000029022 - Access denied error when running sync-tokens command in Authentication Manager 8.x

Symptoms

1. When trying to run the sync-tokens command with a super admin account, an access denied message is displayed.
2. The super admin credentials, as well as other parameters, are entered in one line via command line.  For example,

./rsautil sync-tokens -u <super admin user ID> -p <super admin password> -o /var/tmp/tokens.log -a -l

4. The super admin user can run ./rsautil manage-oc-administrators with the same super admin account.
5. The /opt/rsa/am/utils/logs/imsCluTrace.log shows following error:

@@@2014-11-07 10:19:32,929, [Main Thread], (EJBRemoteTargetBase.java:178), trace.com.rsa.command.EJBRemoteTargetBase, ERROR,SecurID.xxxxxx.com,,,,Exception during command execution. 
com.rsa.authn.AuthenticationCommandException: Access Denied 
at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237) 
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:464) 
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:272) 
at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl_1211_WLStub.executeCommand(Unknown Source) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 
at java.lang.reflect.Method.invoke(Method.java:597) 
at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:84) 
at com.sun.proxy.$Proxy0.executeCommand(Unknown Source) 
at com.rsa.command.EJBRemoteTargetBase$CommandExecutor.run(EJBRemoteTargetBase.java:251) 
at com.rsa.command.EJBRemoteTargetBase$CommandExecutor.run(EJBRemoteTargetBase.java:1) 
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363) 
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146) 
at weblogic.security.Security.runAs(Security.java:61) 
at com.rsa.command.WebLogicSecurityContextWrapper.runAs(WebLogicSecurityContextWrapper.java:51) 
at com.rsa.command.EJBRemoteTargetBase.executeCommand(EJBRemoteTargetBase.java:167) 
at com.rsa.command.DelegatingCommandTarget.executeCommand(DelegatingCommandTarget.java:66) 
at com.rsa.command.TargetableCommand.execute(TargetableCommand.java:297) 
at com.rsa.authn.LoginCommand.execute(LoginCommand.java:611) 
at com.rsa.authn.AuthenticatedTargetImpl.login(AuthenticatedTargetImpl.java:158) 
at com.rsa.command.ConnectionFactory$ConnectionImpl.connect(ConnectionFactory.java:758) 
at com.rsa.command.ConnectionFactory$ConnectionImpl.connect(ConnectionFactory.java:740) 
at com.rsa.command.ConnectionFactory.connect(ConnectionFactory.java:456) 
at com.rsa.authmgr.admin.tools.SyncTokens.login(SyncTokens.java:66) 
at com.rsa.authmgr.admin.tools.SyncTokens.main(SyncTokens.java:181) 
Caused by: com.rsa.authn.AuthenticationCommandException: Access Denied 
at com.rsa.authn.LoginCommand$Executive.execute(LoginCommand.java:775) 
at com.rsa.authn.LoginCommand.performExecute(LoginCommand.java:679) 
at com.rsa.command.LocalTarget.executeCommand(LocalTarget.java:119) 
at com.rsa.ims.command.LocalTransactionalCommandTarget.access$0(LocalTransactionalCommandTarget.java:1) 
at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:268) 
at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:1) 
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:130) 
at com.rsa.ims.command.LocalTransactionalCommandTarget.executeCommand(LocalTransactionalCommandTarget.java:260) 
at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:1) 
at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:113) 
at com.rsa.security.SecurityContext.doAs(SecurityContext.java:439) 
at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:445) 
at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:373) 
at com.rsa.command.CommandServerBean.executeCommand(CommandServerBean.java:89) 
at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.executeCommand(Unknown Source) 
at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl_WLSkel.invoke(Unknown Source) 
at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:696) 
at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230) 
at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118) 
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256) 
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil sync-tokens -I

Authenticator Bulk Synchronization Utility 8.2.1.8.0 (1398219)
Copyright (C) 1994 - 2016 EMC Corporation. All Rights Reserved.

Enter the absolute path for the output report file               : /tmp/tokensync.txt
Enter the base security domain name for recursive search [(none)]: none
Enter the type of token selection                [ (all) | file ]: all
Choose a token filter          [ assigned | unassigned | (both) ]: both
What action do you wish to perform?           [ (list) | modify ]: list
Enter administrator user ID                                      : administrator
Enter administrative password                                    : *********