on Jun 15, 2016Article Content
| Article Number | 000029022 |
| Applies To | RSA Product Set: SecurID RSA Product/Service Type: Authentication Manager RSA Version/Condition: 8.0, 8.1 Platform: Linux Platform (Other): O/S Version: Product Name: Product Description: |
| Issue | Symptom: 1. When trying to run the sync-tokens command with the superadmin account, customer gets an access denied message. 2. Customer provides superadmin credentials as well as other parameters in one command line: ./rsautil sync-tokens -u xxxxxx -p xxxxxxxxxx -o /var/tmp/tokens.log -a -l 3. They have verified that they can run the manage-oc-administrators with the same superadmin account. 4. /opt/rsa/am/utils/logs/imsCluTrace.log shows following error: @@@2014-11-07 10:19:32,929, [Main Thread], (EJBRemoteTargetBase.java:178), trace.com.rsa.command.EJBRemoteTargetBase, ERROR,SecurID.xxxxxx.com,,,,Exception during command execution. com.rsa.authn.AuthenticationCommandException: Access Denied at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237) at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:464) at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:272) at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl_1211_WLStub.executeCommand(Unknown Source) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:84) at com.sun.proxy.$Proxy0.executeCommand(Unknown Source) at com.rsa.command.EJBRemoteTargetBase$CommandExecutor.run(EJBRemoteTargetBase.java:251) at com.rsa.command.EJBRemoteTargetBase$CommandExecutor.run(EJBRemoteTargetBase.java:1) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146) at weblogic.security.Security.runAs(Security.java:61) at com.rsa.command.WebLogicSecurityContextWrapper.runAs(WebLogicSecurityContextWrapper.java:51) at com.rsa.command.EJBRemoteTargetBase.executeCommand(EJBRemoteTargetBase.java:167) at com.rsa.command.DelegatingCommandTarget.executeCommand(DelegatingCommandTarget.java:66) at com.rsa.command.TargetableCommand.execute(TargetableCommand.java:297) at com.rsa.authn.LoginCommand.execute(LoginCommand.java:611) at com.rsa.authn.AuthenticatedTargetImpl.login(AuthenticatedTargetImpl.java:158) at com.rsa.command.ConnectionFactory$ConnectionImpl.connect(ConnectionFactory.java:758) at com.rsa.command.ConnectionFactory$ConnectionImpl.connect(ConnectionFactory.java:740) at com.rsa.command.ConnectionFactory.connect(ConnectionFactory.java:456) at com.rsa.authmgr.admin.tools.SyncTokens.login(SyncTokens.java:66) at com.rsa.authmgr.admin.tools.SyncTokens.main(SyncTokens.java:181) Caused by: com.rsa.authn.AuthenticationCommandException: Access Denied at com.rsa.authn.LoginCommand$Executive.execute(LoginCommand.java:775) at com.rsa.authn.LoginCommand.performExecute(LoginCommand.java:679) at com.rsa.command.LocalTarget.executeCommand(LocalTarget.java:119) at com.rsa.ims.command.LocalTransactionalCommandTarget.access$0(LocalTransactionalCommandTarget.java:1) at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:268) at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:1) at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:130) at com.rsa.ims.command.LocalTransactionalCommandTarget.executeCommand(LocalTransactionalCommandTarget.java:260) at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:1) at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:113) at com.rsa.security.SecurityContext.doAs(SecurityContext.java:439) at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:445) at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:373) at com.rsa.command.CommandServerBean.executeCommand(CommandServerBean.java:89) at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.executeCommand(Unknown Source) at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl_WLSkel.invoke(Unknown Source) at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:696) at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230) at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256) at weblogic.work.ExecuteThread.run(ExecuteThread.java:221) |
| Cause | The error shown in /opt/rsa/am/utils/logs/imsCluTrace.log indicates that customer input incorrect credentials. Since the password is provided as a parameter in command line, if it contains some special characters, like $, it will cause unexpected interrupt. |
| Resolution | Use interactive mode to run the sync-tokens command. Don't provide superadmin credentials in command line. |