000029022 - sync-tokens command fails with an Access Denied message

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000029022
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.0, 8.1
Platform: Linux
Issue
Symptom:
1. When trying to run the sync-tokens command with the superadmin account, the customer gets an Access Denied message.
2. The customer provides the superadmin credentials and the other parameters on one command line:  ./rsautil sync-tokens -u xxxxxx -p xxxxxxxxxx -o /var/tmp/tokens.log -a -l
3. They have verified that they can run manage-oc-administrators with the same superadmin account.
4. /opt/rsa/am/utils/logs/imsCluTrace.log shows the following error:
@@@2014-11-07 10:19:32,929, [Main Thread], (EJBRemoteTargetBase.java:178), trace.com.rsa.command.EJBRemoteTargetBase, ERROR,SecurID.xxxxxx.com,,,,Exception during command execution. 

com.rsa.authn.AuthenticationCommandException: Access Denied 

at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237) 

at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:464) 

at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:272) 

at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl_1211_WLStub.executeCommand(Unknown Source) 

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 

at java.lang.reflect.Method.invoke(Method.java:597) 

at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:84) 

at com.sun.proxy.$Proxy0.executeCommand(Unknown Source) 

at com.rsa.command.EJBRemoteTargetBase$CommandExecutor.run(EJBRemoteTargetBase.java:251) 

at com.rsa.command.EJBRemoteTargetBase$CommandExecutor.run(EJBRemoteTargetBase.java:1) 

at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363) 

at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146) 

at weblogic.security.Security.runAs(Security.java:61) 

at com.rsa.command.WebLogicSecurityContextWrapper.runAs(WebLogicSecurityContextWrapper.java:51) 

at com.rsa.command.EJBRemoteTargetBase.executeCommand(EJBRemoteTargetBase.java:167) 

at com.rsa.command.DelegatingCommandTarget.executeCommand(DelegatingCommandTarget.java:66) 

at com.rsa.command.TargetableCommand.execute(TargetableCommand.java:297) 

at com.rsa.authn.LoginCommand.execute(LoginCommand.java:611) 

at com.rsa.authn.AuthenticatedTargetImpl.login(AuthenticatedTargetImpl.java:158) 

at com.rsa.command.ConnectionFactory$ConnectionImpl.connect(ConnectionFactory.java:758) 

at com.rsa.command.ConnectionFactory$ConnectionImpl.connect(ConnectionFactory.java:740) 

at com.rsa.command.ConnectionFactory.connect(ConnectionFactory.java:456) 

at com.rsa.authmgr.admin.tools.SyncTokens.login(SyncTokens.java:66) 

at com.rsa.authmgr.admin.tools.SyncTokens.main(SyncTokens.java:181) 

Caused by: com.rsa.authn.AuthenticationCommandException: Access Denied 

at com.rsa.authn.LoginCommand$Executive.execute(LoginCommand.java:775) 

at com.rsa.authn.LoginCommand.performExecute(LoginCommand.java:679) 

at com.rsa.command.LocalTarget.executeCommand(LocalTarget.java:119) 

at com.rsa.ims.command.LocalTransactionalCommandTarget.access$0(LocalTransactionalCommandTarget.java:1) 

at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:268) 

at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:1) 

at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:130) 

at com.rsa.ims.command.LocalTransactionalCommandTarget.executeCommand(LocalTransactionalCommandTarget.java:260) 

at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:1) 

at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:113) 

at com.rsa.security.SecurityContext.doAs(SecurityContext.java:439) 

at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:445) 

at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:373) 

at com.rsa.command.CommandServerBean.executeCommand(CommandServerBean.java:89) 

at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.executeCommand(Unknown Source) 

at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl_WLSkel.invoke(Unknown Source) 

at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:696) 

at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230) 

at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118) 

at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256) 

at weblogic.work.ExecuteThread.run(ExecuteThread.java:221) 
 
Cause: The error shown in /opt/rsa/am/utils/logs/imsCluTrace.log indicates that the customer entered incorrect credentials. Because the password is provided as a parameter on the command line, any special characters it contains, such as $, are interpreted by the shell rather than passed through literally, so the command does not receive the intended password.
 
Resolution: Use interactive mode to run the sync-tokens command. Do not provide the superadmin credentials on the command line.
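The effect described under Cause can be reproduced with the following added example, which is not RSA code and not part of the original article. The password Blue$Winter9 and the helper names received_arg and is_shell_safe are constructed for illustration; received_arg re-parses its input in a child shell, so feed it test strings only.

```shell
#!/bin/sh
# Added example: shows what a program receives as its -p argument after the
# shell has parsed the command line. The password is a constructed sample.

# received_arg FRAGMENT
# Re-parses FRAGMENT exactly as typed on a command line (via a child sh) and
# prints the single argument the invoked program would see.
received_arg() {
    sh -c "set -- $1; printf '%s' \"\$1\""
}

# is_shell_safe VALUE
# Returns 0 only if VALUE contains no character the shell treats specially
# when unquoted; anything else needs single quotes or an interactive prompt.
is_shell_safe() {
    case $1 in
        ''|*[!A-Za-z0-9_.,:=@%+/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print, for each way of typing the same password, what actually arrives.
demo() {
    for typed in 'Blue$Winter9' '"Blue$Winter9"' "'Blue\$Winter9'" 'Blue\$Winter9'; do
        printf 'typed: -p %-18s received: %s\n' "$typed" "$(received_arg "$typed")"
    done
}
demo
```

Unquoted and double-quoted forms lose everything from the $ onward, which the server then rejects as a wrong password. Single quotes or a backslash deliver the literal value, but the password still lands in shell history and the process list, which the interactive mode in the Resolution avoids.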
