000016966 - Impersonation error when creating a token using runtimeAPI.createToken

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000016966
Applies To: RSA Access Manager AdminAPI
RSA Access Manager 6.1
RSA Access Manager version 6.2
Issue: Impersonation error when creating a token using runtimeAPI.createToken
The following error is logged in the eserver standard output file in DEBUG mode:

15:29:33:115 [*] [MuxWorker-10] - result: {EXCEPTION_TYPE=TokenException, EXCEPTION_MESSAGE=Impersonation is allowed only for administrative user}
Cause: This error occurs when runtimeAPI.createToken() or RunTimeAPI.setTokenValue() is used on the token map of an authenticated user's token. When a token is created by an authenticate method, it is populated with several default keys, including SC_IMPERSONATED_ID. No error is generated when the token is created as the result of the authentication call, but any subsequent attempt to modify the token map and then create a new token generates this error. User impersonation is a new feature introduced in Access Manager 6.1 that is supposed to ensure that tokens created by a user other than the authenticated user are created through the impersonation API. The check for an impersonation ID in the token incorrectly occurs even if cleartrust.aserver.impersonation.enable=false is set in the aserver.conf file.
Resolution: Before calling the create token method, remove the impersonation key from the token map with the remove method. This prevents the check for a valid impersonation from being made.
values.remove(TokenKeys.SC_IMPERSONATED_ID);

This error should not occur when cleartrust.aserver.impersonation.enable=false.  This will be fixed in a future service pack. 
Workaround: Upgraded from 6.0 to 6.1
Legacy Article ID: a61620
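
To confirm from the eserver standard output file that a deployment is hitting this specific error, the result line quoted under Issue can be parsed and counted per worker thread. This is an added example, not RSA code: it assumes every DEBUG result line follows the layout of the single line quoted in this article, and all sample lines other than that one are constructed.

```python
import re
from collections import Counter

# Layout inferred from the one line quoted in this article (an assumption):
# HH:MM:SS:mmm [*] [thread] - result: {KEY=value, KEY=value}
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}:\d{3}) \[\*\] \[(?P<thread>[^\]]+)\] - "
    r"result: \{(?P<body>.*)\}\s*$"
)
# Split on ", " only where an upper-case KEY= follows, so commas inside a
# message value do not break the field apart.
FIELD_SPLIT_RE = re.compile(r", (?=[A-Z_]+=)")
IMPERSONATION_MSG = "Impersonation is allowed only for administrative user"

def parse_result_line(line):
    """Return a dict for a result line, or None if the line has another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pairs = (f.split("=", 1) for f in FIELD_SPLIT_RE.split(m["body"]) if "=" in f)
    return {"time": m["time"], "thread": m["thread"], "fields": dict(pairs)}

def find_impersonation_errors(lines):
    """Collect parsed records for the TokenException described in this article."""
    hits = []
    for rec in filter(None, map(parse_result_line, lines)):
        f = rec["fields"]
        if (f.get("EXCEPTION_TYPE") == "TokenException"
                and f.get("EXCEPTION_MESSAGE") == IMPERSONATION_MSG):
            hits.append(rec)
    return hits

def count_by_thread(hits):
    """Number of matching errors per worker thread."""
    return Counter(h["thread"] for h in hits)

# First line is the one quoted in the article; the rest are constructed samples.
SAMPLE_LOG = """\
15:29:33:115 [*] [MuxWorker-10] - result: {EXCEPTION_TYPE=TokenException, EXCEPTION_MESSAGE=Impersonation is allowed only for administrative user}
15:29:34:002 [*] [MuxWorker-3] - result: {EXCEPTION_TYPE=TokenException, EXCEPTION_MESSAGE=Token expired, please log in again}
15:29:35:410 [*] [MuxWorker-10] - result: {EXCEPTION_TYPE=TokenException, EXCEPTION_MESSAGE=Impersonation is allowed only for administrative user}
15:29:36:000 some unrelated line
""".splitlines()

if __name__ == "__main__":
    for worker, n in count_by_thread(find_impersonation_errors(SAMPLE_LOG)).items():
        print(f"{worker}: {n} impersonation error(s)")
```

If the count does not drop to zero after the SC_IMPERSONATED_ID key is removed before the create token call, the remaining lines come from a code path that still passes the key.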