000033721 - Unexpected error during command com.rsa.admin.GetPrincipalNestedGroupsCommand execution in RSA Authentication Manager 8.1 SP1 Patch 15

Document created by RSA Customer Support Employee on Aug 22, 2016

Article Number: 000033721
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0 SP1 P15
Platform: SUSE Linux 11
O/S Version: SUSE Linux 11
Product Name: Authentication Manager SecurID
 
Issue: The customer is experiencing the following error message when loading a username in the Authentication Manager dashboard:

Unexpected error during command com.rsa.admin.GetPrincipalNestedGroupsCommand execution.

There was a problem loading the page. Please click the refresh button on your browser.

All fields seem to load except for group membership, and the error banner appears at the top of the dashboard. There are nested groups.
Cause: LDAP lookup information is not found as it should be. The All Users report also has empty group information. The patch release notes document some rsautil commands that can fix this, and it should also be fixed in AM 8.2 P1.
Resolution: The patch release notes document some rsautil commands that can fix this; I have listed them in a more readable and direct fashion below. This problem should also be fixed in AM 8.2 P1.
If you get the same problem in an All Users report (it does not show user group information), you need to run the following rsautil commands in Linux. The commands are documented in the readme for P2 and higher, under New Features from Patch 2 and 9.
 
Details for running these commands:
SSH to the appliance (for example with PuTTY) as the rsaadmin operating system account.
cd /opt/rsa/am/utils
./rsautil store -a add_config auth_manager.reports.principal.all_group true GLOBAL 500
You will be prompted for the ocadmin username and the ocadmin password.
This command will allow the report to list all of the user's groups. You will need to restart services when it's done:
cd /opt/rsa/am/server
./rsaserv restart all

 
Optionally, if you want to restrict the report to just the scope of the admin running the report, rather than showing all groups, you can use this command instead:

./rsautil store -a add_config auth_manager.reports.principal.registered_group_only true GLOBAL 500


 
Also, if for whatever reason you need to undo or disable this setting, change add_config to update_config and change true to false:
./rsautil store -a update_config auth_manager.reports.principal.all_group false GLOBAL 500


These commands are not known to break anything; if they are misspelled or contain syntax errors, they simply do not run. Optionally, you can verify that the setting did not already exist by running the update_config version of the command first: you would get an error that the variable does not exist.
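The steps above as a small runbook script, added here as an example and not taken from the RSA article or the product. It assumes the article's paths (/opt/rsa/am/utils and /opt/rsa/am/server), is run as the rsaadmin account, lets rsautil prompt for the ocadmin credentials itself, and only restarts services when the store command succeeded.

```shell
#!/bin/sh
# Wraps the rsautil store calls from the article. Mode names are this script's own:
#   enable  -> add_config    auth_manager.reports.principal.all_group             true
#   scope   -> add_config    auth_manager.reports.principal.registered_group_only true
#   disable -> update_config auth_manager.reports.principal.all_group             false
AM_UTILS=${AM_UTILS:-/opt/rsa/am/utils}     # assumed path, as in the article
AM_SERVER=${AM_SERVER:-/opt/rsa/am/server}  # assumed path, as in the article

# Print the rsautil arguments for a mode; fail with status 2 on an unknown mode.
report_group_args() {
    case "$1" in
        enable)  echo "store -a add_config auth_manager.reports.principal.all_group true GLOBAL 500" ;;
        scope)   echo "store -a add_config auth_manager.reports.principal.registered_group_only true GLOBAL 500" ;;
        disable) echo "store -a update_config auth_manager.reports.principal.all_group false GLOBAL 500" ;;
        *)       echo "usage: enable|scope|disable" >&2; return 2 ;;
    esac
}

# Apply one setting and restart services. With DRY_RUN=1, or when rsautil is not
# present on this host, only print the commands that would be run.
apply_report_group_setting() {
    args=$(report_group_args "$1") || return 2
    if [ "${DRY_RUN:-0}" = 1 ] || [ ! -x "$AM_UTILS/rsautil" ]; then
        echo "$AM_UTILS/rsautil $args"
        echo "$AM_SERVER/rsaserv restart all"
        return 0
    fi
    # rsautil prompts for the ocadmin user and password here.
    (cd "$AM_UTILS" && ./rsautil $args) || {
        echo "rsautil failed (see the error above); services were not restarted" >&2
        return 1
    }
    (cd "$AM_SERVER" && ./rsaserv restart all)
}
```

Run it as `DRY_RUN=1 sh script.sh` first to review the exact commands before applying them on the appliance.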
 
Workaround: The patch release notes document some rsautil commands that can fix this; they are listed in a more readable and direct fashion under Resolution above. This problem should also be fixed in AM 8.2 P1.
 
Notes: Other possibly related problems: you see a “String index out of range: -2” error, or it is clearly an admin privilege issue.
Insufficient admin privileges
If this used to work but started to fail after applying P6 or later to SP1, AND it only works for Super Admin, the fix for AM-29203 has probably broken your limited-role admins: AM-29203 tightened the role permission check on admins, so they can no longer see the groups and get an explicit privilege violation when they try to view or access those groups.
Your options are:
1. Roll back to pre-P6 to verify if your Admins can go back to seeing the groups.  Not the best solution as you lose all the other fixes.
2. Apply Patch P15 or later, to see if this helps. If you want to be able to roll back, roll back P14 first, then apply P15 and see if that works; this way you retain the option to roll back P15, as you can only roll back the latest patch, and only once. The fix in P15 does not sound like it will help with or undo this problem, though.
3. Tweak the current admin role until you make it so that they can see the groups.
Each option requires some work or some risk. This does not appear to be a new bug, but even if it were, you would still have to reproduce it, which would involve going through roles and privileges as in option 3 to assess the logic and test the ability to see groups (internal/external/in that security domain) from this admin role.
You probably need View or Read permission on all security domains.
