000033891 - RSA Authentication Manager 8.2 reports 'Unexpected error during command com.rsa.admin.GetPrincipalNestedGroupsCommand execution'

Document created by RSA Customer Support Employee on Oct 31, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Content

Article Number: 000033891
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.2
Issue
An administrative task to look up the User Group Membership of a User ID mapped from an identity source generates the message:

There was a problem processing your request. Unexpected error during command com.rsa.admin.GetPrincipalNestedGroupsCommand execution

  1. First, ensure that verbose logging is turned on in the Security Console. To do this:
    1. Click Setup > System Settings > Logging.
    2. Select the primary server and click Next.
    3. Set the Trace Log value to Verbose in the Log Levels section.
    4. Scroll down and check the option to apply the above settings to the replica instance(s) upon save.
    5. Click Save.
  2. If verbose logging was not already enabled, repeat the group membership lookup to reproduce the error. Skip to step 3 if it was already enabled.
  3. Review /opt/rsa/am/server/logs/imsTrace.log for an error such as the following:
2016-08-26 08:50:58,071, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (CommandServerEngine.java:897), trace.com.rsa.command.CommandServerEngine, DEBUG, {AM-hostname},,,,Command : class com.rsa.admin.GetPrincipalNestedGroupsCommand Execution Exception: com.rsa.common.UnexpectedDataStoreException: exception during group search: (&(objectClass=group)(member={group DN})): Unable to find the requested data from the directory server com.rsa.common.UnexpectedDataStoreException: exception during group search: (&(objectClass=group)(member={group DN})): Unable to find the requested data from the directory server
    at com.rsa.ims.admin.dal.ldap.GroupAccessLDAP.getMemberOfGroups(GroupAccessLDAP.java:1426)
    at com.rsa.ims.admin.impl.GroupAdministrationImpl.getMemberOfGroupsForGroup(GroupAdministrationImpl.java:3255)
    at com.rsa.ims.admin.impl.GroupAdministrationImpl.getAllSuperGroups(GroupAdministrationImpl.java:3179)
    at com.rsa.ims.admin.impl.GroupAdministrationImpl.getAllGroupsPrincipalBelongsTo(GroupAdministrationImpl.java:3222)
    at com.rsa.admin.GetPrincipalNestedGroupsCommand.performExecute(GetPrincipalNestedGroupsCommand.java:138)
    at com.rsa.command.LocalTarget.executeCommand(LocalTarget.java:119)
    at com.rsa.ims.command.LocalTransactionalCommandTarget.access$0(LocalTransactionalCommandTarget.java:1)
    at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:268)
    at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:1)
    at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:131)
    at com.rsa.ims.command.LocalTransactionalCommandTarget.executeCommand(LocalTransactionalCommandTarget.java:260)
    at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:933)
    at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:1)
    at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:113)
    at com.rsa.security.SecurityContext.doAs(SecurityContext.java:439)
    at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:445)
    at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:373)
    at com.rsa.command.CommandServerBean.executeCommand(CommandServerBean.java:89)
    at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.__WL_invoke(Unknown Source)
    at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:34)
    at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.executeCommand(Unknown Source)
    at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl_WLSkel.invoke(Unknown Source)
    at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:701)
    at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:231)
    at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:527)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
    at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:523)
    at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:311)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:263)
Cause
An administrator has configured an Active Directory Global Catalog as an identity source in the Operations Console, but the Directory URL used to connect to the Global Catalog does not contain the Global Catalog port number, so the server is contacted on the standard LDAP port rather than the Global Catalog. The default non-secure Global Catalog port is 3268, whereas the secure Global Catalog port is 3269.
Resolution
An administrator needs to include the Global Catalog port number in the identity source Directory URL used to connect to the Active Directory Global Catalog.
  1. Log into the Operations Console.
  2. Select Deployment Configuration > Identity Sources > Manage Existing.
  3. Click the appropriate identity source and select Edit.
  4. Ensure you are in the Connections tab and update the Directory URL(s) to include the required port number.
  5. The example below illustrates using the default non-secure Global Catalog port of 3268:
[Screenshot from the original article: Directory URL field with the Global Catalog port 3268 appended]
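As an added example (not RSA code), the following checks whether an identity source's Directory URLs carry the Global Catalog port described above, proposes the corrected URL for the scheme in use, and filters imsTrace.log lines for the GetPrincipalNestedGroupsCommand / UnexpectedDataStoreException signature from step 3; the host gc.example.com and the shortened trace lines are constructed placeholders.

```python
"""Added example (not RSA code): Directory URL port audit + imsTrace signature."""
from urllib.parse import urlsplit, urlunsplit

# Active Directory Global Catalog ports per LDAP scheme (plain / TLS).
GC_PORT = {"ldap": 3268, "ldaps": 3269}

# Two fragments that appear together in the trace line quoted in the article.
SYMPTOM = ("GetPrincipalNestedGroupsCommand Execution Exception",
           "UnexpectedDataStoreException: exception during group search")


def check_gc_url(url):
    """Classify a Directory URL that is meant to reach a Global Catalog.

    Returns (status, corrected_url); status is 'ok' (GC port present),
    'missing-port' (no port, so the standard LDAP port is used: the
    article's misconfiguration) or 'wrong-port' (explicit non-GC port).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in GC_PORT or not parts.hostname:
        raise ValueError(f"not a usable LDAP URL: {url}")
    want = GC_PORT[scheme]
    fixed = urlunsplit((scheme, f"{parts.hostname}:{want}",
                        parts.path, parts.query, parts.fragment))
    if parts.port == want:
        return "ok", url
    return ("missing-port" if parts.port is None else "wrong-port"), fixed


def imstrace_matches(lines):
    """Return imsTrace.log lines that carry the error signature above."""
    return [line for line in lines if all(s in line for s in SYMPTOM)]


if __name__ == "__main__":
    # Constructed sample Directory URLs; gc.example.com is a placeholder host.
    for url in ("ldap://gc.example.com",        # the article's misconfiguration
                "ldaps://gc.example.com:3269",  # correct secure GC URL
                "ldap://gc.example.com:389"):   # explicit but non-GC port
        status, fixed = check_gc_url(url)
        print(f"{status:13} {url} -> {fixed}")
    # Constructed, shortened trace lines in the imsTrace.log style.
    trace = [
        "..., DEBUG, {AM-hostname},,,,Command : class com.rsa.admin."
        "GetPrincipalNestedGroupsCommand Execution Exception: com.rsa.common."
        "UnexpectedDataStoreException: exception during group search: ...",
        "..., DEBUG, {AM-hostname},,,,Command : class com.rsa.admin."
        "GetPrincipalCommand Execution completed",
    ]
    print(len(imstrace_matches(trace)), "matching line(s)")
```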
Notes
Page 71 of the RSA Authentication Manager 8.2 Administrator's Guide provides information on the properties of the Directory URL in the identity source configuration, and page 90 provides information on integrating an LDAP directory as an identity source.
