|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2 patch 1
|Issue||After applying Authentication Manager 8.2 patch 1, all token authentication attempts to the primary and all replicas will fail with the following error:|
Passcode reuse or previous token code detected
Fixed passcodes and emergency tokencodes work successfully.
Other symptoms include:
10/26/2016 2:15 WARN 26041 Clock Setback Detected Detected clock setback, current:“2016-10-26 06:15 UTC” expected:“2016-10-26 12:15 UTC”
10/26/2016 3:03 INFO 16256 Update configuration
STATUS | wrapper | main | 2017/05/06 04:01:23 | <-- Wrapper Stopped
2016/10/26 08:13:32 | <Oct 26, 2016 8:13:32 AM EDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING.> STATUS | wrapper | main
Passcode reuse or previous token code detected for user “<UserID>” in security domain “SystemDomain” from “Internal Database” identity source. Request originated from agent “<FQDN_of_agent>” with IP address “<IP_address_of_agent>” in security domain “SystemDomain” with protocol version “Internal Database”. Authentication method: “SecurID_Native”, Authentication policy exp: “”, Activation Group: “”, Token serial number: “<Token_serial_number>”, Alias: “”
Authentication method failed
Bad tokencode, but good PIN detected for token serial number “<Token_serial_number>” assigned to user “<UserID>” in security domain “SystemDomain”
|Cause||The hardware clock is set ahead of the system/NTP time, meaning the hardware clock is in the future relative to the system time.|
Access Authentication Manager through an SSH session and compare the system time (set by NTP and shown by date) with the hardware clock. They should be the same; if they are not, that difference is what causes the problem.
login as: rsaadmin
Starting the Authentication Manager services sets the token High Water Mark (HWM) to that future time. The HWM is a shortcut used by the Authentication Manager Adjudicator (replication service) to quickly determine whether a tokencode has been used previously. In short, any tokencode or passcode from a time earlier than the HWM is automatically treated as previously used. The problem arises when the HWM is mistakenly set to a future time because the services read the incorrect hardware clock at startup, and NTP then corrects the system time back to the correct, earlier time.
No tokencode from any token will work until the system time catches up with the future HWM time. Fixed passcodes and emergency tokencodes or passcodes still work, since they are not time-based and have no High Water Mark.
|Resolution||If the hardware clock differs from the system clock but the system time is correct, you can write the system time to the hardware clock with the command hwclock -w. To complete this, follow the steps below:|
login as: rsaadmin
Engineering will provide a patch (or hot fix) in the near future to avoid this situation.
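The clock comparison from the Cause section and the hwclock -w step from the Resolution, as an added example that is not part of the RSA article. It assumes GNU coreutils date, util-linux hwclock and sudo rights for hwclock; the function names (to_epoch, clock_skew_seconds, classify_skew, read_hw_clock) are hypothetical, and the demo values are constructed from the "Clock Setback Detected" log line above. Writing the hardware clock is a separate, explicit "fix" action so that a plain run only reports.

```shell
#!/bin/sh
# Added example, not from the RSA article: compare the system (NTP) time with
# the hardware clock and, only when explicitly asked, write the system time to
# the hardware clock with hwclock -w as the Resolution describes.
# Assumptions: GNU coreutils date, util-linux hwclock, sudo rights for hwclock;
# all function names are hypothetical.
set -u

# "YYYY-MM-DD HH:MM:SS" (or any string GNU date parses) -> epoch seconds, UTC.
to_epoch() { TZ=UTC date -u -d "$1" +%s; }

# Signed skew in seconds: hardware clock minus system clock.
# Positive means the hardware clock is ahead (the failure case in this article).
clock_skew_seconds() {
    sys_epoch=$(to_epoch "$1"); hw_epoch=$(to_epoch "$2")
    echo $((hw_epoch - sys_epoch))
}

# Classify a skew against a tolerance in seconds (default 60).
classify_skew() {
    skew=$1; tol=${2:-60}
    if [ "$skew" -gt "$tol" ]; then echo HW_AHEAD
    elif [ "$skew" -lt "-$tol" ]; then echo HW_BEHIND
    else echo IN_SYNC; fi
}

# Read the hardware clock as a string GNU date can parse. Older hwclock
# versions append a "  -0.123456 seconds" drift field, which is stripped.
read_hw_clock() { sudo hwclock --show | sed 's/ *[-+0-9.]* seconds$//'; }

case "${1:-demo}" in
  check)
    sys_now=$(date -u '+%Y-%m-%d %H:%M:%S')
    hw_now=$(read_hw_clock)
    skew=$(clock_skew_seconds "$sys_now" "$hw_now")
    echo "system (UTC): $sys_now"
    echo "hardware:     $hw_now"
    echo "skew: ${skew}s -> $(classify_skew "$skew")"
    ;;
  fix)
    # Only after confirming the system time is correct (NTP in sync):
    # write the system time to the hardware clock, then re-check.
    sudo hwclock -w && "$0" check
    ;;
  demo)
    # Constructed values from the "Clock Setback Detected" log line:
    # system time 06:15 UTC, hardware clock 12:15 UTC.
    skew=$(clock_skew_seconds "2016-10-26 06:15:00" "2016-10-26 12:15:00")
    echo "constructed skew: ${skew}s -> $(classify_skew "$skew")"
    ;;
esac
```

Run it with `check` after logging in as rsaadmin to see the skew classification; a HW_AHEAD result with a known-good system time is the condition this article describes, and `fix` then applies hwclock -w and re-checks.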
|Workaround||As a workaround, wait for the system time to reach the time the hardware clock showed when the reboot happened; that is, wait until the system time passes the High Water Mark.|
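A model of the High Water Mark behaviour from the Cause section and of the waiting time the Workaround implies, as an added example that is not RSA's code. The function names (to_epoch, adjudicate, seconds_until_hwm_passed) and the "FixedPasscode" method label are hypothetical; the "SecurID_Native" method name is taken from the log excerpt, and the times are constructed from the "Clock Setback Detected" line (hardware clock 12:15 UTC at boot, NTP-corrected system time 06:15 UTC). It assumes GNU coreutils date.

```shell
#!/bin/sh
# Added model of the High Water Mark (HWM) shortcut described in the Cause
# section. Not RSA code; function names and the FixedPasscode label are
# hypothetical. All times are epoch seconds (UTC); to_epoch assumes GNU date.

to_epoch() { TZ=UTC date -u -d "$1" +%s; }

# The services set the HWM from whatever clock they read at startup.
hwm_at_startup() { echo "$1"; }

# Adjudicator shortcut: for the time-based SecurID_Native method, a tokencode
# from a time earlier than the HWM is treated as already used. Methods that are
# not time-based (fixed passcodes, emergency codes) have no HWM to compare.
adjudicate() {
    method=$1; hwm=$2; code_time=$3
    case "$method" in
      SecurID_Native)
        if [ "$code_time" -lt "$hwm" ]; then
            echo "REJECT: Passcode reuse or previous token code detected"
        else
            echo ACCEPT
        fi ;;
      *) echo ACCEPT ;;
    esac
}

# How long the workaround takes: seconds until the corrected system clock
# reaches the HWM (0 if it is already there).
seconds_until_hwm_passed() {
    hwm=$1; now=$2
    if [ "$now" -ge "$hwm" ]; then echo 0; else echo $((hwm - now)); fi
}

# Walk-through with constructed values: the hardware clock read at boot said
# 12:15 UTC; NTP then set the system time back to 06:15 UTC.
hw_boot=$(to_epoch "2016-10-26 12:15:00")
ntp_now=$(to_epoch "2016-10-26 06:15:00")
hwm=$(hwm_at_startup "$hw_boot")

echo "HWM set at boot:           $(TZ=UTC date -u -d "@$hwm" '+%F %T UTC')"
echo "SecurID tokencode now:     $(adjudicate SecurID_Native "$hwm" "$ntp_now")"
echo "Fixed passcode now:        $(adjudicate FixedPasscode "$hwm" "$ntp_now")"
echo "Seconds until HWM passed:  $(seconds_until_hwm_passed "$hwm" "$ntp_now")"
echo "Tokencode 1 min after HWM: $(adjudicate SecurID_Native "$hwm" $((hwm + 60)))"
```

The six-hour gap between the two timestamps in the log line is exactly the window during which every time-based tokencode fails while fixed and emergency passcodes keep working, which is why the Workaround amounts to waiting that long.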
|Notes||Jira bug AM-30552 - CE Assist: RCA on AM 8.2 upgrade failure - Primary had all "Passcode reuse or previous token code detected"|
“previously used passcode”
High Water Mark, HWM