000033721 - Unexpected error during command com.rsa.admin.GetPrincipalNestedGroupsCommand execution in RSA Authentication Manager 8.1 SP1 patch 15

Document created by RSA Customer Support Employee on Nov 24, 2017
Version 1

Article Content

Article Number: 000033721
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1 patch 15
 
Issue
The following error message displays on the screen as well as in /opt/rsa/am/server/logs/imsTrace.log when loading a username in the dashboard of Authentication Manager:

Unexpected error during command com.rsa.admin.GetPrincipalNestedGroupsCommand execution.

In the Security Console the following warning message is seen:
There was a problem loading the page. Please click the refresh button on your browser.


All fields seem to load except for group membership, and the error banner appears at the top of the dashboard.

Cause
The LDAP lookup information is not found as it should be. The All Users report also has empty group information. Page 11 of the RSA Authentication Manager 8.1.1.15 Readme document describes the new features and enhancements in patch 9, including the rsautil commands that preserve agent host associations when duplicating groups. The issue should also be fixed in Authentication Manager 8.2 patch 1.
Resolution
If the All Users report does not show user group information, follow the steps below.
  1. Open an SSH session to the server or start a direct connection.
  2. Log in as the rsaadmin user.
  3. Navigate to /opt/rsa/am/utils.
  4. Run the command: ./rsautil store -a add_config auth_manager.reports.principal.all_group true GLOBAL 500
  5. When prompted, enter the username and password for an Operations Console admin.
  6. When done, navigate to /opt/rsa/am/server and restart the Authentication Manager services for the changes to take effect.

login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter Operating System admin password>
Last login: Mon Aug 22 19:33:01 2016 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> cd /opt/rsa/am/utils
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil store -a add_config auth_manager.reports.principal.all_group true GLOBAL 500
Please enter OC Administrator username: <enter Operations Console admin user name>
Please enter OC Administrator password: <enter Operations Console admin user password>
psql.bin:/tmp/d987cbc0-28b8-42cb-8268-a7f19f39c0a5366730406702853418.sql:167: NOTICE:  Changed the value of configuration parameter
'auth_manager.reports.principal.all_group' from 'false' to 'true' for the instance 'GLOBAL'.
update_config
----------------
(1 row)
rsaadmin@am81p:/opt/rsa/am/utils> cd ../server
rsaadmin@am81p:/opt/rsa/am/server> ./rsaserv restart all
Stopping RSA RADIUS Server: **
RSA RADIUS Server                                          [SHUTDOWN]
Stopping RSA Runtime Server: ****
RSA Runtime Server                                         [SHUTDOWN]
Stopping RSA Console Server: **
RSA Console Server                                         [SHUTDOWN]
Stopping RSA Replication (Primary): *
RSA Replication (Primary)                                  [SHUTDOWN]
Stopping RSA Database Server: **
RSA Database Server                                        [SHUTDOWN]
Stopping RSA RADIUS Server Operations Console: **
RSA RADIUS Server Operations Console                       [SHUTDOWN]
Stopping RSA Administration Server with Operations Console: **
RSA Administration Server with Operations Console          [SHUTDOWN]
Starting RSA Administration Server with Operations Console:
Starting RSA Database Server: ******************
RSA Administration Server with Operations Console          [RUNNING]
Starting RSA RADIUS Server Operations Console: *\ RSA Database Server                                        [RUNNING]                                                          ******************
RSA RADIUS Server Operations Console                       [RUNNING]
Starting RSA Runtime Server: *********************************
RSA Runtime Server                                         [RUNNING]
Starting RSA RADIUS Server: *
RSA RADIUS Server                                          [RUNNING]
Starting RSA Console Server: *
Starting RSA Replication (Primary): ****
RSA Replication (Primary)                                  [RUNNING]*******************
RSA Console Server                                         [RUNNING]
rsaadmin@am81p:/opt/rsa/am/server>
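
After the restart, every service that reported [SHUTDOWN] should report [RUNNING] again. The shell function below is an added example, not RSA tooling, that checks a saved transcript of ./rsaserv restart all; the function name and the sample transcript are constructed for illustration and patterned on the output above.

```shell
#!/usr/bin/env bash
# Added example: reads an "./rsaserv restart all" transcript on stdin and
# prints every service whose last reported state is not [RUNNING].
# Prints nothing when all services came back up.
services_not_running() {
  # Startup progress output is interleaved, so a status can land mid-line.
  # Extract "<service name>   [STATE]" pairs wherever they occur on a line.
  grep -oE 'RSA [A-Za-z ()]+[[:space:]]+\[(RUNNING|SHUTDOWN)\]' |
  awk '{
         state = $NF                          # "[RUNNING]" or "[SHUTDOWN]"
         sub(/[[:space:]]+\[[A-Z]+\]$/, "")   # keep only the service name
         last[$0] = state                     # later lines override earlier
       }
       END { for (s in last) if (last[s] != "[RUNNING]") print s }' |
  sort
}

# Constructed sample transcript (hypothetical, shortened): the Console
# Server is stopped but never reports [RUNNING] again.
SAMPLE='Stopping RSA Runtime Server: ****
RSA Runtime Server                                         [SHUTDOWN]
Stopping RSA Database Server: **
RSA Database Server                                        [SHUTDOWN]
Stopping RSA Console Server: **
RSA Console Server                                         [SHUTDOWN]
Starting RSA Runtime Server: *\ RSA Database Server        [RUNNING]   *****
RSA Runtime Server                                         [RUNNING]
Starting RSA Console Server: *'

printf '%s\n' "$SAMPLE" | services_not_running
```

To use it on a real appliance, capture the restart output to a file (for example with tee) and pipe that file into the function.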

Optionally, to restrict the report to the scope of the administrator running the report and not see all groups, use the following command. Authentication Manager services will need to be restarted for the change to take effect.

./rsautil store -a add_config auth_manager.reports.principal.registered_group_only true GLOBAL 500

To undo or disable this command, change add_config to update_config and change true to false with the following command. Authentication Manager services will need to be restarted for the change to take effect.

./rsautil store -a update_config auth_manager.reports.principal.all_group false GLOBAL 500

These commands are not known to harm the database. If items are misspelled or if the string contains other syntax errors, the command simply will not run.
Optionally, you can verify that the setting did not already exist by running the update_config version of the command. Run against a setting that was never added, it displays an error that the variable does not exist.
Notes
Related issue: You do not have sufficient administrative privileges to complete this operation

If this used to work but started to fail after AM 8.1 SP1 P6 and only works for superadmin, you need to apply patch 15 to AM 8.1 SP1.
