000035427 - How to recover the AveksaAdmin account password in RSA Identity Governance & Lifecycle 7.0.2 P02 and above

Document created by RSA Customer Support Employee on Apr 18, 2018. Last modified by RSA Customer Support Employee on Jun 26, 2018.
Version 2

Article Content

Article Number: 000035427
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2 P02+
Issue: Starting in RSA Identity Governance & Lifecycle 7.0.2 P02, the AveksaAdmin account password is hashed and encrypted in a format that is unique to each installation.

When data containing this password is imported after a new installation or upgrade, RSA Identity Governance & Lifecycle creates a marker KEK (key encryption key) file, Xmk.key, which ties the hashed and encrypted AveksaAdmin password to that specific deployment. Once Xmk.key exists, any further attempt to import the AveksaAdmin password in the older format, or to edit the AveksaAdmin password directly in the database, is treated as potential tampering.

Restoring the AveksaAdmin password may be required in the following circumstances:
  • The AveksaAdmin password is lost or forgotten and needs to be reset.
  • After a new installation or upgrade, more than one attempt to import an old AveksaAdmin password has been detected, and the AveksaAdmin account has been locked out due to possible tampering. If this happens, the following symptoms may be seen:
    • Logging in to the AveksaAdmin account results in an invalid credentials error message.
    • A security-type event is logged in the Admin Errors table, with the following description:

Super Admin account access denied.

      The event contains the following details:

Super admin password tampering has been detected. Password recovery steps must be taken before login to the Super Admin account is allowed, please consult documentation.

    • The T_AV_EVENT and T_AV_EVENT_INFO tables contain a failure audit event of type SUPER_ADMIN_ACCESS with the details:

Possible Super Admin account password tampering detected, access denied.

    • The aveksaServer.log may contain the following error. The root cause is the EncryptionException at the end of each trace: the stored value embeds key version EAn, and the server has no encryptor loaded for that key version, which is why the message points at the security key file:

    09/05/2017 12:39:56.288 ERROR (default task-16) [com.aveksa.server.authentication.AuthenticationProviderServiceImpl] Error while fetching the super admin password
    java.lang.IllegalStateException: An issue with handling encryption was encountered
    at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:507)
    at com.aveksa.server.authentication.AuthenticationProviderServiceImpl.loginSuperAdmin(AuthenticationProviderServiceImpl.java:615)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.checkOldPassword(ModifySystemSettingsDialogData.java:604)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validatePassword(ModifySystemSettingsDialogData.java:445)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validateData(ModifySystemSettingsDialogData.java:489)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleSubmit(ModifySystemSettingsDialogData.java:196)
    at com.aveksa.gui.pages.base.data.dialog.EditableDialogPageData.handleRequest(EditableDialogPageData.java:45)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleRequest(ModifySystemSettingsDialogData.java:179)
    at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:597)
    at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:340)
    at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:271)
    at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:184)
    at com.aveksa.gui.core.MainManager.doGet(MainManager.java:128)
    at com.aveksa.gui.core.MainManager.doPost(MainManager.java:420)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
    at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:53)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
    at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:172)
    at java.security.AccessController.doPrivileged(Native Method)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:169)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:748)
    Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version: keyVersion[EAn]; Value[ENCAEAn(zwF...)]
    -- Check that the security key file is not missing

    at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:501)
    ... 53 more
    09/05/2017 12:39:56.291 ERROR (default task-16) [com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData] Authentication Exception while checking for password
    com.aveksa.server.authentication.AuthenticationProviderServiceException: Error while doing the authentication
    at com.aveksa.server.authentication.AuthenticationProviderServiceImpl.loginSuperAdmin(AuthenticationProviderServiceImpl.java:667)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.checkOldPassword(ModifySystemSettingsDialogData.java:604)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validatePassword(ModifySystemSettingsDialogData.java:445)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validateData(ModifySystemSettingsDialogData.java:489)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleSubmit(ModifySystemSettingsDialogData.java:196)
    at com.aveksa.gui.pages.base.data.dialog.EditableDialogPageData.handleRequest(EditableDialogPageData.java:45)
    at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleRequest(ModifySystemSettingsDialogData.java:179)
    at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:597)
    at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:340)
    at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:271)
    at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:184)
    at com.aveksa.gui.core.MainManager.doGet(MainManager.java:128)
    at com.aveksa.gui.core.MainManager.doPost(MainManager.java:420)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
    at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:53)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
    at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:172)
    at java.security.AccessController.doPrivileged(Native Method)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:169)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:748)
    Caused by: java.lang.IllegalStateException: An issue with handling encryption was encountered
    at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:507)
    at com.aveksa.server.authentication.AuthenticationProviderServiceImpl.loginSuperAdmin(AuthenticationProviderServiceImpl.java:615)
    ... 52 more
    Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version: keyVersion[EAn]; Value[ENCAEAn(zwF...)]
    -- Check that the security key file is not missing
    at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:501)
    ... 53 more
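
The script below is an added triage example, not RSA code and not part of this article. It scans an aveksaServer.log excerpt for the two signatures quoted above (the AuthenticationProviderServiceImpl "Error while fetching the super admin password" entry and the EncryptionException root cause) and reports which embedded key version the server could not decrypt, so that a support case can be opened with the right evidence. It assumes the log line layout seen in the excerpt (timestamp, level, thread in parentheses, logger in square brackets) and that the "Caused by" lines following an ERROR entry belong to that entry. The sample log embedded in the script is constructed from the article's excerpt, with the stack traces cut short and an unrelated entry appended; the log file path in the usage comment is hypothetical. The script only reads text and does not touch the database or any key file.

```python
"""Triage helper for the AveksaAdmin (super admin) decrypt failure.

Added example, not RSA code. Assumptions not stated by the article: log lines
look like 'MM/DD/YYYY HH:MM:SS.mmm LEVEL (thread) [logger] message', and
'Caused by' lines between an ERROR entry and the next timestamped entry
belong to that ERROR.
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Start of any timestamped log entry.
ENTRY_RE = re.compile(r"^\d{1,2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
# The ERROR entry quoted in the article that opens the failure.
SUPER_ADMIN_ERROR_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ERROR \((?P<thread>[^)]+)\) "
    r"\[com\.aveksa\.server\.authentication\.AuthenticationProviderServiceImpl\] "
    r"Error while fetching the super admin password"
)
# The root cause quoted in the article: the stored value carries a key version
# for which no encryptor is loaded.
NO_ENCRYPTOR_RE = re.compile(
    r"Caused by: com\.aveksa\.common\.crypto\.EncryptionException: "
    r"Value to be decrypted has no associated encryptor for its embedded key version: "
    r"keyVersion\[(?P<kv>[^\]]+)\]; Value\[(?P<val>[^\]]*)\]"
)
KEY_FILE_HINT = "-- Check that the security key file is not missing"


@dataclass
class SuperAdminDecryptFailure:
    timestamp: str
    thread: str
    key_version: Optional[str] = None   # embedded key version, e.g. "EAn"
    value_prefix: Optional[str] = None  # truncated ciphertext as logged
    key_file_hint: bool = False         # the "-- Check ..." hint was present


def scan_aveksa_log(lines: Iterable[str]) -> List[SuperAdminDecryptFailure]:
    """One finding per super-admin fetch error, with its root cause attached.

    Only 'Caused by' lines between the matching ERROR entry and the next
    timestamped entry are attributed to it, so the second ERROR the article
    shows for the same request (from ModifySystemSettingsDialogData, with the
    same cause chain) is not counted as a second failure.
    """
    findings: List[SuperAdminDecryptFailure] = []
    current: Optional[SuperAdminDecryptFailure] = None
    for raw in lines:
        line = raw.strip()
        if ENTRY_RE.match(line):
            current = None  # a new entry closes the previous cause chain
            m = SUPER_ADMIN_ERROR_RE.match(line)
            if m:
                current = SuperAdminDecryptFailure(m.group("ts"), m.group("thread"))
                findings.append(current)
            continue
        if current is None:
            continue
        c = NO_ENCRYPTOR_RE.search(line)
        if c and current.key_version is None:
            current.key_version = c.group("kv")
            current.value_prefix = c.group("val")
        elif line.startswith(KEY_FILE_HINT):
            current.key_file_hint = True
    return findings


def missing_key_versions(findings: Iterable[SuperAdminDecryptFailure]) -> List[str]:
    """Distinct embedded key versions the server could not decrypt, in order seen."""
    seen: List[str] = []
    for f in findings:
        if f.key_version and f.key_version not in seen:
            seen.append(f.key_version)
    return seen


def summarize(findings: List[SuperAdminDecryptFailure]) -> str:
    if not findings:
        return "no super admin decrypt failures found"
    kvs = missing_key_versions(findings)
    return (f"{len(findings)} super admin decrypt failure(s); "
            f"unresolvable key version(s): {', '.join(kvs) or 'none logged'}; "
            "contact RSA Customer Support, do not edit the password in the database")


# Constructed sample modelled on the article's excerpt: stack traces cut short,
# an unrelated ERROR appended ('some.other.Component' is a placeholder).
SAMPLE_LOG = """\
09/05/2017 12:39:56.288 ERROR (default task-16) [com.aveksa.server.authentication.AuthenticationProviderServiceImpl] Error while fetching the super admin password
java.lang.IllegalStateException: An issue with handling encryption was encountered
\tat com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:507)
\tat com.aveksa.server.authentication.AuthenticationProviderServiceImpl.loginSuperAdmin(AuthenticationProviderServiceImpl.java:615)
Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version: keyVersion[EAn]; Value[ENCAEAn(zwF...)]
-- Check that the security key file is not missing
\tat com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:501)
\t... 53 more
09/05/2017 12:39:56.291 ERROR (default task-16) [com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData] Authentication Exception while checking for password
com.aveksa.server.authentication.AuthenticationProviderServiceException: Error while doing the authentication
Caused by: java.lang.IllegalStateException: An issue with handling encryption was encountered
Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version: keyVersion[EAn]; Value[ENCAEAn(zwF...)]
-- Check that the security key file is not missing
09/05/2017 12:40:02.100 ERROR (default task-3) [some.other.Component] unrelated failure
"""

if __name__ == "__main__":
    # Usage: python aveksa_superadmin_check.py /path/to/aveksaServer.log  (path hypothetical)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found = scan_aveksa_log(fh)
    else:
        found = scan_aveksa_log(SAMPLE_LOG.splitlines())
    print(summarize(found))
```

Run against the real log, the summary gives the number of failed super admin password fetches and the key version(s) the server could not resolve; both belong in the support case. A non-empty result is consistent with the Xmk.key-based tampering lockout this article describes, but it is a symptom check only: the article gives no supported self-service recovery, so the next step remains contacting RSA Customer Support.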

Resolution: For remediation of this issue, contact RSA Customer Support and refer to this article number. Do not try to work around the lockout by editing the AveksaAdmin password directly in the database or by re-importing the password in the older format: once Xmk.key exists, both are themselves treated as tampering.
