000035427 - How to recover the AveksaAdmin account password in RSA Identity Governance & Lifecycle 7.0.2 P02 and above

Document created by RSA Customer Support Employee on Apr 18, 2018
Version 1

Article Content

Article Number: 000035427
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2 P02+
Issue: Starting in RSA Identity Governance & Lifecycle 7.0.2 P02, the AveksaAdmin account password is hashed and encrypted in a format that is unique to each installation.

When importing data containing this password after performing a new installation or upgrade, RSA Identity Governance & Lifecycle creates a marker KEK file, called Xmk.key, which links the hashed and encrypted AveksaAdmin password to a specific deployment. After the Xmk.key file is created, RSA Identity Governance & Lifecycle handles subsequent attempts to import the AveksaAdmin password in the older format, or attempts to manually edit the AveksaAdmin password in the database, as potential tampering.

Restoring the AveksaAdmin password may be required in the following circumstances:
  • The AveksaAdmin password is lost or forgotten and needs to be reset.
  • After a new installation or upgrade, more than one attempt to import an old AveksaAdmin password has been detected, and the AveksaAdmin account has been locked out due to possible tampering. If this happens, the following symptoms may be seen:
    • Logging in to the AveksaAdmin account results in an invalid credentials error message.
    • A security-type event is logged in the Admin Errors table, with the description: "Super Admin account access denied." The event contains the details "Super admin password tampering has been detected. Password recovery steps must be taken before login to the Super Admin account is allowed, please consult documentation."
    • The T_AV_EVENT and T_AV_EVENT_INFO tables contain a failure audit event of type SUPER_ADMIN_ACCESS with the details "Possible Super Admin account password tampering detected, access denied."
    • The aveksaServer.log may have the following error:

      9/05/2017 12:39:56.288 ERROR (default task-16) [com.aveksa.server.authentication.AuthenticationProviderServiceImpl] Error while fetching the super admin password
      java.lang.IllegalStateException: An issue with handling encryption was encountered
      at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:507)
      at com.aveksa.server.authentication.AuthenticationProviderServiceImpl.loginSuperAdmin(AuthenticationProviderServiceImpl.java:615)
      at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.checkOldPassword(ModifySystemSettingsDialogData.java:604)
      at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validatePassword(ModifySystemSettingsDialogData.java:445)
      at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validateData(ModifySystemSettingsDialogData.java:489)
      at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleSubmit(ModifySystemSettingsDialogData.java:196)
      at com.aveksa.gui.pages.base.data.dialog.EditableDialogPageData.handleRequest(EditableDialogPageData.java:45)
      at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleRequest(ModifySystemSettingsDialogData.java:179)
      at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:597)
      at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:340)
      at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:271)
      at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:184)
      at com.aveksa.gui.core.MainManager.doGet(MainManager.java:128)
      at com.aveksa.gui.core.MainManager.doPost(MainManager.java:420)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
      at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:53)
      at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
      at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
      at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
      at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
      at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
      at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
      at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
      at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
      at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
      at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63)
      at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
      at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
      at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
      at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)
      at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
      at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
      at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:172)
      at java.security.AccessController.doPrivileged(Native Method)
      at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:169)
      at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
      at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:748)
      Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version: keyVersion[EAn]; Value[ENCAEAn(zwF...)]
      -- Check that the security key file is not missing

      at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:501)
      ... 53 more
      09/05/2017 12:39:56.291 ERROR (default task-16) [com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData] Authentication Exception while checking for password
      com.aveksa.server.authentication.AuthenticationProviderServiceException: Error while doing the authentication
      at com.aveksa.server.authentication.AuthenticationProviderServiceImpl.loginSuperAdmin(AuthenticationProviderServiceImpl.java:667)
      at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.checkOldPassword(ModifySystemSettingsDialogData.java:604)
      at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validatePassword(ModifySystemSettingsDialogData.java:445)
      at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validateData(ModifySystemSettingsDialogData.java:489)
      at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleSubmit(ModifySystemSettingsDialogData.java:196)
      at com.aveksa.gui.pages.base.data.dialog.EditableDialogPageData.handleRequest(EditableDialogPageData.java:45)
      at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleRequest(ModifySystemSettingsDialogData.java:179)
      at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:597)
      at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:340)
      at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:271)
      at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:184)
      at com.aveksa.gui.core.MainManager.doGet(MainManager.java:128)
      at com.aveksa.gui.core.MainManager.doPost(MainManager.java:420)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
      at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:53)
      at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
      at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
      at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
      at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
      at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
      at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
      at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
      at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
      at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
      at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
      at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63)
      at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
      at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
      at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
      at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)
      at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
      at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
      at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:172)
      at java.security.AccessController.doPrivileged(Native Method)
      at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:169)
      at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
      at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:748)
      Caused by: java.lang.IllegalStateException: An issue with handling encryption was encountered
      at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:507)
      at com.aveksa.server.authentication.AuthenticationProviderServiceImpl.loginSuperAdmin(AuthenticationProviderServiceImpl.java:615)
      ... 52 more
      Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version: keyVersion[EAn]; Value[ENCAEAn(zwF...)]
      -- Check that the security key file is not missing
      at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:501)
      ... 53 more
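
As an added example (not RSA's own tooling and not part of this article), the following script triages aveksaServer.log lines for the signature strings quoted in the symptom list above, so that the lockout pattern can be spotted during log review instead of by reading through the full stack trace. The sample log lines are constructed and shortened from the trace shown in this article; the pattern names and the assumption that each entry starts with the `MM/DD/YYYY HH:MM:SS.mmm LEVEL (thread)` header seen above are mine.

```python
"""Triage aveksaServer.log lines for the AveksaAdmin lockout symptoms.

Added example, not RSA's code. The signature strings are the ones the
article quotes from the log; everything else here is an assumption.
"""
import re
from collections import Counter

# Signature strings quoted in the article, keyed by a label of my own choosing.
SIGNATURES = {
    "fetch_error": re.compile(r"Error while fetching the super admin password"),
    "no_encryptor": re.compile(
        r"no associated encryptor for its embedded key version: keyVersion\[(?P<ver>[^\]]+)\]"
    ),
    "key_file_hint": re.compile(r"Check that the security key file is not missing"),
    "auth_exception": re.compile(r"Authentication Exception while checking for password"),
}

# Assumed entry header: "09/05/2017 12:39:56.288 ERROR (default task-16) [...]".
LOG_HEADER = re.compile(
    r"^(?P<ts>\d{1,2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<level>\w+) \((?P<thread>[^)]+)\)"
)

# Constructed sample: the article's trace with most "at ..." frames dropped,
# plus one unrelated INFO line so the scan has something to ignore.
SAMPLE_LOG = """\
09/05/2017 12:39:56.288 ERROR (default task-16) [com.aveksa.server.authentication.AuthenticationProviderServiceImpl] Error while fetching the super admin password
java.lang.IllegalStateException: An issue with handling encryption was encountered
    at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:507)
Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version: keyVersion[EAn]; Value[ENCAEAn(zwF...)]
-- Check that the security key file is not missing
    at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:501)
09/05/2017 12:39:56.291 ERROR (default task-16) [com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData] Authentication Exception while checking for password
09/05/2017 12:40:10.002 INFO (default task-17) [com.aveksa.server.Example] Unrelated routine message (constructed)
""".splitlines()


def scan(lines):
    """Count signature hits, collect embedded key versions, and tag each hit
    with the timestamp of the log entry it belongs to (stack-trace lines carry
    no header of their own, so the most recent header's timestamp is reused)."""
    hits = Counter()
    key_versions = set()
    timestamps = []
    last_ts = None
    for line in lines:
        header = LOG_HEADER.match(line.strip())
        if header:
            last_ts = header.group("ts")
        for name, pattern in SIGNATURES.items():
            match = pattern.search(line)
            if not match:
                continue
            hits[name] += 1
            if name == "no_encryptor":
                key_versions.add(match.group("ver"))
            timestamps.append((last_ts, name))
    return {
        "hits": dict(hits),
        "key_versions": sorted(key_versions),
        "timestamps": timestamps,
    }


def super_admin_lockout_suspected(lines):
    """The article's pattern: the super-admin fetch error together with the
    'no associated encryptor' cause. Either string alone is not enough."""
    result = scan(lines)
    return (
        result["hits"].get("fetch_error", 0) > 0
        and result["hits"].get("no_encryptor", 0) > 0
    )


if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    print("signature hits:", report["hits"])
    print("embedded key versions seen:", report["key_versions"])
    print("lockout pattern present:", super_admin_lockout_suspected(SAMPLE_LOG))
```

Running the script against a real log (for example `scan(open("aveksaServer.log").readlines())`) gives the timestamps of each hit, which is what you want when matching the log against the SUPER_ADMIN_ACCESS audit events and the Admin Errors entry before opening the support case the Resolution section asks for.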

       
Resolution: For remediation of this issue, please call RSA Customer Support and refer to this article.
