Article Number | 000036650 |
Applies To | RSA Product Set: SecurID; RSA Product/Service Type: RSA Authentication Manager Prime, Authentication Manager Integration Service (AMIS) |
Issue | The following error displays in the ../rsa/logs/amisam8.log:
INFO ,==DC== driver created in 131ms
INFO ,~[_internal-}~Begin session context: User id: $internal$
DEBUG,~[_internal-}~Set user context on current thread ==> 29 / InstanceID 6c0399f9-a689-4114-af35-9881924d53e5
INFO ,~[_internal-}~Service account authentication for user: amis-service
DEBUG,~[_internal-}~registered users flag: false
WARN ,~[_internal-}~Attempt to autenticate service account. User id does not have the correct service account role.: UserID: amis-service
|
Cause | The AMIS service account is not a member of the service account role that is defined by default in the am8-config.xml file:
<serviceAccount passwordDuration="25" durationWindow="5" storageAttribute="serviceAccountPolicy">
  <roles>service-accountrole1,service-accountrole2</roles>
</serviceAccount>
|
Resolution | Create a new empty administrative role with no real privileges and assign it to the service account:
- From the RSA Security Console, navigate to Administration > Administrative Roles > Add New.
- In the Administrative Role Name field, enter service-accountrole1 as a name for the new administrative role.
- Under Administrative Scope, choose the service accounts domain.
- Click Next to accept the name and domain scoping (with no changes).
- Click Next to accept General Permissions (with no changes).
- Click Next to accept Authentication Permissions (with no changes).
- Click Next to accept Self-Service Permissions (with no changes).
- Click Save to complete the creation of the new role.
- Go to Identity > Users > Manage Existing.
- Search for the amis-service account.
- Click on the context arrow next to the user ID and choose Administrative Roles > Assign More.
- Search for service-accountrole1.
- Place a check next to the role and click Assign Role.
|
Notes | - The service account should never be amis-bind; that account is used only directly by AMIS, and the service account has to be a different one.
- Create the administrative role under either of the names listed in am8-config.xml, service-accountrole1 or service-accountrole2; one of them is enough.
- You might need to restart the Tomcat service on the AMIS machine after applying this change:
service tomcat-amis restart
|
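As an added diagnostic example (not RSA's code, and not part of the original article), the script below shows the check that produces the WARN line above: it reads the `<roles>` list from a `<serviceAccount>` element in the am8-config.xml style, tests whether a user's assigned administrative roles intersect that list (any one configured role is enough, which is why either service-accountrole1 or service-accountrole2 works), and flags the user IDs that amisam8.log reports as rejected. The XML sample, the surrounding `<config>` root and the log lines are constructed for the example; the role names and log wording come from the article.

```python
"""Check whether an AMIS service account holds a configured service-account role.

Added example, not RSA Authentication Manager / AMIS code. It reproduces the
membership test implied by the article: the service account must hold at
least one of the roles listed under <serviceAccount><roles> in am8-config.xml.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the <serviceAccount> element from am8-config.xml.
# The <config> root element is a hypothetical wrapper; only <roles> matters here.
SAMPLE_CONFIG = """<config>
  <serviceAccount passwordDuration="25" durationWindow="5" storageAttribute="serviceAccountPolicy">
    <roles>service-accountrole1,service-accountrole2</roles>
  </serviceAccount>
</config>"""

# Constructed log lines in the amisam8.log format quoted in the article.
SAMPLE_LOG = [
    "INFO ,~[_internal-}~Service account authentication for user: amis-service",
    "DEBUG,~[_internal-}~registered users flag: false",
    "WARN ,~[_internal-}~Attempt to autenticate service account. "
    "User id does not have the correct service account role.: UserID: amis-service",
    "INFO ,~[_internal-}~Service account authentication for user: other-svc",
]

# Matches the rejection line and captures the offending user ID.
WARN_RE = re.compile(
    r"WARN .*does not have the correct service account role\.: UserID: (\S+)"
)


def configured_service_roles(config_xml: str) -> set:
    """Return the set of role names AMIS accepts for its service account."""
    root = ET.fromstring(config_xml)
    node = root.find(".//serviceAccount/roles")
    if node is None or not node.text:
        return set()
    # The list is comma-separated; tolerate stray whitespace around names.
    return {r.strip() for r in node.text.split(",") if r.strip()}


def has_service_account_role(user_roles, config_xml: str = SAMPLE_CONFIG) -> bool:
    """True when the user holds at least one configured role (any one suffices)."""
    return bool(set(user_roles) & configured_service_roles(config_xml))


def accounts_missing_role(log_lines) -> list:
    """Return user IDs that the log reports as lacking the service-account role."""
    found = []
    for line in log_lines:
        m = WARN_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    print("configured roles:", sorted(configured_service_roles(SAMPLE_CONFIG)))
    # An account that has only been given an unrelated (constructed) role fails;
    # assigning either configured role fixes it, as the Resolution describes.
    print("before fix:", has_service_account_role(["some-other-role"]))
    print("after fix :", has_service_account_role(["some-other-role", "service-accountrole1"]))
    print("rejected in log:", accounts_missing_role(SAMPLE_LOG))
```

Run it against the real am8-config.xml by passing the file's contents to `configured_service_roles` and against the roles shown for the service account in the Security Console; a non-empty result from `accounts_missing_role` on a tail of amisam8.log confirms the symptom before the role is assigned, and its absence after the Tomcat restart confirms the fix.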