Adding an additional Operations Console administrator fails with the error message Encrypted data could not be updated in RSA Authentication Manager 8.x
a month ago
Originally Published: 2019-01-10
Article Number
000042051
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
An Operations Console administrator is a user with permissions to perform administrative tasks in the Operations Console and to run some command line utilities. An attempt to create a new Operations Console administrator in the Security Console throws the following error:
 
Encrypted data could not be updated
 
User-added image
Cause
Creating an Operations Console administrator fails because the limit for  the maximum number of Operations Console administrator accounts has been reached. The /opt/rsa/am/server/logs/imsTrace.log with trace log level set to Verbose captures the underlying error.

2019-01-10 02:33:23,209, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (SystemfieldsUserAdministrationImpl.java:80), trace.com.rsa.ims.ocadmin.management.impl.SystemfieldsUserAdministrationImpl, ERROR, am82p.vcloud.local,,,,Failed to create systemfields user com.rsa.common.InvalidArgumentException: Failed to encrypt field com.rsa.pwd.auth.users
  at com.rsa.ims.ocadmin.management.util.SystemfieldsWrapper.setTextField(SystemfieldsWrapper.java:106)
  at com.rsa.ims.ocadmin.management.impl.AbstractSystemfieldsUsersAdministration.create(AbstractSystemfieldsUsersAdministration.java:68)      
  at com.rsa.ims.ocadmin.management.impl.SystemfieldsUserAdministrationImpl.create(SystemfieldsUserAdministrationImpl.java:73)
  at com.rsa.ims.ocadmin.management.CreateOcAdminCommandExecutive.performExecute(CreateOcAdminCommandExecutive.java:51)
  at com.rsa.ims.ocadmin.management.CreateOcAdminCommandExecutive.performExecute(CreateOcAdminCommandExecutive.java: 
  at com.rsa.command.TargetableCommand.performExecute(TargetableCommand.java:470)   
  at com.rsa.command.LocalTarget.executeCommand(LocalTarget.java:119)
  at com.rsa.ims.command.LocalTransactionalCommandTarget.access$0(LocalTransactionalCommandTarget.java:1)  
  at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:268)  
  at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:1)
  at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:131)
  at com.rsa.ims.command.LocalTransactionalCommandTarget.executeCommand(LocalTransactionalCommandTarget.java:260)   
  at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:933)
  at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:1)  
  at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:113)
  at com.rsa.security.SecurityContext.doAs(SecurityContext.java:439)
  at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:445)  
  at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:373)
  at com.rsa.command.CommandServerBean.executeCommand(CommandServerBean.java:89)
  at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.__WL_invoke(Unknown Source)
  at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:34)
  at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.executeCommand(Unknown Source)
  at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl_WLSkel.invoke(Unknown Source)
  at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:701)
  at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:231)
  at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:527)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)  
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)   
  at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:523)   
  at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)   
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:311)  
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:263)

Resolution
A maximum of 42 Operations Console administrators can be created in the Security Console.
Workaround
Like the super admin role, an Operations Console administrator account should only be granted to the most trusted administrators.

Operations Console administrators provide predefined roles and have the permissions required to perform most of the tasks offered by the Operations Console.  

As a workaround,
  1. From the Security Console navigate to Administration > Manage OC Administrators
  2. Review those users who are listed as Operations Console administrators, checking for admins who no longer administer the deployment.
  3. Click Delete to remove the administrator then confirm by clicking OK.
  4. Once admins have been removed, new Operations Console admins can be added.
Notes

Refer to documentation on how to Add an Operations Console Administrator

To set logging to Verbose,

  1. Logon to the Security Console and navigate to Setup > System Settings
  2. Under Basic Settings, select Logging
  3. Select the server on which to enable logging and click Next.  Note that if you choose the primary, there is an option on the next page to apply settings to all replicas.  
  4. Set the Trace Log value to Verbose
  5. Click Save.

 

Important: Do not set the trace logging level to verbose for extended periods of time unless instructed to do so by RSA Customer Support. Trace logs may occupy large amounts of disk space and this can impact system performance.

Related Articles

Trending Articles

Don't see what you're looking for?