AveksaAdmin Super Account Locked or Password Lost in RSA Governance & Lifecycle
Originally Published: 2017-08-02
Article Number
000063454
Applies To
  • Product: RSA Identity Governance & Lifecycle
  • Version: 7.x, 8.x
  • Component: AveksaAdmin Super Admin Account, Authentication Module
  • Key File Involved: Xmk.key (installation-specific password encryption key)
  • Operating System: Linux
  • Required User: aveksa user (AveksaAdmin)

 

Issue

The AveksaAdmin Super Admin account in RSA Identity Governance & Lifecycle is inaccessible — either the password has been lost or forgotten, or the account has been locked following detection of a possible password tampering event after an installation or upgrade.

This article applies if you are experiencing one or both of the following scenarios:

  • Scenario 1 — Password Lost or Forgotten: The AveksaAdmin password is unknown and needs to be reset.
  • Scenario 2 — Account Locked Due to Tampering Detection: After a new installation or upgrade, more than one attempt to import an old AveksaAdmin password was detected, and the account has been automatically locked.

Observable symptoms include:

  • Logging in to the AveksaAdmin account returns an invalid credentials error message, even with the correct password.
  • A security event is visible in Admin > Admin Errors with the description: Super Admin account access denied.
  • The event details contain: Super admin password tampering has been detected. Password recovery steps must be taken before login to the Super Admin account is allowed.
  • The T_AV_EVENT and T_AV_EVENT_INFO database tables contain a failure audit event of type SUPER_ADMIN_ACCESS with the details: Possible Super Admin account password tampering detected, access denied.
  • The following key errors appear in aveksaServer.log (located at $AVEKSA_HOME/logs/aveksaServer.log):
    ERROR [AuthenticationProviderServiceImpl] Error while fetching the super admin password
    java.lang.IllegalStateException: An issue with handling encryption was encountered
    Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version -- Check that the security key file is not missing

 

NOTE: The full Java stack trace associated with this error is available in the Appendix at the bottom of this article. If opening a support case, include the full aveksaServer.log excerpt.
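
The log symptoms listed above can be checked for with a short script. The following is an added example, not RSA's own tooling: it groups each log record with its stack-trace lines and reports records that contain the error strings quoted in this article. The function name, the timestamp layout and the sample log are assumptions constructed for illustration.

```python
import re

# Substrings quoted from the aveksaServer.log symptom lines in this article.
SIGNATURES = {
    "fetch_failed": "Error while fetching the super admin password",
    "crypto_error": "An issue with handling encryption was encountered",
    "no_encryptor": "has no associated encryptor for its embedded key version",
}

# Assumption: stack-trace continuation lines start with a qualified exception
# class name, "Caused by:", an "at" frame, or "... N more".
CONTINUATION = re.compile(
    r"^\s*(?:Caused by: |at |\.\.\. \d+ more|(?:[\w$]+\.)+[\w$]*(?:Exception|Error)\b)"
)

def find_super_admin_errors(lines):
    """Group each log record with its trace lines and report matching records."""
    records, current = [], None
    for lineno, line in enumerate(lines, start=1):
        if current is None or not CONTINUATION.match(line):
            current = {"line": lineno, "matched": set()}
            records.append(current)
        for name, text in SIGNATURES.items():
            if text in line:
                current["matched"].add(name)
    hits = [r for r in records if r["matched"]]
    for r in hits:
        # The no_encryptor message itself says to check the security key file.
        r["check_key_file"] = "no_encryptor" in r["matched"]
    return hits

# Constructed sample; the timestamp layout is an assumption, not taken from the product.
SAMPLE_LOG = """\
2024-01-01 10:00:00 INFO  [Startup] Server started
2024-01-01 10:00:05 ERROR [AuthenticationProviderServiceImpl] Error while fetching the super admin password
java.lang.IllegalStateException: An issue with handling encryption was encountered
\tat com.example.Placeholder.frame(Placeholder.java:1)
Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version -- Check that the security key file is not missing
2024-01-01 10:00:09 ERROR [Scheduler] Unrelated failure
""".splitlines()

if __name__ == "__main__":
    for hit in find_super_admin_errors(SAMPLE_LOG):
        print(hit["line"], sorted(hit["matched"]), "check key file:", hit["check_key_file"])
```

To run it against a real server, pass the lines of $AVEKSA_HOME/logs/aveksaServer.log to find_super_admin_errors instead of SAMPLE_LOG.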

Resolution

Starting in version 7.0.2 P02, the AveksaAdmin password is hashed and encrypted using an installation-specific key stored in the Xmk.key file — if this file is missing, mismatched, or if an incompatible password is imported, the authentication system locks the Super Admin account as a security measure.

When a new installation or upgrade is performed and existing AveksaAdmin password data is imported, RSA Identity Governance & Lifecycle generates the Xmk.key file to link the encrypted password to that specific deployment. Any subsequent attempt to import an AveksaAdmin password in an older or incompatible format — or to manually edit the password directly in the database — is treated by the system as potential tampering, triggering an automatic lockout of the Super Admin account.

This commonly occurs after an upgrade or fresh installation where administrators attempt to restore or migrate AveksaAdmin credentials more than once, or where the Xmk.key file is absent from the expected location on the application server.

 

Please contact RSA Support to have the AveksaAdmin password reset.

Notes