Error "System was modified beyond the allowed threshold, cannot decrypt" on RSA Authentication Manager 8.x
Originally Published: 2021-05-20
Article Number
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
- RSA Authentication Manager 8.x fails to boot normally, and the following error appears during bootup: "com.rsa.ims.security.keymanager.sys.SystemModificationThresholdException: System was modified beyond the allowed threshold, cannot decrypt."
- RSA Authentication Manager services fail to start.
- RSA Authentication Manager Server does not allow reverting to default certificate.
Cause
Resolution
An administrator must run the command rsautil manage-secrets -a recover to reset the system fingerprint.
1. Using the steps in 000038244 - SSH to an RSA Authentication Manager server, use the rsaadmin account to log on to the operating system hosting the Authentication Manager instance.

    login as: rsaadmin
    Using keyboard-interactive authentication.
    Password: <enter operating system user password>
    Last login: Thu May 20 09:18:20 2021 from jumphost.vcloud.local
    RSA Authentication Manager Installation Directory: /opt/rsa/am

2. Go to /opt/rsa/am/utils.
3. Use the command ./rsautil manage-secrets -a recover to restore the system fingerprint.

    rsaadmin@am85:> cd /opt/rsa/am/utils
    rsaadmin@am85:/opt/rsa/am/utils> ./rsautil manage-secrets -a recover
    Please enter OC Administrator username: <enter Operations Console administrator name>
    Please enter OC Administrator password: <enter Operations Console administrator password>
    Machine fingerprint restored successfully.

4. Go to /opt/rsa/am/server and restart all RSA Authentication Manager services for the change to take effect. See How to stop, start, and restart RSA Authentication Manager 8.x services at the command line.