Unable to delete a Security Domain in RSA Authentication Manager 8.x

15 days ago

Originally Published: 2017-08-11

Article Number

000045561

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Platform: SuSE Linux
O/S Version: SuSe Linux Enterprise 11 SP4

Issue

When deleting a Security Domain, it encounters an error: User-added image

There was a problem processing your request. 
An attempt to update or delete a security domain resulted in a dependency violation on externally managed resources such as roles or users

Procedure to delete a Security Domain:
In the Security Console, click Administration > Security Domains > Manage Existing.
Use the Search tab or the Browse tab to find the security domain that you want to delete. Some fields are case sensitive.
Click the security domain that you want to delete, and select Delete.
Select Yes, delete this security domain.
Click Delete Security Domain.

Cause

There are some objects, such as users, groups, agents and administrative roles, that are associated with the security domain.
You cannot delete the security domain until you remove the objects by deleting them or moving them to another security domain.

Resolution

Move users, groups, tokens, agents and administrative roles to another SystemDomain

Review Web Documents for details of moving users, groups, agents, tokens, and administrative roles to a new Security Domain

In some cases, administrators have an environment where some objects are still associated with the security domain but cannot find what they are.

Administrator requires Posgres Database access to run SQL commands.
1. Open an SSH session on the Authentication Manager primary and run the commands in bold to capture the com.rsa.db.dba.password

login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter OS password>
Last login: Wed Jan 14 10:27:53 2017 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> cd /opt/rsa/am/utils
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console admin's name>
Please enter OC Administrator password: <enter Operations Console admin's password>
com.rsa.db.dba.password: rSAD5bGguLGNL9uGvFWnJoxIcHJah2
rsaadmin@am81p:/opt/rsa/am/utils> cd ../pgsql/bin
rsaadmin@am81p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <enter the com.rsa.db.dba.password captured above>
psql.bin (9.2.4)

2. Run a SQL command to find a table information:

select name,id from rsa_rep.ims_security_domain where name='ims_security_domain';

where ims_security_domain is the name of Security Domain

A sample output is:

name                 |              id
---------------------------------------------------------
ims_security_domain  | 036e1d1a0b80a8c04c203eddeabe8bf5

3. Run a SQL command with id from above to check the dependency in Security Domain table:

delete from rsa_rep.ims_security_domain where id='036e1d1a0b80a8c04c203eddeabe8bf5';

A sample output is:

db=#
ERROR: update or delete on table "ims_security_domain" violates foreign key constraint "fk_sec_dom_token" on table "am_token"
DETAIL: Key (id)=(036e1d1a0b80a8c04c203eddeabe8bf5) is still referenced from table "am_token".
db=#

Note that outputs may vary depending on the objects still associated with the Security Domain table. In the above example, it was a token object and it may be users, groups, agents, and/or administrative roles.

4. Remove the objects by deleting them or moving them to another security domain

Don't see what you're looking for?

Related Articles

Trending Articles