This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA® Access Manager Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by RSA Access Manager experts.

AxM - ClassCastException causes critical aserver failure

Article Number

000029972

Applies To

RSA Product Set: ClearTrust
RSA Product/Service Type: Access Manager
RSA Version/Condition: 6.2
Platform: Linux
Platform (Other): null
O/S Version: Red Hat Enterprise Linux 5.x
Product Name: null
Product Description: null

Issue

Users are unable to authenticate to RSA Access Manager.

The RSA Access Manager Agent log file at normal log level logs the following critical log message:

2015-03-31 10:47:02 -0700 - [4924] - <Critical> - Critical error: CT_AUTH_UNKNOWN_ERROR

The RSA Access Mangager Agent log file at DEBUG log level shows the following:

2015-03-31 10:47:02 -0700 - [4924] - <Info> - Result map: EXCEPTION_TYPE\nSERVER_ERROR
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Authentication return code: 100
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Status is 100 (CT_AUTH_UNKNOWN_ERROR)
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Previous user: (null), current user: user2
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Previous status is CT_SESSION_ACTIVE
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Attempt multiple authentication is false and status is not CT_SESSION_ACTIVE, breaking
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Status is not CT_CHECK_ACCESS_REQUIRED
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Resetting status to: 100
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Authenticated bit from table: 0
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - URI: /cleartrust/ct_logon.asp, User: user2
2015-03-31 10:47:02 -0700 - [4924] - <Debug> - Status is: 100
2015-03-31 10:47:02 -0700 - [4924] - <Critical> - Critical error: CT_AUTH_UNKNOWN_ERROR

The RSA Access Manager aserver.out file in DEBUG mode shows the following exception:

15:28:15:598 [*] [pool-8-thread-1] -   postalcode
15:28:15:598 [*] [pool-8-thread-1] -   postalcode
15:28:15.599 ldc=8 op=26 SearchRequest {baseObject=ou=People, dc=corp, dc=rsasecurity, scope=1, derefAliases=0,sizeLimit=1000, timeLimit=0, attrsOnly=false, filter=(&(objectclass=inetOrgPerson)(uid=user1)), attributes=uid+userpassword+ctscAccountStartDate+ctscAccountEndDate+ctscPasswordCreationDate+ctscPasswordExpirationDate+ctscUserKeywords+ctscUserKeywords+ctscUserKeywords+ctscFailedLoginCount+ctscLockoutExpirationDate+ctscLastResetDate+mail+givenname+sn+postalcode+postalcode}
15:28:15.600 ldc=8 op=26 SearchResponse {entry='uid=user1,ou=People,dc=corp,dc=rsasecurity', attributes='LDAPAttribute {type='uid', values='user1'},LDAPAttribute {type='userpassword', values='{SSHA}EvtMBX/5petUzDOCXc0CoG/bvmDgfWucHjDlkw=='},LDAPAttribute {type='ctscAccountStartDate', values='20130328230104Z'},LDAPAttribute {type='ctscAccountEndDate', values='20220328230100Z'},LDAPAttribute {type='ctscPasswordCreationDate', values='20130328230140Z'},LDAPAttribute {type='ctscPasswordExpirationDate', values='20130527230140Z'},LDAPAttribute {type='ctscUserKeywords', values='NotExpired,PasswordPolicy'},LDAPAttribute {type='ctscLockoutExpirationDate', values='20130328230140Z'},LDAPAttribute {type='ctscLastResetDate', values='20130328230140Z'},LDAPAttribute {type='mail', values='user1@supportlab7.com'},LDAPAttribute {type='sn', values='user1'},LDAPAttribute {type='postalcode', values='User1Value'}'}
15:28:15.600 ldc=8 op=26 SearchResult {resultCode=0}
15:28:15:607 [*] [pool-8-thread-1] - 
***************************
15:28:15:607 [*] [pool-8-thread-1] - RPCManager.invokeLocalProcedure(): Exception in myDomainMapper.convertNodeToObject()
15:28:15:607 [*] [pool-8-thread-1] - java.lang.ClassCastException: java.lang.String cannot be cast to java.util.List
java.lang.ClassCastException: java.lang.String cannot be cast to java.util.List
    at sirrus.da.auth.Entity.initSpecialPropertyMaps(Entity.java:962)
    at sirrus.da.ldap.auth.LDAPEntity.init(LDAPEntity.java:134)
    at sirrus.da.ldap.auth.LDAPEntity.<init>(LDAPEntity.java:116)
    at sirrus.da.ldap.auth.LDAPUser.<init>(LDAPUser.java:86)
    at sirrus.da.ldap.auth.factory.LDAPEntityFactory.getUserByName_aroundBody2(LDAPEntityFactory.java:249)
    at sirrus.da.ldap.auth.factory.LDAPEntityFactory$AjcClosure3.run(LDAPEntityFactory.java:1)
    at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
    at sirrus.perf.LogExecutionTimeAspect.coreLogic(LogExecutionTimeAspect.java:123)
    at sirrus.perf.LogExecutionTimeAspect.ajc$inlineAccessMethod$sirrus_perf_LogExecutionTimeAspect$sirrus_perf_LogExecutionTimeAspect$coreLogic(LogExecutionTimeAspect.java:1)
    at sirrus.perf.LogExecutionTimeAspect.adviceAtDALLayer(LogExecutionTimeAspect.java:66)
    at sirrus.da.ldap.auth.factory.LDAPEntityFactory.getUserByName(LDAPEntityFactory.java:209)
    at sirrus.da.auth.cache.factory.CachingEntityFactory.getUserByName_aroundBody2(CachingEntityFactory.java:274)
    at sirrus.da.auth.cache.factory.CachingEntityFactory$AjcClosure3.run(CachingEntityFactory.java:1)
    at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
    at sirrus.perf.LogExecutionTimeAspect.coreLogic(LogExecutionTimeAspect.java:123)
    at sirrus.perf.LogExecutionTimeAspect.ajc$inlineAccessMethod$sirrus_perf_LogExecutionTimeAspect$sirrus_perf_LogExecutionTimeAspect$coreLogic(LogExecutionTimeAspect.java:1)
    at sirrus.perf.LogExecutionTimeAspect.adviceAtDALLayer(LogExecutionTimeAspect.java:66)
    at sirrus.da.auth.cache.factory.CachingEntityFactory.getUserByName(CachingEntityFactory.java:203)
    at sirrus.da.auth.Entity.getUserByName(Entity.java:88)
    at sirrus.authserver.AuthorizationAPI.getEntityByMap(AuthorizationAPI.java:3795)
    at sirrus.authserver.AuthorizationAPI.authenticate(AuthorizationAPI.java:762)
    at sirrus.authserver.DebugAuthorizationAPI.authenticate(DebugAuthorizationAPI.java:134)
    at sirrus.authserver.DebugAuthorizationAPI.authenticate(DebugAuthorizationAPI.java:122)
    at sirrus.authserver.TCPServerAPIAdaptor.authenticate_aroundBody2(TCPServerAPIAdaptor.java:94)
    at sirrus.authserver.TCPServerAPIAdaptor$AjcClosure3.run(TCPServerAPIAdaptor.java:1)
    at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
    at sirrus.perf.LogExecutionTimeAspect.coreLogic(LogExecutionTimeAspect.java:123)
    at sirrus.perf.LogExecutionTimeAspect.ajc$inlineAccessMethod$sirrus_perf_LogExecutionTimeAspect$sirrus_perf_LogExecutionTimeAspect$coreLogic(LogExecutionTimeAspect.java:1)
    at sirrus.perf.LogExecutionTimeAspect.adviceAtRuntimeAPI(LogExecutionTimeAspect.java:38)
    at sirrus.authserver.TCPServerAPIAdaptor.authenticate(TCPServerAPIAdaptor.java:88)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at sirrus.util.io.rpc.FunctionMapping.createObjectFromFunctionNode(FunctionMapping.java:127)
    at sirrus.util.io.rpc.BasicDomainMapper$8.map(BasicDomainMapper.java:255)
    at sirrus.util.io.rpc.NodeToObjectMapper.map(NodeToObjectMapper.java:45)
    at sirrus.util.io.rpc.BasicDomainMapper.convertFunctionNodeToObject(BasicDomainMapper.java:244)
    at sirrus.util.io.rpc.fope.FunctionNode.convertToObject(FunctionNode.java:67)
    at sirrus.util.io.rpc.BasicDomainMapper.convertNodeToObject(BasicDomainMapper.java:225)
    at sirrus.util.io.rpc.RPCManager.invokeLocalProcedure_aroundBody0(RPCManager.java:146)
    at sirrus.util.io.rpc.RPCManager$AjcClosure1.run(RPCManager.java:1)
    at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
    at sirrus.perf.LogExecutionTimeAspect.coreLogic(LogExecutionTimeAspect.java:123)
    at sirrus.perf.LogExecutionTimeAspect.ajc$inlineAccessMethod$sirrus_perf_LogExecutionTimeAspect$sirrus_perf_LogExecutionTimeAspect$coreLogic(LogExecutionTimeAspect.java:1)
    at sirrus.perf.LogExecutionTimeAspect.adviceAtMUXLayer(LogExecutionTimeAspect.java:111)
    at sirrus.util.io.rpc.RPCManager.invokeLocalProcedure(RPCManager.java:129)
    at sirrus.authserver.MuxRequestThreadPool$MuxWorkerTask.call(MuxRequestThreadPool.java:387)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:722)
15:28:15:611 [*] [pool-8-thread-1] - ***************************
 

Cause

This error occurs if more than one user property is defined with the same user property name.  Only one instance of a user property name may exist. 

This issue may occur due to a feature change with regards to Administrative Group permissions introduced in Access Manager 6.2. Prior to 6.2 user properties were considered global objects that could be manipulated by any Administrative group. When adding a new user property we checked to see if the user property already existed and prevented any attempts to create duplicateuser property names. In 6.2 we introduced a security change so that user properties were assigned to a specific Administrative Group and only Administrators of that group have permission to create, manipulate and if the user property is marked Private to view user properties in that group. What was not anticipated with this change was that there still was a requirement to do a check for the existence of the same user property in other administrative groups when creating user properties to prevent duplicate user property names from being defined. In the current code because an administrator does not have permission to view other user properties, it allows that administrator to create a duplicate user property with the same name.

Resolution

This issue is will be fixed in a hotfix for RSA Access Manager 6.2.3 (SP3)   Contact RSA Customer Support and request the latest cumulative hotfix. 

6.2.3 (SP3) allows separate user properties to be defined with the same name for administrative purposes, but at runtime the user property will be treated as a single user property. 

Workaround

  1. Create user properties as Public rather than Private.   Public properties are viewable by other administrators and it is not possible to create a user property with the same name as an existing public user property.
  2. Use a SuperUser Administrative User to create user properties.   The SuperUser can still create user properties visible only to specific administrative groups, but it will always check for the any existing of any public or private user properties with the same name before doing so.
  3. Create Administrative Roles to restrict creation of user properties to administrators in a particular administrative group, or to superusers for example the Default Administrative Group.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-13 07:52 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.