This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

How to recover the AveksaAdmin account password in RSA Identity Governance & Lifecycle 7.0.2 P02 and above

Article Number

000035427

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2 P02+

Issue

Starting in RSA Identity Governance & Lifecycle 7.0.2 P02, the AveksaAdmin Account password is hashed and encrypted in a format that is unique to each installation.

When importing data containing this password after performing a new installation or upgrade, RSA Identity Governance & Lifecycle creates a marker KEK file, called Xmk.key, which links the hashed and encrypted AveksaAdmin password to a specific deployment. After the Xmk.key file is created, RSA Identity Governance & Lifecycle handles subsequent attempts to import the AveksaAdmin password in the older format, or attempts to manually edit the AveksaAdmin password in the database, as potential tampering.

Restoring the AveksaAdmin password may be required in the following circumstances:
  • The AveksaAdmin password is lost or forgotten and needs to be reset.
  • After a new installation or upgrade, more than one attempt to import an old AveksaAdmin password has been detected, and the AveksaAdmin account has been locked out due to possible tampering. If this happens, the following symptoms may be seen: 
    • Logging in to the AveksaAdmin account results in an invalid credentials error message.
    • A security-type event is logged in the Admin Errors table, with the follwing description: 
Super Admin account access denied. 
  • The event contains the following details:
Super admin password tampering has been detected. Password recovery steps must be taken before login to the Super Admin account is allowed, please consult documentation.
  • The T_AV_EVENT and T_AV_EVENT_INFO tables contain a failure audit event of type SUPER_ADMIN_ACCESS with the details:
Possible Super Admin account password tampering detected, access denied.
  • The aveksaServer.log may have the following error: 
    
9/05/2017 12:39:56.288 ERROR (default task-16) [com.aveksa.server.authentication.AuthenticationProviderServiceImpl] Error while fetching the super admin password 
java.lang.IllegalStateException: An issue with handling encryption was encountered 
at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:507) 
at com.aveksa.server.authentication.AuthenticationProviderServiceImpl.loginSuperAdmin(AuthenticationProviderServiceImpl.java:615) 
at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.checkOldPassword(ModifySystemSettingsDialogData.java:604) 
at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validatePassword(ModifySystemSettingsDialogData.java:445) 
at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validateData(ModifySystemSettingsDialogData.java:489) 
at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleSubmit(ModifySystemSettingsDialogData.java:196) 
at com.aveksa.gui.pages.base.data.dialog.EditableDialogPageData.handleRequest(EditableDialogPageData.java:45) 
at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleRequest(ModifySystemSettingsDialogData.java:179) 
at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:597) 
at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:340) 
at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:271) 
at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:184) 
at com.aveksa.gui.core.MainManager.doGet(MainManager.java:128) 
at com.aveksa.gui.core.MainManager.doPost(MainManager.java:420) 
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) 
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) 
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) 
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) 
at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:53) 
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) 
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) 
at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20) 
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) 
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) 
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) 
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) 
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) 
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) 
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) 
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) 
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) 
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) 
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) 
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) 
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) 
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) 
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) 
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) 
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) 
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) 
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) 
at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:172) 
at java.security.AccessController.doPrivileged(Native Method) 
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:169) 
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) 
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) 
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) 
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) 
at java.lang.Thread.run(Thread.java:748) 
Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version: keyVersion[EAn]; Value[ENCAEAn(zwF...)] 
-- Check that the security key file is not missing 
at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:501) 
... 53 more 
09/05/2017 12:39:56.291 ERROR (default task-16) [com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData] Authentication Exception while checking for password 
com.aveksa.server.authentication.AuthenticationProviderServiceException: Error while doing the authentication 
at com.aveksa.server.authentication.AuthenticationProviderServiceImpl.loginSuperAdmin(AuthenticationProviderServiceImpl.java:667) 
at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.checkOldPassword(ModifySystemSettingsDialogData.java:604) 
at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validatePassword(ModifySystemSettingsDialogData.java:445) 
at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.validateData(ModifySystemSettingsDialogData.java:489) 
at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleSubmit(ModifySystemSettingsDialogData.java:196) 
at com.aveksa.gui.pages.base.data.dialog.EditableDialogPageData.handleRequest(EditableDialogPageData.java:45) 
at com.aveksa.gui.pages.admin.system.settings.edit.ModifySystemSettingsDialogData.handleRequest(ModifySystemSettingsDialogData.java:179) 
at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:597) 
at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:340) 
at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:271) 
at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:184) 
at com.aveksa.gui.core.MainManager.doGet(MainManager.java:128) 
at com.aveksa.gui.core.MainManager.doPost(MainManager.java:420) 
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) 
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) 
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) 
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) 
at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:53) 
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) 
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) 
at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20) 
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) 
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) 
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) 
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) 
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) 
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) 
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) 
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) 
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) 
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) 
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63) 
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) 
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) 
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) 
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) 
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) 
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) 
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261) 
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247) 
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76) 
at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:172) 
at java.security.AccessController.doPrivileged(Native Method) 
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:169) 
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197) 
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759) 
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) 
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) 
at java.lang.Thread.run(Thread.java:748) 
Caused by: java.lang.IllegalStateException: An issue with handling encryption was encountered 
at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:507) 
at com.aveksa.server.authentication.AuthenticationProviderServiceImpl.loginSuperAdmin(AuthenticationProviderServiceImpl.java:615) 
... 52 more 
Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version: keyVersion[EAn]; Value[ENCAEAn(zwF...)] 
-- Check that the security key file is not missing 
at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:501) 
... 53 more

Resolution

For remediation of this issue, please call RSA Customer Support and refer to this article.
0 Likes
Was this article helpful? Yes No
0% helpful (0/1)

In this article

Version history
Last update:
‎2021-04-23 12:17 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.