RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0 patch 5
When logged into the Security Console and selecting Settings > Self Service Settings and then selecting Identity Sources the following error displays:
Identity sources are configured and users are seen in the Security Console.
There was a problem processing your request.
No Identity Source is available
Users can log onto self-service console page and request a token.
Admins can assign tokens and see both internal and external identity sources.
In the Security Console, set logging to verbose
Review the /opt/rsa/am/....imsTrace.log fopr messages such as:
2014-10-21 13:10:40,617, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (AbstractPropertiesSynchronizer.java:695), trace.com.rsa.ims.security.keymanager.sys.AbstractPropertiesSynchronizer, WARN, den-prod-auth-01.quickplay.local,,,,Database information not found
com.rsa.common.DataNotFoundException: No data for 0000-Global-0000.ims.sso.filter.properties found
The reason for this error is that there is a difference in the enrollment of identity sources is different from Authentication Manager 7.1 to Authentication Manager 8.0/8.1; that is, only internal database users are enrolled in Authentication Manager 8.0/8.1. Migration from 7.1 to 8.0/8.1 has introduced the above issue. The root cause of the defect is how the migration is handled for user enrollment.
A fix for this issue is scheduled for Authentication Manager 8.1 patch 6 or patch 7.
- Launch an SSH client, such as PuTTY.
- Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.
Note that during Quick Setup another user name may have been selected. Use that user name to login.
- Navigate to /opt/rsa/am/utils.
- Run the command rsautil manage-secrets -a get com.rsa.db.dba.password to obtain the com.rsa.db.dba.password. You will need to provide the Operations Console user name and password to run the command. Record the value for the password returned.
rsaadmin@am81p:~> cd /opt/rsa/am/utils/
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console admin user name>
Please enter OC Administrator password: <enter Operations Console admin password>
com.rsa.db.dba.password: <output of the com.rsa.db.dba.password for your instance>
- Navigate to /opt/rsa/am/pgsql/bin:
- Run the following commands:
./psql -h localhost -p 7050 -d db -U rsa_dba -c 'select * from RSA_REP.UCM_IDENTITY_SOURCES;' -o /tmp/idsources.txt
./psql -h localhost -p 7050 -d db -U rsa_dba -c 'select id, name, src_type, internal_store, runtime_only FROM RSA_REP.IMS_IDENTITY_SOURCE;' -o /tmp/idnames.txt
- Look in for the identitysource_id in idsources.txt and the runtime_only in the idnames,txt file, the values should be the same, e.g. 24205f6d0465a8c0027cf59121f24159, This value will be used in the workaround update.
- Since this update uses single ticks, run it from SQL instead of with -c:
./psql -h localhost -p 7050 -d db -U rsa_dba -o /tmp/updateIS.txt
Password for user rsa_dba: <enter the password from step 4 above>
db-# UPDATE RSA_REP.UCM_IDENTITY_SOURCES SET available_status=0 WHERE identitysource_id='24205f6d0465a8c0027cf59121f24159';
The above query should resolve the issue. Make sure after running the query, the internal database is added for enrollment if required from Self-Service Settings
> Identity Sources
Same symptom as Jira
AM-27838/ AM-26825 which were fixed in patch 1