This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Unable to login to Self-Service Console after moving web tier to Internet in RSA Authentication Manager 8.4 patch 6

Article Number

000038115

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.4.0

Issue

One or more of the following errors occur:
  • When the user logs in to Self-Service Console, it displays the following error:
Sorry, your request cannot be processed at this time. It either has been processed or is bad request. Return to home and try again.
  • The [wt_home]/server/logs/imsConsoleTrace.log on the web tier shows the following error: 
com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR Caused by: com.rsa.common.SystemException: 
Access denied. The authentication request was routed through a load balancer/Proxy server that is not recognized by the system.
  • The /opt/rsa/am/server/logs/imsTrace.log shows an unknown IP address: 
trace.com.rsa.ims.sso.service.SSOServiceImpl, FATAL, <FQDN of Auth Manager server>,,,,Access denied. 
The authentication request was routed through a load balancer <IP address> (This IP is not used to define the virtual host in Operations Console).
  • The /opt/rsa/am/server/logs/imsTrace.log shows the following error:  
2019-10-14 16:35:04,156, [[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'], (SSOServiceImpl.java:285), 
trace.com.rsa.ims.sso.service.SSOServiceImpl, FATAL, <FQDN of Auth Manager server>,,,,Access denied. The authentication request was routed 
through a load balancer <IP address> that is not recognized by the system.
  • The opt/rsa/am/server/logs/AdminServer_access.log on Web Tier has the following lines showing the incorrect IP address:
#Start-Date: 2019-10-14 16:34:56
<IP address> 2019-10-14 16:34:56 0.313 GET / 302 285
<IP address> 2019-10-14 16:34:56 0.187 GET /console-selfservice/ 302 313
<IP address>  2019-10-14 16:34:57 0.844 GET /console-selfservice/SelfService.do 200 13280
<IP address> 2019-10-14 16:34:58 0.031 GET /console-selfservice/images/default/caret_gray.gif 200 56
<IP address> 2019-10-14 16:34:58 0.0 GET /console-selfservice/images/default/icn_help.gif 200 1648
<IP address> 2019-10-14 16:34:58 0.0 GET /console-selfservice/images/default/icn_help_caret.gif 200 49
<IP address> 2019-10-14 16:34:58 0.016 GET /console-selfservice/images/default/spacer.gif 200 43
<IP address> 2019-10-14 16:34:58 0.094 GET /console-selfservice/framework/rsa/css/framework-ext.css 200 20506
<IP address> 2019-10-14 16:34:58 0.0 GET /console-selfservice/images/default/icn_wait.gif 200 771
<IP address> 2019-10-14 16:34:58 0.203 GET /console-selfservice/framework/js/extjs/4.0.2a/resources/css/ext-all-gray.css 500 5931
<IP address> 2019-10-14 16:34:58 0.407 GET /console-selfservice/framework/js/extjs/4.0.2a/ext-all.js 500 5931
<IP address> 2019-10-14 16:34:58 0.141 GET /console-selfservice/images/default/selfservice_logo.gif 200 16268
<IP address> 2019-10-14 16:34:58 0.093 GET /console-selfservice/common/components/smartmenu/c_smartmenus.js 200

Cause

The authentication requests are coming from an IP address which is not defined in the load balancer details in the RSA Authentication Manager Operations Console.

Resolution

To resolve this issue,
  1. Login to the primary's RSA Authentication Manager Operations Console.
  2. Go to Deployment Configuration > Virtual Host & Load Balancing.
  3. Add the appropriate IP address in Load Balancer Details box and press Add when done.
  4. Press Save to exit.

Workaround

 Bypassing the loadbalancer IP check:
 
  1. SSH to v8.0 appliance as rsaadmin.
  2. Obtain Database Administrator User ID (rsa_dba) password. 
    NOTE: the OC Administrator username and returned rsa_dba password shown below are example values only.
rsaadmin@am8-p:~> cd /opt/rsa/am/utils
rsaadmin@am8-p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: ocadmin
Please enter OC Administrator password: ********
com.rsa.db.dba.password: FO3hibQ7dCYPQpeXjHsP7xxwhSpJEK
     
  3. Connect to the Authentication Manager 8.x database. 
    rsaadmin@am8-p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
     
  4. You will be prompted for the com.rsa.db.dba.password obtained previously.  SQL queries can then be run from the command line then bypass the loadbalance IP issue: 
    rsaadmin@am8p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba:
psql.bin (9.1.9)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

db=#UPDATE RSA_REP.ims_config_value SET value='true' WHERE name='ims.sso.service.bypass_loadbalancer_config_check';
  5. Finally, restart AM services: 
    rsaadmin@amp:/opt/rsa/am/server> ./rsaserv restart all
  6. Check if Webtiers require reinstallation and the issue will be resolved afterwards.

Notes

There can be up to 30 logs stored for the imsTrace.log, imsConsoleTrace.log and Admin_Server_access files. Additional files will have a number value appended to the file name (file name.log.1, file name.log.2, so on).
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 08:20 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.