When a user logs in to the Self-Service Console, the following error is displayed:
Sorry, your request cannot be processed at this time. It either has been processed or is bad request. Return to home and try again.
The [wt_home]/server/logs/imsConsoleTrace.log on the web tier shows the following error:
com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR Caused by: com.rsa.common.SystemException:
Access denied. The authentication request was routed through a load balancer/Proxy server that is not recognized by the system.
The /opt/rsa/am/server/logs/imsTrace.log shows an unknown IP address:
trace.com.rsa.ims.sso.service.SSOServiceImpl, FATAL, <FQDN of Auth Manager server>,,,,Access denied.
The authentication request was routed through a load balancer <IP address> (This IP is not used to define the virtual host in Operations Console).
The /opt/rsa/am/server/logs/imsTrace.log shows the following error:
2019-10-14 16:35:04,156, [[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'], (SSOServiceImpl.java:285),
trace.com.rsa.ims.sso.service.SSOServiceImpl, FATAL, <FQDN of Auth Manager server>,,,,Access denied. The authentication request was routed
through a load balancer <IP address> that is not recognized by the system.
The /opt/rsa/am/server/logs/AdminServer_access.log on the web tier has the following lines showing the incorrect IP address:
#Start-Date: 2019-10-14 16:34:56
<IP address> 2019-10-14 16:34:56 0.313 GET / 302 285
<IP address> 2019-10-14 16:34:56 0.187 GET /console-selfservice/ 302 313
<IP address> 2019-10-14 16:34:57 0.844 GET /console-selfservice/SelfService.do 200 13280
<IP address> 2019-10-14 16:34:58 0.031 GET /console-selfservice/images/default/caret_gray.gif 200 56
<IP address> 2019-10-14 16:34:58 0.0 GET /console-selfservice/images/default/icn_help.gif 200 1648
<IP address> 2019-10-14 16:34:58 0.0 GET /console-selfservice/images/default/icn_help_caret.gif 200 49
<IP address> 2019-10-14 16:34:58 0.016 GET /console-selfservice/images/default/spacer.gif 200 43
<IP address> 2019-10-14 16:34:58 0.094 GET /console-selfservice/framework/rsa/css/framework-ext.css 200 20506
<IP address> 2019-10-14 16:34:58 0.0 GET /console-selfservice/images/default/icn_wait.gif 200 771
<IP address> 2019-10-14 16:34:58 0.203 GET /console-selfservice/framework/js/extjs/4.0.2a/resources/css/ext-all-gray.css 500 5931
<IP address> 2019-10-14 16:34:58 0.407 GET /console-selfservice/framework/js/extjs/4.0.2a/ext-all.js 500 5931
<IP address> 2019-10-14 16:34:58 0.141 GET /console-selfservice/images/default/selfservice_logo.gif 200 16268
<IP address> 2019-10-14 16:34:58 0.093 GET /console-selfservice/common/components/smartmenu/c_smartmenus.js 200
The authentication requests are coming from an IP address that is not defined in the Load Balancer Details in the RSA Authentication Manager Operations Console.
To resolve this issue:
Log in to the primary's RSA Authentication Manager Operations Console.
Go to Deployment Configuration > Virtual Host & Load Balancing.
Add the appropriate IP address in the Load Balancer Details box and press Add when done.
Press Save to exit.
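To find which address to enter in Load Balancer Details, the rejected IPs can be pulled from imsTrace.log. The script below is an added example, not RSA code: the function names, the hostname am8-p.example.com, and the sample log lines (constructed, using documentation-range addresses) are assumptions.

```bash
#!/bin/sh
# Added example (not RSA code): list the load balancer/proxy addresses that
# SSOServiceImpl rejected in imsTrace.log and that are not yet configured.

# Constructed sample lines modelled on the imsTrace.log excerpts in this article.
# Hostname and addresses are placeholders from documentation ranges.
write_sample_log() {
    cat > "$1" <<'EOF'
2019-10-14 16:30:12,044, (SSOServiceImpl.java:285), trace.com.rsa.ims.sso.service.SSOServiceImpl, FATAL, am8-p.example.com,,,,Access denied. The authentication request was routed through a load balancer 192.0.2.10 that is not recognized by the system.
2019-10-14 16:35:04,156, (SSOServiceImpl.java:285), trace.com.rsa.ims.sso.service.SSOServiceImpl, FATAL, am8-p.example.com,,,,Access denied. The authentication request was routed through a load balancer 198.51.100.7 that is not recognized by the system.
2019-10-14 16:35:09,201, (SSOServiceImpl.java:285), trace.com.rsa.ims.sso.service.SSOServiceImpl, FATAL, am8-p.example.com,,,,Access denied. The authentication request was routed through a load balancer 198.51.100.7 that is not recognized by the system.
2019-10-14 16:36:30,512, (Example.java:1), trace.example, INFO, am8-p.example.com,,,,Unrelated constructed entry.
EOF
}

# unrecognized_lb_ips LOGFILE [CONFIGURED_IP ...]
# Prints "<count> <ip>" for each rejected address that is not in the list of
# IPs already entered in Operations Console (passed as extra arguments).
unrecognized_lb_ips() {
    lb_log=$1
    shift
    lb_configured=" $* "
    grep -Eo 'load balancer ([0-9]{1,3}\.){3}[0-9]{1,3}' "$lb_log" |
        awk '{print $3}' | sort | uniq -c |
        while read -r lb_count lb_ip; do
            case "$lb_configured" in
                *" $lb_ip "*) ;;                   # already configured, skip
                *) echo "$lb_count $lb_ip" ;;      # still missing from the list
            esac
        done
}

# Demo on the constructed sample; on an appliance, pass
# /opt/rsa/am/server/logs/imsTrace.log instead.
sample=$(mktemp)
write_sample_log "$sample"
unrecognized_lb_ips "$sample" 192.0.2.10
rm -f "$sample"
```

Each address reported should be confirmed as a load balancer or proxy that belongs to the deployment before it is added.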
Bypassing the load balancer IP check:
SSH to the v8.0 appliance as rsaadmin.
Obtain the Database Administrator User ID (rsa_dba) password.
NOTE: the OC Administrator username and returned rsa_dba password shown below are example values only.
rsaadmin@am8-p:~> cd /opt/rsa/am/utils
rsaadmin@am8-p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: ocadmin
Please enter OC Administrator password: ********
Connect to the Authentication Manager 8.x database.
rsaadmin@am8-p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
You will be prompted for the com.rsa.db.dba.password obtained previously. SQL queries can then be run from the command line. Run the following to bypass the load balancer IP check:
rsaadmin@am8p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba:
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
db=# UPDATE RSA_REP.ims_config_value SET value='true' WHERE name='ims.sso.service.bypass_loadbalancer_config_check';
Finally, restart AM services:
rsaadmin@amp:/opt/rsa/am/server> ./rsaserv restart all
Check whether the web tiers require reinstallation; the issue will be resolved afterwards.
There can be up to 30 logs stored for the imsTrace.log, imsConsoleTrace.log and Admin_Server_access files. Additional files will have a number value appended to the file name (file name.log.1, file name.log.2, and so on).