Extension token configuration does not exist in the configuration service on RSA Authentication Manager 8.2 and up while attempting to extend SecurID token lifetime.
Originally Published: 2019-11-08
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2, 8.3, 8.4, 8.5
Issue
- Software tokens are distributed on RSA Authentication Manager 8.2 and up.
- Tokens meet the other conditions for being extended; such as tokens are not already in the process of being replaced or extended.
- Search results display Yes in the Extendable column for software tokens that are eligible for extension.
- The token record file that contains extension token records was imported.
- An attempt to Extend SecurID Token Lifetime using methods outlined at Extend Software Token Lifetimes Errors "The extension token configuration does not exist in the configuration service"
The error shown here is in the primary instance's /opt/rsa/am/server/logs/imsConsoleTrace.log with verbose logging enabled:
@@@2019-11-07 23:42:28,936, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'], (EJBRemoteTargetBase.java:178),
trace.com.rsa.command.EJBRemoteTargetBase, ERROR, SOMP-RSA01.colehaan.net,,,,Exception during command execution.
com.rsa.command.AuditedLocalizableSystemException: COMMAND_EXECUTION_UNEXPECTED_ERROR
Caused by: com.rsa.common.SystemException: AM_EXTEND_TOKEN_LIFETIME_NOT_DEFINED
Caused by: com.rsa.common.SystemException: AM_EXTEND_TOKEN_LIFETIME_NOT_DEFINED
at com.rsa.authmgr.internal.admin.tokenmgt.impl.TokenAdministrationImpl.a(TokenAdministrationImpl.java:1771)
at com.rsa.authmgr.internal.admin.tokenmgt.impl.TokenAdministrationImpl.a(TokenAdministrationImpl.java:1550)
at com.rsa.authmgr.internal.admin.tokenmgt.impl.TokenAdministrationImpl.lookupExtensionTokenLifeConfigValue(TokenAdministrationImpl.java:933)
at com.rsa.authmgr.admin.tokenmgt.LookupExtensionTokenConfigCommand$Executive.execute(LookupExtensionTokenConfigCommand.java:7)
at com.rsa.authmgr.admin.tokenmgt.LookupExtensionTokenConfigCommand.performExecute(LookupExtensionTokenConfigCommand.java:128)
Cause
Resolution
- Launch an SSH client, such as PuTTY.
- Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.
Note that during Quick Setup another username may have been selected. Use that username to log in.
- Change to /opt/rsa/am/utils:
log in as: rsaadmin Using keyboard-interactive authentication. Password: <enter operating system password> Last login: Tue Nov 06 12:46:44 2018 from xxxxxxxxxxxxx RSA Authentication Manager Installation Directory: /opt/rsa/am rsaadmin@SOMP-RSA01:~> cd /opt/rsa/am/utils
- Type the command ./rsautil store -a update_config auth_manager.extend_token_life.token_days_remaining_for_expiration <number> GLOBAL 503, where number is the number of days before expiration. For example, we can set the days to 60, as shown below.
rsaadmin@SOMP-RSA01:/opt/rsa/am/utils> ./rsautil store -a update_config auth_manager.extend_token_life.token_days_remaining_for_expiration 60 GLOBAL 503 Please enter OC Administrator username: <enter Operations Console administrator name> Please enter OC Administrator password: <enter Operations Console administrator password> psql.bin:/tmp/fa85b98e-58c6-4df5-a9fb-fa1a60cb1e681066583051878639531.sql:167: NOTICE: Changed the value of configuration parameter 'auth_manager.extend_token_life.token_days_remaining_for_expiration' from 'number' to '60' for the instance 'GLOBAL'. update_config --------------- (1 row)
- Restart all RSA Authentication Manager services on the primary:
rsaadmin@SOMP-RSA01:/opt/rsa/am/utils> cd /opt/rsa/am/server rsaadmin@SOMP-RSA01:/opt/rsa/am/server> ./rsaserv restart all
- Log on to each replica instance and restart services.
rsaadmin@SOMP-RSA02:/opt/rsa/am/utils> cd /opt/rsa/am/server rsaadmin@SOMP-RSA02:/opt/rsa/am/server> ./rsaserv restart all
