No identity source available in RSA Authentication Manager 8.1 patch 5

3 years ago

Originally Published: 2014-10-29

Article Number

000057039

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0 patch 5

Issue

When logged into the Security Console and selecting Settings > Self Service Settings and then selecting Identity Sources the following error displays:

There was a problem processing your request.
No Identity Source is available

Identity sources are configured and users are seen in the Security Console.
Users can log onto self-service console page and request a token.
Admins can assign tokens and see both internal and external identity sources.

Cause

In the Security Console, set logging to verbose

Review the /opt/rsa/am/....imsTrace.log fopr messages such as:

2014-10-21 13:10:40,617, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (AbstractPropertiesSynchronizer.java:695), trace.com.rsa.ims.security.keymanager.sys.AbstractPropertiesSynchronizer, WARN, den-prod-auth-01.quickplay.local,,,,Database information not found
com.rsa.common.DataNotFoundException: No data for 0000-Global-0000.ims.sso.filter.properties found

The reason for this error is that there is a difference in the enrollment of identity sources is different from Authentication Manager 7.1 to Authentication Manager 8.0/8.1; that is, only internal database users are enrolled in Authentication Manager 8.0/8.1. Migration from 7.1 to 8.0/8.1 has introduced the above issue. The root cause of the defect is how the migration is handled for user enrollment.

Resolution

A fix for this issue is scheduled for Authentication Manager 8.1 patch 6 or patch 7.

Workaround

Launch an SSH client, such as PuTTY.
Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to login.

Navigate to /opt/rsa/am/utils.
Run the command rsautil manage-secrets -a get com.rsa.db.dba.password to obtain the com.rsa.db.dba.password. You will need to provide the Operations Console user name and password to run the command. Record the value for the password returned.

rsaadmin@am81p:~> cd /opt/rsa/am/utils/
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
Please enter OC Administrator username: <enter Operations Console admin user name>
Please enter OC Administrator password: <enter Operations Console admin password>
com.rsa.db.dba.password: <output of the com.rsa.db.dba.password for your instance>

Navigate to /opt/rsa/am/pgsql/bin:

cd /opt/rsa/am/pgsql/bin

Run the following commands:

./psql -h localhost -p 7050 -d db -U rsa_dba -c 'select * from RSA_REP.UCM_IDENTITY_SOURCES;' -o /tmp/idsources.txt
./psql -h localhost -p 7050 -d db -U rsa_dba -c 'select id, name, src_type, internal_store, runtime_only FROM RSA_REP.IMS_IDENTITY_SOURCE;' -o /tmp/idnames.txt

Look in for the identitysource_id in idsources.txt and the runtime_only in the idnames,txt file, the values should be the same, e.g. 24205f6d0465a8c0027cf59121f24159, This value will be used in the workaround update.
Since this update uses single ticks, run it from SQL instead of with -c:

./psql -h localhost -p 7050 -d db -U rsa_dba -o /tmp/updateIS.txt 
Password for user rsa_dba: <enter the password from step 4 above>
 db-# UPDATE RSA_REP.UCM_IDENTITY_SOURCES SET available_status=0 WHERE identitysource_id='24205f6d0465a8c0027cf59121f24159';
 db-# \q

The above query should resolve the issue. Make sure after running the query, the internal database is added for enrollment if required from Self-Service Settings > Identity Sources.

Notes

Same symptom as Jira ~~AM-27838~~/~~AM-26825~~ which were fixed in patch 1

Attachments

If the attachment does not open when clicked, please refresh the page and try again. You must be logged into view the file(s).

Don't see what you're looking for?

Related Articles

Trending Articles