Password change fails for users in an external identity source via Self-Service Console in RSA Authentication Manager 8.x
Originally Published: 2014-10-19
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
3rd-party Product: Microsoft Active Directory
Issue
There was a problem processing your request.
The operations failed because an identity source is read-only. Please contact your System Administrator
The /opt/rsa/am/server/logs/imsTrace.log shows the following error:
2014-10-17 14:22:45,146, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'], (RequestHandlerImpl.java:1527), trace.com.rsa.ucm.internal.request.impl.RequestHandlerImpl, ERROR, testAM81pri.kangnet.local,,,,ReasonKey[UCM_INVALID_ARGUMENT_EXCEPTION]
com.rsa.common.InvalidArgumentException: The specified identity source is readonly : 407626cea11c200a1c404370881799b0
at com.rsa.ucm.ssointegration.ims.validator.BaseIMSValidator.validateIdentitySource(BaseIMSValidator.java:141)
at com.rsa.ucm.ssointegration.ims.validator.UpdatePasswordValidator.validateRequest(UpdatePasswordValidator.java:137)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy174.validateRequest(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:50)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy175.validateRequest(Unknown Source)
at com.rsa.ucm.internal.ssointegration.DefaultSelfServiceOperationManagerImpl.validateRequest(DefaultSelfServiceOperationManagerImpl.java:155)
at com.rsa.ucm.internal.request.impl.AddRequestHandlerImpl.processNonWorkflowRequest(AddRequestHandlerImpl.java:395)
at com.rsa.ucm.internal.request.impl.AddRequestHandlerImpl.addUCMRequest(AddRequestHandlerImpl.java:176)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
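To confirm that a failed Self-Service password change matches this article rather than some other read-only error, the following added example (not RSA code) scans imsTrace.log text for entries that carry both the read-only exception and the UpdatePasswordValidator frame. The sample input reuses lines from the excerpt above plus one constructed unrelated entry; the function name and record fields are assumptions.

```python
import re

# Entry header layout as shown in the article's imsTrace.log excerpt:
# timestamp,ms, [thread], (File.java:line), logger, LEVEL, host,,,,message
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+, \[.*?\], \([^)]*\), "
    r"[^,]+, (?P<level>[A-Z]+), (?P<host>[^,]*),"
)
READONLY = re.compile(r"identity source is readonly : (?P<source_id>[0-9a-f]+)")
# Stack frame that ties the rejection to a Self-Service password update.
PASSWORD_FRAME = "UpdatePasswordValidator.validateRequest"


def find_readonly_password_failures(lines):
    """Return one record per log entry in which a password update was
    rejected because the identity source is read-only."""
    findings, entry = [], None

    def flush():
        if entry and entry["source_id"] and entry["password_update"]:
            findings.append({k: entry[k] for k in ("ts", "host", "source_id")})

    for line in lines:
        header = HEADER.match(line)
        if header:
            flush()  # the previous entry is complete
            entry = {"ts": header["ts"], "host": header["host"],
                     "source_id": None, "password_update": False}
        if entry is None:
            continue  # trace lines that precede the first header
        hit = READONLY.search(line)
        if hit:
            entry["source_id"] = hit["source_id"]
        if PASSWORD_FRAME in line:
            entry["password_update"] = True
    flush()
    return findings


# First four lines come from the article's excerpt; the last entry is constructed.
SAMPLE = """\
2014-10-17 14:22:45,146, [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'], (RequestHandlerImpl.java:1527), trace.com.rsa.ucm.internal.request.impl.RequestHandlerImpl, ERROR, testAM81pri.kangnet.local,,,,ReasonKey[UCM_INVALID_ARGUMENT_EXCEPTION]
com.rsa.common.InvalidArgumentException: The specified identity source is readonly : 407626cea11c200a1c404370881799b0
at com.rsa.ucm.ssointegration.ims.validator.BaseIMSValidator.validateIdentitySource(BaseIMSValidator.java:141)
at com.rsa.ucm.ssointegration.ims.validator.UpdatePasswordValidator.validateRequest(UpdatePasswordValidator.java:137)
2014-10-17 14:23:01,002, [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'], (Example.java:10), trace.example.Constructed, ERROR, testAM81pri.kangnet.local,,,,constructed unrelated error
""".splitlines()
```

On the appliance, pass the lines of /opt/rsa/am/server/logs/imsTrace.log to the function; the returned identity source ID shows which read-only identity source the rejected requests targeted.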
Cause
Resolution
This is functioning as designed, as documented on page 115 of the RSA Authentication Manager 8.1 Administrator's Guide, which states that LDAP users are not able to change their password via the Forgot Your Password link in the Self-Service Console.
Users can change their passwords when prompted during authentication, not when requested with the Forgot Your Password link.
In an LDAPS configuration, the user is prompted to change the password when one of the following conditions applies:
- The user's password has expired.
- An Authentication Manager administrator has edited the user's user record to force a password change by checking the Require the user to change password at next logon box (Identity > Users > Manage Existing > Select a user > Click Edit in the context menu).
- The LDAP directory is configured to require the user to reset the password the next time the user authenticates.
Workaround
- Administrators can manually change an LDAP user's password in the Security Console.
- Users in the internal database can change their password via the Self-Service Console.
- Configure LDAP with a secure connection.
- The LDAPS Connection test is successful in the Operations Console.
- The Forgot Your Password link is checked.
- In the Security Console:
  - Click Setup > Self-Service Settings.
  - On the Settings page, under Customization, click Enable or Disable Self-Service Features.
  - Under Set Display Options for Self-Service Console - Home Page, the Forgot Your Password link is checked.