QR code not displaying in the RSA Authentication Manager Prime Self-Service Portal (SSP)
Originally Published: 2019-10-11
Article Number
Applies To
RSA Product/Service Type: Authentication Manager Prime
RSA Version/Condition: 8.4
Platform: Java Runtime Environment 1.8.x
Issue
The QR code image keeps spinning without generating the QR code.
Cause
The CTF conversion utility uses the Java random function, which results in a massive delay, measured in minutes. Oracle has noted this performance issue with using the random function as a cryptographically strong random number generator (RNG); the fix is described in the Resolution section below.
As per the logs:
- The header request API call sent from the AMIS server to the Authentication Manager server is not correct. It states that the distribution type of the token is CTF; however, it should be CTKIP.
- Below is the API call generated from the SSP request, found in the ssp_daily.log file. The issue is the distribution type in the Token Entry (distributionType="ctf"):
2019-10-10T06:29:22,001-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO ,start :: replaceNextToken
2019-10-10T06:29:22,001-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO , URL : http://localhost:8181/am8/token/replace/{tokenserial}/{newtokenserial}?newPinMode={booleanFlag}
2019-10-10T06:29:22,001-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO , URL Parameters : {tokenserial=000156522108, tokenType=software, booleanFlag=false}
2019-10-10T06:29:22,244-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO ,service result <?xml version="1.0" encoding="UTF-8" standalone="no"?>
<serviceResult result="true">
<TokenSerialNumber>000156522080</TokenSerialNumber>
</serviceResult>
2019-10-10T06:29:22,245-0700,com.rsa.pso.selfservice.web.SSPHomeActionBean,?,INFO ,000156522108 got replaced with 000156522080
2019-10-10T06:29:22,252-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO ,start :: updateToken
2019-10-10T06:29:22,252-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO ,Header value 22818430
2019-10-10T06:29:22,252-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO , URL : http://localhost:8181/am8/token/update/
2019-10-10T06:29:22,258-0700,com.rsa.pso.selfservice.securid.AMISClientServiceImp,?,INFO ,Token Entry :<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<tokenEntry>
<algorithm>time</algorithm>
<deviceType>ims.000000000000000000002001f0050028</deviceType>
<distribution CTF="false">
<QR background="16777215" foreground="0" size="220"/>
<STDID copyProtected="false" distributionType="ctf" passwordProtect="NoPassword" regenerateTokenCode="false">
<CTFExpirationMinutes>15</CTFExpirationMinutes>
</STDID>
</distribution>
<enabled>true</enabled>
<interval>60</interval>
<pin requirePintAtNextLogin="false"/>
<properties clearValues="false">
<property name="DeviceSerialNumber" value=""/>
</properties>
<tokenCodeLength>8</tokenCodeLength>
</tokenEntry>
- As per the Prime AMIS Developer's Guide, the request for CTKIP should look like the snippet below. It does not contain the CTF distribution type, which is the error in the request above.
<tokenEntry>
<enabled>true</enabled>
<distribution>
<QR size="200" />
<CTKIP deviceFamilyName="iPhone" />
</distribution>
<deviceType>ims.000000000000000000002001f0050022</deviceType>
<algorithm>time</algorithm>
<tokenCodeLength>8</tokenCodeLength>
<interval>60</interval>
<properties clearValues="false">
<property name="DeviceSerialNumber" value="556f1985-33dd-442c-9155-3a0e994f21b1" />
</properties>
<pin requirePintAtNextLogin="false" action="nothing" pinType="passcode" />
</tokenEntry>
Resolution
- Navigate to JRE_HOME/lib/security/.
- Edit the java.security file using a text editor:
vi java.security
- Search for securerandom.source. In vi, press the Escape key, then type a forward slash followed by the search string:
/securerandom.source
- Change the line from securerandom.source=file:/dev/random to:
securerandom.source=file:/dev/./urandom
- Stop and start all Tomcat services for AMIS and SSP.
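The edit in the steps above can also be checked and applied from a script. The following is an added example, not code from RSA or Oracle: the function names and the sample file are constructed for illustration, and the target value is the one given in the steps.

```shell
#!/bin/sh
# Added example (not RSA's or Oracle's code): check and apply the
# securerandom.source change described in the Resolution steps.
TARGET_SOURCE='file:/dev/./urandom'   # value given in the article

# Print the active (uncommented) securerandom.source value; empty if unset.
# The last assignment wins, as it does when Java loads the properties file.
get_securerandom_source() {
    sed -n 's/^[[:space:]]*securerandom\.source[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Point securerandom.source at TARGET_SOURCE, keeping a one-time backup in
# <file>.orig. Returns 0 = changed, 1 = already set, 2 = file not writable.
set_securerandom_source() {
    file=$1
    [ -f "$file" ] && [ -w "$file" ] || return 2
    current=$(get_securerandom_source "$file")
    [ "$current" = "$TARGET_SOURCE" ] && return 1
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig" || return 2
    tmp=$(mktemp) || return 2
    if [ -n "$current" ]; then
        sed "s|^[[:space:]]*securerandom\.source[[:space:]]*=.*|securerandom.source=$TARGET_SOURCE|" "$file" > "$tmp"
    else
        # No active entry: append one instead of uncommenting a stale line.
        { awk 1 "$file"; printf 'securerandom.source=%s\n' "$TARGET_SOURCE"; } > "$tmp"
    fi
    # Write back in place so the file keeps its owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Constructed sample standing in for JRE_HOME/lib/security/java.security.
make_sample() {
    printf '%s\n' '# constructed sample, not a real JRE file' \
        '#securerandom.source=file:/dev/urandom' \
        'securerandom.source=file:/dev/random' \
        'securerandom.strongAlgorithms=NativePRNGBlocking:SUN' > "$1"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/java.security"
echo "before: $(get_securerandom_source "$demo_dir/java.security")"
if set_securerandom_source "$demo_dir/java.security"; then
    echo "after:  $(get_securerandom_source "$demo_dir/java.security")"
fi
rm -rf "$demo_dir"
```

Point the functions at the java.security file of the JRE that the AMIS and SSP Tomcat services actually run on; the change takes effect only after those services are restarted.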