RSA Authentication Manager 8.2 reports 'Unexpected error during command com.rsa.admin.GetPrincipalNestedGroupsCommand execution'
2 years ago
Originally Published: 2016-08-29
Article Number
000044041
Applies To
RSA Product Set:  SecurID
RSA Product/Service Type:  RSA Authentication Manager
RSA Version/Condition:  8.2
Issue
An administrative task to lookup User Group Membership of a User ID mapped from an identity source generates a message:

There was a problem processing your request. Unexpected error during command com.rsa.admin.GetPrincipalNestedGroupsCommand execution​
  1. First, ensure that verbose logging is turned on in the Security Console.  To do this,
    1. Click Setup > System Settings > Logging.  
    2. Select the primary server and click Next.  
    3. Set Trace Log value to Verbose in the Log Levels section.
    4. Scroll down and check the option to apply the above settings to the replica instance(s) upon save.
    5. Click Save.
  2. If verbose logging was not enabled, redo the process above to generate error.  Skip to step 3 if it was enabled.
  3. Review the /opt/rsa/am/server/logs/imsTrace.log for an error such as:
2016-08-26 08:50:58,071, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (CommandServerEngine.java:897), trace.com.rsa.command.CommandServerEngine, DEBUG, {AM-hostname},,,,Command : class com.rsa.admin.GetPrincipalNestedGroupsCommand Execution Exception: com.rsa.common.UnexpectedDataStoreException: exception during group search: (&(objectClass=group)(member={group DN})): Unable to find the   requested data from the directory server com.rsa.common.UnexpectedDataStoreException: exception during group search: (&(objectClass=group)(member={group DN})): Unable to find the requested data from the directory server 
at com.rsa.ims.admin.dal.ldap.GroupAccessLDAP.getMemberOfGroups(GroupAccessLDAP.java:1426) 
atcom.rsa.ims.admin.impl.GroupAdministrationImpl.getMemberOfGroupsForGroup(GroupAdministrationImpl.java:3255) at com.rsa.ims.admin.impl.GroupAdministrationImpl.getAllSuperGroups(GroupAdministrationImpl.java:3179) 
at com.rsa.ims.admin.impl.GroupAdministrationImpl.getAllGroupsPrincipalBelongsTo(GroupAdministrationImpl.java:3222) at com.rsa.admin.GetPrincipalNestedGroupsCommand.performExecute(GetPrincipalNestedGroupsCommand.java:138) at com.rsa.command.LocalTarget.executeCommand(LocalTarget.java:119) 
at com.rsa.ims.command.LocalTransactionalCommandTarget.access$0(LocalTransactionalCommandTarget.java:1) 
at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:268) 
atcom.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:1) at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:131) 
at com.rsa.ims.command.LocalTransactionalCommandTarget.executeCommand(LocalTransactionalCommandTarget.java:260) at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:933) 
at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:1) 
at com.rsa.ims.security.spi.SimpleSecurityContextImpl.doAs(SimpleSecurityContextImpl.java:113) 
at com.rsa.security.SecurityContext.doAs(SecurityContext.java:439) 
at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:445) 
at com.rsa.command.CommandServerEngine.executeCommand(CommandServerEngine.java:373) 
at com.rsa.command.CommandServerBean.executeCommand(CommandServerBean.java:89) 
at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.__WL_invoke(Unknown Source) 
at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:34) 
at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.executeCommand(Unknown Source) 
at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl_WLSkel.invoke(Unknown Source) 
at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:701) 
at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:231) 
at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:527) 
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363) 
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:523) 
at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118) 
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:311) 
at weblogic.work.ExecuteThread.run(ExecuteThread.java:263)
Cause
An administrator has configured an Active Directory Global Catalog as an identity source in the Operations Console, however the Directory URL used for connectivity to the Active Directory Global Catalog does not contain the Global Catalog port number.  The default non-secure Global Catalog port is 3268, whereas the secure Global Catalog port is 3269.
Resolution
An administrator needs to include the port number of the Global Catalog in the identity source Directory URL for the connectivity to the Active Directory Global Catalog.
  1. Log into the Operations Console.  
  2. Select Deployment Configuration > Identity Sources > Manage Existing.  
  3. Left click the appropriate identity source and select Edit.  
  4. Ensure you are in the Connections tab and update the Directory URL(s) to include the required port number.
  5. The example below illustrates using the default non-secure Global Catalog port of 3268:
User-added image
Notes
Page 71 of the RSA Authentication Manager 8.2 Administrator's Guide provides information on the properties of the Directory URL in the identity source configuration; whereas, page 90 provides information on integrating an LDAP directory as an identity source.

Related Articles

Trending Articles

Don't see what you're looking for?