[OPENAM-9745] SecurID Authentication not working, error displayed "Unknown error. Please contact your Administrator"
Created: 26/Sep/16  Updated: 11/Dec/17  Resolved: 16/Nov/16

Status: Closed
Project: OpenAM
Component/s: authentication, security
Affects Version/s: 13.5.0
Fix Version/s: 13.5.1, 14.0.0

Type: Bug Priority: Major
Reporter: David Kwok [X] (Inactive) Assignee: Peter Major [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: EDISON, Must-Fix, SecurID
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Redhat Enterprise 7.2

Issue Links:
is duplicated by OPENAM-9660 SecurID Authentication not working, g... Closed
Target Version/s:
Rank: 1|hzsjpj:
Sprint: AM Sustaining Sprint 29, AM Sustaining Sprint 30, AM Sustaining Sprint 31
Story Points: 2
QA Assignee: Filip Kubáň [X] (Inactive)
Verified Version/s:


I am trying to authenticate against the SecurID RSA server via OpenAM; it is not working.
I have OpenAM 13.5 installed on a RHEL 7.2 box with the default configuration.
1. I deployed the OpenAM 13.5 WAR in Apache.
2. Copied authapi.jar and crypto.jar to WEB-INF/lib.
3. Copied the sdconf file to the configuration directory ~/OpenAM-13.5.0/OpenAM-13.5.0/auth/ace/data.
4. Created module 'SecurID'. Created chain 'rsachain'. Set it as 'sufficient'.
5. Went to log in at: http://server:port/openam/XUI/#login/<REALM>
After I enter the username and passcode,
I get 'Unknown error. Please contact your Administrator'.

Comment by Mark de Reeper [ 13/Oct/16 ]

Appears to be caused by OpenAM's use of the Log4J bridge libraries. The workaround is to replace the existing log4j-over-slf4j-1.7.5.jar file shipped within the OpenAM WAR with a copy of log4j-1.2.8.jar. The SLF4J to LOG4J bridge did not implement the removeAllAppenders method, which the RSA authagent class appears to require.

Comment by Mark de Reeper [ 13/Oct/16 ]

Tracked as http://jira.qos.ch/browse/SLF4J-303 in the SLF4J project.

Comment by David Kwok [X] (Inactive) [ 13/Oct/16 ]

@mark Indeed, that was the cause. A follow-up question: will removing the log4j-over-slf4j library and replacing it with the actual log4j library cause any issue with OpenAM functionality?

Comment by Peter Major [X] (Inactive) [ 16/Nov/16 ]

The log4j-over-slf4j library is no longer shipped with OpenAM. There is no replacement provided in new builds either. If customers want to use the SecurID module, then they should ask for a compatible version of the log4j library from RSA (1.2.x is likely to work, but can't really make any guarantees).

Comment by Filip Kubáň [X] (Inactive) [ 30/Nov/16 ]

Verified fix on: OpenAM 14.0.0-M7 Build eff0e96cfd (2016-November-25 16:23)

according to previous conversation with Peter:
the only thing you can really test is whether the log4j-over-slf4j has been removed from the final WAR file
which is removed

Comment by Filip Kubáň [X] (Inactive) [ 06/Jun/17 ]

Verified fix on OpenAM 13.5.1-RC3 Build 80264d3f67 (2017-May-11 21:12)
(see comment above)

Comment by Mark de Reeper [ 11/Dec/17 ]

As noted above, the fix for this issue is to ask RSA for a compatible version of the log4j-over-slf4j library that works with the RSA supplied libraries and add it to the OpenAM WAR.

The log4j-over-slf4j library is no longer shipped with OpenAM.
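
The check discussed in the comments above (is the bridge jar still in the WAR, and does whatever supplies the log4j API carry `removeAllAppenders`), as an added example that is not part of the original issue or of OpenAM's code. The function names and the in-memory sample WARs are constructed for illustration, and the method test is a byte-search heuristic on the class files, not a full class parse.

```python
import io
import zipfile

BRIDGE_PREFIX = "log4j-over-slf4j"      # jar name taken from the issue
METHOD_NAME = b"removeAllAppenders"     # method the RSA agent is reported to need


def audit_war(war_bytes):
    """Map each WEB-INF/lib jar that supplies org.apache.log4j classes to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.namelist():
            if not (entry.startswith("WEB-INF/lib/") and entry.endswith(".jar")):
                continue
            try:
                jar = zipfile.ZipFile(io.BytesIO(war.read(entry)))
            except zipfile.BadZipFile:
                continue  # not a readable jar; nothing to inspect
            with jar:
                classes = [n for n in jar.namelist()
                           if n.startswith("org/apache/log4j/") and n.endswith(".class")]
                if not classes:
                    continue  # jar does not provide the log4j 1.x API
                # Heuristic: a declared or called method name is stored as plain
                # bytes in the class file's constant pool.
                has_method = any(METHOD_NAME in jar.read(n) for n in classes)
            name = entry.rsplit("/", 1)[1]
            report[name] = {"bridge": name.startswith(BRIDGE_PREFIX),
                            "has_method": has_method}
    return report


def make_zip(files):
    """Build an in-memory zip from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the ".class" bytes are stubs, not real compiled classes.
STUB = b"\xca\xfe\xba\xbe"
BRIDGE_JAR = make_zip({"org/apache/log4j/Category.class": STUB + b"getName"})
LOG4J_JAR = make_zip({"org/apache/log4j/Category.class": STUB + b"removeAllAppenders"})
SHIPPED_WAR = make_zip({"WEB-INF/lib/log4j-over-slf4j-1.7.5.jar": BRIDGE_JAR})
PATCHED_WAR = make_zip({"WEB-INF/lib/log4j-1.2.8.jar": LOG4J_JAR})

if __name__ == "__main__":
    for label, war in (("shipped", SHIPPED_WAR), ("patched", PATCHED_WAR)):
        print(label, audit_war(war))
```

To audit a real deployment, pass the bytes of the WAR file to `audit_war`; an entry with `bridge: True` or `has_method: False` is the condition this issue describes.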

Generated at Mon Mar 01 22:21:43 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.