34.5 Troubleshooting General Issues

You might encounter the following issues while working with the identity applications:

34.5.1 Mismatch of Certificates Used by Identity Manager Engine and User Application Causes Code (-9205) Error in vnd.nds.stream

Issue: The Identity Manager drivers use the Identity Manager engine's keystore, not the User Application's keystore, to access the User Application. If these components use different certificates, the drivers report an error message similar to the following when the trace level is set to 5:

DirXML Log Event
Message:  Code(-9205) Error in vnd.nds.stream://VAULT/TEST/DRIVERSET1/DRIVER1/Publisher/POLICY#XmlData:133 : 
Couldn't request assignment of role: '<Role DN>' to identity: '<User DN>': 
com.novell.nds.dirxml.soap.UserAppClientException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Workaround: Verify that the JRE used by the Identity Manager engine has the required certificate to connect to the User Application. Otherwise, import the certificate from the User Application.

  1. Locate cacerts in the Identity Manager engine directory.

    For example, /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts on Linux.

  2. Determine the certificate used by the User Application.

    1. Navigate to the User Application keystore.

      For example, /opt/netiq/idm/apps/jre/lib/security/cacerts.

    2. List the certificates by running the following command from the command line:

      keytool -list -v -keystore cacerts

  3. (Conditional) If you have access to the certificate, import it into the Identity Manager engine's cacerts keystore by running the following command:

    keytool -import -alias <newalias> -keystore cacerts -file certificate.der

  4. (Conditional) If you do not have access to the certificate, export it from the User Application's cacerts keystore, and then import it into the Identity Manager engine's cacerts keystore.

  5. Restart the Identity Vault.

34.5.2 User Application Driver Fails to Communicate with the User Application Server on a Secured Connection

Issue: The User Application driver fails to communicate with the User Application server and returns a retry status error. This issue may occur if one of the following conditions is true:

  • You are using Java 1.7.x in your environment.

  • The User Application driver does not have the certificate required for the connection.

Workaround: Perform the following actions:

  • Manually update your current Java version to version 1.8 Update 92 or later.

  • Import the certificates from User Application into Identity Manager engine's JRE directory for use by the User Application driver. If your User Application server is protected by NetIQ Access Manager or a load balancer, add the certificates from Access Manager or the load balancer into Identity Manager engine's JRE directory.

34.5.3 Entitlement Configuration Error During Codemap Refresh

Issue: When a new resource is created in a driver, the resource is not added to the User Application after you run the code map refresh for the driver. One possible cause is that some parameters in the driver's entitlement configuration have no value. For example, <entitlement data-collection="false" dn="CN=ExchangeMailbox,CN=AD Driver for Groups,CN=DriverSet,O=system" parameter-format="" resource-mapping="" role-mapping="">.

User Application reports the following error in the catalina.out file:

2017-11-03 15:55:21,373 [http-bio-8443-exec-340] ERROR com.novell.idm.nrf.persist.DirXMLDriverDAO- [RBPM] Error occurred parsing the entitlement configuration XML: cn=EntitlementConfiguration,cn=AD Driver for Groups,cn=DriverSet,o=system
java.lang.StringIndexOutOfBoundsException: String index out of range: 0

Workaround: Add the missing values in the entitlement configuration for the driver. For example, <entitlement data-collection="false" dn="CN=ExchangeMailbox,CN=AD Driver for Groups,CN=DriverSet,O=system" parameter-format.

34.5.4 User Application Driver Fails to Process Delete Events

If the User Application driver fails to establish a connection with the identity applications, the driver fails to process the delete operation and loops infinitely. You can confirm this by looking at the User Application driver startup and trace logs.

This issue typically occurs if the HTTPS certificates used by the identity applications are not available in the User Application driver's certificate store. The default certificate store for the driver is the Java cacerts keystore of the engine JRE (/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts on Linux, or <eDirectory install path>\jre\lib\security on Windows).
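To confirm the trust problem described in 34.5.1 and 34.5.4 before changing any keystore, the following Java program is an added example (not part of this guide or the product): it loads the engine JRE's cacerts, performs the same PKIX-validated TLS handshake the User Application driver performs, and on failure prints the subject and SHA-256 fingerprint of every certificate the server presented so they can be matched against the output of keytool -list -v. The cacerts path, the JRE default store password changeit, the host name userapp.example.com and port 8443 are assumptions; pass your own host and port as arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
// Handshakes with the User Application through the engine JRE's cacerts, the trust path the driver uses.
public class CheckUserAppTrust {
    // Assumed: the engine cacerts path from this chapter and the JRE default store password "changeit".
    static final String CACERTS = "/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts";
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "userapp.example.com"; // placeholder host name
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(CACERTS)) { ks.load(in, "changeit".toCharArray()); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        // Record the chain the server presents, then let the real PKIX trust manager validate it as usual.
        final X509Certificate[][] presented = new X509Certificate[1][];
        X509TrustManager recording = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                real.checkClientTrusted(c, a);
            }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                presented[0] = c;
                real.checkServerTrusted(c, a);
            }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("OK: " + CACERTS + " trusts " + host + ":" + port);
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
            if (presented[0] == null) return; // failed before any certificate was received
            // Compare with 'keytool -list -v' output on both JREs; the last (issuer) entry is the one to import.
            for (X509Certificate c : presented[0])
                System.out.println(c.getSubjectX500Principal() + "\n  SHA256: " + fingerprint(c));
        }
    }
    // SHA-256 fingerprint in the colon-separated form that keytool prints.
    static String fingerprint(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded()))
            sb.append(String.format(sb.length() == 0 ? "%02X" : ":%02X", b));
        return sb.toString();
    }
}
```

Run it with the engine's own JRE (the one under nds-modules) so the result reflects exactly what the driver sees. When the User Application is fronted by Access Manager or a load balancer (34.5.2), the chain printed is that front end's chain, which is the one that must be imported.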