43.5 Troubleshooting General Issues

43.5.1 Mismatch of Certificates Used by Identity Manager Engine and User Application Causes Code (-9205) Error in vnd.nds.stream

Issue: The Identity Manager drivers use the Identity Manager engine's keystore, not the User Application's keystore, to access the User Application. If these components use different certificates, the drivers report an error message similar to the following when the driver trace level is set to 5:

DirXML Log Event
Message: Code(-9205) Error in vnd.nds.stream://VAULT/TEST/DRIVERSET1/DRIVER1/Publisher/POLICY#XmlData:133: 
Couldn't request assignment of role: '<Role DN>' to identity: '<User DN>': 
com.novell.nds.dirxml.soap.UserAppClientException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Workaround: Verify that the JRE used by the Identity Manager engine has the required certificate to connect to the User Application. Otherwise, import the certificate from the User Application.

  1. Locate cacerts in the Identity Manager engine directory.

    For example, /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts on Linux.

  2. Determine the certificate used by the User Application.

    1. Navigate to the User Application keystore.

      For example, /opt/netiq/idm/apps/jre/lib/security/cacerts.

    2. List the certificates by running the following command from the command line:

      keytool -list -v -keystore cacerts

  3. (Conditional) If you have access to the certificate, import it into the Identity Manager engine’s cacerts keystore by running the following command:

    keytool -import -alias <newalias> -keystore cacerts -file certificate.der

  4. (Conditional) If you do not have access to the certificate, export it from the User Application’s cacerts keystore, and then import it into the Identity Manager engine’s cacerts keystore.

  5. Restart the Identity Vault.
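To check for the mismatch described above without walking both keystores by hand, the following added script (not part of the NetIQ documentation) fetches the certificate the User Application server presents, fingerprints it the way keytool does, and looks that fingerprint up in the engine JRE's cacerts, which is the store the driver actually uses; the same check applies to the symptoms in 43.5.2 and 43.5.8. The engine cacerts path is the one from step 1; the host, port and the keystore password changeit are assumptions.

```python
"""Added example, not from the NetIQ documentation: compare the certificate a
User Application server presents with the entries in the Identity Manager
engine JRE's cacerts (43.5.1, 43.5.2, 43.5.8). Paths, host, port and the
keystore password are assumptions."""
import hashlib
import re
import ssl
import subprocess

ENGINE_CACERTS = "/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts"
STOREPASS = "changeit"  # assumption: the JRE default; change it if yours differs

# Constructed sample of `keytool -list -v` output with one trusted entry.
SAMPLE_LISTING = """Alias name: ua-server
Entry type: trustedCertEntry
Certificate fingerprints:
\t SHA256: BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD
"""

def fingerprint_der(der: bytes) -> str:
    """SHA-256 of the DER bytes in keytool's colon-separated upper-case form."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def parse_keytool_listing(text: str) -> dict:
    """Map alias -> SHA-256 fingerprint from `keytool -list -v` output."""
    entries, alias = {}, None
    for line in text.splitlines():
        m = re.match(r"Alias name:\s*(.+)", line)
        if m:
            alias = m.group(1).strip()
        m = re.search(r"SHA-?256:\s*([0-9A-F:]{95})", line)  # 32 bytes + 31 colons
        if m and alias:
            entries[alias] = m.group(1)
    return entries

def trusted_alias(server_fp: str, entries: dict):
    """Alias of the matching entry, or None (the PKIX failure seen in the trace)."""
    return next((a for a, fp in entries.items() if fp == server_fp), None)

def check_server(host: str, port: int = 8443):
    """Fetch the live leaf certificate and look it up in the engine cacerts;
    None means import the leaf, or its issuing CA if one signed it."""
    pem = ssl.get_server_certificate((host, port))
    cmd = ["keytool", "-list", "-v", "-keystore", ENGINE_CACERTS, "-storepass", STOREPASS]
    listing = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return trusted_alias(fingerprint_der(ssl.PEM_cert_to_DER_cert(pem)), parse_keytool_listing(listing))
```

Run check_server("ua.example.com") from the engine host; a None result reproduces the PKIX error before the driver does.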

43.5.2 User Application Driver Fails to Communicate with the User Application Server on a Secured Connection

Issue: The User Application driver fails to communicate with the User Application server and returns a retry status error. This issue may occur if one of the following conditions is true:

  • You are using Java 1.7.x in your environment.

  • The User Application driver does not have the certificate required for the connection.

Workaround: Perform the following actions:

  • Manually update your current Java version to version 1.8 Update 92 or later.

  • Import the certificates from User Application into Identity Manager engine's JRE directory for use by the User Application driver. If your User Application server is protected by NetIQ Access Manager or a load balancer, add the certificates from Access Manager or the load balancer into Identity Manager engine's JRE directory.

43.5.3 Entitlement Configuration Error During Codemap Refresh

Issue: When a new resource is created in a driver, the resource is not added to the User Application after you run the code map refresh for the driver. One cause is that some parameters in the driver's entitlement configuration have no value. For example, <entitlement data-collection="false" dn="CN=ExchangeMailbox,CN=AD Driver for Groups,CN=DriverSet,O=system" parameter-format="" resource-mapping="" role-mapping="">.

User Application reports the following error in the catalina.out file:

2017-11-03 15:55:21,373 [http-bio-8443-exec-340] ERROR com.novell.idm.nrf.persist.DirXMLDriverDAO- [RBPM] Error occurred parsing the entitlement configuration XML: cn=EntitlementConfiguration,cn=AD Driver for Groups,cn=DriverSet,o=system
java.lang.StringIndexOutOfBoundsException: String index out of range: 0

Workaround: Add the missing values in the entitlement configuration for the driver. For example, <entitlement data-collection="false" dn="CN=ExchangeMailbox,CN=AD Driver for Groups,CN=DriverSet,O=system" parameter-format="idm4" resource-mapping="true" role-mapping="true">.
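The following added check (not part of the NetIQ documentation) reports entitlement elements whose mapping attributes are empty, so the condition can be caught before a code map refresh rather than from the StringIndexOutOfBoundsException afterwards. The sample XML is constructed from the two elements shown above; the enclosing root element is an assumption.

```python
"""Added example, not from the NetIQ documentation: find entitlement
configuration elements with empty or missing mapping attributes (43.5.3)."""
import xml.etree.ElementTree as ET

# Attributes that the workaround above shows populated.
REQUIRED = ("parameter-format", "resource-mapping", "role-mapping")

# Constructed: the broken element from the issue and the corrected one from the
# workaround, wrapped in a placeholder root element so both parse together.
SAMPLE_CONFIG = """<entitlements>
  <entitlement data-collection="false"
      dn="CN=ExchangeMailbox,CN=AD Driver for Groups,CN=DriverSet,O=system"
      parameter-format="" resource-mapping="" role-mapping=""/>
  <entitlement data-collection="false"
      dn="CN=ExchangeMailbox,CN=AD Driver for Groups,CN=DriverSet,O=system"
      parameter-format="idm4" resource-mapping="true" role-mapping="true"/>
</entitlements>"""

def missing_values(xml_text: str) -> list:
    """Return (position, dn, [empty attributes]) for every entitlement element
    whose required attributes are blank or absent; an empty list means clean."""
    problems = []
    for pos, elem in enumerate(ET.fromstring(xml_text).iter("entitlement"), 1):
        empty = [a for a in REQUIRED if not elem.get(a, "").strip()]
        if empty:
            problems.append((pos, elem.get("dn", "<no dn>"), empty))
    return problems

if __name__ == "__main__":
    for pos, dn, empty in missing_values(SAMPLE_CONFIG):
        print(f"entitlement #{pos} {dn}: empty {', '.join(empty)}")
```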

43.5.4 Error After Logging Out of the Dashboard on Linux

Issue: On a Linux server, sometimes Identity Applications report the following error when you log out of the Dashboard.

5082 ERROR_STARTUP_ERROR (unable to write to applicationPath /opt/netiq/idm/apps/sspr/sspr_data)

Workaround: Manually restart Tomcat.

43.5.5 Bulk Import of Roles and Resources May Not Update the Permission Index

Issue: Sometimes the permission index is not updated when you bulk import roles or resources into the Identity Vault. This prevents the User Application's Role or Resource Catalogs from displaying the newly added roles or resources.

Workaround: Perform the following actions:

  1. Stop the Tomcat application server where identity applications are deployed.

  2. Delete the permission index from /apps/tomcat/temp/permindex.

  3. Restart Tomcat.

43.5.6 Absence of Notification Templates Causes Workflow Error

Issue: Notification templates such as the notification, email, and provisioning templates must reside in the Default Notification Collection folder in the Identity Vault’s Security container. If you perform an operation such as requesting permissions in the identity applications while these templates are absent, the following error is reported in the catalina.out file:

com.netiq.common.i18n.impl.LocalizedResourceResolverNoDefaultFoundException: The resource resolver com.novell.soa.notification.impl.vdx.LocalizedEmailTemplateResolver did not return a resource for the default locale of en. It is required that a resource exist for the default locale.

Workaround: Deploy the required packages for notification, email, and provisioning templates to the Identity Vault.

  1. Open your project in Designer.

  2. In the Outline pane, expand your project.

  3. Right-click Default Notification Collection.

  4. Select Add All Templates.

  5. Select Overwrite Existing Templates, then click OK.

  6. Right-click Default Notification Collection, select Live, and click Deploy.

  7. Click OK to deploy.

43.5.7 Error Occurs When You Add a New Application With a Logo

Issue: When you click the Add button to add a new application with a logo (image), the following error appears:

Invalid image file uploaded

Workaround: Add the application without an image. Then, edit the newly added application to add an image as follows:

  1. Ensure the user has write permissions for the user home directory.

    For example: /home/users/novlua/

  2. Log in to Identity Manager Dashboard and go to Applications.

  3. Click the Manage Applications icon.

  4. Click Edit on the newly added application and add the logo (image).

  5. Click Save.

43.5.8 User Application Driver Fails to Process Delete Events

If the User Application driver fails to establish a connection with the identity applications, the driver cannot process the delete operation and loops infinitely. You can confirm this in the User Application driver startup and trace logs.

This issue typically occurs if the https certificates used by the identity applications are not available in the User Application driver's certificate store. The default certificate store for the driver is the Java cacerts directory (/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts or <eDirectory install path>\jre\lib\security).

43.5.9 Unable to Search for Users While Requesting For Permissions on Behalf of Others

Issue: When requesting permissions for others, team managers and administrative users are unable to search for users on the New Request page. This occurs when the User Search Lookup Attribute or User Search Default Attribute includes custom (non-default) attributes on the Settings page.

Workaround: To resolve this issue, modify the trustee rights of individual users with team manager or administrative user roles in Identity Applications as described below:

  1. Log in to iManager as an administrator.

  2. Click the View Objects option.

  3. In the Tree tab, click data.

  4. Select the check box corresponding to the desired user name.

  5. Go to Actions > Modify Trustees.

  6. Click Assigned Rights option corresponding to the selected user name.

  7. Click Add Property > [All Attributes Rights] > OK.

  8. The user is assigned compare and read permissions by default. Assign additional rights as necessary.

  9. Click Done.

  10. Select OK or Apply to save the changes to the directory.

You can also change the trustee rights for all users under the users.data trustee name. Click data > users > (current level) check box in the Tree tab, then proceed to Step 5 through Step 10 in the procedure above.