You might encounter the following issues while working with the identity applications:
Issue: The Identity Manager drivers use Identity Manager engine’s keystore instead of User Application's keystore to access the User Application. If these components use different certificates, drivers report an error message similar to the following when set at Trace level 5:
DirXML Log Event
Message: Code(-9205) Error in vnd.nds.stream://VAULT/TEST/DRIVERSET1/DRIVER1/Publisher/POLICY#XmlData:133: Couldn't request assignment of role: '<Role DN>' to identity: '<User DN>': com.novell.nds.dirxml.soap.UserAppClientException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Workaround: Verify that the JRE used by the Identity Manager engine has the required certificate to connect to the User Application. Otherwise, import the certificate from the User Application.
Locate cacerts in the Identity Manager engine directory.
For example, /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts on Linux.
Determine the certificate used by the User Application.
Navigate to the User Application keystore.
For example, /opt/netiq/idm/apps/jre/lib/security/cacerts.
List the certificates by running the following command from the command line:
keytool -list -v -keystore cacerts
(Conditional) If you have access to the certificate, import the certificate into Identity Manager engine’s cacerts directory by running the following command:
keytool -import -alias <newalias> -keystore cacerts -file certificate.der
(Conditional) If you do not have access to the certificate, export the certificate from the User Application’s cacerts directory, and then import the certificate into Identity Manager engine’s cacerts directory.
Restart the Identity Vault.
Issue: The User Application driver fails to communicate with the User Application server and returns a retry status error. This issue may occur if one of the following conditions is true:
You are using Java 1.7.x in your environment.
The User Application driver does not have the certificate required for the connection.
Workaround: Perform the following actions:
Manually update your current Java version to version 1.8 Update 92 or later.
Import the certificates from User Application into Identity Manager engine's JRE directory for use by the User Application driver. If your User Application server is protected by NetIQ Access Manager or a load balancer, add the certificates from Access Manager or the load balancer into Identity Manager engine's JRE directory.
Issue: When a new resource is created in a driver, the resource is not added to the User Application after running the code map refresh for the driver. One possible cause is that some parameters in the driver's entitlement configuration have no value. For example, <entitlement data-collection="false" dn="CN=ExchangeMailbox,CN=AD Driver for Groups,CN=DriverSet,O=system" parameter-format="" resource-mapping="" role-mapping="">.
User Application reports the following error in the catalina.out file:
2017-11-03 15:55:21,373 [http-bio-8443-exec-340] ERROR com.novell.idm.nrf.persist.DirXMLDriverDAO- [RBPM] Error occurred parsing the entitlement configuration XML: cn=EntitlementConfiguration,cn=AD Driver for Groups,cn=DriverSet,o=system
java.lang.StringIndexOutOfBoundsException: String index out of range: 0
Workaround: Add the missing values in the entitlement configuration for the driver. For example, <entitlement data-collection="false" dn="CN=ExchangeMailbox,CN=AD Driver for Groups,CN=DriverSet,O=system" parameter-format="idm4" resource-mapping="true" role-mapping="true">.
Issue: On a Linux server, sometimes Identity Applications report the following error when you log out of the Dashboard.
5082 ERROR_STARTUP_ERROR (unable to write to applicationPath /opt/netiq/idm/apps/sspr/sspr_data)
Workaround: Manually restart Tomcat.
Issue: Sometimes the permission index is not updated if you are bulk importing roles or resources into the Identity Vault. This prevents the User Application's Role or Resource Catalogs from displaying the newly added roles or resources.
Workaround: Perform the following actions:
Stop the Tomcat application server where identity applications are deployed.
Delete the permission index from /apps/tomcat/temp/permindex.
Issue: Notification templates such as notification, email, and provisioning must reside in the Default Notification Collection folder in the Identity Vault’s Security container. If you perform any operations such as requesting permissions in the identity applications in the absence of these templates, the following error is reported in the catalina.out file:
com.netiq.common.i18n.impl.LocalizedResourceResolverNoDefaultFoundException: The resource resolver com.novell.soa.notification.impl.vdx.LocalizedEmailTemplateResolver did not return a resource for the default locale of en. It is required that a resource exist for the default locale.
Workaround: Deploy the required packages for notification, email, and provisioning templates to the Identity Vault.
Open your project in Designer.
In the Outline pane, expand your project.
Select, then click .
Right-click, select , and click .
Issue: When you click the button to add a new application with a logo (image), the following error appears:
Invalid image file uploaded
Workaround: Add the application without an image. Then, edit the newly added application to add an image as follows:
Ensure the user has write permissions for the user home directory.
For example: /home/users/novlua/
Log in to Identity Manager Dashboard and go to.
Click the Manage Applications icon.
Click on the newly added application and add the logo (image).
If the User Application driver fails to establish a connection with the identity applications, the driver fails to process the delete operation and loops infinitely. You can confirm this by looking at the User Application driver startup and trace logs.
This issue typically occurs if the HTTPS certificates used by the identity applications are not available in the User Application driver's certificate store. The default certificate store for the driver is the Java cacerts directory (/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts or <eDirectory install path>\jre\lib\security).
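One way to check for the condition behind this issue and behind the first keystore workaround above, as an added example that is not part of the product documentation: save the keytool -list -v output of each store to a file, then report the User Application certificates whose SHA-256 fingerprint does not appear in the engine's store. The function names, file names, and sample listings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list User Application certificates the engine store lacks,
# comparing SHA-256 fingerprints taken from saved `keytool -list -v` output.

# Print "FINGERPRINT<TAB>alias" for every certificate in a saved listing ($1).
fingerprints() {
    awk '
        { sub(/[ \t\r]+$/, "") }
        /^Alias name:/   { sub(/^Alias name:[ \t]*/, ""); alias = $0 }
        /^[ \t]*SHA256:/ { sub(/^[ \t]*SHA256:[ \t]*/, ""); print toupper($0) "\t" alias }
    ' "$1"
}

# Print aliases from the User Application listing ($1) whose fingerprint is
# not present in the engine listing ($2). No output means nothing is missing.
missing_in_engine() {
    engine_fps=$(fingerprints "$2" | cut -f1)
    tab=$(printf '\t')
    fingerprints "$1" | while IFS="$tab" read -r fp alias; do
        printf '%s\n' "$engine_fps" | grep -qxF -e "$fp" || printf '%s\n' "$alias"
    done
}

# Constructed sample listings (fingerprints shortened, not real certificates).
demo=$(mktemp -d)
cat > "$demo/ua.txt" <<'EOF'
Alias name: ua-tomcat
Entry type: trustedCertEntry
Certificate fingerprints:
         SHA1: 01:02:03:04
         SHA256: AA:BB:CC:01
Alias name: corp-root-ca
Entry type: trustedCertEntry
Certificate fingerprints:
         SHA256: AA:BB:CC:02
EOF
cat > "$demo/engine.txt" <<'EOF'
Alias name: rootca
Entry type: trustedCertEntry
Certificate fingerprints:
         SHA256: aa:bb:cc:02
EOF

missing_in_engine "$demo/ua.txt" "$demo/engine.txt"   # prints: ua-tomcat
```

A certificate reported here is not necessarily a trust failure: the engine can still validate it if the issuing CA is present in its store. Compare fingerprints rather than aliases, because the same certificate can be stored under different aliases in the two keystores.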