5.1 Troubleshooting Drivers

This section describes many of the most common issues that arise in the driver configuration and provides tips for resolving these issues.

5.1.1 Issue: No Identity Vaults Presented on the Identity Vaults Screen

If you look at the Identity Vaults screen in Identity Reporting, you may notice that no Identity Vaults are listed. You will also see an error message at the top of the screen.

Here are some of the possible causes for this problem:

The Data Collection Service driver is not configured or started.
The Data Collection Service driver is configured incorrectly. Here are some things that may be not be properly defined:
- You have specified an invalid user account, account password, or the account does not have sufficient privileges (is not assigned as Report Administrator).
- The reporting connection configuration is wrong.

Here are some troubleshooting tips:

Verify that the Data Collection Service driver is configured and running. To do this:
- Check in iManager that the driver is present and that the driver state is Running. If it is not running, start the driver.
- Check in Designer that the driver configuration points to the reporting services and has a valid account and password configured. If you need to modify the configuration settings, make your changes in Designer. Stop the driver before you redeploy, and start the driver after a successful deployment. NetIQ recommends that you synchronize the driver prior to modifying and redeploying it.
Verify that the identity applications are installed and the Report Administrator role assignment has been processed and assigned to the user account configured in the reporting connection parameters for the Data Collection Service driver.

To verify the role assignment, log into the identity applications with the Role Administrator account. Then, go to the Work Dashboard and look at the list of assigned roles for accounts used by the Data Collection Service driver. If you don’t see the role assigned, verify that the Role and Resource driver has been started.

If the Data Collection Service configuration seems correct, enable DS Trace for the Data Collection Service driver at level 5, and verify that there are no communication or connection errors in the log.

Verify that the Data Collection Service driver is sending registration events to the REST services. The best way to do this is to add the following trace to the idmrptcore_logging.xml file and tail the console log (by using tail -f server.log). You should see trace messages with recognizable DNs, names, and so forth.

<logger name="com.novell.idm.rpt.core.server.events.rptdriver" level="TRACE" additivity="true"/>

5.1.2 Issue: Reports Are Missing Identity Vault Data

If you notice that some of your reports are missing Identity Vault data, you should look at the following list of possible causes:

Report definition is out of date.
The Data Collection Service driver or Identity Reporting is not started.
The Data Collection Service driver was not migrated. If the driver has not been migrated, the objects are not synchronized into the Identity Information Warehouse.
The timeout setting on the Data Collection Service driver is set too high and the events are not immediately propagated into the database. This could appear to be a problem if you don’t wait until the event is sent and processed.
The Data Collection Service driver is not configured correctly. Here are some things to look at:
- Objects are missing from the Filter Policy.
- Objects are not under the Data Collection Service scope.

Here are troubleshooting tips:

Verify that the data missing from the reports is present in the idm_rpt_data schema tables:
- If the data is present in the database, verify that you have the latest report definitions installed. On the detail page of each report is a field showing the data it was built or customized. You need to compare the date on the detail for that report with the data on the download page http://cdn.novell.com’cached/designer/idmrpt/.
- If the data is missing from the database, verify that the Data Collection Service driver is sending events to the REST services and that they are being processed correctly:
  1. Make sure there are no errors in event processing. View the JBoss console log (server.log) and look for errors (for example, grep -i "error" server.log)
  2. If there are no errors, make sure that the events are being received from the Data Collection Service driver.
    
    Add the following trace to the idmrptcore_logging.xml file and tail the console log (by using tail -f server.log). You should see trace messages with recognizable DNs, names, and so forth.
    <logger name="com.novell.idm.rpt.core.server.events.rptdriver" level="TRACE" additivity="true"/>
Verify that the Data Collection Service driver is configured and running:
- Check in iManager to see that the driver was deployed and the driver state is Running.
- Check the following settings for the Data Collection Service driver in iManager:
  - Reporting connection information
  - Reporting access account
  - Data Collection Service driver filter policy
  - Data Collection Service driver scope
  - Data Collection Service driver event processing settings
    
    Look at the Time interval between submitting events and the Number of events to be sent in batch. Set these to lower values for more immediate results.

When you are confident that your configuration is correct, and you still don’t see the expected data populated, you need to check for Data Collection Service driver errors. Check the DS Trace from the driver to see if there are errors:

Check the DS Trace from the driver to see if there are any errors.
Enable the driver trace at level 5.
Delete the old trace file (if one exists) and restart the Data Collection Service driver. (The trace file can become very large.)

5.1.3 Issue: Object Already Exists Error

In your server log (server.log), you may see the following error:

Associated object already exists in database with GUID:...

Here are some common causes for this error:

The Data Collection Service driver was removed and re-added/ When you remove the Data Collection Service driver, you must also refresh the database. Otherwise, the new Data Collection Service driver will attempt to re-add the objects that already exist in the database.
There is an overlap in scope between two Data Collection Service drivers. They are both trying to synchronize objects in the database.

5.1.4 Issue: MSGW Driver is Missing from Identity Vaults Screen

If you see that the Managed System Gateway Driver is missing from the Identity Vaults screen in Identity Reporting, look at the following list of possible causes:

The Managed System Gateway driver has not been configured and deployed.
The Data Collection Service driver is not configured to register the Managed System Gateway driver.
The Data Collection Service driver is not running or cannot connect to Identity Reporting. The connection may fail if the account that the Data Collection Service driver is configured with does not have sufficient privileges, or if the reporting connection information is wrong in the Data Collection Service driver.

Here are some troubleshooting tips:

Verify in iManager that the Managed System Gateway driver is configured and deployed to the Identity Vault.
Verify that the Data Collection Service driver settings are correct:
- In iManager or Designer, verify that the Data Collection Service state is Running.
- In Designer, verify that the Managed System Gateway driver parameter section of the Data Collection Service driver is set to register the Managed System Gateway driver.
- Verify that the reporting connection information is correct in the Data Collection Service driver configuration. Check the connection URL, account, and password.

5.1.5 Issue: Managed System Data is Missing from Reports

If you notice that some of the managed system data is missing from the reports, look at the following list of possible causes:

Reports are not up-to-date.
Pulled data collection has not been activated for the Data Collection Service driver.
The next data collection time is in the future. Data has been changed in the managed system between data collections.
The Managed System Gateway driver is not running.
The Identity Manager driver for the managed system (Active Directory, SAP, and so forth) is not running.
The managed system can be reached by the Identity Manager driver.
The data collection process was suspended because of errors.

Here are some troubleshooting tips:

Check to see if data missing from the report is present in the Identity Information Warehouse.
- The data collection services use the idm_rpt_data schema space. Tables starting with the idmrpt_ms_ prefix are used to store data retrieved from the Managed System Gateway driver.
- If the data is present, verify that the report definitions are up-to-date. Down, import, and rerun the report that is missing data.
Verify that the Managed System Gateway driver is running. Check in iManager to see that the driver is present and the driver state is Running. If it is not running, start the driver and activate the data collection process on the Identity Vaults screen.
Verify that the Managed System Gateway driver is accessible from the machine that Identity Reporting is running on. If Identity Reporting and Identity Manager are not running on the same box, verify that the Managed System Gateway driver configuration references the real IP address, rather than 127.0.0.1 (the default setting).
Verify that the Managed System Gateway connection information is correct.
- In Designer, check the Managed System Gateway Registration section of the Data Collection Service driver.
- Check that the proper configuration information is reflected in the idm_rpt_data.idmrpt_ms_collector table.
```
select * from idm_rpt_data.idmrpt_ms_collector
```
Verify that you can connect to the Managed System Gateway driver and get a response using Poster or the RESTClient Firefox plug-in.
Check the data collection status:
- Log in to Identity Reporting. Then navigate to the Identity Vaults screen and verify the status of data collection for the Managed System Gateway driver.
- If the collection status is Initialized, activate data collection. Then, wait until it completes, and check if the data is present.
- If the collection status is Suspended, see Issue: Status of Data Collection is Suspended for details on what to do.
Verify that the managed system can be reached:
- Check if the Identity Manager driver for the managed system is running.
- Check to see if there are any errors in the log for the Identity Manager driver for the managed system. If there are errors, enable driver trace and reactivate data collection.

5.1.6 Issue: Status of Data Collection is Suspended

You may see that the data collection status is Suspended on the Identity Vaults screen.

In this case, you should look at the following list of possible causes:

The Managed System Gateway driver is not running.
The Managed System Gateway driver has incorrect connection information.
Errors have occurred in collection services for the Data Collection Service driver.

Here are some troubleshooting tips:

Look at the database to see if it provides any clues about what might be causing the suspension:
- The data collection status and failure reasons are stored in the idm_rpt_data.idmrp_ms_collect_state table.
- The Managed System Gateway driver registration is stored in the idm_rpt_data.idmrpt_ms_collector table.
- The Data Collection Service driver registration is stored in the idm_rpt_data.idmrpt_rpt_driver table:
```
select ms_collect_id, ms_query_api, ms_collect_time, ms_collect_error from idm_rpt_data.idmrpt_ms_collect_state where
idm_rpt_data.idmrpt_ms_collect_state.ms_collect_state = FALSE;
```
If you see a failure to connect error:
- Verify that the Managed System Gateway driver is running. In iManager, check that the driver is present and the current status is running. If not, start the driver and activate data collection on the Identity Vaults screen.
- Verify that the Managed System Gateway driver is accessible from the machine that Identity Reporting is running on. If Identity Reporting and Identity Manager are not running on the same server, verify that the Managed System Gateway driver configuration references the real IP address, rather than 127.0.0.1 (the default setting).
  
  Also, check the Managed System Gateway parameter section.
  
  Check that the proper configuration information is reflected in the idm_rpt_data.idmrpt_ms_collector table.
```
select * from idm_rpt_data.idmrpt_ms_collector;
```
- If you see an HTTP status other than 200, verify that you can execute a query from a different tool such as Poster or RESTClient.
If you see other kinds of errors, enable logging and reactive data collection.
- Enable Managed System Gateway driver trace logging at level 5. Delete the old trace file (if one exists) and restart the Data Collection Service driver.
- Enabled pulled Data Collection Service driver trace logging.
  
  Add the following trace to the idmrptcore_logging.xml file and tail the console log (by using tail -f server.log). You should see trace messages with recognizable DNs, names, and so forth.
```
<logger name="com.novell.idm.rpt.core.server.service.DataCollectMgrService" level="TRACE" dditivity="true"/>
<logger name="com.novell.idm.rpt.core.server.dc" level="TRACE" additivity="true"/>
```

5.1.7 Issue: Status 400 Returned for Status Query

You may see a status 400 returned for a status query REST call (/idvdata/results/{requestId}/status Query). This error may occur when you execute a query with a large data set. With a large data set, a query may cause the Managed System Gateway driver to restart, which resets the session, and causes the data collection to fail.

To fix this problem, set the publisher heartbeat interval to zero.

5.1.8 Issue: Driver Errors Occur in Multi-Driver Set Environment

If you see Data Collection Service errors occur in a multiple driver set environment, the cause may be that the driver scope is not correctly configured.

To correct this problem, verify the driver scope settings, and make changes as necessary.