17.3 Troubleshooting the User Application and Identity Reporting

The following table lists the issues you might encounter and the suggested actions for working on these issues. If the problem persists, contact your NetIQ representative.

Issue

Suggested Actions

If the LDAP server name in the certificate subject differs from the one in the application configuration, the Identity Applications fail to connect to the Identity Vault after you upgrade Identity Manager. This issue is observed from Identity Manager 4.7.1.1 onwards.

Identity Manager 4.7.1.1 uses Java version 1.8.0_181. From this version onwards, Java enables endpoint identification on LDAPS connections, which requires that the server name you specify when connecting to the Identity Manager server is the same as the server name returned in the certificate. If the server names differ, perform the following steps:

  1. Navigate to the /opt/netiq/idm/apps/configupdate directory.

  2. Run the following command to launch the Configuration Update utility.

    ./configupdate.sh

  3. Navigate to the User Application tab, click Identity Vault server, and change the server name to the one specified in the LDAP server certificate subject.

    This action will update the DirectoryService/realms/jndi/params/AUTHORITY property in the ism-configuration.properties file.

  4. Click OK.
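The check behind this issue, as an added example that is not part of the original documentation or of the NetIQ product: it reads the host from the AUTHORITY property, compares it with the names in the server certificate the way Java's endpoint identification does, and can also perform a live LDAPS handshake with hostname verification switched on. The property line and the host name are constructed samples.

```python
import socket
import ssl
from typing import Iterable, Optional
from urllib.parse import urlsplit

AUTHORITY_KEY = "DirectoryService/realms/jndi/params/AUTHORITY"

# Constructed sample of the property that the Configuration Update utility
# rewrites (hypothetical host; not taken from a real installation).
SAMPLE_PROPERTIES = AUTHORITY_KEY + " = ldaps://idvault:636\n"

def configured_ldap_host(properties_text: str) -> Optional[str]:
    """Return the host part of the AUTHORITY URL, or None if the key is absent."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == AUTHORITY_KEY:
            value = value.strip()
            if "://" not in value:          # tolerate a bare host:port value
                value = "ldaps://" + value
            return urlsplit(value).hostname
    return None

def name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125 style comparison as Java endpoint identification applies it:
    an exact match, or a single '*' standing for the left-most label only."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        return host.endswith(cert_name[1:]) and host.count(".") == cert_name.count(".")
    return False

def config_matches_certificate(properties_text: str, cert_names: Iterable[str]) -> bool:
    """True when the configured host matches a SAN DNS name or the CN of the certificate."""
    host = configured_ldap_host(properties_text)
    return host is not None and any(name_matches(n, host) for n in cert_names)

def live_check(host: str, port: int = 636) -> Optional[str]:
    """LDAPS handshake with hostname checking on, as Java 8u181+ does. Returns None
    on success, else the verification error. Trust roots come from the OS store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return str(exc)
```

If config_matches_certificate returns False for the names in your Identity Vault certificate, the configured host is the value to change in step 3 above.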

When Identity Applications and Identity Reporting are installed on the same server and you make configuration changes using the configuration update utility located in the <reporting install folder>/bin directory, the Identity Manager Dashboard fails to launch. The following error is reported in the Tomcat catalina.out log file:

EboPortalBootServlet [RBPM] +++++WARNING!!!!: This portal application context, IDMProv, does not match the portal.context property set in the PortalService-conf/config.xml file. Only one portal per database is allowed. Data has been loaded using the previous portal context. To correct this you must revert back to the previous portal name of, NoCacheFilter, please consult the documentation.

For any configuration changes, use the configuration update utility located in the /opt/netiq/idm/apps/configupdate/ directory.

If Identity Applications and Identity Reporting are installed on the same server and CEF auditing is enabled through the configuration update utility (configupdate.sh), both components fail to launch.

NOTE: This issue is not observed when Identity Applications and Identity Reporting are installed on different servers.

Perform the following steps to work around this issue:

  1. Navigate to the /opt/netiq/idm/apps/tomcat/conf directory, which contains the ism-configuration.properties and idmrptcore_logging.xml files.

  2. Open the ism-configuration.properties and idmrptcore_logging.xml files for editing.

  3. Change the value of com.netiq.ism.audit.cef.protocol in ism-configuration.properties and the value of the <protocol> element in idmrptcore_logging.xml from tcp to TCP.

  4. Ensure that the novlua user has permissions on the intermediate cache directory; otherwise you cannot access the Identity Applications. To change the ownership of the directory, run chown -R novlua:novlua /<directorypath>, where <directorypath> is the path of the intermediate cache directory.

  5. Restart Tomcat.
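An added example, not NetIQ's own tooling, that automates steps 3 and 4 above: it rewrites only the two values named in step 3 in ism-configuration.properties and idmrptcore_logging.xml, keeps a backup of each file it changes, and confirms that the intermediate cache directory is owned by novlua. The file contents are constructed samples, and the cache path is whatever your installation uses.

```python
import os
import re
from typing import Callable, Tuple

PROPERTY_KEY = "com.netiq.ism.audit.cef.protocol"

# Constructed samples standing in for the two files under
# /opt/netiq/idm/apps/tomcat/conf (not copied from a real installation).
SAMPLE_PROPERTIES = PROPERTY_KEY + " = tcp\nsome.other.key = tcp\n"
SAMPLE_XML = "<cef>\n  <protocol>tcp</protocol>\n</cef>\n"

def fix_properties_protocol(text: str) -> Tuple[str, bool]:
    """Step 3 for ism-configuration.properties: change only the value of
    com.netiq.ism.audit.cef.protocol from tcp to TCP. Returns (text, changed)."""
    pattern = re.compile(r"^([ \t]*" + re.escape(PROPERTY_KEY) + r"[ \t]*=[ \t]*)tcp[ \t]*$",
                         re.MULTILINE)
    new_text, count = pattern.subn(r"\1TCP", text)
    return new_text, count > 0

def fix_xml_protocol(text: str) -> Tuple[str, bool]:
    """Step 3 for idmrptcore_logging.xml: change <protocol>tcp</protocol> to TCP."""
    pattern = re.compile(r"(<protocol>\s*)tcp(\s*</protocol>)")
    new_text, count = pattern.subn(r"\1TCP\2", text)
    return new_text, count > 0

def rewrite_file(path: str, fixer: Callable[[str], Tuple[str, bool]]) -> bool:
    """Apply a fixer in place, keeping a .bak copy; returns whether anything changed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_text, changed = fixer(original)
    if changed:
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed

def cache_dir_owned_by(path: str, user: str = "novlua") -> bool:
    """Step 4: every file and directory under the intermediate cache path must be
    owned by the Tomcat service user (novlua), or the Identity Applications are
    not reachable."""
    import pwd  # Unix only, matching the Linux paths used in this procedure
    uid = pwd.getpwnam(user).pw_uid
    for root, _dirs, files in os.walk(path):
        for entry in [root] + [os.path.join(root, f) for f in files]:
            if os.stat(entry).st_uid != uid:
                return False
    return True
```

Run rewrite_file on both files in /opt/netiq/idm/apps/tomcat/conf with the matching fixer, then restart Tomcat as in step 5.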

If Identity Applications and Identity Reporting are installed on the same server and you choose Startup as the database creation option, some exceptions appear in the log.

To clear the exceptions, manually restart Tomcat.

If your existing Identity Applications or Identity Reporting configuration was set up without ports and you upgrade to Identity Manager 4.7, the IP address and ports shown under the Authentication and SSO Clients tabs in the configuration update utility display incorrect values.

After you upgrade Identity Applications and Identity Reporting to version 4.7, perform the following steps:

  1. Navigate to the /opt/netiq/idm/apps/configupdate directory.

  2. Run the following command:

    ./configupdate.sh

  3. In the Authentication tab, specify the correct IP address and port in the OAuth server host identifier and OAuth server TCP port fields respectively.

  4. In the SSO Clients tab, ensure that the URLs for IDM Administrator, Reporting, and IDM Data Collection Services are in the correct format.

  5. Restart Tomcat.

You want to modify one or more of the following User Application configuration settings created during installation:

  • Identity Vault connections and certificates

  • E-mail settings

  • Identity Manager Engine User Identity and User Groups

  • Access Manager or iChain settings

Run the configuration update utility independently of the installer.

Linux: Run the following command from the installation directory (by default, /opt/netiq/idm/apps/configupdate/):

./configupdate.sh

Starting Tomcat causes the following exception:

port 8180 already in use

Shut down any instance of Tomcat (or other server software) that might already be running. If you reconfigure Tomcat to use a port other than 8180, edit the configuration settings for the User Application driver accordingly.

When Tomcat starts, the application reports that it cannot find trusted certificates.

Ensure that you start Tomcat by using the JDK specified during the installation of the User Application.

Cannot log in to the portal admin page.

Ensure that the User Application Administrator account exists. This account is not the same as your iManager administrator account.

Cannot create new users even with the administrator account.

The User Application Administrator must be a trustee of the top container and should have Supervisor rights. You can try setting the User Application Administrator’s rights equivalent to the LDAP Administrator’s rights (using iManager).

Starting application server throws keystore errors.

Your application server is not using the JDK specified during the installation of the User Application.

Use the keytool command to import the certificate file:

keytool -import -trustcacerts -alias aliasName -file certFile -keystore ..\lib\security\cacerts -storepass changeit

  • Replace aliasName with a unique name of your choice for this certificate.

  • Replace certFile with the full path and name of your certificate file.

  • The default keystore password is changeit (if you have a different password, specify it).

Email notifications are not sent.

Run the configupdate utility to check whether you supplied values for the following User Application configuration parameters: Email From and Email Host.

Linux: Run the following command from the installation directory (by default, /opt/netiq/idm/apps/UserApplication/):

./configupdate.sh