44.5 Troubleshooting General Issues

You might encounter the following issues while working with the identity applications:

44.5.1 Mismatch of Certificates Used by Identity Manager Engine and User Application Causes Code (-9205) Error in vnd.nds.stream

Issue: The Identity Manager drivers use Identity Manager engine’s keystore instead of User Application's keystore to access the User Application. If these components use different certificates, drivers report an error message similar to the following when set at Trace level 5:

DirXML Log Event
Message: Code(-9205) Error in vnd.nds.stream://VAULT/TEST/DRIVERSET1/DRIVER1/Publisher/POLICY#XmlData:133: 
Couldn't request assignment of role: '<Role DN>' to identity: '<User DN>': 
com.novell.nds.dirxml.soap.UserAppClientException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Workaround: Verify that the JRE used by the Identity Manager engine has the required certificate to connect to the User Application. Otherwise, import the certificate from the User Application.

  1. Locate cacerts in the Identity Manager engine directory.

    For example, /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts on Linux.

  2. Determine the certificate used by the User Application.

    1. Navigate to the User Application keystore.

      For example, /opt/netiq/idm/apps/jre/lib/security/cacerts.

    2. List the certificates by running the following command from the command line:

      keytool -list -v -keystore cacerts

  3. (Conditional) If you have access to the certificate, import the certificate into Identity Manager engine’s cacerts directory by running the following command:

    keytool -import -alias <newalias> -keystore cacerts -file certificate.der

  4. (Conditional) If you do not have access to the certificate, export the certificate from the User Application’s cacerts directory, and then import the certificate into Identity Manager engine’s cacerts directory.

  5. Restart the Identity Vault.

44.5.2 User Application Driver Fails to Communicate with the User Application Server on a Secured Connection

Issue: The User Application driver fails to communicate with the User Application server and returns a retry status error. This issue may occur if one of the following conditions is true:

  • You are using Java 1.7.x in your environment.

  • The User Application driver does not have the certificate required for the connection.

Workaround: Perform the following actions:

  • Manually update your current Java version to version 1.8 Update 92 or later.

  • Import the certificates from User Application into Identity Manager engine's JRE directory for use by the User Application driver. If your User Application server is protected by NetIQ Access Manager or a load balancer, add the certificates from Access Manager or the load balancer into Identity Manager engine's JRE directory.

44.5.3 Entitlement Configuration Error During Codemap Refresh

Issue: When a new resource is created in a driver, the resource is not added to the User Application after running the code map refresh for the driver. One of the reasons that can cause this issue is missing value of some of the parameters in the entitlement configuration of the driver. For example, <entitlement data-collection="false" dn="CN=ExchangeMailbox,CN=AD Driver for Groups,CN=DriverSet,O=system" parameter-format="" resource-mapping="" role-mapping="">.

User Application reports the following error in the catalina.out file:

2017-11-03 15:55:21,373 [http-bio-8443-exec-340] ERROR com.novell.idm.nrf.persist.DirXMLDriverDAO- [RBPM] Error occurred parsing the entitlement configuration XML: cn=EntitlementConfiguration,cn=AD Driver for Groups,cn=DriverSet,o=system
java.lang.StringIndexOutOfBoundsException: String index out of range: 0

Workaround: Add the missing values in the entitlement configuration for the driver. For example, <entitlement data-collection="false" dn="CN=ExchangeMailbox,CN=AD Driver for Groups,CN=DriverSet,O=system"parameter-format="idm4" resource-mapping="true" role-mapping="true">.

44.5.4 Error After Logging Out of the Dashboard on Linux

Issue: On a Linux server, sometimes Identity Applications report the following error when you log out of the Dashboard.

5082 ERROR_STARTUP_ERROR (unable to write to applicationPath /opt/netiq/idm/apps/sspr/sspr_data)

Workaround: Manually restart Tomcat.

44.5.5 Bulk Import of Roles and Resources May Not Update the Permission Index

Issue: Sometimes permission index is not updated if you are bulk importing roles or resources into the Identify Vault. This prevents the User Application's Role or Resource Catalogs to display the newly added roles or resources.

Workaround: Perform the following actions:

  1. Stop the Tomcat application server where identity applications are deployed.

  2. Delete the permission index from /apps/tomcat/temp/permindex.

  3. Restart Tomcat.

44.5.6 Absence of Notification Templates Causes Workflow Error

Issue: Notification templates such as notification, email, and provisioning must reside in the Default Notification Collection folder in Identity Vault’s Security container. If you perform any operations such as request permissions in the identity applications in absence of these templates, the following error is reported in the catalina.out file:

com.netiq.common.i18n.impl.LocalizedResourceResolverNoDefaultFoundException: The resource resolver com.novell.soa.notification.impl.vdx.LocalizedEmailTemplateResolver did not return a resource for the default locale of en. It is required that a resource exist for the default locale.

Workaround: Deploy the required packages for notification, email, and provisioning templates to the Identity Vault.

  1. Open your project in Designer.

  2. In the Outline pane, expand your project.

  3. Right-click Default Notification Collection.

  4. Select Add All Templates.

  5. Select Overwrite Existing Templates, then click OK.

  6. Right-click Default Notification Collection, select Live, and click Deploy.

  7. Click OK to deploy.

44.5.7 Error Occurs When You Add a New Application With a Logo

Issue: When you click the Add button to add a new application with a logo (image), the following error appears:

Invalid image file uploaded

Workaround: Add the application without an image. Then, edit the newly added application to add an image as follows:

  1. Ensure the user has write permissions for user home directory.

    For example: /home/users/novlua/

  2. Log in to Identity Manager Dashboard and go to Applications.

  3. Click Manage Applications icon.

  4. Click Edit on the newly added application and add the logo (image).

  5. Click Save.

44.5.8 User Application Driver Fails to Process Delete Events

If the User Application driver fails to establish a connection with the identity applications, the driver fails to process the delete operation and loops infinitely. You can confirm this by looking at the User Application driver startup and trace logs.

This issue typically occurs if the https certificates used by the identity applications are not available in the User Application driver's certificate store. The default certificate store for the driver is the Java cacerts directory (/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts or <eDirectory install path>\jre\lib\security).

44.5.9 Identity Applications Login Failure While Attempting to Contact the Authentication Service

If you are using custom certificates for authentication in a distributed environment where Identity Engine is running in one server and Identity Applications in another server, your Identity Applications will fail to connect to the OSP and consequently you will not be able to login to Identity Applications. You will see the following error:

ERROR [com.netiq.idm.auth.oauth.OAuthRestFilter] (https-jsse-nio-8543-exec-1) [RBPM] An error occurred while attempting to contact the authentication service.

In case of Kubernetes environment, resolve this issue by performing the following actions:

  1. Stop tomcat.

  2. Go to the setenv.sh file located in tomcat directory under the idm/apps. For example,

    • Linux: /opt/netiq/idm/apps/tomcat/bin/setenv.sh

    • Windows: C:\NetIQ\idm\apps\tomcat\bin\setenv.bat

  3. Add the property -Dcom.sun.net.ssl.checkRevocation=false in JAVA_OPTS as:

    export JAVA_OPTS="-Dcom.sun.net.ssl.checkRevocation=false"

    Alternatively, you can set JAVA_OPTS="-Dcom.sun.net.ssl.checkRevocation=false"

  4. Start tomcat.

44.5.10 Searching an Entity With a Combination of String and Integer Value Is Not Supported

Issue: For a custom entity, while searching for an integer type attribute, the valid search inputs are either a string or an integer. For example, * or 1 or 123 etc. A combination of both in a search entity throws an error because LDAP server does not support such filters for integer attributes.

For example, while searching for an integer type attribute, you can use either * or an integer (such as 1) as search input. You cannot search on values such as a1 or 1* etc.

Workaround: There is no workaround at this moment.

44.5.11 Searching an Entity with Substring Value for DN Attribute Is Not Supported

Issue: For a custom entity, while searching for the DN type attribute, the valid search inputs are either full DN or searching using *. However, providing substring value in the search entity will throw an error because LDAP server does not support such filters for DN attribute.

For example, while searching for a DN type attribute, you can use either * or full DN (such as cn=alison,o=data) as search input. You cannot search on substring values such as alison etc.

Workaround: There is no workaround at this time.

44.5.12 Unable to Change the Availability Status in the Availability Settings Page

Issue: When you delegate all your requests to an assigned delegate (delegated user) in your organization, the Identity Applications fails to list the PRD in the Availability Settings page and displays the following error when you try to change your availability status:

An error occurred while fetching the prds

This issue can be observed in one scenario when the Identity Applications 4.8 version is installed for the first time and other when you upgrade Identity Applications from 4.8 to 4.8.1 version. Upgrading from a prior version of Identity Applications does not display any error.

Workaround: To resolve this issue, create a new Provisioning Request Definition (PRD) and assign the trustee rights to the required user or data container to access the PRD. For more information, see Creating a Provisioning Request Definition in the NetIQ Identity Manager - Administrator’s Guide to Designing the Identity Applications.

44.5.13 Workflow Forms for Three Steps Parallel Approval Process is Not Loading in the Workflow Wizard

Issue: While adding workflow to a role or resource using the Workflow wizard, when you select three steps, parallel approval workflow, the request form is not loading in the browser. This issue is specific to Identity Manager 4.8.1.

Workaround: To resolve this issue, perform the following actions:

  1. Open your project in Designer.

  2. In the Outline view, right-click the User Application Driver and select Properties.

  3. Select Packages from the navigation menu.

  4. Perform one of the following procedures as required:

    If theCreate Workflow Templates package is already installed, then:

    1. Run a package update check to ensure that the package installed in your Designer is the latest supported version. A green tick mark in the Available Upgrades check box indicates that a new version of the package is available for upgrade. Click on the Operation drop-down menu and select Upgrade.

      NOTE:1.1.0.20200316113624 is the latest version of Create Workflow Templates package supported in Designer.

    2. From a list of available packages, select the 1.1.0.20200316113624 radio button.

    3. Click OK.

    If the Create Workflow Templates package is not installed, then:

    1. Click to add a new package.

    2. From the list of available packages, select the Create Workflow Templates check box and click OK.

  5. Click Apply.

  6. Confirm the installation task by clicking Finish.

  7. Click OK to close the window.

44.5.14 New Request Page Not Listing Users in the Recipients Field

Issue: If User Search Lookup Attribute in the Settings page includes the CN attribute, the New Request page is not listing users under the Users tab in the Recipients field while requesting permissions for others.

Workaround: To resolve this issue, perform the following actions:

  1. Create a new CN attribute in the Directory Abstraction Layer with Key value as cn under the User entity. For more information on how to add attributes using Designer, see Adding Attributes in the NetIQ Identity Manager - Administrator’s Guide to Designing the Identity Applications.

  2. Log in to the Identity Applications Dashboard as an Administrator.

  3. Go to Settings > Customization option and select the newly created CN attribute in the User Search Lookup Attribute field.

  4. Click Save.

44.5.15 Advanced Search for User Entities Displaying an Error When the Search Attribute Contains a Hyphen

Issue: In Designer, when you add an attribute for the user entity in the directory abstraction layer, that attribute can be added in the advanced search option to search for a user in the Dashboard. However, if you define the attribute with a hyphen in the key value, the application throws an error while searching using that attribute. This issue occurs because the Dashboard does not treat hyphen as a valid character while performing advanced searches.

Workaround: There is no workaround at this time.

44.5.16 Unable to Search for Users While Requesting For Permissions on Behalf of Others

Issue: When requesting permissions for others, team managers and administrative users are unable to search for users on the New Request page. This occurs when the User Search Lookup Attribute or User Search Default Attribute includes custom (non-default) attributes on the Settings page. This issue is specific to Identity Manager 4.8.x, where x = 0, 1, and 2.

Workaround: To resolve this issue, modify the trustee rights of individual users with team manager or administrative user roles in Identity Applications as described below:

  1. Log in to iManager as an administrator.

  2. Click the View Objects option.

  3. In the Tree tab, click data.

  4. Select the check box corresponding to the desired user name.

  5. Go to Actions > Modify Trustees.

  6. Click Assigned Rights option corresponding to the selected user name.

  7. Click Add Property > [All Attributes Rights] > OK.

  8. The user is assigned compare and read permissions by default. Assign additional rights as necessary.

  9. Click Done.

  10. Select OK or Apply to save the changes to the directory.

You can also change the trustee rights for all users under the users.data trustee name. Click data > users > (current level) check box in the Tree tab, then proceed to Step 5 through Step 10 in the procedure above.

44.5.17 Entities Display Extended Characters Incorrectly in Dashboard

Issue: While requesting permissions through the Identity Manager Dashboard, if a user enter extended characters such as ö, ä, ü (German umlauts) in the request form, the Identity Applications will not display those characters appropriately on the Users page. This issue is specific to Identity Manager 4.8.

Workaround: Follow the steps below to configure Identity Applications to use the UTF-8 character set for identifying all characters, punctuations, and symbols.

  1. Log in to the Identity Applications server.

  2. Stop Tomcat.

  3. Navigate to the C:\NetIQ\idm\apps\tomcat\conf\ folder.

  4. Open the web.xml file in a text editor and add the following line:

    <request-character-encoding>UTF-8</request-character-encoding>

  5. Start Tomcat.

44.5.18 Workflow Legacy Forms Displaying Errors After Upgrading to Identity Manager 4.8.5 Version

Issue: After upgrading to Identity Manager 4.8.5, workflow forms on the Identity Manager user interface is displaying errors. This issue is only observed in the legacy forms. For example, when one of the fields in the request form uses the outdated .size() function, the following error message is displayed:

Field 1: An error 'TypeError: $(...).size is not a function' was encountered while executing the script '$('#_Field0').val("Size: " + $( "li" ).size() ):'

This issue applies to Identity Manager 4.8.5 or later.

Workaround: Legacy form is updated in this release to use jQuery 3.5.1. As a result, existing forms that use outdated functions from previous jQuery versions may display errors after upgrading. Deprecated functions, however, may not throw an error and are still valid.

To resolve this issue, we recommend that you remove the outdated and deprecated functions from existing forms and replace them with valid jQuery functions. You can perform this operation in Designer by using the ECMA Expression Builder. The ECMA Expression builder can be accessed via the scripts section of a form or the properties tab of a form field. After saving the form, ensure that the provisioning request definition is deployed.

The following table lists the valid jQuery functions to use in place of the deprecated and outdated functions:

Replace

With jQuery functions

Deprecated functions

jQuery.parseJSON()

JSON.parse()

jQuery.isArray()

Array.isArray()

For a list of all deprecated jQuery functions between jQuery version 2.0.3 and 3.5.1, see https://api.jquery.com/category/deprecated/.

Outdated functions

.andSelf()

.addBack()

.error( handler)

.on("error", handler)

.load( handler)

.on("load", handler)

.context

No replacement

.size()

.length

.unload( handler)

.on("unload", handler)

For a list of all functions no longer supported between jQuery version 2.0.3 and 3.5.1, see https://api.jquery.com/category/removed/.

44.5.19 Identity Applications Reports ExceptionInInitializerError When Clustering is Enabled in the Cluster Cache Configuration

Issue: The Cluster Enabled option in the Cluster Cache Configuration global settings does not work when its value is changed to true. Identity Applications encounters a null pointer exception while attempting to locate the system language and country properties resulting in an ExceptionInInitializerError which gets logged in the catalina.out file. This issue is observed when Identity Manager is installed on Azure and Amazon Web Services (AWS) cloud platforms.

Workaround: To resolve this error, you must ensure that the "-Duser.language" and "-Duser.country" properties are set. You can include these Java properties in the /opt/netiq/idm/apps/tomcat/bin/setenv.sh file.

For example, -Duser.language=en -Duser.country=US

(This will set the language to English and the country to the United States of America.)

Alternatively, you can resolve the error by adding -Djgroups.use.jdk_logger=true as java_opt(s) to the /opt/netiq/idm/apps/tomcat/bin/setenv.sh file.

44.5.20 Dashboard Does Not Display Objects With Certain Special Characters in their Names, IDs, or Descriptions

Issue: When creating a new role, resource, user, or group on Dashboard, certain special characters are not allowed in the Name, ID, and Description fields. However, there is no validation check if these objects are created in Identity Vault via a connected system. If the object, such as a role, contains a backslash (\) not permitted in Identity Applications, the catalina.out log file will display the following exception:

Java.lang.IllegalArgumentException: Not a valid attribute string value:FI\CO,improper usage of backslash at javax.naming.ldap.Rdn.unescapeValue(Rdn.java:654)at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:118)at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:70)at javax.naming.ldap.LdapName.parse(LdapName.java:785)at javax.naming.ldap.LdapName.<init>(LdapName.java:123)javax.naming.InvalidNameException: Invalid name: cn=r12_employee helpdesk, vision operations : cs,cn=level10,cn=roledefs,cn=roleconfig,cn=appconfig,cn=user application driver,cn=driverset,ou=services,o=bimbo      at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:111)      at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:74)      at javax.naming.ldap.LdapName.parse(LdapName.java:785)      at javax.naming.ldap.LdapName.<init>(LdapName.java:123)

Workaround: Remove any invalid characters from the object’s name, ID, or description, then restart Tomcat in the Identity Applications server.

IMPORTANT:

  • Do not use the following special characters in the ID field: < ; \ " + # = / | * ~ ' ! @ $ %

  • Do not use the following special characters in the Name field: < ; \ " + # / | * ~

  • Do not use the following special characters in the Description field: | ~

44.5.21 Workflow Forms Hang While Loading

Issue: The application is unable to load some workflow forms. The following error is reported in the NGINX error.log file: upstream prematurely closed connection while reading response header from upstream. This issue happens when the IGAFormRenderer, which is launched by the NGINX service, exceeds the maximum number of TCP connections allowed on the server. This issue applies to Identity Manager 4.8.5 or later.

Workaround: This issue is related to the server’s ulimit settings. Navigate to the /etc/init.d/netiq-golang.sh file on the application server and add the "ulimit -n 4096" line as shown in the following sample, followed by the NGINX service restart:

#!/bin/bash
. gettext.sh
TEXTDOMAIN=install
export TEXTDOMAIN
TEXTDOMAINDIR=/opt/netiq/idm/uninstall_data/common/locale/
export TEXTDOMAINDIR
case $1 in
start)
str1=`gettext install "Starting IGA form renderer backend."`
echo $str1
ulimit -n 4096
(/opt/netiq/idm/apps/sites/IgaFormRenderer.sh -config /opt/netiq/idm/apps/sites/config.ini -golangPort 3000 start &> /dev/null) &
;;

44.5.22 Configuring Full Name Attribute for the Default Full Name Pattern Does Not Work in Dashboard

Issue: To customize how user names are displayed in Dashboard, you can set several attributes for the Default Full Name Pattern in Designer, including CN, EMail Address, displayName, Full Name, Given Name, Surname, and Description. However, when you configure the Full Name attribute, the functionality does not work on certain pages, specifically the Permission of others page, where the Dashboard fails to display user’s full name in the search result. This issue applies to Identity Manager 4.8.2 or later.

Workaround: After setting the Full Name attribute in the user entity’s Default Full Name Pattern, you must add the attribute property to the EntityDefs object in iManager or Designer. To resolve this issue, perform the following steps in iManager:

  1. Log in to iManager.

  2. In Objects tab, browse to Driver Set > User Application Driver > AppConfig > DirectoryModel > EntityDefs and select sys-nrf-user-group-container.

  3. In the Valued Attributes list, select XmlData and click Edit.

  4. In the Edit Attribute window, search for <attribute>...</attribute> tag and add the following tag for the Full Name attribute:

    <attribute
            editable="true" enabled="true" hideable="false"
            multivalue="true" protected="false" readable="true"
            required="false" searchable="true"
                viewable="true">
<key>FullName</key>
<ldap-name>fullName</ldap-name>
<nds-name>Full Name</nds-name>
<display
            xml:lang="en">
<label>Full Name</label>
</display>
<type>String</type>
</attribute>

  5. Click OK, the click OK again.

  6. Restart the User Application driver.