You might encounter the following issues while working with the identity applications:
Issue: The Identity Manager drivers use Identity Manager engine’s keystore instead of User Application's keystore to access the User Application. If these components use different certificates, drivers report an error message similar to the following when set at Trace level 5:
DirXML Log Event
Message: Code(-9205) Error in vnd.nds.stream://VAULT/TEST/DRIVERSET1/DRIVER1/Publisher/POLICY#XmlData:133: Couldn't request assignment of role: '<Role DN>' to identity: '<User DN>': com.novell.nds.dirxml.soap.UserAppClientException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Workaround: Verify that the JRE used by the Identity Manager engine has the required certificate to connect to the User Application. Otherwise, import the certificate from the User Application.
Locate cacerts in the Identity Manager engine directory.
For example, /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts on Linux.
Determine the certificate used by the User Application.
Navigate to the User Application keystore.
For example, /opt/netiq/idm/apps/jre/lib/security/cacerts.
List the certificates by running the following command from the command line:
keytool -list -v -keystore cacerts
(Conditional) If you have access to the certificate, import the certificate into the Identity Manager engine’s cacerts keystore by running the following command:
keytool -import -alias <newalias> -keystore cacerts -file certificate.der
(Conditional) If you do not have access to the certificate, export the certificate from the User Application’s cacerts keystore, and then import it into the Identity Manager engine’s cacerts keystore.
Restart the Identity Vault.
Issue: The User Application driver fails to communicate with the User Application server and returns a retry status error. This issue may occur if one of the following conditions is true:
You are using Java 1.7.x in your environment.
The User Application driver does not have the certificate required for the connection.
Workaround: Perform the following actions:
Manually update your current Java version to version 1.8 Update 92 or later.
Import the certificates from User Application into Identity Manager engine's JRE directory for use by the User Application driver. If your User Application server is protected by NetIQ Access Manager or a load balancer, add the certificates from Access Manager or the load balancer into Identity Manager engine's JRE directory.
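As an added example (not part of the NetIQ documentation), the following POSIX shell script automates the check-and-import procedure for both issues above: it confirms that a certificate alias from the User Application keystore is present in the Identity Manager engine's cacerts and, if not, exports it from the User Application keystore and imports it. The two keystore paths are the defaults quoted above; the alias names, the environment variable names and the keystore password (Java's default `changeit`) are assumptions. The same function works for the Access Manager or load balancer certificate mentioned in the second issue, given its alias.

```shell
#!/bin/sh
# Added example, not NetIQ code: copy the User Application certificate into the
# Identity Manager engine's cacerts so the engine JRE (and the User Application
# driver running in it) trusts the User Application's TLS certificate.
# Paths are the defaults named in the documentation; the keystore password
# (Java's default "changeit") and the variable names are assumptions.

ENGINE_CACERTS="${ENGINE_CACERTS:-/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts}"
UA_CACERTS="${UA_CACERTS:-/opt/netiq/idm/apps/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# cert_present KEYSTORE ALIAS -> exit 0 if ALIAS exists in KEYSTORE, 1 otherwise
cert_present() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

# cert_fingerprint KEYSTORE ALIAS -> prints the certificate's SHA-256 fingerprint
cert_fingerprint() {
    keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null \
        | grep 'SHA256:' | head -n 1 | sed 's/^[[:space:]]*SHA256:[[:space:]]*//'
}

# sync_cert SRC_KEYSTORE DST_KEYSTORE ALIAS
# Exports ALIAS from SRC_KEYSTORE as DER and imports it into DST_KEYSTORE under
# the same alias. Exit 0 when DST_KEYSTORE holds the same certificate as
# SRC_KEYSTORE afterwards (freshly imported or already present), 1 otherwise.
sync_cert() {
    src="$1"; dst="$2"; name="$3"
    if ! cert_present "$src" "$name"; then
        echo "alias '$name' not found in $src" >&2
        return 1
    fi
    if cert_present "$dst" "$name"; then
        # Alias already there: accept only if it is the same certificate, so a
        # renewed User Application certificate is not silently left stale.
        if [ "$(cert_fingerprint "$src" "$name")" = "$(cert_fingerprint "$dst" "$name")" ]; then
            return 0
        fi
        echo "alias '$name' in $dst has a different fingerprint; remove it with 'keytool -delete' and rerun" >&2
        return 1
    fi
    tmp="$(mktemp)" || return 1
    if keytool -exportcert -keystore "$src" -storepass "$STOREPASS" -alias "$name" -file "$tmp" >/dev/null 2>&1 \
       && keytool -importcert -noprompt -keystore "$dst" -storepass "$STOREPASS" -alias "$name" -file "$tmp" >/dev/null 2>&1
    then
        rm -f "$tmp"
        cert_present "$dst" "$name"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Typical invocation; restart the Identity Vault afterwards, as the steps above say.
# sync_cert "$UA_CACERTS" "$ENGINE_CACERTS" userapp-cert
```

The fingerprint comparison is the part worth keeping even if you import by hand: a stale entry under the expected alias passes a plain `keytool -list` check but still produces the same `PKIX path building failed` handshake error.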
Issue: When a new resource is created in a driver, the resource is not added to the User Application after running the code map refresh for the driver. One cause of this issue is missing values for some of the parameters in the entitlement configuration of the driver. For example, <entitlement data-collection="false" dn="CN=ExchangeMailbox,CN=AD Driver for Groups,CN=DriverSet,O=system" parameter-format="" resource-mapping="" role-mapping="">.
The User Application reports the following error in the catalina.out file:
2017-11-03 15:55:21,373 [http-bio-8443-exec-340] ERROR com.novell.idm.nrf.persist.DirXMLDriverDAO- [RBPM] Error occurred parsing the entitlement configuration XML: cn=EntitlementConfiguration,cn=AD Driver for Groups,cn=DriverSet,o=system
java.lang.StringIndexOutOfBoundsException: String index out of range: 0
Workaround: Add the missing values in the entitlement configuration for the driver. For example, <entitlement data-collection="false" dn="CN=ExchangeMailbox,CN=AD Driver for Groups,CN=DriverSet,O=system" parameter-format="idm4" resource-mapping="true" role-mapping="true">.
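An added check, not from the NetIQ documentation, that finds such empty or missing attributes before you run the code map refresh. It assumes you have saved the driver's EntitlementConfiguration XML to a file and that each `<entitlement ...>` start tag sits on a single line, as in the example above; the function names are my own.

```shell
#!/bin/sh
# Added example, not NetIQ code: scan an exported EntitlementConfiguration XML
# for <entitlement> elements whose parameter-format, resource-mapping or
# role-mapping attribute is empty or absent, the condition the documentation
# names as a cause of the StringIndexOutOfBoundsException in catalina.out.
# Assumes each <entitlement ...> start tag sits on one line (as in the example above).

# entitlement_config_problems FILE
# Prints one line per problem in the form "<dn>: <attribute> is empty|missing".
entitlement_config_problems() {
    grep -o '<entitlement [^>]*>' "$1" | while IFS= read -r tag; do
        dn=$(printf '%s\n' "$tag" | sed -n 's/.*[[:space:]]dn="\([^"]*\)".*/\1/p')
        for attr in parameter-format resource-mapping role-mapping; do
            case "$tag" in
                *" $attr=\"\""*) printf '%s: %s is empty\n' "$dn" "$attr" ;;
                *" $attr=\""*)   : ;;   # attribute present with a value
                *)               printf '%s: %s is missing\n' "$dn" "$attr" ;;
            esac
        done
    done
}

# check_entitlement_config FILE -> exit 0 if the file is clean, 1 if problems
# were found (they are printed so you know which <entitlement> to fix).
check_entitlement_config() {
    problems=$(entitlement_config_problems "$1")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Usage: check_entitlement_config entitlement-configuration.xml
```

Run it against the exported XML of every driver whose resources are not appearing; each reported DN is an entitlement whose start tag needs the missing value filled in as in the workaround above.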
Issue: On a Linux server, sometimes Identity Applications report the following error when you log out of the Dashboard.
5082 ERROR_STARTUP_ERROR (unable to write to applicationPath /opt/netiq/idm/apps/sspr/sspr_data)
Workaround: Manually restart Tomcat.
Issue: Sometimes the permission index is not updated when you bulk import roles or resources into the Identity Vault. This prevents the User Application's Role or Resource Catalog from displaying the newly added roles or resources.
Workaround: Perform the following actions:
Stop the Tomcat application server where identity applications are deployed.
Delete the permission index from /apps/tomcat/temp/permindex.
Issue: Notification templates such as notification, email, and provisioning must reside in the Default Notification Collection folder in the Identity Vault’s Security container. If you perform any operation such as requesting permissions in the identity applications in the absence of these templates, the following error is reported in the catalina.out file:
com.netiq.common.i18n.impl.LocalizedResourceResolverNoDefaultFoundException: The resource resolver com.novell.soa.notification.impl.vdx.LocalizedEmailTemplateResolver did not return a resource for the default locale of en. It is required that a resource exist for the default locale.
Workaround: Deploy the required packages for notification, email, and provisioning templates to the Identity Vault.
Open your project in Designer.
In the Outline pane, expand your project.
Select, then click .
Right-click, select , and click .
Issue: When you click the button to add a new application with a logo (image), the following error appears:
Invalid image file uploaded
Workaround: Add the application without an image. Then, edit the newly added application to add an image as follows:
Ensure the user has write permissions for the user home directory.
For example: /home/users/novlua/
Log in to Identity Manager Dashboard and go to.
Click the Manage Applications icon.
Click on the newly added application and add the logo (image).
If the User Application driver fails to establish a connection with the identity applications, the driver fails to process the delete operation and loops infinitely. You can confirm this by looking at the User Application driver startup and trace logs.
This issue typically occurs if the HTTPS certificates used by the identity applications are not available in the User Application driver's certificate store. The default certificate store for the driver is the Java cacerts keystore in the engine's JRE (/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts or <eDirectory install path>\jre\lib\security).
If you are using custom certificates for authentication in a distributed environment, where the Identity Engine runs on one server and the Identity Applications on another, the Identity Applications fail to connect to OSP and consequently you cannot log in to the Identity Applications. You will see the following error:
ERROR [com.netiq.idm.auth.oauth.OAuthRestFilter] (https-jsse-nio-8543-exec-1) [RBPM] An error occurred while attempting to contact the authentication service.
In a Kubernetes environment, resolve this issue by performing the following actions:
Go to the setenv.sh file located in the tomcat directory under idm/apps. For example,
Add the property -Dcom.sun.net.ssl.checkRevocation=false to JAVA_OPTS as:
Alternatively, you can set JAVA_OPTS="-Dcom.sun.net.ssl.checkRevocation=false"
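As an added example (not part of the NetIQ documentation), a small POSIX shell function that appends the property to JAVA_OPTS in setenv.sh without duplicating it on repeated runs, plus a helper that shows the resulting JAVA_OPTS by sourcing the file the way catalina.sh does. The setenv.sh path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not NetIQ code: append a JVM property to JAVA_OPTS in Tomcat's
# setenv.sh without duplicating it on repeated runs, then show the effective value.
# The setenv.sh location is the one the documentation describes (the tomcat
# directory under idm/apps); the exact path below is an assumption.

SETENV="${SETENV:-/opt/netiq/idm/apps/tomcat/bin/setenv.sh}"

# has_java_opt FILE OPTION -> exit 0 if OPTION already appears on a
# non-comment line of FILE
has_java_opt() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -qF -- "$2"
}

# add_java_opt FILE OPTION
# Appends a line that extends JAVA_OPTS with OPTION. Appending (rather than
# editing an existing JAVA_OPTS= line) keeps any earlier assignment intact and
# guarantees the option is present when catalina.sh reads JAVA_OPTS.
add_java_opt() {
    file="$1"; opt="$2"
    if has_java_opt "$file" "$opt"; then
        return 0                      # already configured; nothing to do
    fi
    # make sure the file ends with a newline before appending
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf 'JAVA_OPTS="$JAVA_OPTS %s"\n' "$opt" >> "$file"
    has_java_opt "$file" "$opt"
}

# effective_java_opts FILE -> prints JAVA_OPTS as catalina.sh would see it after
# sourcing FILE (done in a subshell so the caller's environment is untouched)
effective_java_opts() {
    ( . "$1" && printf '%s\n' "$JAVA_OPTS" )
}

# Usage for the issue above (restart Tomcat afterwards):
# add_java_opt "$SETENV" -Dcom.sun.net.ssl.checkRevocation=false
# effective_java_opts "$SETENV"
```

Note what the property does: com.sun.net.ssl.checkRevocation=false turns off CRL and OCSP revocation checking for every TLS connection that JVM makes, so a revoked certificate presented by OSP or the Identity Vault would still be accepted. Keep it limited to the identity applications' Tomcat instance and record it alongside the custom-certificate configuration that made it necessary.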
Issue: For a custom entity, while searching for an integer type attribute, the valid search inputs are either a string or an integer. For example, * or 1 or 123 etc. A combination of both in a search entity throws an error because LDAP server does not support such filters for integer attributes.
For example, while searching for an integer type attribute, you can use either * or an integer (such as 1) as search input. You cannot search on values such as a1 or 1* etc.
Workaround: There is no workaround at this moment.
Issue: For a custom entity, while searching for a DN type attribute, the valid search inputs are either a full DN or *. Providing a substring value in the search entity throws an error because the LDAP server does not support such filters for DN attributes.
For example, while searching for a DN type attribute, you can use either * or full DN (such as cn=alison,o=data) as search input. You cannot search on substring values such as alison etc.
Workaround: There is no workaround at this time.
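An added example, not part of the NetIQ documentation, that encodes the two input rules above as a pre-check in front of a custom search: given the attribute type, it accepts the inputs the identity applications can hand to LDAP (* or a whole number for integer attributes; * or a full DN for DN attributes), prints the corresponding presence or equality filter, and rejects the substring forms (a1, 1*, alison) that the LDAP server refuses. The attribute names in the usage lines and the DN escaping helper are mine.

```shell
#!/bin/sh
# Added example, not NetIQ code: validate a custom-entity search input for an
# integer or DN attribute before it reaches LDAP, and print the filter the
# accepted forms correspond to. Substring forms are rejected up front instead
# of producing the LDAP error described above.

# ldap_escape VALUE -> VALUE with the RFC 4515 filter metacharacters escaped
# (backslash first, so the escapes it introduces are not escaped again)
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/(/\\28/g' -e 's/)/\\29/g' -e 's/\*/\\2a/g'
}

# ldap_search_filter TYPE ATTR VALUE
# TYPE is "integer" or "dn". Prints a presence filter for "*", an equality
# filter for a whole number (integer) or a full DN (dn); exit 1 for any other
# input, with the reason on stderr.
ldap_search_filter() {
    type="$1"; attr="$2"; value="$3"
    if [ "$value" = '*' ]; then
        printf '(%s=*)\n' "$attr"          # presence filter, valid for both types
        return 0
    fi
    case "$type" in
        integer)
            digits="${value#-}"            # allow a leading minus sign
            case "$digits" in
                ''|*[!0-9]*)
                    echo "integer attribute '$attr': enter '*' or a whole number, not '$value'" >&2
                    return 1 ;;
            esac
            printf '(%s=%s)\n' "$attr" "$value" ;;
        dn)
            case "$value" in
                *\**)
                    echo "DN attribute '$attr': wildcards inside a DN are not supported ('$value')" >&2
                    return 1 ;;
                *=*)                       # looks like a full DN, e.g. cn=alison,o=data
                    printf '(%s=%s)\n' "$attr" "$(ldap_escape "$value")" ;;
                *)
                    echo "DN attribute '$attr': enter '*' or a full DN, not the substring '$value'" >&2
                    return 1 ;;
            esac ;;
        *)
            echo "unknown attribute type '$type'" >&2
            return 2 ;;
    esac
}

# Usage (attribute names are constructed for illustration):
# ldap_search_filter integer employeeNumber 123         -> (employeeNumber=123)
# ldap_search_filter dn manager 'cn=alison,o=data'      -> (manager=cn=alison,o=data)
# ldap_search_filter dn manager alison                  -> error, exit 1
```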
Issue: When you delegate all your requests to an assigned delegate (delegated user) in your organization, the Identity Applications fails to list the PRD in the page and displays the following error when you try to change your availability status:
An error occurred while fetching the prds
This issue can be observed in two scenarios: when Identity Applications 4.8 is installed for the first time, and when you upgrade Identity Applications from 4.8 to 4.8.1. Upgrading from a prior version of Identity Applications does not display any error.
Workaround: To resolve this issue, create a new Provisioning Request Definition (PRD) and assign the trustee rights to the required user or data container to access the PRD. For more information, see Creating a Provisioning Request Definition in the NetIQ Identity Manager - Administrator’s Guide to Designing the Identity Applications.
Issue: If in the Settings page includes the CN attribute, the page does not list users under the tab in the field when you request permissions for others.
Workaround: To resolve this issue, perform the following actions:
Create a new CN attribute in the Directory Abstraction Layer with Key value as cn under the User entity. For more information on how to add attributes using Designer, see Adding Attributes in the NetIQ Identity Manager - Administrator’s Guide to Designing the Identity Applications.
Log in to the Identity Applications Dashboard as an Administrator.
Go to > option and select the newly created CN attribute in the field.
Issue: In Designer, when you add an attribute for the user entity in the directory abstraction layer, that attribute can be added to the advanced search option to search for a user in the Dashboard. However, if you define the attribute with a hyphen in the key value, the application throws an error when searching using that attribute. This issue occurs because the Dashboard does not treat a hyphen as a valid character while performing advanced searches.
Workaround: There is no workaround at this time.