20.3 Troubleshooting the Identity Applications and Identity Reporting

The following table lists the issues you might encounter and the suggested actions for resolving them. If the problem persists, contact your NetIQ representative.

Issue

Suggested Actions

If the LDAP Server Name specified in the Certificate Subject and in the Application Configuration are different, Identity Applications fails to connect to the Identity Vault after upgrading Identity Manager.

Java enables endpoint identification on LDAPS connections and therefore requires that the server name you specify when connecting to the Identity Manager server matches the server name returned in the certificate. If the server names are different, perform the following steps:

  1. Navigate to the /opt/netiq/idm/apps/configupdate directory.

  2. Run the following command to launch the Configuration Update utility.

    ./configupdate.sh

  3. Navigate to the User Application tab, click Identity Vault server, and change the server name to the one specified in the LDAP server certificate subject.

    This action will update the DirectoryService/realms/jndi/params/AUTHORITY property in the ism-configuration.properties file.

  4. Click OK.
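The endpoint-identification rule above, as an added Python check (not NetIQ code): it reads the AUTHORITY property and the names printed by `openssl x509 -noout -subject -ext subjectAltName`, and reports whether the configured name is covered by the certificate. It goes beyond the certificate subject by also applying the usual SAN-first and leftmost-wildcard matching rules; the sample values and the host or host:port format of the property value are assumptions.

```python
import ipaddress
import re

AUTHORITY_KEY = "DirectoryService/realms/jndi/params/AUTHORITY"

def authority_host(properties_text):
    """Configured Identity Vault host, lower-cased (assumes host or host:port)."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == AUTHORITY_KEY:
            value = value.strip().replace("\\:", ":")  # properties files may escape ':'
            return re.sub(r":\d+$", "", value).lower()
    raise KeyError(AUTHORITY_KEY)

def cert_names(openssl_text):
    """Parse `openssl x509 -noout -subject -ext subjectAltName` output."""
    dns = [n.lower() for n in re.findall(r"DNS:([^,\s]+)", openssl_text)]
    ips = re.findall(r"IP Address:([^,\s]+)", openssl_text)
    cn = re.search(r"^subject=.*?CN\s*=\s*([^,/\n]+)", openssl_text, re.M)
    return dns, ips, (cn.group(1).strip().lower() if cn else None)

def label_match(host, pattern):
    """Exact match, or '*' standing in for the whole leftmost label."""
    if pattern.startswith("*."):
        return host.partition(".")[2] == pattern[2:]
    return host == pattern

def endpoint_check(properties_text, openssl_text):
    """Return (host, ok): DNS SANs win over the CN; an IP needs an iPAddress SAN."""
    host = authority_host(properties_text)
    dns, ips, cn = cert_names(openssl_text)
    try:
        ipaddress.ip_address(host)
    except ValueError:
        candidates = dns or ([cn] if cn else [])
        return host, any(label_match(host, p) for p in candidates)
    return host, host in ips

# Constructed sample data, not taken from a real system.
CERT_TEXT = """subject=CN = idv01.example.com, O = Example
X509v3 Subject Alternative Name:
    DNS:idv01.example.com, DNS:*.vault.example.com
"""
BEFORE = AUTHORITY_KEY + " = 192.0.2.10\n"         # name that is absent from the certificate
AFTER = AUTHORITY_KEY + " = idv01.example.com\n"   # name taken from the certificate

if __name__ == "__main__":
    for props in (BEFORE, AFTER):
        print(endpoint_check(props, CERT_TEXT))
```

A result of False for the configured name means the certificate does not cover it, which is the condition the Configuration Update change in step 3 corrects.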

When Identity Applications and Identity Reporting are installed on the same server and you make configuration changes using the configuration update utility in the <reporting install folder>/bin directory, the Identity Manager Dashboard fails to launch. The following error is reported in the catalina.out log file:

EboPortalBootServlet [RBPM] +++++WARNING!!!!: This portal application context, IDMProv, does not match the portal.context property set in the PortalService-conf/config.xml file. Only one portal per database is allowed. Data has been loaded using the previous portal context. To correct this you must revert back to the previous portal name of, NoCacheFilter, please consult the documentation.

For any configuration changes, use the configuration update utility located in the /opt/netiq/idm/apps/configupdate/ directory.

Cannot change the password of a property using the configuration update utility.

You can change the password of a property, for example com.netiq.rpt.ssl-keystore from the command line by performing the following steps:

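  1. Use the following utility to encrypt your password:

    /opt/netiq/common/jre/bin/java -jar tomcat/lib/obscurity-0.7.0-uber.jar <password>

    The password is passed as a command-line argument, so it is visible in the process list while the command runs and may be saved in your shell history.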

  2. Navigate to the ism-configuration.properties file located in the /opt/netiq/idm/apps/tomcat/conf/ directory.

  3. Modify the ism-configuration.properties file and add the encrypted password specified in step 2 for the com.netiq.rpt.ssl-keystore.pwd parameter.

  4. Save the file and restart Tomcat.

If Identity Reporting is installed on a standalone server and you launch the Identity Reporting or the IDM DCS URL from the dashboard, then the URL fails to launch.

Perform the following steps after you launch the Identity Reporting or IDM DCS URL:

  1. Navigate to the address bar.

  2. Modify the URL and manually provide the host name and port details of the server where Identity Reporting is installed.

In addition, open the configupdate.sh.properties file on the server where Identity Applications is installed, add the rpt entry to the sso_apps parameter, and then save the changes. For example, sso_apps=ua,rpt

If Identity Applications and Identity Reporting are installed on the same server and CEF auditing is enabled for OSP and Identity Applications, then the Reporting component fails to launch.

Perform the following steps to work around this issue:

  1. Navigate to the idmrptcore_logging.xml file located in the /opt/netiq/idm/apps/tomcat/conf directory.

  2. Add the <keystore-file> parameter and specify the keystore file path in the idmrptcore_logging.xml file. For example, add the following line:

    <keystore-file>/opt/netiq/idm/apps/tomcat/conf/idm.jks</keystore-file>

  3. Restart Tomcat.

If your Identity Applications and Identity Reporting are installed on the same server and you choose the database creation option as Startup, you will notice some exceptions in the log.

To clear the exceptions, manually restart Tomcat.

If your existing Identity Applications or Identity Reporting configuration has been configured without ports, and you try to upgrade to Identity Manager, the IP address and ports shown under the Authentication and SSO Clients tabs in the configuration update utility display incorrect values.

Once you upgrade Identity Applications and Identity Reporting, perform the following steps:

  1. Navigate to the /opt/netiq/idm/apps/configupdate directory.

  2. Run the following command:

    ./configupdate.sh

  3. In the Authentication tab, specify the correct IP address and port in the OAuth server host identifier and OAuth server TCP port fields respectively.

  4. In the SSO Clients tab, ensure that the URLs for IDM Administrator, Reporting, and IDM Data Collection Services are in the correct format.

  5. Restart Tomcat.

You want to modify one or more of the following User Application configuration settings created during installation:

  • Identity Vault connections and certificates

  • E-mail settings

  • Identity Manager Engine User Identity and User Groups

  • Access Manager or iChain settings

Run the configuration utility independent of the installer.

Linux: Run the following command from the installation directory (by default, /opt/netiq/idm/apps/configupdate/):

./configupdate.sh

Starting Tomcat causes the following exception:

port 8180 already in use

Shut down any instances of Tomcat (or other server software) that might already be running. If you reconfigure Tomcat to use a port other than 8180, edit the config settings for the User Application driver.

When Tomcat starts, the application reports it cannot find trusted certificates.

Ensure that you start Tomcat by using the JDK specified during the installation of the User Application.

Cannot log in to the portal admin page.

Ensure that the User Application Administrator account exists. This account is not the same as your iManager administrator account.

Cannot create new users even with administrator account.

The User Application Administrator must be a trustee of the top container and should have Supervisor rights. You can try setting the User Application Administrator’s rights equivalent to the LDAP Administrator’s rights (using iManager).

Starting application server throws keystore errors.

Your application server is not using the JDK specified during the installation of the User Application.

Use the keytool command to import the certificate file:

keytool -import -trustcacerts -alias aliasName -file certFile -keystore ..\lib\security\cacerts -storepass changeit

  • Replace aliasName with a unique name of your choice for this certificate.

  • Replace certFile with the full path and name of your certificate file.

  • The default keystore password is changeit (if you have a different password, specify it).

Email notification not sent.

Run the configupdate utility to check whether you supplied values for the following User Application configuration parameters: Email From and Email Host.

Linux: Run the following command from the installation directory (by default, /opt/netiq/idm/apps/configupdate/):

./configupdate.sh

The IG SSO Clients tab is not displayed in the configuration update utility.

In the configupdate.sh.properties file, add an entry for ig in the sso_apps parameter and then save the changes. If the sso_apps parameter already contains the Identity Applications and Identity Reporting entries, add the Identity Governance entry to the list. For example, sso_apps=ua,rpt,ig