20.4 Troubleshooting Login

The following table lists the issues you might encounter and the suggested actions for working on these issues. If the problem persists, contact your NetIQ representative.

Issue

Suggested Actions

Launching Designer displays the following error and the Designer readme will not be shown:

Exception... "Update manifest is missing a required addons property."

Ignore the error and launch Designer. There is no functionality loss.

User is unable to log in in a large-scale environment (>2 million objects)

Add an index for the mail (Internet Mail Address) attribute with the rule set as Value in both eDirectory master and replica servers.

When you sign out from the Identity Applications page, SSPR shows an error 5053 ERROR_APP_UNAVALIABLE.

Ignore this error. It does not cause any functionality loss.

Challenge Responses are not prompted at the first login to the Identity Applications

  1. Ensure that the SSPR server has a certificate created using FQDN.

  2. Log in to the User Application server and launch the ConfigUpdate utility (/opt/netiq/idm/apps/configupdate/).

  3. Navigate to SSO Clients > Self Service Password Reset and make sure the settings are correct.

If SSPR is installed on a separate server, make sure that the SSPR certificate is imported into idm.jks located in the User Application server at /opt/netiq/idm/apps/tomcat/conf.

Browser displays a blank page when the SSPR URL is accessed

This occurs when SSPR is not properly configured with OSP. The SSPR log shows the following information:

2018-01-24T22:24:02Z, ERROR, oauth.OAuthConsumerServlet, 5071 ERROR_OAUTH_ERROR (unexpected error communicating with oauth server: password.pwm.error.PwmUnrecoverableException: 5071 ERROR_OAUTH_ERROR (io error during oauth code resolver http request to oauth server: Certificate for <IP> doesn't match any of the subject alternative names: [IP]))

  1. Verify that the Tomcat server where OSP is running has a valid certificate created using FQDN. Log in to the User Application server and launch the ConfigUpdate utility. Navigate to SSO Clients > Self Service Password Reset and make sure the settings are correct.

  2. Log in to SSPR by overriding the OSP login method (for example, https://<sspr server ip>:<port>/sspr/private/Login?sso=false).

  3. Navigate to Configuration Editor in the top right corner of the page.

  4. Specify Configure Password, then click Sign In.

  5. Navigate to LDAP > LDAP Directories > Default > Connection.

  6. If the LDAP certificate is not correct, click Clear.

  7. To reimport the certificate, click Import From Server.

  8. Navigate to Settings > Single Sign On (SSO) Client > OAuth and verify that the certificate under OAUTH Web Service Server Certificate is correct.

  9. If the certificate is not correct, click Clear.

  10. To reimport the certificate, click Import From Server.
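The subject alternative name mismatch reported in the SSPR log above can be checked outside the product. The following is an added example, not NetIQ code: it compares the host in a configured URL with the SAN entries of a certificate, using the dictionary format returned by Python's `ssl` module. The helper names `fetch_cert` and `san_matches`, the host name, the IP address and the port are constructed for illustration.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def fetch_cert(host, port, cafile):
    """Return the peer certificate as a dict; the chain is verified, the name is not."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name matching is done by san_matches() below
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _dns_match(pattern, host):
    """Case-insensitive dNSName match; '*' may only replace the leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def san_matches(url, cert):
    """Check the host in a configured URL against the certificate's SANs."""
    host = urlsplit(url).hostname or ""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress entries, never dNSName.
        ok = any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    else:
        ok = any(k == "DNS" and _dns_match(v, host) for k, v in sans)
    return ok, host, [f"{k}:{v}" for k, v in sans]


# Constructed sample: a certificate issued for the FQDN only.
SAMPLE_CERT = {"subjectAltName": (("DNS", "osp.example.com"),)}

if __name__ == "__main__":
    for url in ("https://192.0.2.10:8543/osp", "https://osp.example.com:8543/osp"):
        print(url, san_matches(url, SAMPLE_CERT))
```

A URL configured with an IP address fails against a certificate that lists only the FQDN, which is why both the certificate and the SSO client settings need to use the FQDN.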

Error when ConfigUpdate utility is launched from a different directory

The ConfigUpdate utility reports errors. It does not save any changes. For example, if you launch the configupdate utility using the /opt/netiq/idm/apps/configupdate/configupdate.sh command, it does not launch.

Instead, navigate to the /opt/netiq/idm/apps/configupdate/ directory and then run the ./configupdate.sh command.