20.6 Troubleshooting Upgrade

The following entries list the issues you might encounter and the suggested actions for working on these issues. Each entry states the issue first, followed by the suggested actions. If the problem persists, contact your NetIQ representative.

Identity Manager authorizes and securely communicates with its components using digital certificates. The Identity Vault certificates must be imported into the idm.jks and tomcat.ks keystore files. However, when attempting to access Identity Applications after importing the certificates, you might hit the following error:

javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Could not determine revocation status.

The certificates are validated by checking the Certificate Revocation Lists (CRLs) listed in the CRL Distribution Point (CRLDP) extension to determine whether a certificate has been revoked. CRLDPs are present in both the root certificate and the intermediate certificates held in the tomcat.ks and idm.jks keystore files. Certificate revocation checking, however, is disabled by default, so the PKIX trust manager cannot determine the revocation status of the certificates.

To fix this issue, enable CRL distribution point checking by setting the -Dcom.sun.security.enableCRLDP property to true.

To set the property, perform the following actions:

  1. Stop Tomcat.

  2. Go to the setenv.sh file located in the Tomcat's bin directory. For example, /opt/netiq/idm/apps/tomcat/bin/setenv.sh.

  3. Add the property -Dcom.sun.security.enableCRLDP=true in CATALINA_OPTS as:

    export CATALINA_OPTS="-Dcom.sun.security.enableCRLDP=true"
  4. Start Tomcat.
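As an added illustration (not from the NetIQ documentation), the following script appends the property to setenv.sh without replacing any CATALINA_OPTS the file already exports, skips the edit when the property is already there, and verifies the result by sourcing the file; the sample setenv.sh it writes is constructed.

```shell
#!/bin/sh
# Added example, not part of the NetIQ documentation: enable
# CRL distribution point checking in setenv.sh while keeping
# any CATALINA_OPTS the file already exports. Assumes a POSIX
# shell and the setenv.sh path as the first argument.

CRLDP_OPT="-Dcom.sun.security.enableCRLDP=true"

# Return 0 if setenv.sh already carries the property.
has_crldp() {
    grep -q -- "$CRLDP_OPT" "$1"
}

# Append an export that extends CATALINA_OPTS instead of
# replacing it, and only once.
enable_crldp() {
    setenv="$1"
    has_crldp "$setenv" && return 0
    printf '\nexport CATALINA_OPTS="${CATALINA_OPTS} %s"\n' "$CRLDP_OPT" >> "$setenv"
}

# Source the file in a subshell and print the CATALINA_OPTS
# Tomcat would see at startup.
effective_opts() {
    ( . "$1" && printf '%s\n' "$CATALINA_OPTS" )
}

# Constructed sample setenv.sh, not a real installation.
demo_setenv="$(mktemp)"
cat > "$demo_setenv" <<'EOF'
export JAVA_HOME=/opt/netiq/common/jre
export CATALINA_OPTS="-Xms1024m -Xmx2048m"
EOF
enable_crldp "$demo_setenv"
enable_crldp "$demo_setenv"   # second run is a no-op
effective_opts "$demo_setenv"
```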

After upgrading Identity Manager, logging in to Identity Manager Dashboard is extremely slow for non-admin users. There is a significant delay in loading the Applications and the Dashboard pages.

This issue occurs because nested group search is enabled by default. The application looks for permissions inherited by the logged-in user through nested group membership, regardless of whether any nested groups exist in the environment.

(Conditional) The following steps apply to Identity Manager 4.8.5 and later.

  1. Log in to the server where Identity Applications is upgraded to 4.8.5 version.

  2. Navigate to the /opt/netiq/idm/apps/tomcat/conf/ location.

  3. Open the ism-configuration.properties file in a text editor.

  4. At the end of the file, add the following property:

    DirectoryService/realms/jndi/params/USE_NESTED_GROUPS=false

  5. Save the file and restart Tomcat.

After upgrading Identity Applications to 4.8 version from a prior version, the Form Renderer does not work as expected. This issue is observed when the default IDMProv deployment context is modified to a custom context.

To work around this issue, perform the following steps:

  1. Log in to the server where Identity Applications is upgraded to 4.8 version.

  2. Navigate to the /opt/netiq/idm/apps/sites directory.

  3. Edit the ServiceRegistry.json file.

  4. Modify the deployment context from IDMProv to the custom context that was specified prior to upgrade.

  5. Save the ServiceRegistry.json file.

  6. Navigate to the /opt/netiq/idm/apps/sites/forms/ directory.

  7. Edit the main.<version>.js file, where <version> is the randomly generated alphanumeric value.

  8. Modify the deployment context from IDMProv to the custom context that was specified prior to upgrade.

  9. Save the main.<version>.js file.

  10. Restart Tomcat.

After you upgrade Identity Manager in a distributed environment to 4.8.1 version, login to the Identity Applications fails. The following error message is displayed:

Your login process did not complete successfully.

Logging in to the Identity Applications requires trust anchor certificates to establish a secure connection between the Identity Applications and the OSP. A trust anchor certificate must include the Basic Constraints extension with the Subject Type set to CA. Identity Manager uses the jdk.security.allowNonCaAnchor property to validate the trust anchors in the certificate. By default, this property is set to false. Therefore, when no valid trust anchor is found in the certificates, the connection between Identity Applications and OSP cannot be established and the login fails. You will notice the following exception in the idm-osp.log file:

sun.security.validator.ValidatorException: TrustAnchor with subject "CN=***, L=***, O=***" is not a CA certificate

To resolve this issue, you must satisfy either of the following conditions:

  • Ensure that the certificates used to establish a secure connection between the Identity Applications and the OSP are trusted CA certificates with proper Basic Constraints extension.

  • In the case of self-signed certificates and custom certificates that are trusted by the clients, you can change the jdk.security.allowNonCaAnchor property to allow non-CA certificates without the Basic Constraints extension. Perform the following actions to modify the Java security settings:

  1. Open the /opt/netiq/common/jre/lib/security/java.security file in a text editor.

  2. Set the value of the property jdk.security.allowNonCaAnchor=true.

  3. Save the file.

After upgrading to Identity Applications 4.8.1 version, you are not able to open forms while requesting for permissions in the Identity Applications Dashboard.

To resolve this issue, manually restart the NGINX and Golang services using the following commands:

  • NGINX: /opt/netiq/common/ngnix/ngnix

  • Golang: /etc/init.d/netiq-golang.sh

The Identity Applications use the NGINX service to render forms in the Identity Applications Dashboard.

After you upgrade Identity Reporting in a standard edition, the is_prov parameter in the configupdate.sh.properties is set to true. Since Identity Applications is not available in a standard edition, the value of this parameter must be set to false.

Manually set the is_prov parameter to false in the configupdate.sh.properties file.

The Identity Manager Engine installer cannot be re-run if a prior upgrade of the Identity Manager Engine failed. For example, if the 4.8 upgrade of the Identity Manager Engine fails on the first attempt and you try to upgrade the Identity Manager Engine again, the upgrade process cannot be triggered.

Perform the following steps:

  1. Downgrade the Identity Manager engine to the previous version using the novell-DXMLengnx RPM.

  2. Upgrade Identity Manager engine.

After you upgrade Identity Manager, the following property is added to the ism-configuration.properties file:

com.netiq.idm.osp.ldap.admin-dn = cn=admin,ou=sa,o=system

Comment out the property in the ism-configuration.properties file and restart Tomcat. It does not cause any functionality loss.

After you upgrade Identity Manager, the following SSPR property is added to the ism-configuration.properties file, even if you do not have SSPR in your deployment:

com.netiq.sspr.redirect.url = https://___SSPR_IP___:___SSPR_TOMCAT_HTTPS_PORT___/sspr/public/oauth

Comment out the property in the ism-configuration.properties file and restart Tomcat. It does not cause any functionality loss.

After you upgrade Identity Manager, the ism-configuration.properties file populates some duplicate values of java.protocol.handler.pkgs property.

There is no loss of functionality. To resolve this issue, perform the following actions:

  1. Navigate to the ism-configuration.properties file located in the /opt/netiq/idm/apps/tomcat/conf/ directory.

  2. Modify the ism-configuration.properties file and remove the duplicate values of the java.protocol.handler.pkgs property.

  3. Save the file and restart Tomcat.
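The ism-configuration.properties edits on this page (adding USE_NESTED_GROUPS=false, commenting out the admin-dn and SSPR redirect properties, and removing the duplicate java.protocol.handler.pkgs values) are all small line edits, so here is one added helper script (not NetIQ's own tooling) that applies each of them repeatably and lets you verify the result. The sample properties file it writes is constructed, and the java.protocol.handler.pkgs value in it is a placeholder.

```shell
#!/bin/sh
# Added example (not NetIQ's own tooling): helpers for the
# ism-configuration.properties edits described on this page,
# so each change can be applied and verified instead of hand-
# edited. Assumes a POSIX shell, GNU-style grep/sed/awk, and
# the properties file path as the first argument.

# Append "key=value" unless an active line for the key exists.
set_prop() {
    file="$1"; key="$2"; value="$3"
    grep -q "^[[:space:]]*$key[[:space:]]*=" "$file" && return 0
    printf '%s=%s\n' "$key" "$value" >> "$file"
}

# Prefix every active line for the key with '#'.
comment_prop() {
    file="$1"; key="$2"
    sed "s|^\([[:space:]]*$key[[:space:]]*=\)|#\1|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Keep the first line for the key; drop later duplicates.
dedup_prop() {
    file="$1"; key="$2"
    awk -v k="$key" '
        $0 ~ ("^[ \t]*" k "[ \t]*=") { if (seen++) next }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Number of active (uncommented) lines defining the key.
count_active() {
    grep -c "^[[:space:]]*$2[[:space:]]*=" "$1" || true
}

# Constructed sample mirroring the post-upgrade state described above;
# the java.protocol.handler.pkgs value is a placeholder.
demo="$(mktemp)"
cat > "$demo" <<'EOF'
java.protocol.handler.pkgs = com.example.handlers
java.protocol.handler.pkgs = com.example.handlers
com.netiq.idm.osp.ldap.admin-dn = cn=admin,ou=sa,o=system
com.netiq.sspr.redirect.url = https://___SSPR_IP___:___SSPR_TOMCAT_HTTPS_PORT___/sspr/public/oauth
EOF
dedup_prop "$demo" java.protocol.handler.pkgs
comment_prop "$demo" com.netiq.idm.osp.ldap.admin-dn
comment_prop "$demo" com.netiq.sspr.redirect.url
set_prop "$demo" DirectoryService/realms/jndi/params/USE_NESTED_GROUPS false
```

Run count_active on the edited file for each key to confirm one active java.protocol.handler.pkgs line, zero active admin-dn and SSPR lines, and one USE_NESTED_GROUPS line before restarting Tomcat.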

Tomcat does not start after the Identity Manager upgrade. You will notice a few exceptions in the Tomcat logs and a communication failure between the workflow engine and the Identity Vault.

  1. Log in to iManager.

  2. Navigate to Roles and Tasks > NetIQ Certificate Access > Server Certificates.

  3. Select the SSL CertificateDNS check box and click Export.

  4. In the Certificates drop-down list, select the SSL CertificateDNS.

  5. Clear the Export private key check box. Ensure that the Export format is set to DER.

  6. Click Next > Save the exported certificate to download the certificate in your system.

  7. Log in to the Identity Applications server.

  8. Stop Tomcat.

  9. Navigate to the /opt/netiq/common/jre/bin directory and import the certificate into the idm.jks file using the following command:

    /opt/netiq/common/jre/bin/keytool -import -trustcacerts -alias <certificate_alias_name> -keystore /opt/netiq/idm/apps/tomcat/conf/idm.jks -file <certificate_file_downloaded>

  10. Restart Tomcat.