The following table lists the issues you might encounter and the suggested actions for working on these issues. If the problem persists, contact your NetIQ representative.
| Issue | Suggested Actions |
|---|---|
| Identity Manager authorizes and securely communicates with its components using digital certificates. The Identity Vault certificates must be imported into the idm.jks and tomcat.ks keystore files. However, when attempting to access Identity Applications after importing the certificates, you might see the following error: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Could not determine revocation status. The certificates are validated by checking the Certificate Revocation Lists (CRLs) specified by the CRL Distribution Point (CRLDP) field to determine whether the certificate has been revoked. The CRLDPs are available in both the root certificate and the intermediate certificates present in the keystore files tomcat.ks and idm.jks. CRL distribution point checking, however, is disabled by default. As a result, the PKIX trust manager is unable to determine the revocation status of the certificates. | To fix this issue, enable CRL distribution point checking by setting the -Dcom.sun.security.enableCRLDP property to true. To set the property, perform the following actions: |
| After upgrading Identity Manager, logging in to the Identity Manager Dashboard is extremely slow for non-admin users. There is a significant delay in loading the Applications and Dashboard pages. This issue occurs due to the nested group search, which is enabled by default. The application looks for permissions inherited by the logged-in user through nested group membership, regardless of whether there are any nested groups in the environment. | (Conditional) The following steps apply to Identity Manager 4.8.5 and later. |
| After upgrading Identity Applications to a 4.8.x version, you are unable to log in to the Identity Applications Dashboard. This issue occurs when the Identity Vault truststore path is not updated to the proper keystore (cacerts) file location during the Identity Applications upgrade. The following exception is logged to the catalina.out file: com.netiq.idm.auth.oauth.AuthenticationCommunicationException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=***, OU=idm, O=***, L=***, ST=***, C=**" is not a CA certificate" Identity Applications uses the JAVA_HOME environment variable, which is set to <install_path>\Common\JRE. When the truststore path does not point to the cacerts file under JAVA_HOME, the SSL communication fails with an error referring to the TrustAnchor (the trust anchor is the certificate Java treats as the root of trust when validating SSL certificates). | To resolve this issue, perform the following actions: |
| After you upgrade Identity Manager in a distributed environment to version 4.8.1, logging in to the Identity Applications fails. The following error message is displayed: Your login process did not complete successfully. Logging in to the Identity Applications requires trust anchor certificates for establishing a secure connection between the Identity Applications and the OSP. A trust anchor certificate must include the Basic Constraints extension with the Subject Type set to CA. Identity Manager uses the property jdk.security.allowNonCaAnchor to validate the trust anchors in the certificate. By default, this property is set to false. Therefore, when the trust anchors are not found in the certificates, the connection between Identity Applications and OSP cannot be established and the login fails. You will also notice the following exception in the idm-osp.log file: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=***, L=***, O=***" is not a CA certificate | To resolve this issue, you must satisfy either of the following conditions: |
| After upgrading to Identity Applications version 4.8.1, you are not able to open forms while requesting permissions in the Identity Applications Dashboard. | To resolve this issue, perform the following steps: Note: The Identity Applications use the NGINX service for rendering forms in the Identity Applications Dashboard. |
| After upgrading Identity Applications or Identity Reporting to version 4.8, multiple entries of PostgreSQL are displayed in the Control Panel. | Uninstall the previous versions of PostgreSQL from the Control Panel. |
| The uninstallation process reports as incomplete, but the log file shows no failures. | The process failed to delete the netiq directory, which contains the installation files by default. You can delete the directory if you have removed all NetIQ software from your computer. |
| After you upgrade Identity Manager, the following property is added to the ism-configuration.properties file: com.netiq.idm.osp.ldap.admin-dn = cn=admin,ou=sa,o=system | Comment out the property in the ism-configuration.properties file and restart Tomcat. It does not cause any functionality loss. |
| After you upgrade Identity Manager, the following SSPR property is added to the ism-configuration.properties file, even if you do not have SSPR in your deployment: com.netiq.sspr.redirect.url = https://___SSPR_IP___:___SSPR_TOMCAT_HTTPS_PORT___/sspr/public/oauth | Comment out the property in the ism-configuration.properties file and restart Tomcat. It does not cause any functionality loss. |
| Unable to start Tomcat after the Identity Manager upgrade. You will notice a few exceptions in the Tomcat logs and a communication failure between the workflow engine and the Identity Vault. | |
| After upgrading Identity Manager from 4.7.4 to 4.8, the Tomcat service does not come up and no errors are reported in the log files. This issue occurs when the Heartbeat timer is not updated properly in the afenginestate table in the igaworkflow database. | To resolve this issue, log in to a database admin tool such as pgAdmin. Run the following query to manually update the Heartbeat timer in the afenginestate table in the igaworkflow database: update afenginestate set heartbeat=now()::timestamp; |
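As an added example that is not part of this NetIQ documentation, the following Go program applies the two certificate conditions behind the SSL rows of the table: whether a certificate carries Basic Constraints with CA=true (what jdk.security.allowNonCaAnchor=false enforces on trust anchors) and whether it lists a CRL Distribution Point for com.sun.security.enableCRLDP=true to consult. Go's standard library is used here so the check runs offline; the function names, the "idm-root"/"idm-app" subjects and the CRL URL are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// InspectAnchor reports whether a certificate would pass as a trust anchor
// (Basic Constraints present with CA=true) and which CRLDP URLs it carries.
func InspectAnchor(c *x509.Certificate) (isCAAnchor bool, crldps []string) {
	return c.BasicConstraintsValid && c.IsCA, c.CRLDistributionPoints
}

// NewSelfSigned builds a constructed self-signed certificate for the demo;
// ca=false omits the Basic Constraints extension, like a non-CA anchor.
func NewSelfSigned(cn string, ca bool, crldp []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, OrganizationalUnit: []string{"idm"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: ca,
		IsCA:                  ca,
		CRLDistributionPoints: crldp,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed samples: a CA root with a CRLDP, and a non-CA certificate imported as an anchor.
	root, _ := NewSelfSigned("idm-root", true, []string{"http://crl.example.test/root.crl"})
	nonCA, _ := NewSelfSigned("idm-app", false, nil)
	for _, c := range []*x509.Certificate{root, nonCA} {
		ok, crl := InspectAnchor(c)
		fmt.Printf("%s: valid CA anchor=%v CRLDPs=%v\n", c.Subject, ok, crl)
	}
}
```

The second certificate is the shape that produces the "is not a CA certificate" exception quoted in the table; the first is what the keystore needs before enabling CRLDP checking makes sense.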