21.3 Troubleshooting Installation and Uninstallation

The following table lists the issues you might encounter and the suggested actions for resolving them. If the problem persists, contact your NetIQ representative.

Issue

Suggested Actions

Identity Manager authorizes and securely communicates with its components using digital certificates. The Identity Vault certificates must be imported into the idm.jks and tomcat.ks keystore files. However, when attempting to access Identity Applications after importing the certificates, you might encounter the following error:

javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Could not determine revocation status.

The certificates are validated by checking the Certificate Revocation Lists (CRLs) specified by the CRL Distribution Point (CDP) field to determine whether the certificate has been revoked. The CRLDPs are present in both the root certificate and the intermediate certificates stored in the keystore files tomcat.ks and idm.jks. Certificate revocation checking, however, is disabled by default. As a result, the PKIX trust manager is unable to determine the revocation status of the certificates.

To fix this issue, enable CRL distribution point checking by setting the -Dcom.sun.security.enableCRLDP property to true.

To set the property, perform the following actions:

  1. Stop Tomcat.

  2. Open the setenv.sh file (setenv.bat on Windows) located in Tomcat's bin folder. For example, C:\NetIQ\idm\apps\tomcat\bin\setenv.bat.

  3. Add the property -Dcom.sun.security.enableCRLDP=true to CATALINA_OPTS, appending it to any JVM options already set there rather than replacing them (in setenv.bat the assignment uses set instead of export):

    export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.security.enableCRLDP=true"
  4. Start Tomcat.
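The assignment above is easy to get wrong by hand: writing CATALINA_OPTS from scratch silently drops the memory and other JVM options the installer placed in setenv.sh, and running the edit twice produces a duplicated flag. The following helper, an added example and not NetIQ's code, merges the enableCRLDP property into an existing CATALINA_OPTS assignment, leaves the file untouched when the property is already there, and adds an export line that preserves any inherited CATALINA_OPTS when no assignment exists. It assumes a POSIX setenv.sh (the export form); setenv.bat is not handled, and the script path in the usage block is an assumption.

```python
import re

# Added example, not NetIQ's code: merge a -D option into the CATALINA_OPTS
# assignment of a Tomcat setenv.sh without discarding options already set there.
# Assumes a POSIX setenv.sh (export ...); setenv.bat uses `set` and is not handled.

CRLDP_OPTION = "-Dcom.sun.security.enableCRLDP=true"

# One CATALINA_OPTS assignment line: optional `export`, optional quotes around the value.
_ASSIGNMENT = re.compile(
    r'^([ \t]*(?:export[ \t]+)?CATALINA_OPTS=)(["\']?)(.*?)\2[ \t]*$', re.M
)


def add_catalina_opt(setenv_text: str, option: str = CRLDP_OPTION) -> str:
    """Return setenv.sh content with `option` present in CATALINA_OPTS.

    - existing assignment: the option is appended after the options already there
    - option already present: the text is returned unchanged (safe to re-run)
    - no assignment at all: an export line is added that also keeps whatever
      CATALINA_OPTS the surrounding environment already provides
    """
    match = _ASSIGNMENT.search(setenv_text)
    if match is None:
        sep = "" if not setenv_text or setenv_text.endswith("\n") else "\n"
        return f'{setenv_text}{sep}export CATALINA_OPTS="$CATALINA_OPTS {option}"\n'
    existing = match.group(3).split()
    if option in existing:
        return setenv_text
    merged = " ".join(existing + [option])
    return (
        setenv_text[: match.start()]
        + f'{match.group(1)}"{merged}"'
        + setenv_text[match.end():]
    )


def has_catalina_opt(setenv_text: str, option: str = CRLDP_OPTION) -> bool:
    """True if the CATALINA_OPTS assignment in `setenv_text` already carries `option`."""
    match = _ASSIGNMENT.search(setenv_text)
    return match is not None and option in match.group(3).split()


if __name__ == "__main__":
    import sys
    from pathlib import Path

    # Usage: python add_crldp.py /opt/netiq/idm/apps/tomcat/bin/setenv.sh
    # (the path is an assumption; Tomcat must be stopped first, as the table says)
    target = Path(sys.argv[1])
    target.write_text(add_catalina_opt(target.read_text()))
```

Run it once after stopping Tomcat and again at any later time: the second run is a no-op, and has_catalina_opt gives you a quick check that the property survived a later reinstall or manual edit.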

After upgrading Identity Manager, logging in to Identity Manager Dashboard is extremely slow for non-admin users. There is a significant delay in loading the Applications and the Dashboard pages.

This issue occurs due to the nested group search, which is enabled by default. The application will look for the permissions inherited by the logged-in user via the nested group membership, regardless of whether there are any nested groups in the environment.

(Conditional) The following steps apply to Identity Manager 4.8.5 and later.

  1. Log in to the server where Identity Applications is upgraded to version 4.8.5.

  2. Navigate to the C:\NetIQ\IDM\apps\tomcat\conf location.

  3. Open the ism-configuration.properties file in a text editor.

  4. At the end of the file, add the following property:

    DirectoryService/realms/jndi/params/USE_NESTED_GROUPS=false

  5. Save the file and restart Tomcat.

After upgrading Identity Applications to version 4.8.x, you are unable to log in to the Identity Applications Dashboard. This issue occurs when the Identity Vault truststore path is not updated to the proper keystore (cacerts) file location during the Identity Applications upgrade. The following exception is logged to the catalina.out file:

com.netiq.idm.auth.oauth.AuthenticationCommunicationException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=***, OU=idm, O=***, L=***, ST=***, C=**" is not a CA certificate"

Identity Applications uses the JAVA_HOME environment variable, which is set to <install_path>\Common\JRE. When the truststore path is not set to the cacerts file under JAVA_HOME, the SSL communication fails with an SSL error that mentions ‘TrustAnchor’ (the trust anchor is the certificate Java uses as the root of its PKIX validation of SSL certificates).

To resolve this issue, perform the following actions:

  1. Stop the Tomcat service.

  2. Log in to the Identity Applications server and launch the configupdate utility located at <install_path>\idm\apps\configupdate.

  3. In the User Application tab, go to Identity Vault Certificates and ensure that the Truststore path is set to <install_path>\Common\JRE\lib\security\cacerts.

  4. Start the Tomcat service.

After you upgrade Identity Manager in a distributed environment to version 4.8.1, login to the Identity Applications fails. The following error message is displayed:

Your login process did not complete successfully.

Logging in to the Identity Applications requires trust anchor certificates for establishing a secure connection between the Identity Applications and the OSP. A trust anchor certificate must include the Basic Constraints extension with the Subject Type set to CA. Identity Manager uses the property jdk.security.allowNonCaAnchor to validate the trust anchors in the certificate. By default, this property is set to false. Therefore, when the trust anchors are not found in the certificates, the connection between Identity Applications and OSP cannot be established and the login fails. You will also notice the following exception in the idm-osp.log file:

sun.security.validator.ValidatorException: TrustAnchor with subject "CN=***, L=***, O=***" is not a CA certificate

To resolve this issue, you must satisfy either of the following conditions:

  • Ensure that the certificates used to establish a secure connection between the Identity Applications and the OSP are trusted CA certificates with proper Basic Constraints extension.

  • For self-signed certificates and custom certificates that the clients trust, you can instead set the property jdk.security.allowNonCaAnchor to allow non-CA certificates without the Basic Constraints extension as trust anchors. Because java.security is the master security properties file of that JRE, the setting applies to every application running on it, not only to Identity Applications. Perform the following actions to modify the Java security settings:

  1. Open the java.security file located at C:\NetIQ\idm\apps\jre\lib\security\java.security in a text editor.

  2. Set the value of the property jdk.security.allowNonCaAnchor=true.

  3. Save the file.

After upgrading to Identity Applications version 4.8.1, you are not able to open forms while requesting permissions in the Identity Applications Dashboard.

To resolve this issue, perform the following steps:

  1. Press Windows + R on your keyboard, type services.msc and select OK to open the Windows Services interface.

  2. Search for the services named NetIQ Nginx Service and NetIQ IGA Form Renderer Service. Right-click each service and select the Restart option.

Identity Applications uses the NGINX service for rendering forms in the Identity Applications Dashboard.

After upgrading Identity Applications or Identity Reporting to the 4.8 version, multiple entries of PostgreSQL are displayed in the Control Panel.

Uninstall the previous versions of PostgreSQL from the Control Panel.

The uninstallation process reports as incomplete, but the log file shows no failures.

The process failed to delete the netiq directory that contains the installation files by default. You can delete the directory if you have removed all NetIQ software from your computer.

After you upgrade Identity Manager, the following property is added to the ism-configuration.properties file:

com.netiq.idm.osp.ldap.admin-dn = cn=admin,ou=sa,o=system

Comment out the property in the ism-configuration.properties file and restart Tomcat. It does not cause any functionality loss.

After you upgrade Identity Manager, the following SSPR property is added to the ism-configuration.properties file, even if you do not have SSPR in your deployment:

com.netiq.sspr.redirect.url = https://___SSPR_IP___:___SSPR_TOMCAT_HTTPS_PORT___/sspr/public/oauth

Comment out the property in the ism-configuration.properties file and restart Tomcat. It does not cause any functionality loss.
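Three entries in this table amount to hand-editing ism-configuration.properties after an upgrade: adding DirectoryService/realms/jndi/params/USE_NESTED_GROUPS=false (4.8.5 and later), and commenting out com.netiq.idm.osp.ldap.admin-dn and com.netiq.sspr.redirect.url. The script below, an added example and not NetIQ's code, applies all three edits in one pass and is safe to run repeatedly: an already-present key is rewritten in place rather than duplicated, and an already-commented line is left alone. The keys and values are the page's own; the file path in the usage block is an assumption. Java .properties files are ISO-8859-1 by specification, which is why the file is read and written as latin-1.

```python
import re
from pathlib import Path

# Added example, not NetIQ's code: idempotent edits to ism-configuration.properties.
# Keys and values below are the ones this troubleshooting table names; the file
# path in __main__ is an assumption for the example.

# `key = value` or `key: value`; leading/trailing whitespace is ignored.
_KV = re.compile(r"^([^\s=:]+)\s*[=:]\s*(.*)$")


def _split(line: str):
    """Return (key, value) for an active property line, None for blanks/comments."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#!":
        return None
    match = _KV.match(stripped)
    return (match.group(1), match.group(2).strip()) if match else None


def set_property(text: str, key: str, value: str) -> str:
    """Ensure exactly one active `key = value` line; append at the end if absent."""
    out, found = [], False
    for line in text.splitlines():
        kv = _split(line)
        if kv and kv[0] == key:
            if not found:
                out.append(f"{key} = {value}")
                found = True
            continue  # drop duplicate definitions of the same key
        out.append(line)
    if not found:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def comment_out_property(text: str, key: str) -> str:
    """Prefix every active definition of `key` with '# '; no-op if none is active."""
    out = []
    for line in text.splitlines():
        kv = _split(line)
        out.append(f"# {line}" if kv and kv[0] == key else line)
    return "\n".join(out) + "\n"


# (action, key, value) for the post-upgrade edits described in this table.
POST_UPGRADE_EDITS = [
    ("set", "DirectoryService/realms/jndi/params/USE_NESTED_GROUPS", "false"),
    ("comment", "com.netiq.idm.osp.ldap.admin-dn", None),
    ("comment", "com.netiq.sspr.redirect.url", None),
]


def apply_post_upgrade_edits(text: str) -> str:
    """Apply every entry of POST_UPGRADE_EDITS to the properties text."""
    for action, key, value in POST_UPGRADE_EDITS:
        if action == "set":
            text = set_property(text, key, value)
        else:
            text = comment_out_property(text, key)
    return text


if __name__ == "__main__":
    # Path is an assumption (the table's Windows example location); stop Tomcat first.
    path = Path(r"C:\NetIQ\IDM\apps\tomcat\conf\ism-configuration.properties")
    original = path.read_text(encoding="latin-1")  # .properties files are ISO-8859-1
    path.write_text(apply_post_upgrade_edits(original), encoding="latin-1")
```

Drop the USE_NESTED_GROUPS tuple from POST_UPGRADE_EDITS on releases older than 4.8.5, since that property only applies from 4.8.5 onward; the two comment-out entries apply to any upgraded system that shows them. Restart Tomcat after the file is written, as each table entry instructs.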

Unable to start Tomcat after an Identity Manager upgrade. You will notice a few exceptions in the Tomcat logs and a communication failure between the workflow engine and the Identity Vault.

  1. Log in to iManager.

  2. Navigate to Roles and Tasks > NetIQ Certificate Access > Server Certificates.

  3. Select the SSL CertificateDNS check box and click Export.

  4. In the Certificates drop-down list, select the SSL CertificateDNS.

  5. Clear the Export private key check box. Ensure that the Export format is set to DER.

  6. Click Next > Save the exported certificate to download the certificate in your system.

  7. Log in to the Identity Applications server.

  8. Stop Tomcat.

  9. Navigate to the C:\NetIQ\Common\JRE\bin\ directory and import the certificate into the idm.jks file using the following command:

    <Installed_path>\NetIQ\Common\JRE\bin\keytool -import -trustcacerts -alias <certificate_alias_name> -keystore <idm.jks> -file <certificate_file_downloaded>

  10. Restart Tomcat.

After upgrading Identity Manager from 4.7.4 to 4.8, the Tomcat service does not come up and no errors are reported in the log files. This issue occurs when the Heartbeat timer is not updated properly in the afenginestate table in the igaworkflow database.

To resolve this issue, log in to a database admin tool such as pgAdmin. Run the following query to manually update the Heartbeat timer in the afenginestate table in the igaworkflow database.

update afenginestate set heartbeat=now()::timestamp;