21.2 Troubleshooting the Identity Applications and RBPM Installation

The following table lists the issues you might encounter and the suggested actions for working on these issues. If the problem persists, contact your NetIQ representative.

Issue

Suggested Actions

The Roles and Self tasks widgets on the Dashboard page do not display any data. If you check in your browser’s Console, a 404 error is displayed. This issue is observed when the default IDMProv deployment context is changed to a custom context.

To resolve this issue, you must change the REST API URL on the impacted widgets. Perform the following steps:

  1. Log in to the Identity Manager Dashboard as an administrator.

  2. Navigate to the Dashboard page and click Manage Dashboard.

  3. To edit the widget configuration in the Roles widget:

    1. Click .

    2. In the URL field, change the default IDMProv context to a custom context as follows: /<custom-context>/rest/access/assignments/advanced?nextIndex=1&sortBy=name&sortOrder=ASC&forceRefresh=true&searchScope=role&size=20

      where <custom-context> is the context that you are using in your Identity Manager deployment.

    3. Click Apply.

  4. To edit the widget configuration in the Self tasks widget:

    1. Click .

    2. In the URL field, change the default IDMProv context to a custom context as follows: /<custom-context>/rest/access/tasks/list?fromIndex=1&size=10&q=*&sortOrder=asc&sortBy=createTime&assignedTo=assignedTo&recipient=recipientAsMe&expireUnit=weeks&expireWithin=&proxyUser=&assignStatus=&delegatedTasks=false&status=

    3. Click Apply.

  5. Click Edit Done.

When Identity Applications installed in a cluster is upgraded and Tomcat is restarted, clustering does not work as expected.

Perform the following actions on all nodes of the cluster:

  1. Navigate to the server.xml file located in the C:\NetIQ\IDM\apps\tomcat\conf folder.

  2. Uncomment the following line in the server.xml file:

    <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>

  3. Restore all the custom configurations from the backed up Tomcat directory.

  4. Restart Tomcat.
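
One way to confirm step 2 on each node before restarting Tomcat, as an added example (not NetIQ's own tooling): the Get-ClusterState function below is hypothetical, and the two node configurations are constructed samples. It distinguishes an active Cluster element from one that is still commented out.

```powershell
# Added example: classify the SimpleTcpCluster element in a Tomcat server.xml.
$ClusterClass = 'org.apache.catalina.ha.tcp.SimpleTcpCluster'

function Get-ClusterState {
    param([Parameter(Mandatory)][string]$ServerXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # do not resolve external entities or DTDs
    $doc.LoadXml($ServerXml)

    # An active element is a real node in the parsed tree.
    $active = $doc.SelectNodes("//Cluster[@className='$ClusterClass']")
    if ($active.Count -gt 0) { return 'enabled' }

    # A commented-out element survives only as text inside a comment node.
    foreach ($c in $doc.SelectNodes('//comment()')) {
        if ($c.Value -match '<Cluster\b' -and $c.Value.Contains($ClusterClass)) {
            return 'commented'
        }
    }
    return 'missing'
}

# Constructed sample for a hypothetical node whose Cluster line is commented out.
$upgraded = @'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
'@
# Same file with the comment markers removed, as after step 2.
$fixed = $upgraded -replace '<!--\s*', '' -replace '\s*-->', ''

$nodes = [ordered]@{ node1 = $upgraded; node2 = $fixed }
foreach ($name in $nodes.Keys) {
    '{0}: {1}' -f $name, (Get-ClusterState -ServerXml $nodes[$name])
}
```

On a real node, pass the file contents instead of the samples, for example Get-ClusterState -ServerXml (Get-Content -Raw C:\NetIQ\IDM\apps\tomcat\conf\server.xml).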

The upgrade process does not set the default Identity Applications Administrative account as cn=uaadmin.ou=sa.o=data. The following error is logged to the catalina.out file.

AuthorizationManagerService [RBPM] Error occured calculating effective rights for attribute: nrfAccessMgrRevokeRole on object: cn=complianceAdmin,cn=System,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=Driver Set,o=system for trustee: cn=uaadmin,ou=sa,o=data.
com.novell.srvprv.spi.security.IDMAuthorizationException: Error occured calculating effective rights for attribute: nrfAccessMgrRevokeRole on object: cn=complianceAdmin,cn=System,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=Driver Set,o=system for trustee: cn=uaadmin,ou=sa,o=data.
    at com.novell.idm.security.authorization.ldap.LdapRightsUtil.getPropertyRights(LdapRightsUtil.java:152)

Unable to fetch roles from edirectory in the predefined time set.

  1. Navigate to the setenv.bat file and change the value for -Dncpclient_req_timeout property to 1150 in the CATALINA_OPTS entry.

  2. Restart Tomcat.

You want to modify one or more of the following Identity Applications configuration settings created during installation:

  • Identity Vault connections and certificates

  • E-mail settings

  • Identity Manager Engine User Identity and User Groups

  • Access Manager or iChain settings

Run the configuration utility independent of the installer.

Run the following command from the installation directory (by default, C:\NetIQ\idm\apps\UserApplication\):

configupdate.bat

Starting Tomcat causes the following exception:

port 8180 already in use

Shut down any instances of Tomcat (or other server software) that might already be running. If you reconfigure Tomcat to use a port other than 8180, edit the configuration settings for the User Application driver.

When Tomcat starts, the application reports it cannot find trusted certificates.

Ensure that you start Tomcat by using the JDK specified during the installation of the Identity Applications.

Cannot log in to the portal admin page.

Ensure that the Identity Applications Administrator account exists. This account is not the same as your iManager administrator account.

Cannot create new users even with administrator account.

The Identity Applications Administrator must be a trustee of the top container and should have Supervisor rights. You can try setting the Identity Applications Administrator’s rights equivalent to the LDAP Administrator’s rights (using iManager).

Starting application server throws keystore errors.

Your application server is not using the JDK specified during the installation of the Identity Applications.

Use the keytool command to import the certificate file:

keytool -import -trustcacerts -alias aliasName -file certFile -keystore ..\lib\security\cacerts -storepass changeit

  • Replace aliasName with a unique name of your choice for this certificate.

  • Replace certFile with the full path and name of your certificate file.

  • The default keystore password is changeit (if you have a different password, specify it).

Email notification not sent.

Run the configupdate utility to check whether you supplied values for the following Identity Applications configuration parameters: Email From and Email Host.

Run the following command from the installation directory (by default, C:\NetIQ\idm\apps\UserApplication\):

configupdate.bat