7.0 Troubleshooting Identity Manager

Keep in mind the following information when you install Identity Manager by using the integrated installer:

Figuring out installation issues

Action: If errors occur during Identity Manager installation, ensure that you refer to the log files depending on your platform:
  • Linux/Solaris: /var/opt/novell/idm/install/logs/

  • Windows: The default location is C:\novell\IdentityManager\install\logs\. You can change the location of the log files based on the install location you specify.

Action: To detect typical failures, see the ii_install.log file for installation issues, the ii_configure.log file for configuration issues, and the ii_uninstall.log file for uninstallation issues. In the log files, look for the text exitValue = xxx. If the value is not 0, that command execution failed, and the failing command generates its own log file. Refer to that log file for further details on the failure.

For example,

"/home/siva/build/products/Reporting/IDMReport.bin" -DIA_USER_JRE_HOME="/opt/novell/idm/jre" -i silent -f "/tmp/idmreporting_configure.properties"
execute command
  exitValue = 1
log file location   :/tmp/idmreporting_configure.properties
log file location   :/opt/novell/idm/rbpm/IDMReporting//RPT_Install.log

The above snippet from the ii_install.log file indicates that the command has failed, because the exitValue is 1 (non-zero). For further analysis, refer to the /opt/novell/idm/rbpm/IDMReporting/RPT_Install.log as displayed in the command.
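The check described above can be scripted. The following is an added example, not part of the product or its documentation: it walks a log in the layout shown in the snippet, prints every command whose exitValue is not 0 together with the log files listed after it, and labels 3010 as reboot-required, as described in the Windows runtime distribution entry later on this page. The function names and the sample lines (other than the IDMReport.bin entry) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not vendor code. Assumed log layout (from the snippets on this
# page): a command line, "execute command", "exitValue = N" on the same or the
# next line, then optional "log file location :" lines.

scan_install_log() {    # usage: scan_install_log ii_install.log  (default: stdin)
    awk '
    function emit(   i) {           # print the pending record if it did not exit 0
        if (have && code != 0) {
            printf "%s exit=%d cmd=%s\n", (code == 3010 ? "REBOOT" : "FAILED"), code, cmd
            for (i = 1; i <= nlogs; i++) printf "  log: %s\n", logs[i]
        }
        have = 0; nlogs = 0
    }
    /log file location[ \t]*:/ {    # attach follow-up log paths to the record
        if (have) { p = $0; sub(/^.*log file location[ \t]*:[ \t]*/, "", p); logs[++nlogs] = p }
        next
    }
    /exitValue[ \t]*=/ {            # exit status of the command seen last
        emit()
        n = $0; sub(/.*exitValue[ \t]*=[ \t]*/, "", n)
        code = n + 0; cmd = last; have = 1
        next
    }
    /^[ \t]*execute command[ \t]*$/ || /^[ \t]*$/ { next }
    { emit(); last = $0 }           # any other line starts a new command
    END { emit() }
    ' "${1:--}"
}

sample_log() {          # constructed sample; the second entry is the example from this page
    cat <<'EOF'
"/opt/example/products/A/install.bin" -i silent -f "/tmp/a.properties"
execute command
  exitValue = 0
log file location   :/tmp/a_install.log
"/home/siva/build/products/Reporting/IDMReport.bin" -DIA_USER_JRE_HOME="/opt/novell/idm/jre" -i silent -f "/tmp/idmreporting_configure.properties"
execute command
  exitValue = 1
log file location   :/tmp/idmreporting_configure.properties
log file location   :/opt/novell/idm/rbpm/IDMReporting//RPT_Install.log
"C:\example\redist_pkg\vcredist_x86.exe" /q:a
execute command exitValue = 3010
EOF
}

sample_log | scan_install_log
```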

Passing mandatory parameters during configuration

Source: During configuration, the installer might display the following error message after the configuration parameters are specified:
Some of the inputs are not proper. They are highlighted in Red.
Possible Cause: Based on the highlighted parameter, the cause of the error message could be one of the following:
  • The port number is already in use.

  • The passed DNS hostname is invalid.

  • The DN format is incorrect.

Action: Do the following:
  • Use a different port number if the port is already in use.

  • Specify a valid DNS name or specify a valid IP address if you don’t want to specify a DNS name.

  • Verify that a valid DN is specified in LDAP format.

Configuration fails if the hosts file contains 127.0.0.2 entry

Possible Cause: If the /etc/hosts file has an entry with the 127.0.0.2 loopback address, the default IP certificate is created for the 127.0.0.2 loopback address.
Action: Do the following:

Edit the /etc/hosts file if the hosts file has an entry with the 127.0.0.2 loopback address.

For example, 127.0.0.2 hostname. Comment out that line and make sure that the real IP address entry is in the file.

Installer throws java.io.FileNotFoundException

Possible Cause: If the system's tmp directory is not present, the installer throws this exception soon after it is invoked.
Action: Create the system's tmp directory.

Issues with invoking installer in the GUI mode

Possible Cause: An error message is displayed when the integrated installer is invoked in GUI mode if the required RPMs are not present on the system. The integrated installer automatically switches to the console mode, which is not supported.
Action: Install the required RPMs before invoking the Identity Manager installer.

See Identity Manager 4.0.2 Readme for a list of RPMs required for a successful installation and configuration of Identity Manager.

On Linux, the Remote Loader does not install through integrated installer

Possible Cause: This issue occurs only with the Identity_Manager_4.0.2_Linux_Advanced.iso or the Identity_Manager_4.0.2_Linux_Standard.iso files.
Action: You must install the Remote Loader through the framework installer. Select either a 32-bit Remote Loader or a 64-bit Remote Loader in one installation instance, then run installation separately for each of them. The installation fails if you select both Remote Loaders in one installation instance. Only one Remote Loader can be installed at a time.

Also, port 8000 must be free to ensure a successful Identity Manager installation.

Tree name is auto generated when the tree name already exists

Source: The integrated installer tries to automatically generate the tree name if that tree name already exists.

Secondary server installation

Explanation: The integrated installer adds the replica holding the server object on all secondary server installations. It waits for the replica to turn on.

Check for free ports before starting the installation

Explanation: Some services might not run because the ports required by them are occupied.
Action: Ensure that the following ports are free before you start the installation. Run the netstat -anp | egrep command to check if these ports are free.
netstat -anp | egrep ':(524|389|636|8028|8030|8090|8000|7707|8006|8009|8081|8443|8009|8080|8443|1199|1198|1190|3973|4544|4545|4546|4557|4812|4813|8109|8183|8180|8543|29007|37022|8180|10013|10014|61616|61617|1514|15432|5556|1289|1443|1468)'

For more information, see Section 3.3, Ports Used by the Identity Manager Services.
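The egrep pattern above matches any line containing one of the port strings, so it also reports ports that merely start with the same digits (for example 5240) and client connections to a remote port. The following added example, which is not part of the product, reads netstat -anp output and lists only the required ports that are actually bound locally, with the owning process. The port list is copied from the command above with duplicates removed; the function names and the sample netstat lines are constructed.

```sh
#!/bin/sh
# Added example, not vendor code: list which required ports are already bound.
# Port list taken from the egrep pattern on this page, duplicates removed.
IDM_PORTS="524 389 636 8028 8030 8090 8000 7707 8006 8009 8081 8443 8080 1199 \
1198 1190 3973 4544 4545 4546 4557 4812 4813 8109 8183 8180 8543 29007 37022 \
10013 10014 61616 61617 1514 15432 5556 1289 1443 1468"

busy_ports() {          # usage: netstat -anp | busy_ports
    awk -v want="$IDM_PORTS" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next   # skip client connections
        port = $4; sub(/.*:/, "", port)           # local address is field 4
        proto = $1; sub(/6$/, "", proto)          # report tcp6 as tcp
        if ((port in need) && !seen[port]++)      # exact match, one line per port
            print port, proto, $NF                # $NF is the PID/Program column
    }' | sort -n
}

sample_netstat() {      # constructed sample of netstat -anp output
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address     Foreign Address   State       PID/Program name
tcp        0      0 0.0.0.0:5240      0.0.0.0:*         LISTEN      900/otherd
tcp        0      0 10.0.0.5:41022    10.0.0.9:389      ESTABLISHED 1500/ldapsearch
tcp        0      0 0.0.0.0:8443      0.0.0.0:*         LISTEN      1310/java
tcp6       0      0 :::8443           :::*              LISTEN      1310/java
udp        0      0 0.0.0.0:1514      0.0.0.0:*                     1422/java
EOF
}

sample_netstat | busy_ports
```

An empty result means none of the listed ports is in use; run it as root so that netstat can show the owning process.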

Detecting the current state of the system

Explanation: Ensure that you back up the installer state file. The integrated state file is an important configuration file used by the installer for information including the current state of the system, installed components, configured components, or uninstalled components.
Action: Locate the state file, then back up the file.
  • Linux/Solaris: The file to back up is located at /etc/opt/novell/idm/install/conf/install_state.conf.

  • Windows: The file to back up is located at C:\Novell\conf\install_state.conf.

Changing password in RBPM

Possible Cause: The RBPM expects the eDirectory server to be set to require the use of the NMASLOGIN_FIRST environment variable during login. The Identity Manager integrated installer automatically handles this by modifying the pre_ndsd_start script for Linux or the HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\Environment registry key for Windows.

If you perform a default eDirectory installation and apply a password policy to an existing user, then log in as this user and perform a forgotten password procedure, you might see a message that says the Universal Password is not set after answering the challenge response questions.

Action: To work around this issue,
  1. Linux/UNIX: Add the following two lines to the pre_ndsd_start script located at /opt/novell/eDirectory/sbin (formerly in /etc/init.d):

    NDSD_TRY_NMASLOGIN_FIRST=true
    
    export NDSD_TRY_NMASLOGIN_FIRST 
    
    

    IMPORTANT: When NDSD_TRY_NMASLOGIN_FIRST is set to true, the user's password is set to expired and is configured to permit grace logins. If the user's password policy does not use grace logins, the user is not prompted to use grace logins. Instead, the user is prompted to change the password. This is because NMAS removes the loginGraceLimit and loginGraceRemaining attributes during login if the password policy does not use grace logins.

    If NDSD_TRY_NMASLOGIN_FIRST is not set to true, eDirectory does not enforce case sensitivity for passwords during login.

    Windows: Right-click My Computer and select Properties. In the Advanced tab, click Environment Variables. Under System Variables, add the variable and set the value to True. This should be done on any server that might handle NMAS logins via LDAP.

  2. Restart eDirectory to apply the change.

The integrated installer does not properly handle the RBPM error codes

Possible Cause: In some situations, the integrated installer does not properly handle the Roles Based Provisioning Module setup errors. This can happen when the Roles Based Provisioning Module configuration fails because of a problem with the driver configuration process. In this case, the integrated installer configuration summary displays a message indicating that the Roles Based Provisioning Module configuration passed, but the Roles Based Provisioning Module configuration has setup errors.
Action: When you encounter a problem, review the install logs located in the logs folder to determine the cause of the problem (var\opt\novell\idm\install\logs).

Error displayed if the Identity Reporting Module and RBPM are separately configured

Possible Cause: The integrated installer displays the following error if Identity Reporting Module and the Roles Based Provisioning Module are separately configured:
'Failed to load users/passwords/role files'
Action: To work around this issue, either stop JBoss before installing the Identity Reporting Module or restart JBoss after installing the Identity Reporting Module.

The Restore Default button does not work during Identity Manager installation

Source: During the Identity Manager installation, if you return to the Installation Location page from the subsequent page, the Restore Default button does not work as expected.

On Windows, the Metadirectory server uninstallation does not remove the lib directory

Source: The jar files that reside in the lib directory are not removed. The uninstaller uninstalls other installed components.
Action: Manually remove the jar files.

Integrated installer might hang during the Identity Manager uninstallation on Windows

Possible Cause: The installer tries to stop all the dependent services before uninstalling Identity Manager. Sometimes the installer might not be able to stop the DHost service because some services depend on DHost.
Action: Do the following steps to check whether the installer has hung during the Identity Vault uninstallation:
  1. Go to the Control Panel, open the Novell eDirectory Services, then click the Startup button. If the installer hangs, the following message displays:

    Novell eDirectory Service is in a NT service Stop Pending State.
    
  2. To continue with the uninstall, manually stop the DHost service from the Task Manager.

Windows runtime distribution installation might force a reboot because of an install failure

Explanation: The Metadirectory installation fails with the following message in the <Install Location>\ii_install.log file:
:\Users\Administrator\IDM4\products\eDirectory\x64\windows\x64\redist_pkg\vcredist_x86.exe" /q:a /c:"msiexec /i vcredist.msi /qn /l C:\Users\ADMINI~1\AppData\Local\Temp\vcredist32_Windows_x64_Install.log"
execute command exitValue = 3010 
Action: The 3010 code returned by the vcredist executable indicates success, but it means that you must reboot the Windows machine. After rebooting, relaunch the installer and the installation continues normally. Rebooting the machine does not affect the earlier successful installations.

Configuring the ISO extracted through third-party ISO extraction tools on UNIX

Explanation: The Identity Manager 4.0.2 integrated installer fails to configure if the ISO is extracted through third-party ISO extraction tools on UNIX.
Action: For successful configuration, use the mount -o loop command.

The integrated installer does not add a replica of an existing driver set during configuration

Explanation: The integrated installer does not add a replica of an existing driver set during configuration.
Action: To work around the issue, perform the following steps:
  1. Launch iManager.

  2. Click Roles and Tasks > Partitions and Replicas > Replicas view, select the existing driver set, then click Add Replica.

  3. Select the server name from the drop-down list and click OK.

Enabling XDAS degrades performance

Possible Cause: With XDAS event logging enabled, Identity Manager engine performance is degraded without SLP configuration.
Action: SLP should be correctly configured and running to ensure that performance is not affected.

Identity Manager component uninstallation issues

Source: During uninstallation, if one or more components fail to uninstall, the Uninstall option is disabled when you retry uninstallation. One of the reasons for the uninstallation failure on Windows could be that the JAVA_HOME and PATH variables are not set.
Action: Execute the individual component uninstallers as follows:
  • Linux/Solaris: Run the following command to uninstall the individual components:

    • Metadirectory: Uninstall the Identity Manager framework:

      /root/idm/Uninstall_Identity_Manager/Uninstall_Identity_Manager
      

      Uninstall the Identity Vault:

      /opt/novell/eDirectory/sbin/nds-uninstall
      
    • JBoss: Run the following command:

      $IA_RBPM_POSTGRESQL_INSTALL_PATH$/JBossPostgreSQL_Uninstaller/Uninstall_JBossPostgreSQL
      
    • Roles Based Provisioning Module: Run the following command:

      java -jar /opt/novell/idm/rbpm/RemoveUserApp/uninstaller.jar
      
    • Identity Reporting Module: Run the following command:

      "/opt/novell/idm/rbpm/Uninstall_Identity Reporting/Uninstall Identity Reporting"
      
    • Event Auditing Service: Run the following command:

      "/opt/novell/sentinel_eas/Uninstall_Event Auditing Service/Uninstall Event Auditing Service"
      
    • Role Mapping Administrator: Run the following command:

      /opt/novell/idm/rma/rma-uninstall.sh -s
      
    • Designer: Run the following command:

      "/opt/novell/idm/Designer/UninstallDesigner/Uninstall Designer for Identity Manager"
      
    • Analyzer: Run the following command:

      "/opt/novell/idm/Analyzer/UninstallAnalyzer/Uninstall Analyzer for Identity Manager"
      
    • iManager: Run the following command:

      /var/opt/novell/tomcat5/webapps/nps/UninstallerData/UninstalliManager
      
  • Windows: Except for the Role Mapping Administrator, uninstall all the components from Windows > Add/Remove Programs. To uninstall the Role Mapping Administrator, run C:\novell\IdentityManager\RMA\rma-uninstall.bat from the command prompt.

NoClassDefFound Exception in IBM WebSphere MQ V7.5

Action: When you encounter this error, add com.ibm.mq.jmqi.jar in the classes folder.