6.1 Troubleshooting the Role Mapping Administrator

A Tomcat port conflict error occurs when you are starting the Role Mapping Administrator

Explanation: If you have the Role Mapping Administrator and the Roles Based Provisioning Module installed on the same server, the Tomcat shutdown ports conflict.
Action: To solve the problem:
  1. Stop the Role Mapping Administrator.

  2. Edit the /installation_directory/idmrmap/tomcat/conf/server.xml file.

  3. Find the line <Server port="8006" shutdown="SHUTDOWN">.

  4. Change the port to another port that is not in use.

  5. Save the changes, then restart the Role Mapping Administrator by using the following command from the <rma_install_path>/rma/ location.

    Linux: ./start.sh

    Windows: start.bat

The Role Mapping Administrator uses the following default ports:

  • 8081: Used for HTTP access.

  • 8443: Used for secure HTTP access.

  • 8006: Used by the Tomcat application server.

The Role Mapping Administrator is not accessible when Tomcat is already installed in a system using port 8443

Source: See the catalina.out file from the <rma_install_path>/rma/tomcat/logs/ location to find the java.net.BindException: Address already in use<null>:8080 error.
Action: To solve the problem:
  1. Stop the Role Mapping Administrator.

  2. Change the port. For more information, see Changing the Port Number in the Identity Manager Role Mapping Administrator 4.0.2 Installation and Configuration Guide.

  3. Restart the Role Mapping Administrator.

You cannot authenticate to the Role Mapping Administrator

Action: Check the following items to correct the authentication problem. If the authentication issues continue, contact your system administrator.
  • The password is not correct.

  • The username does not exist in the user store.

  • There are multiple user accounts matching the specified username. Use the distinguished name (DN) instead of the common name (CN).

  • There are network problems. The user’s credentials are verified against the user store through an LDAP connection.

  • The LDAP server is not communicating.

  • If the eDirectory connection is using SSL, the certificate might have expired. Check with your system administrator to confirm whether the eDirectory certificate is valid or has expired.

  • The user account you are using does not have sufficient rights in the Roles Based Provisioning Module. Check with your administrator to verify that you have sufficient rights to use the Role Mapping Administrator.

You cannot access the Role Mapping Administrator after a successful installation

Action: Use the following procedure to resolve the problem:
  1. Start the Role Mapping Administrator after installing it.

  2. Check the <rma_install_path>/rma/tomcat/conf/logging.properties file. Use a different port if the port is already in use.

  3. Stop the Role Mapping Administrator.

  4. Change the port to another port in the <rma_install_path>/rma/tomcat/conf/server.xml file.

  5. Start the Role Mapping Administrator.
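
The port checks in the three procedures above (the shutdown-port conflict, the BindException in catalina.out, and the post-installation access problem) can be done before restarting. The following script is an added example, not part of the product or its documentation: it reads the Server and Connector ports from a server.xml and reports which ones already have a listener. The sample XML is constructed from the default ports listed on this page, the function names are hypothetical, and the probe covers only the IPv4 loopback address.

```python
import socket
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Tomcat server.xml, using the default
# ports listed on this page (8006 shutdown, 8081 HTTP, 8443 secure HTTP).
SAMPLE_SERVER_XML = """<Server port="8006" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8081" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"/>
  </Service>
</Server>"""


def configured_ports(server_xml_text):
    """Return [(label, port)] for the shutdown port and every Connector."""
    root = ET.fromstring(server_xml_text)
    ports = [("Server shutdown", int(root.get("port")))]
    for conn in root.iter("Connector"):
        ports.append(("Connector " + conn.get("scheme", "http"), int(conn.get("port"))))
    # Tomcat treats a shutdown port of -1 as "disabled"; nothing to check there.
    return [(label, port) for label, port in ports if port > 0]


def port_in_use(port, host="127.0.0.1"):
    """True if a listener already accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1.0)
        return s.connect_ex((host, port)) == 0


def find_conflicts(server_xml_text, host="127.0.0.1"):
    """Ports named in server.xml that another process is already listening on."""
    return [(label, port) for label, port in configured_ports(server_xml_text)
            if port_in_use(port, host)]


if __name__ == "__main__":
    # Run with the Role Mapping Administrator stopped, so any hit is a foreign listener.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for label, port in find_conflicts(text):
        print(f"{label}: port {port} is already in use")
```

Pass the path to the server.xml file as the first argument; with no argument the script checks the constructed sample.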

Expected roles are not being displayed

Explanation: Not all of the roles from the Roles Based Provisioning Module are being displayed, or too many roles are being displayed.
Action: If a user belongs to the Role Module Administrator role in the Roles Based Provisioning Module, the Role Mapping Administrator uses the proxy admin credentials defined in the Role Mapping Administrator configuration. Verify that the proxy admin user has the correct rights to the Identity Vault that contains the User Application driver.

Expected roles from the SAP Portal are not being displayed

Explanation: When you load authorizations from the SAP Portal system, groups that start with SAP_ are not displayed.
Action: If the SAP Portal is using an ABAP server as the Authentication DataSource, then by default the UME cannot assign ABAP roles (which appear as groups in the SAP Portal) directly to ABAP users. Most of these ABAP roles begin with SAP_. The SAP Portal driver is configured to filter these roles when the Role Mapping Administrator queries for the available groups.

The filter is an XML filter element that is appended to the entitlement configuration object. By default, the filter element contains an attribute type that has a value of exclude. The filter element holds individual filters. Each filter contains the following attributes:

  • read-attr: The source for the match.

  • source-name: The attribute against which the regular expression is evaluated.

  • regex: The regular expression that is used.

You can modify the regular expression value or remove the value to change how the Role Mapping Administrator filters the results. By default, the regular expression is ^SAP_, which matches names that start with SAP_.

Figure 6-1 XML Filter Element

To change the filter so you can see all groups:

  1. Using Designer or iManager, edit the SAP Portal driver policy pub-its-InitEntitlementConfigurationResource on the Publisher channel.

  2. In Policy Builder, select the Entitlements rule.

  3. In the for each action, find the XML element of the filter.

  4. Change the type attribute value from exclude to include.

  5. Remove the regular expression value of ^SAP_.

  6. Save the changes, then restart the driver to have the changes take effect.

Authorizations are not being displayed

Explanation: Even after the authorizations are loaded, they are not displayed in the Authorizations panel.
Possible Cause: One possible reason is that the Tomcat server was shut down by pressing the CTRL+C key combination, which stops the Tomcat server but not the Role Mapping Administrator database server.
Action: To shut down the Role Mapping Administrator service, use the stop.sh/stop.bat command from the <rma_install_path>/rma/ directory.

Drivers are not being displayed

Explanation: After configuring the new driver for role mapping, the driver is not displayed in the Authorizations panel.
Possible Cause: One possible reason is that the Tomcat server was shut down by pressing the CTRL+C key combination, which stops the Tomcat server but not the Role Mapping Administrator database server.
Action: To shut down the Role Mapping Administrator service, use the stop.sh/stop.bat command from the <rma_install_path>/rma/ directory.