Topic
  • 7 replies
  • Latest Post - ‏2013-04-29T04:39:25Z by aanoufal
Adrian.Liu
Adrian.Liu
9 Posts

Pinned topic Met errors while installing ammger policy server

‏2013-04-23T05:58:38Z |

Recently, I met a problem: install and configurate AMMgr Policy Server failed due to the "Invalid credentials" problem. And I remembered that I 've already input the correct password of TDS while installing AMMgr.

 

====================================== Enrvironment ===================================================

Operation System: Windows 2008 R2 Standard 64bit  English edition

Tivoli Directory Server Version: 6.3

Tivoli Access Management Version: 6.1

====================================================================================================

 

After installing, I tried to restart the 'Access Manager Policy Server' manually in Windows Services Panel, then following errors arose.

 ===================  (C:\Program Files (x86)\Tivoli\Policy Director\log\msg__pdmgrd_utf8.log) ========================

2013-04-22-22:17:50.765-07:00I----- 0x14C521D3 pdmgrd NOTICE mis ivcore E:\build\am611\src\ivmgrd\pdmgrapi\cfgmgr.cpp 226 0x000010f4 HPDMS0467I Server startup
2013-04-22-22:17:50.765-07:00I----- 0x14C526F2 pdmgrd NOTICE mis ivmgrd E:\build\am611\src\ivmgrd\pdmgrapi\cfgmgr.cpp 231 0x000010f4 HPDMS1778I Loading configuration
2013-04-22-22:17:50.781-07:00I----- 0x16B480C9 pdmgrd ERROR rgy ira E:\build\am611\src\ivrgy\ira_handle.c 878 0x000010f4 HPDRG0201E Error code 0x31 was received from the LDAP server. Error text: "Invalid credentials".
2013-04-22-22:17:50.781-07:00I----- 0x14C526F3 pdmgrd NOTICE mis ivmgrd E:\build\am611\src\ivmgrd\pdmgrapi\daMgmtDomain.cpp 274 0x000010f4 HPDMS1779I Open database
2013-04-22-22:17:50.781-07:00I----- 0x14C526F4 pdmgrd NOTICE mis ivmgrd E:\build\am611\src\ivmgrd\pdmgrapi\daMgmtDomain.cpp 279 0x000010f4 HPDMS1780I Creating database
2013-04-22-22:17:50.797-07:00I----- 0x16B480C9 pdmgrd ERROR rgy ira E:\build\am611\src\ivrgy\ira_handle.c 878 0x000010f4 HPDRG0201E Error code 0x31 was received from the LDAP server. Error text: "Invalid credentials".
2013-04-22-22:17:50.797-07:00I----- 0x1005B1C6 pdmgrd ERROR acl acldb E:\build\am611\src\ivmgrd\pdmgrapi\daMgmtDomain.cpp 396 0x000010f4 HPDAC0454E Could not initialize the authorization policy database (0x14c01300).
2013-04-22-22:17:50.797-07:00I----- 0x1354A558 pdmgrd FATAL ivc general E:\build\am611\src\ivmgrd\pdmgrapi\daMgmtDomain.cpp 167 0x000010f4 HPDCO1368E An error occurred while trying to initialize the domain.
2013-04-22-22:17:50.797-07:00I----- 0x14C010A4 pdmgrd FATAL mgr general E:\build\am611\src\ivmgrd\ivmgrd.cpp 256 0x000010f4 HPDMG0164E The Policy Server could not be started

========================================================================================================

 

I've looked through all the config file under 'C:\Program Files (x86)\Tivoli\Policy Director\etc' directory, and couldn't find out how to config username/password to solve "Invalid credentials" problem.

I couldlogin TDS successfully by command: 'ldapsearch -D cn=root -w ? -s base objectclass=*' with proper password, so TDS worked fine.

Could you tell me how to handle it as I was a new comer of Tivoli family?

 

Updated on 2013-04-26T05:29:59Z at 2013-04-26T05:29:59Z by Adrian.Liu
  • aanoufal
    aanoufal
    10 Posts

    Re: Met errors while installing ammger policy server

    ‏2013-04-23T07:25:54Z  

    can you pleas try /opt/ibm/ldap/V6.0/sbin/idscfgsuf -I ldapdb2 -s secAuthority=Default. This would create the domain in the TDS.

     

    Good luck.

    Cheeers

    Nowfal

  • Adrian.Liu
    Adrian.Liu
    9 Posts

    Re: Met errors while installing ammger policy server

    ‏2013-04-26T01:31:59Z  
    • aanoufal
    • ‏2013-04-23T07:25:54Z

    can you pleas try /opt/ibm/ldap/V6.0/sbin/idscfgsuf -I ldapdb2 -s secAuthority=Default. This would create the domain in the TDS.

     

    Good luck.

    Cheeers

    Nowfal

    Thanks for you help, it's been very helpful.

    But after setting 'secAuthority=Default' in the suffixes and starting the TDS server, I tried to restarted the Policy Server, and it still put 'Error code 0x31 was received from the LDAP server. Error text: "Invalid credentials"' in the log.

     

    And I noticed that there were new logs appeared in the TDS ibmslapd.log file every time I tried to start Policy Server.

     "Apr 25 18:16:50 2013 GLPRDB060E Entry CN=IVMGRD/MASTER,CN=SECURITYDAEMONS,SECAUTHORITY=DEFAULT specified on bind does not exist."

    It seemed the  'secAuthority=Default' wasn't in force.

    Is there anything else I need to configure or did I make any mistakes? (The settings are shown in the Attachment)

    Attachments

  • Adrian.Liu
    Adrian.Liu
    9 Posts

    Re: Met errors while installing ammger policy server

    ‏2013-04-26T01:45:37Z  
    • aanoufal
    • ‏2013-04-23T07:25:54Z

    can you pleas try /opt/ibm/ldap/V6.0/sbin/idscfgsuf -I ldapdb2 -s secAuthority=Default. This would create the domain in the TDS.

     

    Good luck.

    Cheeers

    Nowfal

    And there's also another detail.

    I met a error after installing and confinguring the Policy Server immediately:

    ======================================================================================

    Installed: IBM License Agreement Files
    Installed: IBM Tivoli Access Manager runtime
    Installed: IBM Tivoli Access Manager Policy Server
    Configured: IBM Tivoli Access Manager runtime
    Errors occurred running: C:\PROGRA~1\Tivoli\POLICY~1\sbin\IVMGRD~1.EXE
    Errors occurred configuring: IBM Tivoli Access Manager Policy Server

    =======================================================================================

    I looked through the internet, a lot of people had met the same problem but no proper solution can be refered.

  • Adrian.Liu
    Adrian.Liu
    9 Posts

    Re: Met errors while installing ammger policy server

    ‏2013-04-26T02:57:11Z  
    • aanoufal
    • ‏2013-04-23T07:25:54Z

    can you pleas try /opt/ibm/ldap/V6.0/sbin/idscfgsuf -I ldapdb2 -s secAuthority=Default. This would create the domain in the TDS.

     

    Good luck.

    Cheeers

    Nowfal

    I figured this problem happened in this way:

    During the process of installation, Policy Server needed to restart the Operation System, and after it started,  Policy Server automatically initialized the 'secAuthority=Default' and related configuration in TDS, but this action took place before the TDS started, so it can not connect to TDS server.

    I thought this might be the most probable cause of this problem. Then I need to resgiter 'secAuthority=Default' manually to solve it.

    But there might be a series of configuration in a 'ldif' file apart from registering  'secAuthority=Default' in the suffixes, this was why 'CN=IVMGRD/MASTER,CN=SECURITYDAEMONS,SECAUTHORITY=DEFAULT specified on bind does not exist' happened.

    So could you show me how to write ldif file along with 'secAuthority=Default', as I'm a new comer of TAM family I would say.

  • Adrian.Liu
    Adrian.Liu
    9 Posts

    Re: Met errors while installing ammger policy server

    ‏2013-04-26T05:25:03Z  
    • aanoufal
    • ‏2013-04-23T07:25:54Z

    can you pleas try /opt/ibm/ldap/V6.0/sbin/idscfgsuf -I ldapdb2 -s secAuthority=Default. This would create the domain in the TDS.

     

    Good luck.

    Cheeers

    Nowfal

    I also tried to run ivmgrd_uninst.exe and ivmgrd_setup.exe to reconfigure Policy Server:

    ivmgrd_uninst.exe -deconfig -d cn=root -w XXX

    ivmgrd_setup.exe -f no -d "cn=root" -w XXX -v yes -m XXX-r 7135

     

    And there was a error message "An error occurred configuring the Access Manager Policy Server service.", and no other information in the log file, so I couldn't know what the problem was. After that "The specified service has been marked for deletion."

     

  • aanoufal
    aanoufal
    10 Posts

    Re: Met errors while installing ammger policy server

    ‏2013-04-29T04:19:33Z  

    Thanks for you help, it's been very helpful.

    But after setting 'secAuthority=Default' in the suffixes and starting the TDS server, I tried to restarted the Policy Server, and it still put 'Error code 0x31 was received from the LDAP server. Error text: "Invalid credentials"' in the log.

     

    And I noticed that there were new logs appeared in the TDS ibmslapd.log file every time I tried to start Policy Server.

     "Apr 25 18:16:50 2013 GLPRDB060E Entry CN=IVMGRD/MASTER,CN=SECURITYDAEMONS,SECAUTHORITY=DEFAULT specified on bind does not exist."

    It seemed the  'secAuthority=Default' wasn't in force.

    Is there anything else I need to configure or did I make any mistakes? (The settings are shown in the Attachment)

    Hello  Adrian,

    It looks like you need to reconfigure the Policy Server. When you create the secAuthoritySuffix, it is empty. The reconfiguration of Policy Server will add the entries to the suffix and that should resolve the Apr 25 18:16:50 2013 GLPRDB060E Entry CN=IVMGRD/MASTER,CN=SECURITYDAEMONS,SECAUTHORITY=DEFAULT specified on bind does not exist

    Can you please tell me the platform on which you are setting this up ?

  • aanoufal
    aanoufal
    10 Posts

    Re: Met errors while installing ammger policy server

    ‏2013-04-29T04:39:25Z  

    I figured this problem happened in this way:

    During the process of installation, Policy Server needed to restart the Operation System, and after it started,  Policy Server automatically initialized the 'secAuthority=Default' and related configuration in TDS, but this action took place before the TDS started, so it can not connect to TDS server.

    I thought this might be the most probable cause of this problem. Then I need to resgiter 'secAuthority=Default' manually to solve it.

    But there might be a series of configuration in a 'ldif' file apart from registering  'secAuthority=Default' in the suffixes, this was why 'CN=IVMGRD/MASTER,CN=SECURITYDAEMONS,SECAUTHORITY=DEFAULT specified on bind does not exist' happened.

    So could you show me how to write ldif file along with 'secAuthority=Default', as I'm a new comer of TAM family I would say.

    Adrian, The policy server registers the secAuthority suffix during the configuration phase itself. Now I am wonderiing if you ever got through the configuration phase successfully during the first attempt. Are you sure the Policy Server configuration was successful.

    Now, If you are setting up a whole new environment, I would suggest you to unconfigure and uninstall the TAM Base packages, lookup and remove any TAM related entries in the Directory Server including the secAuthority Suffix(use LDAP Browser for the UI purpose) and do it over again.

    Good luck