Common issues

You might encounter common issues during the deployment and usage of IBM® Security Identity Manager in the IBM Security Identity Manager virtual appliance. For more information, see the following common issues and workaround sections.

Data store configuration fails

Check the configuration of the database system.
  • On the Log Retrieval and Configuration page, click the Appliance tab and check the Identity data store configuration, server system out, and server messages.
  • If your configuration is not successful, try to configure again. In case of any problems, you might want to use a previously taken snapshot to restore the virtual appliance to its previous state.

In the database server configuration, the certificate information window displays repeatedly even after you accept the certificate for the first time. The cause might be a cipher mismatch between the cipher configuration of your database server and that of the virtual appliance.

Directory server configuration fails

Check the configuration of the directory server:
  • On the Log Retrieval and Configuration page, click the Appliance tab and check the directory server configuration, server system out, and server messages.
  • If your configuration is not successful, try to configure again. In case of any problems, you might want to use a previously taken snapshot to restore the virtual appliance to its previous state.

In the directory server configuration, the certificate information window displays repeatedly even after you accept the certificate for the first time. The cause might be a cipher mismatch between the cipher configuration of your directory server and that of the virtual appliance.

Unable to access the IBM Security Identity Manager virtual appliance console

Verify that the IP, Subnet Mask, DNS, and Gateway values in the network configuration are correct.

High disk usage notification on the dashboard

Reduce the setting for the Maximum size for log file rotation and Maximum number of historical log files.

Reduce the trace level from the command-line interface.

Clean the log files from Manage > Maintenance > Log Retrieval and Configuration.

For any other unrecoverable issues

Generate a support file by using the command-line interface or the IBM Security Identity Manager virtual appliance console for the IBM Support Team.

CLI

    isimva.example.com> support
    isimva.example.com:support> create
    isimva.example.com:support> download
    1: isim_1.0.1.1_20130925-014609_isimva.example.com.zip
    2: isim_1.0.1.1_20130925-015645_isimva.example.com.zip
    Enter index: 1
    Insert a USB drive into the USB port on the appliance.
    Enter 'YES' to confirm: YES

Console
  1. Log on to the IBM Security Identity Manager virtual appliance console.
  2. Select Manage > System Settings > Support Files.
  3. Click New to create a new file.
  4. Click download to save a copy of the support file.

Unable to connect the IBM Security Identity Manager Server even with the correct host name

To resolve this issue, add the certificate to the client.
  1. Log on with Administrator privileges on the client computer.
  2. Start a web browser and go to the HTTPS URL for the IBM Security Identity Manager Server, https://hostname, where hostname is the name of the computer that has the IBM Security Identity Manager virtual appliance Server.
  3. In the web browser, export the security certificates to a file.
  4. Complete the following instructions:
    1. In Microsoft Internet Explorer, click File > Properties.
    2. Click Certificates.
    3. Click the Certification Path tab.
    4. Click the Details tab.
    5. For each certificate marked with a red X in the certificate hierarchy, do the following actions.
      1. Click View Certificate.
      2. Click Details.
      3. Click Copy to File.
      4. Follow the instructions in the wizard with the following considerations:
        • When the Export format page is displayed, select the DER encoded binary X.509 (.CER) format.
        • Save the certificates on your local computer. For example: webhost.cer.
  5. Restart the computer.

Unable to establish connection between IBM Security Identity Manager virtual appliance cluster nodes

Symptoms

The communication between IBM Security Identity Manager virtual appliance cluster nodes fails when the IBM Security Identity Manager virtual appliance is unable to resolve another node name. The IBM Security Identity Manager virtual appliance liberty logs (trace*.log) contain an error message, for example:

getStatus Status of Node <ISIM_VA_NodeName> is unavailable 

You can view the liberty logs by using the virtual appliance CLI:

  1. Navigate to the monitor command.
    
    <ISIMVA_SERVER> > isim
    <ISIMVA_SERVER>: isim> logs
    <ISIMVA_SERVER>: logs> monitor
    <ISIMVA_SERVER>: monitor> 
    
  2. Select option 2, and then option 4 to view the trace.log file contents.

You can also find these logs in support files at: <SupportFile_ExtractedDirectory>/tmp/liberty_dump/logs/trace*.log

Diagnosing the problem

Use the following CLI commands to verify that the network connection between the IBM Security Identity Manager virtual appliance cluster nodes can be established.

  1. <isimva_server>: tools> connect
  2. <isimva_server>: tools> ping
  3. <isimva_server>: tools> traceroute

For more information on the connect, ping, and traceroute commands, see tools command.

Causes

Possible reasons:
  • The IBM Security Identity Manager virtual appliance has a short host name.
  • The short host name does not map to the same IP address as the long host name.

Resolving the problem

  1. Ensure that the IBM Security Identity Manager virtual appliance cluster nodes have fully qualified domain names (FQDN) as a host name.

    To change the host name, see Changing host name of the IBM Security Identity Manager virtual appliance.

  2. Ensure that the hosts file is correctly configured with the fully qualified domain names of IBM Security Identity Manager virtual appliance cluster nodes.

    To manage the hosts file, see Manage hosts file.
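
The following added example (not IBM code and not part of the product) ties the symptom to the two causes above: it pulls node names out of the "is unavailable" messages in trace*.log text and checks each one against hosts-file entries. It assumes you have the trace text from an extracted support file and a text copy of the hosts entries; the sample log layout, names, and addresses are constructed.

```python
import re
from collections import Counter

# Message text as quoted on this page. Everything in the SAMPLE_* data below
# (timestamps, thread ids, names, addresses) is constructed for this example.
UNAVAILABLE = re.compile(r"getStatus Status of Node (\S+) is unavailable")
SAMPLE_TRACE = """\
[9/25/13 1:46:09:120 UTC] 0000004a getStatus Status of Node isimva2 is unavailable
[9/25/13 1:46:39:131 UTC] 0000004a getStatus Status of Node isimva2 is unavailable
[9/25/13 1:47:02:007 UTC] 00000051 getStatus Status of Node isimva3.example.com is unavailable
"""
SAMPLE_HOSTS = """\
192.0.2.11  isimva1.example.com isimva1
192.0.2.12  isimva2.example.com
192.0.2.99  isimva2   # stale short-name entry
"""

def unavailable_nodes(trace_text):
    # Count "is unavailable" status messages per node name.
    return Counter(UNAVAILABLE.findall(trace_text))

def parse_hosts(hosts_text):
    """Map every lower-cased name or alias in hosts-file text to its set of IPs."""
    table = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), set()).add(fields[0])
    return table

def check_node(name, table):
    """Return findings for one node name, covering the two causes listed above."""
    name = name.lower()
    short = name.split(".", 1)[0]
    findings = []
    if "." not in name:
        findings.append("short host name in use; expected an FQDN")
    if name not in table:
        findings.append("no hosts entry for " + name)
    for fqdn in sorted(n for n in table if n.startswith(short + ".")):
        if short in table and table[short] != table[fqdn]:
            findings.append("%s and %s map to different IP addresses" % (short, fqdn))
    return findings

def diagnose(trace_text, hosts_text):
    table = parse_hosts(hosts_text)
    return {node: check_node(node, table) for node in unavailable_nodes(trace_text)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE, SAMPLE_HOSTS))
```

An empty findings list for a node means its hosts entries are consistent and the cause lies elsewhere, for example in the network path checked with connect, ping, and traceroute.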

Unable to establish connection between IBM Security Identity Manager virtual appliance and external systems

Symptoms

Network problems make it difficult to establish a connection between IBM Security Identity Manager virtual appliance and external systems.

Diagnosing the problem

Use the following CLI commands to verify that the network connection between the IBM Security Identity Manager virtual appliance and external systems can be established.

  1. <isimva_server>: tools> connect
  2. <isimva_server>: tools> ping
  3. <isimva_server>: tools> traceroute

For more information on the connect, ping, and traceroute commands, see tools command.

Causes

  • A firewall exists between the IBM Security Identity Manager virtual appliance and the external system, and it is blocking incoming traffic from the IBM Security Identity Manager virtual appliance.
  • A firewall exists on the external system, and it is blocking incoming traffic from the IBM Security Identity Manager virtual appliance or outgoing traffic from the external system.
  • There is an issue with the subnet and subnet mask. Should the systems belong to the same subnet or different subnets?
  • Another DNS entry exists for some other system that uses the same IP address.

Resolving the problem

  • Modify the firewall setting to allow the incoming and outgoing traffic between IBM Security Identity Manager virtual appliance and external systems.
  • The DNS must not contain an entry for another system with the same IP address.
  • Ensure that the correct subnet and subnet mask details are set. If IBM Security Identity Manager virtual appliance and external systems belong to different subnets, then make sure that you have added a static route. To add a static route, see Configuring static routes.
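
To see how the subnet mask and static routes interact, the following added example (a simplified model written for this page, not the appliance's own routing code) classifies how a host with a given address and mask would reach a target. All addresses are constructed from documentation ranges, and the function and case names are hypothetical.

```python
import ipaddress

def route_for(target, iface_cidr, gateway=None, static_routes=()):
    """Classify how a host at iface_cidr would reach target.

    iface_cidr is the address with its mask, for example "192.0.2.10/24";
    static_routes is an iterable of (destination_cidr, next_hop) pairs.
    Returns (kind, next_hop) where kind is one of: on-link, static-route,
    default-gateway, no-route, bad-next-hop.
    """
    iface = ipaddress.ip_interface(iface_cidr)
    dest = ipaddress.ip_address(target)
    if dest in iface.network:
        return ("on-link", None)          # same subnet: no route needed
    best = None                           # longest-prefix match over static routes
    for cidr, hop in static_routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    hop = best[1] if best else gateway
    if hop is None:
        return ("no-route", None)
    if ipaddress.ip_address(hop) not in iface.network:
        return ("bad-next-hop", hop)      # next hop itself is outside the subnet
    return ("static-route" if best else "default-gateway", hop)

# Constructed cases: (target, appliance address/mask, gateway, static routes).
CASES = [
    ("192.0.2.50",    "192.0.2.10/24", "192.0.2.1", []),
    ("192.0.2.200",   "192.0.2.10/25", None,        []),   # mask entered as /25
    ("198.51.100.20", "192.0.2.10/24", "192.0.2.1",
     [("198.51.100.0/24", "192.0.2.254")]),
    ("203.0.113.5",   "192.0.2.10/24", "198.51.100.1", []),
]

if __name__ == "__main__":
    for case in CASES:
        print(case[0], "->", route_for(*case))
```

The second case shows the subnet-mask cause: with the mask entered as /25, a system on the same LAN is treated as off-link and is unreachable without a gateway or static route.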

Troubleshooting IBM Security Identity Manager failures in an IBM Security Identity Manager virtual appliance cluster environment

IBM Security Identity Manager operations go into a hanging or pending state.

Diagnosing the problem

To debug IBM Security Identity Manager performance and hang-related issues, generate a core dump. See Managing the core and heap dump files.

Symptoms

IBM Security Identity Manager issues warnings that the database connection pool is used up during reconciliation or other IBM Security Identity Manager operations, which causes IBM Security Identity Manager to fail.

The WebSphere® Application Server SystemOut*.log or IBM Security Identity Manager trace*.log files show that the database connection pool is all used up and no free connections are available.

To view the log files, use the "Log Retrieval and Configuration" panel. The SystemOut*.log of the application server can be viewed by using the IBM Security Identity Manager VA CLI:

  1. Navigate to the monitor command.
    
    <ISIMVA_SERVER> > isim
    <ISIMVA_SERVER>: isim> logs
    <ISIMVA_SERVER>: logs> monitor
    <ISIMVA_SERVER>: monitor> 
    
  2. Select option 5, and then option 2 to view the SystemOut*.log file contents.

    You can also find SystemOut*.log files in the support file at: <SupportFile_ExtractedDirectory>/opt/ibm/WebSphere/AppServer/profiles/<NodeName>/logs/<APP_MEMBER_NAME>/SystemOut*.log

  1. View the trace*.log of IBM Security Identity Manager by using the ISIM VA CLI.
  2. Browse for the monitor command.
    
    <ISIMVA_SERVER> > isim
    <ISIMVA_SERVER>: isim> logs
    <ISIMVA_SERVER>: logs> monitor
    <ISIMVA_SERVER>: monitor> 
    

    You can find trace*.log files in support files at: <SupportFile_ExtractedDirectory>/var/ibm/tivoli/common/CTGIM/logs/trace*.log

Resolving the problem

To check the existing database connection pool setting, see Managing database connection pool settings.

To calculate the maximum and minimum number of physical connections that are required in your case, see the "Configuring WebSphere JDBC Connections" topic in the IBM Security Identity Manager Versions 6.0/7.0 Performance Tuning Guide. After pool values are identified, change the database connection pool settings.

Troubleshooting messaging and transaction issues, and the tables that are involved

Diagnosing the problem

The messaging and transactions are managed by IBM WebSphere Application Server. You must check the SystemOut*.log of the messaging server.

You can view the SystemOut*.log files by using the IBM Security Identity Manager VA CLI:

  1. Navigate to the monitor command.
    
    <ISIMVA_SERVER> > isim
    <ISIMVA_SERVER>: isim> logs
    <ISIMVA_SERVER>: logs> monitor
    <ISIMVA_SERVER>: monitor> 
    
  2. Select option 6, and then option 2 to view the SystemOut*.log file contents.

    You can also find SystemOut*.log files in the support file at: <SupportFile_ExtractedDirectory>/opt/ibm/WebSphere/AppServer/profiles/<NodeName>/logs/<MSG_MEMBER_NAME>/SystemOut*.log

    For more information about how messaging and transactions work, see the IBM WebSphere Application Server product documentation.

    To check the SIB tables that are involved in messaging, see Clearing the service integration bus.