Error messages and problem solving

You might encounter some problems at run time. Use this information to resolve some of these common runtime problems.

Runtime problems and corrective actions are described in the following table:

Table 1. Runtime Problems
Problem: Reconciliation does not return all IBM® Security Verify Access accounts. It returns 500 or 2048 accounts only.

Corrective action: The default settings for LDAP and IBM Security Verify Access constrain the search size limit. The best practice is as follows:
  1. Modify the IBM Tivoli® Directory Server configuration file, ibmslapd.conf. This file is in the etc directory of the IBM Security Directory Server. Set the ibm-slapdSizeLimit variable to 0 (no limit).
  2. Modify the IBM Security Verify Access LDAP ldap.conf configuration file in the etc directory of the IBM Security Verify Access Policy Server. Set the max-search-size variable to greater than 2048 (the default setting). Setting the max-search-size to 0 means that the search size is unlimited.
  3. Modify the IBM Security Verify Access configuration file, pd.conf, in the etc directory of the IBM Security Verify Access Policy Server. Set the ssl-v3-timeout variable to 84600 (the maximum setting) and set the ssl-io-inactivity variable to 0 (no limit).

For ADAM only:

Change the MaxResultSetSize and MaxPageSize attributes to increase the search size limit on ADAM by using dsmgmt. The following example demonstrates setting the value of MaxResultSetSize and MaxPageSize to 200000 with the ADAM Tools Command Prompt:

C:\WINDOWS\ADAM>dsmgmt 
dsmgmt: LDAP Policies 
ldap policy: Connections
server connections: Connect to server localhost:389 
Binding to localhost:389 ... 
Connected to localhost:389 using credentials 
of locally logged on user. 
server connections: Quit
ldap policy: Show Values
ldap policy: Set MaxResultSetSize to 200000
ldap policy:Set MaxPageSize to 200000
ldap policy:Commit Changes

For more information, see the ADAM Help.

Problem: Reconciliation does not return all IBM Security Verify Access accounts. Reconciliation is successful, but some accounts are missing.

Corrective action: For the adapter to reconcile many accounts successfully, you can increase the WebSphere JVM memory. The following steps must be completed on the WebSphere® host computer:
Note: Do not increase the JVM memory to a value higher than the System memory.
  1. Log in to the WebSphere Administrative Console.
  2. Expand Servers in the left menu and select Application Servers.
  3. A table displays the names of known application servers on your system. Click the link for your primary application server.
  4. Select Process Definition from within the Configuration tab.
  5. Select the Java Virtual Machine property.
  6. Enter a new value for the Maximum Heap Size. The default value is 256 MB.
The allocated JVM memory might not be large enough. In this case, an attempt to reconcile many accounts by using the IBM Security Verify Access adapter results in log file errors. The reconciliation process is not completed successfully. The adapter log files contain entries that state ErmPduAddEntry failed. The WebSphere_install_dir/logs/itim.log file contains java.lang.OutOfMemoryError exceptions.
Problem: The reconciliation of large numbers of IBM Security Verify Access accounts times out.

Corrective action: During the reconciliation of large numbers of IBM Security Verify Access accounts (in the hundreds of thousands or millions), initialization of the reconciliation might take some time. This delay depends on the hardware and on performance tuning. Timeout problems might occur if you have IBM Security Directory Server and DB2® configured against your IBM Security Verify Access Policy Server. Refer to the IBM Security Directory Server user guides for information about configuring the ibm-slapdIdleTimeOut value in the ibmslapd.conf file. As a guideline, this value can be increased to greater than 10,000 for the reconciliation of approximately 5 million accounts.
Problem: A search filter with an asterisk character returns more accounts than expected.

Corrective action: A Search Filter can be specified for the IBM Security Verify Access reconciliation query. You can provide an LDAP filter in the Query page to specify a subset of accounts only (no supporting data) to be included in the reconciliation.

Both the IBM Security Verify Access Administration API and Registry Direct API reconciliation methods support IBM Security Verify Access user account filtering. A subset of user accounts might be required. In this case, a Search Filter can be supplied that conforms to the IBM Security Verify Access pattern that was used to list User accounts.

For example, a Search Filter to reconcile a subset of IBM Security Verify Access User accounts that includes JaneDoe, JonDoe and JimDolt might be: (eruid=J*Do*). The pattern for the eruid attribute is interpreted as a literal string. The asterisk (*) character is the exception: it is interpreted as a metacharacter that matches zero or more characters. Asterisks can be at the beginning, in the middle, or at the end of the pattern, and the pattern can contain multiple asterisks.
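The wildcard rule described above, worked through as an added example (this is not code from the original page or from the adapter): the pattern is compiled with every character literal except *, then run over a constructed list of eruid values to show why (eruid=J*Do*) selects more accounts than the three the administrator intended. The eruid values are made up, and matching is assumed to be case-sensitive.

```python
import re
from typing import List

# Constructed sample of eruid values (made-up names, not data from the page).
SAMPLE_ERUIDS = [
    "JaneDoe", "JonDoe", "JimDolt",          # the accounts the admin wanted
    "JDo", "JohnDonovan",                     # also matched by J*Do*
    "MaryDoe", "JaneD", "jane.doe",           # not matched by J*Do*
]


def pattern_from_filter(ldap_filter: str) -> str:
    """Extract the eruid pattern from a filter such as '(eruid=J*Do*)'."""
    m = re.fullmatch(r"\(eruid=(.*)\)", ldap_filter.strip())
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter!r}")
    return m.group(1)


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a Verify Access search pattern to a regular expression.

    Every character is a literal except '*', which matches zero or more
    characters; asterisks may appear anywhere in the pattern and more than once.
    re.escape() keeps regex metacharacters such as '.' literal, as the page requires.
    Case-sensitive comparison is an assumption of this example.
    """
    literal_chunks = [re.escape(chunk) for chunk in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_chunks) + "$")


def match_eruids(pattern: str, eruids: List[str]) -> List[str]:
    """Return the eruid values the pattern selects, in input order."""
    rx = pattern_to_regex(pattern)
    return [uid for uid in eruids if rx.match(uid)]


def unexpected_matches(pattern: str, eruids: List[str], intended: List[str]) -> List[str]:
    """Accounts the filter returns beyond the ones the administrator intended."""
    return [uid for uid in match_eruids(pattern, eruids) if uid not in intended]


if __name__ == "__main__":
    pat = pattern_from_filter("(eruid=J*Do*)")
    print("matched:   ", match_eruids(pat, SAMPLE_ERUIDS))
    print("unexpected:", unexpected_matches(pat, SAMPLE_ERUIDS, ["JaneDoe", "JonDoe", "JimDolt"]))
```

Tightening the pattern (for example (eruid=J*Doe) or (eruid=J?nDoe) is not supported, so use more literal text) is how the extra accounts are excluded.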

Problem: Enabling the option Do not reconcile SSO credentials removes all credentials from the IBM Security Identity registry.

Corrective action: Selecting this check box removes any current account credentials from the IBM Security Identity registry after the first successful reconciliation. The IBM Security Identity server considers any credential that is not returned to mean that the credential no longer exists for the account.

However, it is possible to retain any credentials that were reconciled previously by excluding the SSO credentials attribute from the reconciliation query.

Problem: The Test operation failed.

Corrective action: During a test of the IBM Security Verify Access service, the following message might be observed:

    CTGIMT605E An error occurred while processing the CTGIMT401E
    An error occurred while starting the tamTest_TAMCombo on
    my_server-requestid_4329bac6-28ad-11b2-d8dc-00000930ab5b agent.
    Error: java.lang.NoClassDefFoundError: com/tivoli/pd/jutil/PDException
    operation on the IBM Security Directory Integrator server. Error: {1}

This error might be because of either of the following reasons:

  • The IBM Security Directory Integrator JVM is not configured with IBM Security Verify Access.
  • The Dispatcher was not stopped and restarted to pick up the change.

Ensure that the IBM Security Verify Access Runtime for Java™ is installed and configured correctly. Alternatively, restart the Dispatcher as described in the Dispatcher Installation and Configuration Guide.

Problem: When you use the Registry Direct API, the first request after an extended time takes a long time to complete.

Corrective action: By default, the connection between the IBM Security Verify Access Registry Direct API and the LDAP servers is open indefinitely. If the connection is closed by a firewall, it might take 15-20 minutes for the API to detect this outage and open a new connection.
In that situation, the following setting must be added to the tam.conf file used by the IBM Security Verify Access Adapter:
ldap.connection-inactivity = <value in seconds>
This setting must be set lower than the firewall stale connection timeout value. After you update the tam.conf file, restart the Directory Integrator process.