Usage problems

This section describes problems with using the product.

Search limit exceeded

The ISIM_HOME/data/ui.properties file limits the number of results for accounts with default group attribute widget of the type search filter list box. The limit is 1000. The search returns only the first 1000 entries.

To access the remaining entries you must modify the account form to include a filter field so that you can narrow the search.

  1. Log on to the IVIG Console.
  2. Click Configure System > Design Forms.
  3. Click Accounts.
  4. Double-click the account you want to modify.
  5. Double-click the attribute on which you are searching on. It is identified as [ListBox].
  6. Specify the object class.
  7. Select the Show Query UI check box and click OK.
  8. Click Save.
  9. Click OK.

Error page displays as blank during uninstallation

The uninstaller program stops abruptly when you run the uninstaller.exe program and click the upper right X in the frame of the uninstaller window.

The program loses the Java™ Virtual Machine (JVM) and cannot generate a correct error message.

To avoid this situation, wait for all panels to display and close them with Close or Cancel.

Out-of-memory error occurs while generating a report in PDF

An out-of-memory error occurs while generating a report in portable document format (PDF). This error is unlikely to occur when generating comma-separated value (CSV) reports.

This error can occur if the JVM heap does not have enough available space to transform the XML to PDF format. In addition, the error can occur for double byte character set (DBCS) languages that have larger space requirements.

Use this procedure to increase the JVM heap size maximum:
  1. Access the WebSphere® Liberty administrative console.
  2. Use the following URL to log on to the WebSphere Liberty:

    http://machine name:port_number/ibm/console/

    Example: The local host is localhost. The connection port is 9060. Use http://localhost:9060/ibm/console/ to log on to the local host.

  3. Select Servers > Application Servers > server1. Use an equivalent name if you are not using the default server name.
  4. Select Java and Process Management > Process Definition > Java Virtual Machine.
  5. Go to the Maximum Heap Size parameter and set this value to 1024 or higher. If the physical memory is greater, the maximum heap size can be set higher.
  6. Save the configuration.
  7. Restart Verify Identity Governance Server.
    1. Access the WebSphere Liberty administrative console main window.
    2. Select Applications > Enterprise Applications.
    3. Select the check box next to the ITIM application.
    4. Click Stop.
    5. Wait for the following message:
      Application ITIM on server server_name and node node_name stopped successfully.
    6. Select the check box next to the ITIM application.
    7. Click Start.
    8. Wait for the following message:
      Application ITIM on server server_name and node node_name started successfully.
  8. Run the PDF report again.

Information is garbled in a CSV-formatted report

If you save or view a report in CSV format, UTF-8 encoding is used to format the output file. This format is supported by most CSV-compatible applications for viewing or manipulating CSV information. Some viewers might not support UTF-8 encoding or might not be set to open UTF-8 formatted files.

If the information in a CSV report does not render successfully, ensure that the application supports UTF-8 encoding and is set to use UTF-8 encoding.

Out-of-memory error causes server failure

IVIG fails with an out-of-memory condition when the following conditions exist:
Many concurrent users exit the software without properly logging out in a 10-minute window.
Example: Several concurrent users close their web browsers by clicking X, the Close icon, while logged on to IVIG.
The amount of physical memory and the JVM heap size settings are not high enough.
An out-of-memory condition occurs when the memory used by the total number of sessions exceeds the amount of memory allocated for the server.
If this problem occurs, complete one or more of the following tuning tasks:
Limit the number of in-memory sessions that WebSphere Liberty provides.
  1. Access the WebSphere Liberty administrative console.
  2. Click Applications > Enterprise Applications > ITIM > Web Module > app_web.war > Session Management.
  3. Select Override session management.
  4. Clear the Allow overflow check box.
  5. Reduce the value in the Maximum in-memory session count field. This value depends on the amount of memory allocated to your servers.

    This value specifies the maximum number of concurrent live web browser sessions for IVIG.

  6. Reduce the value in the Set timeout field from 30 minutes to a smaller value.
  7. Click OK and save the changes to the master configuration.
Restart the Verify Identity Governance Server.
  1. Access the WebSphere Liberty administrative console main window.
  2. Select Applications > Enterprise Applications.
  3. Select the check box next to the ITIM application.
  4. Click Stop.
  5. Wait for the following message:
    Application ITIM on server server_name and node node_name stopped successfully.
  6. Select the check box next to the ITIM application.
  7. Click Start.
  8. Wait for the following message:
    Application ITIM on server server_name and node node_name started successfully.

Generating large CSV reports results in out of memory errors

Generating a large CSV report might result in an out of memory error. Adjust the value of the reportBatchSize property in the adhocreporting.properties file to avoid Java OutOfMemory errors for large reports.

The reportBatchSize property specifies number of items requested from the reporting tables at one time. If no value is set or the line is commented out, all items are retrieved.
  1. Access the adhocreporting.properties file.
  2. Change the reportBatchSize property to 10000, as follows:
    reportBatchSize=10000
  3. Make sure that the line is not commented out.
  4. Change all nodes in a clustered environment.
  5. Restart the IVIG application for the change to take effect.
Note: If you use Microsoft Internet Explorer to generate the report, enable Automatic prompting for file downloads in the web browser security setting.

Generating a PDF report with an active report file open fails

You generated a report output file as a Portable Document Format (PDF) file and either minimized the displayed information or left the file open.

You cannot generate another report until you close the active report file.

Report has Deprecated label Access Control Information

The report feature uses a deprecated label called Access Control Information. The new label is Access Control Item (ACI).

You might see the deprecated label if you:
  • View the Access Control Information {ACIs} report builder.
  • Click Run report > Access Reports > Access Control Information {ACIs} on the Reports tab.

Edit the ISIM_HOME/data/reportingLabels.properties file and manually change the value for accessControlInformation. For example, the deprecated value is accessControlInformation=Access Control Information {ACIs}, and the correct value is accessControlInformation=Access Control Item {ACIs}.

The font in a report is too small

If the font in the report is too small to read, save the report in PDF format or in CSV format and print the report.

To save the report, complete these steps:
  1. Select File > Save As from the report output window.
  2. Browse to the directory where you want to save the file.
  3. Enter a valid file name.
  4. Save the document.

You can print both PDF and CSV format reports. You can print PDF reports in portrait or landscape modes. CSV can print reports that do not fit on a single page horizontally.

To print a CSV report, complete these steps:
  1. Select the CSV report format when generating the report.
  2. Select the Save As option in the dialog box.
  3. Provide a valid location and file name for saving the report.
  4. Use Microsoft Excel or any other CSV file reader to open the report.
  5. Use the print option to print the document.

Adding the owner attribute causes an UnsupportedOperationException error

Adding the owner attribute on an account form might cause a java.lang.UnsupportedOperationException error.

The message is:
CTGIMO002E. An unhandled exception occurred.
Error: java.lang.UnsupportedOperationException: the owner and (or) service 
or an account cannot be changed.

Do not use the Form Designer to add the owner attribute to an account form.

Use the IVIG account adoption and orphan operations to set or clear the owner of an account.

An organizational unit name with more than 128 characters is not created

If the organizational unit name exceeds 128 characters, the name is not created. Do not enter a value greater than 128 characters for the organizational unit name.
Note: A long name within the 128-character limit does not wrap when displayed.

IVIG fails because of an out of memory condition

IVIG can fail with an out of memory condition when the following conditions occur simultaneously:
Many concurrent users quit without properly logging out in a 30-minute window.
Example: All the concurrent users close their web browsers by clicking X, the Close icon, while remaining logged on.
The Verify Identity Governance Server physical memory and Java heap size settings are not high enough.
An out of memory condition occurs when the memory used by the total number of sessions exceeds the amount of memory allocated for the server.
To correct this problem, do either one or both of the following tuning tasks:
Limit the number of in-memory sessions for WebSphere Liberty.
  1. Access the WebSphere Liberty administrative console.
  2. Click Applications > Enterprise Applications > ITIM > Manage Modules > ITIM Console > Session Management.
  3. Select Override session management.
  4. Clear Allow overflow.
  5. Reduce the value in the Maximum in memory session count field. The value limits the number of concurrent web browser sessions. This value depends on the amount of memory allocated to your servers and the number of WebSphere clustered nodes used by IBM Verify Identity Governance.
  6. Click OK and save the changes to the master configuration.
  7. Repeat the previous steps from Step 2. But select the module ITIM Self Service in Step 2.
Reduce the session inactivity time to less than 30 minutes.
  1. Click Applications > Enterprise Applications > ITIM > Manage Modules > ITIM Console > Session Management.
  2. Select Override session management.
  3. Select Set timeout.
  4. Reduce the value of the timeout to less than 30 minutes.
  5. Click OK and save the changes to the master configuration.
  6. Repeat the previous steps. But select the module ITIM Self Service in Step 1.

The authenticated token can call only the SelfPasswordManager.resetPassword() API after authentication by using the challenge-response authentication system

If the system configuration property Lost password question behavior is set to Reset Password, the authenticated token can call only the SelfPasswordManager.resetPassword() API after the challenge-response authentication system authenticates a user.

Set the system configuration property Lost password question behavior to Direct Entry, so that the authenticated token can be used to call any API.

Perform either of these tasks after upgrading to IVIG Version 6.0:
  • Use only the SelfPasswordManager.resetPassword() API to reset a password after authentication by using the challenge-response authentication system.
  • Make any API call valid by changing the Lost password question behavior system configuration property to Direct Entry.

Forms generate an authorization exception

A user without attribute-level permission to read or write for a field tries to set a value for a drop-down list or plain list box. The form designer generates an authorization exception. When the field value is not set, the form viewer sets the value to the first item in the list.

Take one of the following actions:
  • Designate a user with the appropriate attribute-level permission to set the value of the problem field. After the field is set to any value, the user without read and write permissions can modify the entity without authorization violations.
  • Add a blank value to the top of the list. If the form viewer selects the blank value, no authorization violation occurs because a blank value and no selection are treated as the same condition.
  • Check the Use Blank Row check box on all drop-down lists that use Form Customization.
  • If the data is not sensitive, grant both read and write permissions for this attribute to the user.

Making multiple modifications to a IVIG object gives an unexpected outcome or failure with warning messages

A concurrent operation on the same object causes a trace condition that makes the outcome unpredictable. This problem occurs when using the APIs, such as submitting multiple requests to modify the same object in a while-for loop.

To ensure that all pending actions complete successfully, pause for an interval, such as a minute, before making a second modification to the same object. Alternatively, collect all the attribute changes on the same object and submit the changes as a single modify request. When you use IVIG APIs, consider collecting all your attribute changes to the object in the while-for loop. Then submit the changes as a single modify request.

LDAP version 3 filters cause adapter problems

Using LDAP Version 3 filters causes inconsistent results from an adapter, or might not be accepted by the adapter as input. Using more than two arguments in a reconciliation filter might cause an error unless multiple operators are used.

For example, the following filter causes a FilterException error:
(&(eruid=a*)(ersql2000defdatabase=i*)(ersql2000deflanguage=E*))
Use filters that are compliant with LDAP Version 2.
(&(&(eruid=a*)(ersql2000defdatabase=i*))(ersql2000deflanguage=E*))