Troubleshooting
Problem
Configuration of the Runtime Component fails on the IBM Security Access Manager (ISAM) appliance with several errors shown on the Local Management Interface (LMI) screen.
Symptom
The following errors are displayed on the LMI screen during the Runtime Component configuration:
HPDCO0164W Could not start background process.
HPDRG0201E Error code 0x31 was received from the LDAP server. Error text: "Invalid credentials".
HPDAC0454E Could not initialize the authorization policy database (0x14c01300)
HPDCO1368E An error occurred while trying to initialize the domain.
HPDMG0164E The Policy Server could not be started (0x1005b1c7).
Cause
During the configuration of the Runtime Component, the Management Suffix on the Policy Server tab is set to secAuthority=Default.
Environment
ISAM appliance,
external user registry.
Diagnosing The Problem
The following steps assume that the secAuthority=Default suffix has been configured on the external user registry.
Configure the Runtime Component: go to Secure Web Settings > Manage > Runtime Component and click Configure.
On the "Main" tab select "Local" for the Policy Server and "LDAP Remote" for the User Registry. Click Next.

On the "Policy Server" tab provide:
Management Suffix: secAuthority=Default
Management Domain: Default (default value)
Administrator Password: <password for the sec_master>
Confirm Administrator Password: <repeat password for the sec_master>
Leave the rest as default.
Click Next.

On the "LDAP" tab, provide the host name or IP address of the user registry server as well as the port. Provide the DN of the admin ID to bind to the user registry and the password for that admin ID. The rest of the fields can be left at their default values. Click Finish.

An error is shown on the screen.
Note: The full error message might vary slightly between versions of the ISAM appliance.

The full error message on the screen:
System Error
* Configuring the server.
Generating the server certificates. This may take a few minutes.
Creating the SSL certificate. This might take several minutes.
The SSL configuration of the Security Access Manager policy server
has completed successfully.
The policy server's signed SSL certificate is base-64 encoded and
saved in text file "/var/PolicyDirector/keytab/pdcacert.b64."
This file is required by the configuration program on each machine
in your secure domain.
The SSL configuration of Access Control Runtime has completed successfully.
Security Access Manager policy server domain name: Default
Security Access Manager policy server host name: isam8
Security Access Manager policy server listening port: 7135
* Starting the server.
Security Access Manager policy server v8.0.0.2 (Build 140204191423)
Copyright (C) IBM Corporation 1994-2014. All Rights Reserved.
2015-01-27-20:26:46.946+01:39I----- 0x14C521D3 pdmgrd NOTICE mis ivcore cfgmgr.cpp 239 0x7fe7e5ef3720
HPDMS0467I Server startup
2015-01-27-20:26:46.947+01:39I----- 0x14C526F2 pdmgrd NOTICE mis ivmgrd cfgmgr.cpp 244 0x7fe7e5ef3720
HPDMS1778I Loading configuration
2015-01-27-20:26:46.975+01:39I----- 0x1354A0A4 pdmgrd WARNING ivc general IVServer.cpp 894 0x7fe7e5ef3720
HPDCO0164W Could not start background process
2015-01-27-20:26:46.946+01:39I----- 0x14C521D3 pdmgrd NOTICE mis ivcore cfgmgr.cpp 239 0x7fe7e5ef3720 HPDMS0467I Server startup
2015-01-27-20:26:46.947+01:39I----- 0x14C526F2 pdmgrd NOTICE mis ivmgrd cfgmgr.cpp 244 0x7fe7e5ef3720 HPDMS1778I Loading configuration
2015-01-27-20:26:46.968+01:39I----- 0x16B480C9 pdmgrd ERROR rgy ira ira_handle.c 1142 0x7fe7e5ef3720 HPDRG0201E Error code 0x31 was received from the LDAP server. Error text: "Invalid credentials".
2015-01-27-20:26:46.969+01:39I----- 0x14C526F3 pdmgrd NOTICE mis ivmgrd daMgmtDomain.cpp 929 0x7fe7e5ef3720 HPDMS1779I Open database
2015-01-27-20:26:46.969+01:39I----- 0x14C526F4 pdmgrd NOTICE mis ivmgrd daMgmtDomain.cpp 939 0x7fe7e5ef3720 HPDMS1780I Creating database
2015-01-27-20:26:46.972+01:39I----- 0x16B480C9 pdmgrd ERROR rgy ira ira_handle.c 1142 0x7fe7e5ef3720 HPDRG0201E Error code 0x31 was received from the LDAP server. Error text: "Invalid credentials".
2015-01-27-20:26:46.972+01:39I----- 0x1005B1C6 pdmgrd ERROR acl acldb daMgmtDomain.cpp 1067 0x7fe7e5ef3720 HPDAC0454E Could not initialize the authorization policy database (0x14c01300).
2015-01-27-20:26:46.973+01:39I----- 0x1354A558 pdmgrd FATAL ivc general daMgmtDomain.cpp 189 0x7fe7e5ef3720 HPDCO1368E An error occurred while trying to initialize the domain.
2015-01-27-20:26:46.973+01:39I----- 0x14C010A4 pdmgrd FATAL mgr general ivmgrd.cpp 235 0x7fe7e5ef3720 HPDMG0164E The Policy Server could not be started (0x1005b1c7).
2015-01-27-20:26:46.975+01:39I----- 0x1354A0A4 pdmgrd WARNING ivc general IVServer.cpp 894 0x7fe7e5ef3720 HPDCO0164W Could not start background process
Could not start the server.
Error: DPWAP0003I An error occured while executing the command: /opt/PolicyDirector/sbin/PDMgr_config -s TRUE -y no -v TRUE -d cn=root -w <password> -L 389 -S secAuthority=Default -C none -D Default -m Passw0rd -l 1460 (0x1)
Resolving The Problem
On the "Policy Server" tab of the Runtime Component configuration, the "Management Suffix" field should be empty. By default, the "secAuthority=Default" suffix is used for the ISAM secAuthority data, and it is not required to define the suffix when the default tree structure is going to be used. Only set the "Management Suffix" field when a suffix other than "secAuthority=Default" is going to be used.
Recovering the environment
If the Runtime Component was configured with the "secAuthority=Default" value in the "Management Suffix" field, the Runtime Component configuration status on the ISAM appliance and the data in the user registry are left in an inconsistent state. For example, if the Runtime Component is then configured with an empty "Management Suffix" field, an error is shown on the LMI screen.

The "A policy server is already configured to this LDAP server." error is shown because the "secAuthority=Default" tree structure was created in the user registry during the failed attempt. To continue the configuration successfully, the secAuthority data has to be cleaned from the user registry.
For example, when IBM Security Directory Server is used as the ISAM external user registry, run the following commands from the command line on the TDS server to clean the secAuthority data:
1. Check whether the secAuthority data exists in the user registry in the "secAuthority=Default" tree
idsldapsearch -h <hostname> -D cn=root -w <password> -b 'secAuthority=Default' -s sub '(objectclass=*)'
2. Clean the data
idsldapdelete -D cn=root -w <password> cn=Subdomains,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=Resources,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=ResourceGroups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=Default,cn=Policies,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=SecurityGroup,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=SecurityGroup,cn=Groups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=ivacld-servers,cn=SecurityGroups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=ivacld-servers,cn=Groups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=remote-acl-users,cn=SecurityGroups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=remote-acl-users,cn=Groups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=SecurityMaster,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=Policy,cn=Policies,principalName=sec_master,cn=Users,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=Policy,cn=Policies,principalName=ivmgrd/master,cn=Users,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=Policies,principalName=sec_master,cn=Users,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=Policies,principalName=ivmgrd/master,cn=Users,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=ivmgrd-servers,cn=SecurityGroups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=ivmgrd-servers,cn=Groups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=iv-admin,cn=SecurityGroups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=iv-admin,cn=Groups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=secmgrd-servers,cn=SecurityGroups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=secmgrd-servers,cn=Groups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=webseal-servers,cn=SecurityGroups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=webseal-servers,cn=Groups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=webseal-mpa-servers,cn=SecurityGroups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=webseal-mpa-servers,cn=Groups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=ivmgrd/master,cn=SecurityDaemons,secAuthority=Default
idsldapdelete -D cn=root -w <password> principalName=ivmgrd/master,cn=Users,secAuthority=Default
idsldapdelete -D cn=root -w <password> principalName=sec_master,cn=Users,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=Users,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=Groups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=SecurityGroups,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=Policies,secAuthority=Default
idsldapdelete -D cn=root -w <password> cn=SecurityDaemons,secAuthority=Default
idsldapdelete -D cn=root -w <password> secAuthority=Default
Once the secAuthority data has been cleaned from the user registry, configuration of the Runtime Component can continue.
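The delete commands in step 2 are listed leaf-first, since an LDAP entry that still has children cannot be removed by a plain delete. As an added example (not IBM's code), the script below derives that order from a list of DNs and refuses any DN outside the secAuthority=Default tree; the function names and the sample DN list are constructed for illustration, and the input is assumed to be one DN per line taken from the step 1 search.

```shell
#!/bin/sh
# Added example (not IBM's code): order DNs leaf-first for the step 2 cleanup.
SUFFIX='secAuthority=Default'

# Constructed sample, one DN per line, deliberately parent-first (wrong order).
sample_dns() {
  cat <<'EOF'
secAuthority=Default
cn=Users,secAuthority=Default
principalName=sec_master,cn=Users,secAuthority=Default
cn=Policies,principalName=sec_master,cn=Users,secAuthority=Default
cn=Policy,cn=Policies,principalName=sec_master,cn=Users,secAuthority=Default
cn=Groups,secAuthority=Default
cn=iv-admin,cn=Groups,secAuthority=Default
cn=Policies,secAuthority=Default
cn=Default,cn=Policies,secAuthority=Default
EOF
}

# stdin: DNs, one per line. stdout: the same DNs, deepest first.
# Fails closed (prints nothing, returns 1) if any DN is outside $SUFFIX.
delete_order() {
  ranked=$(awk -v suffix="$SUFFIX" '
    NF == 0 { next }
    {
      low = tolower($0); s = tolower(suffix)
      if (low != s && substr(low, length(low) - length(s)) != "," s) {
        printf "refusing DN outside %s: %s\n", suffix, $0 > "/dev/stderr"
        bad = 1; next
      }
      tmp = $0; gsub(/\\,/, "", tmp)  # an escaped comma is not a separator
      depth = gsub(/,/, ",", tmp)     # gsub returns the number of commas seen
      printf "%d\t%s\n", depth, $0
    }
    END { exit bad }
  ') || return 1
  [ -n "$ranked" ] || return 0
  printf '%s\n' "$ranked" | LC_ALL=C sort -k1,1nr | cut -f2-
}

# Prints (never runs) the delete commands in the form the page uses.
delete_commands() {
  order=$(delete_order) || return 1
  [ -n "$order" ] || return 0
  printf '%s\n' "$order" | while IFS= read -r dn; do
    printf "idsldapdelete -D cn=root -w <password> '%s'\n" "$dn"
  done
}
sample_dns | delete_commands
```

Feed it the DNs from the step 1 search in place of `sample_dns`, and review the printed commands before running any of them.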
Product Synonym
TAM;ITAM;ISAM
Document Information
Modified date:
16 June 2018
UID
swg21696445