IBM Support

Federated Directory Server fails to provision ISAM account

Troubleshooting


Problem

Attempts to provision users to ISAM using IBM Security Federated Directory Server result in the error: CTGDIH403E ISAM Initialization failed: com.tivoli.pd.rgy.exception.ConfigurationErrorRgyException

Symptom

Reviewing the ibmdi.log shows the complete stack trace of the error:


    CTGDIH403E ISAM Initialization failed: com.tivoli.pd.rgy.exception.ConfigurationErrorRgyException:
    HPDAA0333E Unable to determine the registry server type. Error message
    The credentials provided can not be authenticated by the registry..
    ...
    HPDAA0329E
    Caused by: com.tivoli.pd.rgy.exception.InvalidCredentialsRgyException: HPDAA0329E The credentials provided can not be authenticated by the registry.
    ...
    Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]

Once this error has occurred, further executions of the AssemblyLines/ProvisionISAM in the Flow log only the following secondary message in the ibmdi.log, which does not indicate the root cause:

    java.lang.Exception: CTGDIS483E Function has not been initialized.

Cause

The password set for the 'ldap.bind-pwd' property (or properties) in the LDAPSync/ISAM_API.properties file is incorrect.

Environment

ISAM8 for Mobile does not support the 'basic user' of ISAM8 for Web. As of this writing, ISAM8 for Mobile requires the user metadata to reside in a secAuthority suffix. FDS (SDI 7.2.0.3) can be used to populate the secAuthority suffix of ISAM accounts.

Diagnosing The Problem

  • In the FDS Console, the HPDAA0333E error is viewable in the 'Error Log' tab of the affected Flow.
  • The same error is found in the LDAPSync/logs/<FlowName>-ProvisionISAM.log associated with the Flow.
  • If multiple 'ldap.bind-pwd' properties are defined in the ISAM_API.properties file, a review of the ISAM RgyDirect output can isolate the affected DN. The RgyDirect output contains a "javax.naming.AuthenticationException: [LDAP: error code 49]" line; the lines a few positions before that error identify the Directory Server and Bind DN affected.
    ** Please refer to IBM Technote #1976574 for instructions to enable ISAM RgyDirect logging in FDS.
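As an added illustration of the diagnosing step above (this is not part of the IBM technote and not FDS or ISAM code), the following Python script scans a log excerpt for the LDAP error 49 line, reads the Active Directory sub-code from its `data` field, and recovers the directory server and bind DN from the lines immediately preceding it, which is what the technote describes doing by hand. It also recognises the case where only the follow-on CTGDIS483E message is present, meaning the root cause is earlier in the log. The sample log, the host name, the service DN and the wording of the RgyDirect connection and bind lines ('connecting to ...', 'bind DN: ...') are constructed assumptions; only the exception line reproduces the format quoted in the Symptom section.

```python
import re
from typing import List, Optional

# Constructed sample log excerpt (assumption: the "connecting to" and
# "bind DN:" lines mimic what RgyDirect tracing might emit; the
# AuthenticationException line copies the format quoted in the technote).
SAMPLE_LOG = """\
2018-06-16 10:15:01 RgyDirect: connecting to ldaps://ad01.example.internal:636
2018-06-16 10:15:01 RgyDirect: bind DN: cn=isam-svc,ou=service accounts,dc=example,dc=internal
2018-06-16 10:15:02 javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
2018-06-16 10:15:02 CTGDIH403E ISAM Initialization failed: com.tivoli.pd.rgy.exception.ConfigurationErrorRgyException
2018-06-16 10:15:03 java.lang.Exception: CTGDIS483E Function has not been initialized.
"""

# Active Directory sub-codes carried in the "data NNN" field of an
# AcceptSecurityContext error. All of them surface as LDAP result 49
# (invalidCredentials), so the sub-code is what tells a wrong password
# apart from a locked, disabled or expired account.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password for an existing DN)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

ERROR49_RE = re.compile(r"LDAP: error code 49\b.*?\bdata ([0-9a-f]{3})", re.IGNORECASE)
SERVER_RE = re.compile(r"connecting to (ldaps?://\S+)")   # assumed RgyDirect wording
BIND_DN_RE = re.compile(r"bind DN: (.+)$")                  # assumed RgyDirect wording
SECONDARY_RE = re.compile(r"CTGDIS483E")


def diagnose_bind_failures(log_text: str, lookback: int = 5) -> List[dict]:
    """Return one finding per LDAP error 49 line, each carrying the AD
    sub-code and the server / bind DN found in the preceding lines."""
    lines = log_text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = ERROR49_RE.search(line)
        if not m:
            continue
        subcode = m.group(1).lower()
        server: Optional[str] = None
        bind_dn: Optional[str] = None
        # Walk backwards a few lines, nearest first, to find the context
        # the technote says precedes the exception.
        for prev in reversed(lines[max(0, idx - lookback):idx]):
            if server is None:
                s = SERVER_RE.search(prev)
                if s:
                    server = s.group(1)
            if bind_dn is None:
                b = BIND_DN_RE.search(prev)
                if b:
                    bind_dn = b.group(1).strip()
        findings.append({
            "line": idx + 1,
            "subcode": subcode,
            "meaning": AD_BIND_SUBCODES.get(subcode, "unknown sub-code"),
            "server": server,
            "bind_dn": bind_dn,
        })
    return findings


def has_only_secondary_error(log_text: str) -> bool:
    """True when the excerpt shows CTGDIS483E but no LDAP error 49: the
    function was never initialised, so the real failure is earlier."""
    lines = log_text.splitlines()
    return (any(SECONDARY_RE.search(l) for l in lines)
            and not any(ERROR49_RE.search(l) for l in lines))


if __name__ == "__main__":
    for f in diagnose_bind_failures(SAMPLE_LOG):
        print(f"line {f['line']}: data {f['subcode']} = {f['meaning']}; "
              f"server={f['server']} bind_dn={f['bind_dn']}")
    if has_only_secondary_error(SAMPLE_LOG):
        print("only CTGDIS483E present: look earlier in the log for the root cause")
```

Run it against the real ibmdi.log or the <FlowName>-ProvisionISAM.log once RgyDirect logging is enabled; when several 'ldap.bind-pwd' properties exist, each failing bind produces its own finding, and the `bind_dn` value identifies which property needs to be reset. A sub-code other than 52e (for example 775, locked out) means resetting the password alone will not clear the error.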

Resolving The Problem

Confirm and reset the ldap.bind-pwd password located in the LDAPSync/ISAM_API.properties file. If multiple 'ldap.bind-pwd' properties are found in the ISAM_API.properties file, refer to the RgyDirect log output to determine the affected DN.


The RgyConfig command to obfuscate the password is:


    <SDI_Install_Directory>/jvm/jre/bin/java -cp jars/com.tivoli.pd.rgy.jar com.tivoli.pd.rgy.util.RgyConfig LDAPSync/ISAM_API.properties set <property_name> <password>


Document Information

Modified date:
16 June 2018

UID

swg21976571