All People > Bill_Patton > WILLIAM PATTON's Blog > 2015 > July

We now have a tech doc about this:

Setting Garbage collection logging for the JVM

 

This tech doc was created based on a recent support case being opened.

 

I will blog more about this later.

As of 12.6.3 this is a hardcoded limit, configurable only by changing an OOTB (out-of-the-box) file that will be overwritten the next time you upgrade.

 

By default, out of the box, the worklist can only show 100 items.

To raise the limit, edit the file iam_im.ear\workflow.rar\META-INF\ra.xml and change the config-property-value of SQLQueryLimit (100 by default) to the number of items you need:

<config-property>
  <config-property-name>SQLQueryLimit</config-property-name>
  <config-property-type>java.lang.Integer</config-property-type>
  <config-property-value>100</config-property-value>
</config-property>

 

Note: raising this limit too high can cause performance issues, and the change will be overwritten on upgrade, so record it and re-apply it after every upgrade. Let me know if this resolves the issue.

 

 

Thanks,

Bill Patton
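Because the edited ra.xml goes back to the OOTB copy on upgrade, the change has to be re-applied each time. The script below is an added example, not part of the original post or of the product: it reads the SQLQueryLimit config-property, changes it, and refuses values above an assumed site ceiling (the ceiling is my assumption; the post names no product limit, only the performance warning). It works on the exploded ra.xml and matches on element names only, so a default xmlns on the real file does not matter. The sample document is constructed from the snippet above.

```python
import xml.etree.ElementTree as ET

# Constructed sample with the element names from the snippet above. The real ra.xml
# has more properties and (usually) a default xmlns on its root element.
SAMPLE_RA_XML = """<connector>
  <resourceadapter>
    <config-property>
      <config-property-name>SQLQueryLimit</config-property-name>
      <config-property-type>java.lang.Integer</config-property-type>
      <config-property-value>100</config-property-value>
    </config-property>
  </resourceadapter>
</connector>"""

def _local(tag):
    """Tag name without the {namespace} prefix, so a default xmlns does not matter."""
    return tag.rsplit('}', 1)[-1]

def _find_property(root, name):
    for elem in root.iter():
        if _local(elem.tag) == 'config-property' and any(
                _local(c.tag) == 'config-property-name' and (c.text or '').strip() == name
                for c in elem):
            return elem
    return None

def _value_elem(prop):
    for c in prop:
        if _local(c.tag) == 'config-property-value':
            return c
    raise LookupError('config-property has no config-property-value')

def get_sql_query_limit(xml_text):
    """Current SQLQueryLimit, or None if the property is absent."""
    prop = _find_property(ET.fromstring(xml_text), 'SQLQueryLimit')
    return None if prop is None else int((_value_elem(prop).text or '').strip())

def set_sql_query_limit(xml_text, new_limit, ceiling=2000):
    """Return (updated_xml, old_value). `ceiling` is an assumed site policy, not a
    product limit; the post only warns that a very high value hurts performance."""
    if not 1 <= new_limit <= ceiling:
        raise ValueError(f'SQLQueryLimit {new_limit} is outside 1..{ceiling}')
    root = ET.fromstring(xml_text)
    prop = _find_property(root, 'SQLQueryLimit')
    if prop is None:
        raise LookupError('SQLQueryLimit config-property not found')
    value = _value_elem(prop)
    old = int((value.text or '').strip())
    value.text = str(new_limit)
    if root.tag.startswith('{'):           # keep a default xmlns as the default, not ns0:
        ET.register_namespace('', root.tag[1:].split('}', 1)[0])
    return ET.tostring(root, encoding='unicode'), old

def apply_to_file(path, new_limit):
    """Edit the exploded ra.xml in place and return the value it had.
    Run it again after every upgrade, which restores the OOTB file."""
    with open(path, encoding='utf-8') as f:
        updated, old = set_sql_query_limit(f.read(), new_limit)
    with open(path, 'w', encoding='utf-8') as f:
        f.write(updated)
    return old

if __name__ == '__main__':
    new_xml, old = set_sql_query_limit(SAMPLE_RA_XML, 500)
    print(f'SQLQueryLimit {old} -> {get_sql_query_limit(new_xml)}')
```

Keep the call to apply_to_file with your chosen value in the post-upgrade checklist; running get_sql_query_limit on the deployed file is the quickest way to see whether an upgrade has silently put the limit back to 100.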

javax.servlet.ServletException: Filter [FacesFilter]: could not be initialized

 

Recently I had a customer report this issue, and after logging into the WebSphere admin server and checking the parent-first class loading and the MyFaces implementation for the castyles ear and the iam_im.ear, the only way I could get this error to disappear was to:

Stop the WAS server

Clean up the temp directories:

$> rm -rf /<WAS_HOME>/profiles/EntNodeProfile01/temp/*

$> rm -rf /<WAS_HOME>/profiles/EntNodeProfile01/wstemp/*

$> rm -rf /<WAS_HOME>/profiles/EntNodeProfile01/tranlog/*

$> rm -rf /<WAS_HOME>/profiles/EntNodeProfile01/configuration/*

Start the WAS server

(Do this only with the server stopped: tranlog/ holds the transaction logs, and configuration/ here is the profile's OSGi cache, not the config/ directory that holds the server configuration.)

The start-up error above was gone after this change and I can log into the UI.

 

Thanks,

Bill Patton

You can use this process to build a CA Directory user store for Identity Manager; it is the one I use when I create my test environment.

You can also download the schema file here:

idmPerson.dxc


You will need to run the dxnewdsa command; the syntax is:

 

dxnewdsa [-t type] [-l dblocation] [-s dbsize] dsaname port [prefix]

 

Here is my typical command:

dxnewdsa -tdata -s500 imcorpstore 5000 ou=people,dc=im,dc=corpstore

 

After creation, check that imcorpstore.dxi contains:
# operational settings
source "../settings/default.dxc";

Open the settings file and check for:
# security controls
set min-auth = none;

Open imcorpstore.dxc (under config/knowledge) and check for:
    auth-levels   = anonymous,

(min-auth = none together with an anonymous auth level lets JXplorer bind without credentials, which is what you want while building a test store; tighten both before the DSA holds real user data.)

Open JXplorer and connect.

Create an extended schema for IM: create a file called idmPerson.dxc in:
D:\Program Files\CA\Directory\dxserver\config\schema

 

Populate it with this data all the way down to the next set of double hashtags:

Or download a copy of the schema file from the link at the start of this post.

#########################################################
## Start IDMPerson attributes
#########################################################
#########################################################
## Start user attributes  Next attribute UID :205
#########################################################

schema set attribute (1.3.6.1.4.1.2552.2.2.3.200) = {
name = IDMAdminRoles
ldap-names = IDMAdminRoles
syntax = caseIgnoreString
multi-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.201) = {
name = IDMDisabled
ldap-names = IDMDisabled
syntax = caseIgnoreString
single-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.202) = {
name = IDMForgottenQuestions
ldap-names = IDMForgottenQuestions
syntax = caseIgnoreString
multi-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.203) = {
name = IDMPasswordData
ldap-names = IDMPasswordData
syntax = caseIgnoreString
single-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.204) = {
name = IDMIdentityPolicy
ldap-names = IDMIdentityPolicy
syntax = caseIgnoreString
multi-valued
};
#########################################################
## Stop user attributes
#########################################################
#########################################################
## Start Group attributes Next attribute UID :304
#########################################################
schema set attribute (1.3.6.1.4.1.2552.2.2.3.300) = {
name = IDMSelfSubscribing
ldap-names = IDMSelfSubscribing
syntax = caseIgnoreString
multi-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.301) = {
name = IDMDynamicGroupMembership
ldap-names = IDMDynamicGroupMembership
syntax = caseIgnoreString
multi-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.302) = {
name = IDMNestedGroupMembership
ldap-names = IDMNestedGroupMembership
syntax = caseIgnoreString
multi-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.303) = {
name = IDMAdminGroupAdmin
ldap-names = IDMAdminGroupAdmin
syntax = caseIgnoreString
multi-valued
};
#########################################################
## Stop Group attributes
#########################################################
#########################################################
## Start Custom attributes Next attribute UID :410
#########################################################
schema set attribute (1.3.6.1.4.1.2552.2.2.3.400) = {
name = idmCustom01
ldap-names = idmCustom01
syntax = caseIgnoreString
single-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.401) = {
name = idmCustom02
ldap-names = idmCustom02
syntax = caseIgnoreString
single-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.402) = {
name = idmCustom03
ldap-names = idmCustom03
syntax = caseIgnoreString
single-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.403) = {
name = idmCustom04
ldap-names = idmCustom04
syntax = caseIgnoreString
single-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.404) = {
name = idmCustom05
ldap-names = idmCustom05
syntax = caseIgnoreString
single-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.405) = {
name = idmCustom06
ldap-names = idmCustom06
syntax = caseIgnoreString
single-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.406) = {
name = idmCustom07
ldap-names = idmCustom07
syntax = caseIgnoreString
single-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.407) = {
name = idmCustom08
ldap-names = idmCustom08
syntax = caseIgnoreString
single-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.408) = {
name = idmCustom09
ldap-names = idmCustom09
syntax = caseIgnoreString
single-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.409) = {
name = idmCustom10
ldap-names = idmCustom10
syntax = caseIgnoreString
single-valued
};
#########################################################
## Stop Custom attributes
#########################################################
#########################################################
## End of idmPerson attributes
#########################################################

#########################################################
## idmPerson object class (optional)
#########################################################

schema set object-class (1.3.6.1.4.1.2552.2.2.3.0) = {
name = IDMPerson
ldap-names = IDMPerson
subclass-of inetOrgPerson
may-contain
  IDMAdminRoles,
  IDMDisabled,
  IDMForgottenQuestions,
  IDMPasswordData,
  IDMIdentityPolicy,
  idmCustom01,
  idmCustom02,
  idmCustom03,
  idmCustom04,
  idmCustom05,
  idmCustom06,
  idmCustom07,
  idmCustom08,
  idmCustom09,
  idmCustom10
};

#########################################################
## End of idmPerson object class
#########################################################

#########################################################
## idmGroup object class (optional)
#########################################################

schema set object-class (1.3.6.1.4.1.2552.2.2.3.250) = {
name = IDMGroup
ldap-names = IDMGroup
subclass-of groupOfUniqueNames
may-contain
  IDMSelfSubscribing,
  IDMAdminGroupAdmin,
  IDMNestedGroupMembership,
  IDMDynamicGroupMembership
};

#########################################################
## End of idmGroup object class
#########################################################
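The OIDs in this file are assigned by hand (the "Next attribute UID" comments track the next free number per range), and a reused OID, a name clash, or a may-contain reference to an attribute defined nowhere is easy to introduce and hard to spot by eye. The checker below is an added example, not part of the post or of CA Directory: it parses the "schema set attribute" and "schema set object-class" blocks in the format above, reports duplicate OIDs and names (compared case-insensitively, as LDAP does), flags may-contain references to undefined attributes, and computes the next free arc in a range. The excerpt it runs on is constructed from the file above with a deliberate duplicate OID; when you run it on the full file, pass the attribute names that come from default.dxg as known_attrs.

```python
import re

# Constructed excerpt in the format of the idmPerson.dxc above, with one deliberate
# defect (OID ...201 used twice) and one may-contain reference (IDMPasswordData)
# to an attribute the excerpt does not define, so the checks have work to do.
SAMPLE_DXC = """
#########################################################
## Start user attributes  Next attribute UID :202
#########################################################
schema set attribute (1.3.6.1.4.1.2552.2.2.3.200) = {
name = IDMAdminRoles
ldap-names = IDMAdminRoles
syntax = caseIgnoreString
multi-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.201) = {
name = IDMDisabled
ldap-names = IDMDisabled
syntax = caseIgnoreString
single-valued
};
schema set attribute (1.3.6.1.4.1.2552.2.2.3.201) = {
name = idmCustom01
ldap-names = idmCustom01
syntax = caseIgnoreString
single-valued
};
schema set object-class (1.3.6.1.4.1.2552.2.2.3.0) = {
name = IDMPerson
ldap-names = IDMPerson
subclass-of inetOrgPerson
may-contain
  IDMAdminRoles,
  IDMDisabled,
  IDMPasswordData
};
"""

_BLOCK = re.compile(
    r'schema\s+set\s+(attribute|object-class)\s*\(([\d.]+)\)\s*=\s*\{(.*?)\};', re.S)

def _strip_comments(text):
    """Drop '#' comments so OIDs quoted in comments are not parsed as definitions."""
    return '\n'.join(line.split('#', 1)[0] for line in text.splitlines())

def parse_dxc(text):
    """List of {'kind', 'oid', 'name', 'may_contain'} for every schema set block."""
    entries = []
    for kind, oid, body in _BLOCK.findall(_strip_comments(text)):
        name = re.search(r'^\s*name\s*=\s*(\S+)', body, re.M)
        contain = re.search(r'may-contain\s+(.*)', body, re.S)
        entries.append({
            'kind': kind, 'oid': oid,
            'name': name.group(1) if name else None,
            'may_contain': [a.strip() for a in contain.group(1).split(',') if a.strip()]
                           if contain else [],
        })
    return entries

def lint(entries, known_attrs=()):
    """Problems as strings. known_attrs: attributes defined elsewhere (default.dxg,
    other sourced files) so may-contain references to them are not flagged."""
    problems, seen_oid, seen_name = [], {}, {}
    for e in entries:
        if e['oid'] in seen_oid:
            problems.append(f"duplicate OID {e['oid']}: {seen_oid[e['oid']]} and {e['name']}")
        seen_oid.setdefault(e['oid'], e['name'])
        key = (e['name'] or '').lower()             # LDAP names are case-insensitive
        if key in seen_name:
            problems.append(f"duplicate name {e['name']} (OIDs {seen_name[key]}, {e['oid']})")
        seen_name.setdefault(key, e['oid'])
    defined = {e['name'].lower() for e in entries if e['kind'] == 'attribute' and e['name']}
    defined |= {a.lower() for a in known_attrs}
    for e in entries:
        for attr in e['may_contain']:
            if attr.lower() not in defined:
                problems.append(f"object-class {e['name']} may-contain undefined attribute {attr}")
    return problems

def next_free_arc(entries, base='1.3.6.1.4.1.2552.2.2.3.', lo=200, hi=299):
    """Next unused final arc under `base` within [lo, hi]; the file's
    'Next attribute UID' comments track this by hand, per range."""
    used = set()
    for e in entries:
        rest = e['oid'][len(base):]
        if e['oid'].startswith(base) and rest.isdigit():
            used.add(int(rest))
    return next((n for n in range(lo, hi + 1) if n not in used), None)

if __name__ == '__main__':
    parsed = parse_dxc(SAMPLE_DXC)
    for problem in lint(parsed):
        print('PROBLEM:', problem)
    print('next free user-attribute arc:', next_free_arc(parsed))
```

On the full idmPerson.dxc above the checker reports nothing and next_free_arc returns 205, which matches the comment in the file; run it again whenever you add a custom attribute, before dxserver init.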

 

 

Open:
D:\Program Files\CA\Directory\dxserver\config\servers\imcorpstore.dxi

Under this line:
# schema
source "../schema/default.dxg";

Add:
source "../schema/idmPerson.dxc";

From the command line run:
dxserver init imcorpstore

Open with JXplorer.

Add a new user:
uid=superadmin
Classes:
IDMPerson
inetOrgPerson
organizationalPerson
person
top

In the password field (userPassword), specify a password. Specify sn and cn as well; person requires both.

add a groups OU
ou=groups
Classes: organizationalUnit
          top

On the IM server in:
D:\Program Files (x86)\CA\Identity Manager\IAM Suite\Identity Manager\tools\directoryTemplates\eTrustDirectory

copy: directory.xml and rename the copy as idmcorpstore.xml

Open the file and change:
Change this line:
<ImsManagedObject name="User" description="My Users" objectclass="top,person,organizationalperson,inetorgperson" objecttype="USER">

To include:

<ImsManagedObject name="User" description="My Users" objectclass="top,person,organizationalperson,inetorgperson,IDMPerson" objecttype="USER">


Change these attributes:

##DISABLED_STATE        to: IDMDisabled
##ADMIN_ROLE_CONSTRAINT to: IDMAdminRoles
##PASSWORD_HINT         to: IDMForgottenQuestions
##PASSWORD_DATA         to: IDMPasswordData
##IDENTITY_POLICY       to: IDMIdentityPolicy

##SELF_SUBSCRIBING_FLAG     to: IDMSelfSubscribing
##DYNAMIC_GROUP_MEMBERSHIP  to: IDMDynamicGroupMembership
##NESTED_GROUP_MEMBERSHIP   to: IDMNestedGroupMembership
##ADMIN_GROUP_ADMIN         to: IDMAdminGroupAdmin

For every attribute that has:
<DataClassification name="sensitive"/>
paste this directly below it, so that those attributes are encrypted at the attribute level:
<DataClassification name="AttributeLevelEncrypt"/>

Import the new directory definition (idmcorpstore.xml) through the Management Console.
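The edits to the copied template are mechanical but easy to get half right: a placeholder left unmapped, an AttributeLevelEncrypt added twice on a second pass, IDMPerson missing from the objectclass list. The script below is an added example, not from the post or from the product: it applies all three changes from the steps above, is safe to run twice, and reports what it touched and which ##placeholders are still unmapped. The sample document is constructed; ImsDirectory and ImsManagedObjectAttr are my approximation of the template's element names, and the code deliberately matches only on the ImsManagedObject element, the ##placeholder values and the DataClassification elements the post shows, so it does not depend on those names. ElementTree drops comments and any DOCTYPE on output, so diff the result against the original before importing it.

```python
import xml.etree.ElementTree as ET

# Placeholder -> schema attribute, exactly as listed in the steps above.
PLACEHOLDERS = {
    '##DISABLED_STATE': 'IDMDisabled',
    '##ADMIN_ROLE_CONSTRAINT': 'IDMAdminRoles',
    '##PASSWORD_HINT': 'IDMForgottenQuestions',
    '##PASSWORD_DATA': 'IDMPasswordData',
    '##IDENTITY_POLICY': 'IDMIdentityPolicy',
    '##SELF_SUBSCRIBING_FLAG': 'IDMSelfSubscribing',
    '##DYNAMIC_GROUP_MEMBERSHIP': 'IDMDynamicGroupMembership',
    '##NESTED_GROUP_MEMBERSHIP': 'IDMNestedGroupMembership',
    '##ADMIN_GROUP_ADMIN': 'IDMAdminGroupAdmin',
}

# Constructed stand-in for the copied template. ImsDirectory/ImsManagedObjectAttr are
# my approximation of the element names; nothing below depends on them.
SAMPLE_DIRECTORY_XML = """<ImsDirectory name="idmcorpstore">
  <ImsManagedObject name="User" description="My Users" objectclass="top,person,organizationalperson,inetorgperson" objecttype="USER">
    <ImsManagedObjectAttr physicalname="##DISABLED_STATE" wellknown="%DISABLED_STATE%"/>
    <ImsManagedObjectAttr physicalname="##PASSWORD_DATA" wellknown="%PASSWORD_DATA%">
      <DataClassification name="sensitive"/>
    </ImsManagedObjectAttr>
    <ImsManagedObjectAttr physicalname="##PASSWORD_HINT" wellknown="%PASSWORD_HINT%">
      <DataClassification name="sensitive"/>
      <DataClassification name="AttributeLevelEncrypt"/>
    </ImsManagedObjectAttr>
    <ImsManagedObjectAttr physicalname="##NOT_IN_THE_LIST" wellknown="%NOT_IN_THE_LIST%"/>
  </ImsManagedObject>
  <ImsManagedObject name="Group" objectclass="top,groupofuniquenames" objecttype="GROUP">
    <ImsManagedObjectAttr physicalname="##SELF_SUBSCRIBING_FLAG" wellknown="%SELF_SUBSCRIBING_FLAG%"/>
  </ImsManagedObject>
</ImsDirectory>"""

def add_objectclass(root, objecttype, objectclass):
    """Append `objectclass` to the ImsManagedObject of that objecttype, once."""
    changed = 0
    for mo in root.iter('ImsManagedObject'):
        if mo.get('objecttype') != objecttype:
            continue
        classes = [c.strip() for c in mo.get('objectclass', '').split(',') if c.strip()]
        if objectclass.lower() not in (c.lower() for c in classes):
            mo.set('objectclass', ','.join(classes + [objectclass]))
            changed += 1
    return changed

def replace_placeholders(root, mapping):
    """Swap every attribute value that is exactly a ##placeholder for its schema attribute."""
    changed = 0
    for elem in root.iter():
        for key, value in list(elem.attrib.items()):
            if value in mapping:
                elem.set(key, mapping[value])
                changed += 1
    return changed

def unmapped_placeholders(root):
    """##placeholders the template has but the mapping does not cover."""
    return sorted({v for e in root.iter() for v in e.attrib.values() if v.startswith('##')})

def add_attribute_level_encrypt(root):
    """Insert AttributeLevelEncrypt right after each sensitive DataClassification,
    unless the same parent already carries one (so a second run adds nothing)."""
    parents = {child: parent for parent in root.iter() for child in parent}
    changed = 0
    for dc in list(root.iter('DataClassification')):
        if dc.get('name') != 'sensitive':
            continue
        parent = parents[dc]
        if any(s.tag == 'DataClassification' and s.get('name') == 'AttributeLevelEncrypt'
               for s in parent):
            continue
        new = ET.Element('DataClassification', {'name': 'AttributeLevelEncrypt'})
        new.tail = dc.tail
        parent.insert(list(parent).index(dc) + 1, new)
        changed += 1
    return changed

def convert(xml_text):
    """Apply all three edits; return (new_xml, report)."""
    root = ET.fromstring(xml_text)
    report = {
        'objectclass_added': add_objectclass(root, 'USER', 'IDMPerson'),
        'placeholders_mapped': replace_placeholders(root, PLACEHOLDERS),
        'encrypt_added': add_attribute_level_encrypt(root),
        'unmapped': unmapped_placeholders(root),
    }
    return ET.tostring(root, encoding='unicode'), report

if __name__ == '__main__':
    xml_out, rep = convert(SAMPLE_DIRECTORY_XML)
    print(rep)
```

The unmapped list is the one to read before importing: the post's nine placeholders are the ones the IM user and group objects need, but a template copied from a newer release may carry others.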

For this error after install, when trying to log into the Management Console:

 

"It seems to be a configuration error, no users have been granted access right to the directory"

 

Here is what I found in the knowledge base:

Disabled native authentication in the Management Console by setting the Enable parameter for ManagementConsoleAuthFilter to false in the <im-install>\iam_im.ear\management_console.war\WEB-INF\web.xml file and restarting IM. Could then access the Management Console in order to reload directory xml files. To then re-enable native authentication, also needed to add attribute MEMBER_RULE to the IM_DIRECTORY_LD table with the user configured in IM_AUTH_USER.
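While the filter is disabled, the Management Console accepts anyone who can reach its URL, so the window should be short and the re-enable step must not be forgotten. The script below is an added example, not part of the knowledge-base entry or of the product: it audits web.xml for the ManagementConsoleAuthFilter, reporting whether the filter is defined, whether its Enable init-param is true, and whether a filter-mapping actually applies it to a url-pattern (a filter that is defined but not mapped protects nothing), and it can flip the parameter back. The sample web.xml is constructed and its filter-class is a placeholder; only the filter name and the Enable parameter come from the entry above.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment. The filter-class is a placeholder; the real file
# declares many more filters, which is why the code matches on filter-name only.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>ManagementConsoleAuthFilter</filter-name>
    <filter-class>com.example.placeholder.ManagementConsoleAuthFilter</filter-class>
    <init-param>
      <param-name>Enable</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>ManagementConsoleAuthFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

FILTER = 'ManagementConsoleAuthFilter'

def _local(tag):
    """Tag name without the {namespace} prefix ElementTree attaches."""
    return tag.rsplit('}', 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or '').strip()
    return None

def audit_filter(xml_text, filter_name=FILTER):
    """Is the filter defined, is its Enable init-param true, and which url-patterns
    is it mapped to? A filter with no <filter-mapping> runs for nothing, so all
    three are needed before the console can be called protected."""
    root = ET.fromstring(xml_text)
    result = {'defined': False, 'enabled': None, 'mapped_patterns': []}
    for elem in root:
        if _child_text(elem, 'filter-name') != filter_name:
            continue
        if _local(elem.tag) == 'filter':
            result['defined'] = True
            for param in elem:
                if _local(param.tag) == 'init-param' and _child_text(param, 'param-name') == 'Enable':
                    result['enabled'] = (_child_text(param, 'param-value') or '').lower() == 'true'
        elif _local(elem.tag) == 'filter-mapping':
            result['mapped_patterns'] += [
                (c.text or '').strip() for c in elem if _local(c.tag) == 'url-pattern']
    return result

def is_protected(result):
    """None for Enable (parameter missing) counts as unverified, i.e. not protected."""
    return result['defined'] and result['enabled'] is True and bool(result['mapped_patterns'])

def set_enable(xml_text, enabled, filter_name=FILTER):
    """Return web.xml text with the filter's Enable parameter set; use it to put
    native authentication back once the directory definitions are reloaded."""
    root = ET.fromstring(xml_text)
    for elem in root:
        if _local(elem.tag) != 'filter' or _child_text(elem, 'filter-name') != filter_name:
            continue
        for param in elem:
            if _local(param.tag) == 'init-param' and _child_text(param, 'param-name') == 'Enable':
                for child in param:
                    if _local(child.tag) == 'param-value':
                        child.text = 'true' if enabled else 'false'
    if root.tag.startswith('{'):                      # keep the default xmlns as default
        ET.register_namespace('', root.tag[1:].split('}', 1)[0])
    return ET.tostring(root, encoding='unicode')

if __name__ == '__main__':
    before = audit_filter(SAMPLE_WEB_XML)
    after = audit_filter(set_enable(SAMPLE_WEB_XML, True))
    print('before:', before, 'protected' if is_protected(before) else 'NOT protected')
    print('after: ', after, 'protected' if is_protected(after) else 'NOT protected')
```

Run audit_filter against the deployed web.xml as the last step of the procedure, after the IM restart, so the "NOT protected" state cannot survive into normal operation unnoticed.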

Looking in our knowledge base I found this write-up:

 

Credit limit reached - This implies a configurable threshold being reached rather than an actual problem occurring. In the case where all clients are using LDAP, this message means that a DSP backbone link from another DSA has exceeded the value of "credits". Credits are the maximum number of DSA operations in progress at the same time on a per-user basis.

Setting the DSA credits to 5 (for example, via the limits configuration file) instructs the DSA that all user associations (meaning unique client IP address and port pairs) can have a maximum of 5 operations outstanding at any given time before the DSA will impose flow control.

If you are seeing "Credit limit reached", raise the number of credits by a small amount, then stop and start the DSAs. If you are still seeing the messages, then you may want to analyze the directory logs to see which connection (application or user) is causing the credit limit to pop. Please check the current "credit" value in the configuration file. You may need to change the value to a bigger number if you keep getting the problem.

The setting is:

set credits = <the number>;

The configuration file should be dxserver\config\limit\default.dxc of the eTrust Directory server.

 

 

---

 

 

More explanation:

Credits are per "association" (which is a unique TCP connection), not per IP address. There is no "shared pool".

The maximum number of DSA operations in progress at the same time on a per-user basis can be set using the credit limit, for example:

set credits = 5

To determine the maximum number of concurrent operations you can perform, multiply the number of credits by the maximum number of users. When the credit value is exceeded, the DSA delays the receipt of any new requests from the DUA (client).

The credits parameter provides a mechanism to govern how many client requests are outstanding at any given time for each association and to delay new requests.

Please note that CA Support is not providing specific advice for tuning parameters.

If you have not had the chance to read this document yet, you should. It answers a commonly asked question about Active Directory permissions and how to add Exchange after you have already done the initial explore and correlate.

 

Permissions required for managing Active directory Endpoint Accounts.docx

I was recently asked this question:


"We are experiencing slow response times on IDM TEWS services. We are unsure at the moment of the source of the delay, but the DBAs have indicated wait times at the IO level on IDM tables. My question, based on a DBA report: what is CA's stance on adding indexes to the tables for task persistence?"

 

The answer I gave was:
There is certainly nothing wrong with adding indexes to the task persistence tables, and in this case it helps not only with garbage collection clean-up but also with the processing of everyday user requests. The reason we do not have these added OOTB is that they are only needed, and created, on a case-by-case basis depending on the customer's environment.

 

In more recent versions of IM there are some indexes on tables, and these indexes are managed by IM; however you, as the customer that owns the database, can create more if you need them.

 

 

Thanks,
Bill Patton

There is no export/import for this; as of 12.6.5 and 12.5.17 this is the only example we can provide. It is for Active Directory; if you have other endpoints you will need to tailor it to them. Note that -p puts the password on the command line, where it is visible in process listings and shell history, so run these from an administrator's session and clear the history afterwards:

 

1)      To create a new AD Account Template based on an existing one:

etautil -u <<USER>> -p <<PASSWORD>> copy 'eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im,dc=eta' eTADSPolicy eTADSPolicyName=<<BASIC ACCOUNT TEMPLATE>> to eTADSPolicyName=<<NEW ACCOUNT TEMPLATE>> eTDescription='New Account Template Description'

 

2)      Then add the Endpoint to the new Account Template (I could verify that the copy does not bring the Endpoint):

etautil -u <<USER>> -p <<PASSWORD>> add 'eTNamespaceName=ActiveDirectory,dc=im,dc=eta' eTADSDirectory eTADSDirectoryName=<< ENDPOINT NAME>> in 'eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im,dc=eta' eTADSPolicy eTADSPolicyName=<<NEW ACCOUNT TEMPLATE>>

 

3)      Then update the Account Container rules for the new Account Template and also correct the required groups (I could verify that the Account Template copy also messes up the Account Container rules):

etautil -u <<USER>> -p <<PASSWORD>> update 'eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im,dc=eta' eTADSPolicy eTADSPolicyName=<<NEW ACCOUNT TEMPLATE>> eTAccountContainer=<<ACCOUNT CONTAINER RULES>> eTADSmemberOf=<<GRUP Full DN>>

 

PS: In this last command I was not able to handle multiple groups. I tried the commands with + eTADSmemberOf and - eTADSmemberOf but none have worked.

 

4)      Then create a new Provisioning Role:

etautil -u <<USER>> -p <<PASSWORD>> add 'eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTRole eTRoleName=<<PROVISIONING ROLE NAME>> eTCustomField01=XXXX eTCustomField02=XXXX eTCustomField03=*** eTComments='XXXXXXX *********' eTDescription='****** *********';

 

5)      And then assign the Account Template to the Provisioning Role:

etautil -u <<USER>> -p <<PASSWORD>> add 'eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' eTRole eTRoleName=<< PROVISIONING ROLE NAME>> in 'eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im' eTADSPolicy eTADSPolicyName=<<NEW ACCOUNT TEMPLATE>>

 

6)      Create an XML file to input the Provisioning Role data in the IdentityMinder web interface.

A customer recently asked:

We have IHS (IBM HTTP Server) and it is 32-bit, so we have to use the 32-bit SiteMinder protection agent.
We want to have a 64-bit protection agent, so we would like to switch to IIS. Is this possible?


The answer is yes, it is possible.

 

In order to do this you will need to:
Install the WAS plugin on IIS and test it with Snoop.jsp (the WebSphere OOTB sample).

Install the SM agent on IIS and test it by protecting a sample resource.

For steps on installing the agent on IIS please refer to the SiteMinder documentation.

 

 

After the above, WebSphere can be used to service requests from IIS. The remaining steps are to update the IME to use the new agent.

Consider the reason that you use IHS, though: it is easier to manage from the WAS console (stopping and starting the server) and can run on Linux or Windows. IIS is Windows only.

 

The work is about 50% WAS 30% SM 20% IM.

The IMInfo diagnostic collection tool is located here:

\CA\Identity Manager\IAM Suite\Identity Manager\tools\samples\Support\IMInfo

The readme states this:

====================================================

Note: You are welcome to try it on Windows, but PLEASE AVOID USING IT IN A PRODUCTION ENVIRONMENT.

This simple tool, the IMInfo tool, was designed for collecting diagnostic information from the Identity Manager Server automatically.

It is easy to use:
1. Copy all its files to a server with IMS installed and unzip them if they have been compressed into a single file.
2. Run "Cmd.exe" to open a Windows console.
3. Change the current directory to IMInfo's, type "iminfo all" and press Enter. (If you type "iminfo" without any parameter and press Enter, you will get some help info.)
4. You will see prompts on the console saying something like "load class..; Collecting OS info..". The last line indicates the full path and name of the output file. The output file will be a zip file named iminfo_MMDDYYYY_HHMMSS.zip, where MMDDYYYY_HHMMSS is the time the output file was created.
5. Unzip the output file; there should be a file named "iminfo_report.html". Double-click to open it; everything the IMInfo tool collected is in the file.

Currently, this simple tool has been tested in the following environments:
1. JDK1.4.2_13 + IM R12CR2 + JBoss 4.0.5 + MSSQL Server 2005 + Windows 2008
2. JDK1.5 + IM R12CR8 + JBoss4.2.3  + MSSQL Server 2005 + Windows 2003
3. JDK1.5 + IM R12.5 + WebLogic9  + MSSQL Server 2005 + Windows 2003

Therefore, it should work well with all IM R12+ releases and most application servers (except WebSphere).

Since it uses JDBC to connect to the DB, it should support Oracle DB as well, but we haven't tested it yet.

This tool is still in a prototype state. Therefore it would be highly appreciated if you could send the output file to the developer's mailbox, ryan.li@ca.com. And of course, feedback, issues, etc. are very much desired.

====================================================

 

I hope that this can be used for WebSphere soon!!

Account Template:

 

If the account template shows this (image1.png):

 

 

You can run this command:

 

etautil.exe  -u superuser -p ******** update  'eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects' eTADSPolicy eTADSPolicyName=APJ_SUPPORT to AccountContainer='(eTTelephone=3334489);eTADSOrgUnitName=SUPPORT,eTADSOrgUnitName=APJ;'

 

you will see this (image2.png):

When reviewing a customer's log recently I came across this error: JBAS014781

More specifically:
ERROR [org.jboss.as.controller.client] (Controller Boot Thread) JBAS014781: Step handler org.jboss.as.domain.management.security.SecurityRealmAddHandler$ServiceInstallStepHandler@3c34b64e for operation {"address" => [("core-service" => "management"),("security-realm" => "ApplicationRealm")],"operation" => "add","map-groups-to-roles" => undefined} at address [
    ("core-service" => "management"),
    ("security-realm" => "ApplicationRealm")


If I take this number and paste it into Google, it returns:
=======================================================

https://developer.jboss.org/thread/250515


Re: Jboss EAP 6.3 :[org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS013412: 

Jay Kumar SenSharma:

Due to the message [JBAS013412: Timeout after [300] seconds waiting for service container stability.] it looks like a timeout issue; maybe your application deployment or other management operations are taking longer than 300 seconds (300 sec is the default value). So try testing with a larger value to see if you still face the same issue or not.

 

You can try increasing this value to a higher value using the following system property:

-Djboss.as.management.blocking.timeout=700
=======================================================


You are at startup step 5, which is the longest of the IM startup steps.

This step is where IM loads the environments and contacts the provisioning servers to read provisioning roles, account templates and endpoint properties.

The more of these objects there are, the longer this step takes.

It is unique to your customer environment and will need to be tuned.

Some customers take 5 minutes at this step: 300 seconds.

Some customers take 10 minutes at this step: 600 seconds.

Some customers even take 2 hours at this step: 7200 seconds.

You will have to look at your previous server startup times to decide what setting to use.

 

This is a Java option, so you will need to set it in the .bat file you use to start IdentityMinder (typically standalone.conf.bat; standalone.conf on Linux). The options in JAVA_OPTS are separated by spaces, not commas.

 

Something like:

set "JAVA_OPTS=%JAVA_OPTS% -Djboss.as.management.blocking.timeout=700"

 

Thanks,
Bill Patton
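The right value is the one your own boots need, with headroom, and server.log already records both the completed boot times (JBAS015874 "started in Nms") and the timeouts that were hit (JBAS013412). The script below is an added example, not part of the post or of JBoss: it pulls both from log lines, recommends a timeout (the slowest observed boot times a safety margin, never below twice a timeout already hit, rounded up to a whole minute; the margin and the 300-second floor are my assumed defaults) and produces the JAVA_OPTS line for standalone.conf.bat and for standalone.conf. The log lines are constructed to match the two message formats; timestamps and durations are made up.

```python
import re

# Constructed server.log lines in the shape JBoss AS 7 / EAP 6 writes at the end of a
# boot (JBAS015874) and on the failure the post describes (JBAS013412).
SAMPLE_LOG = """\
10:02:11,120 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015874: JBoss EAP 6.3.0.GA (AS 7.4.0.Final-redhat-19) started in 412338ms - Started 742 of 800 services (63 services are lazy, passive or on-demand)
11:40:02,004 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015874: JBoss EAP 6.3.0.GA (AS 7.4.0.Final-redhat-19) started in 655901ms - Started 742 of 800 services (63 services are lazy, passive or on-demand)
12:15:33,781 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS013412: Timeout after [300] seconds waiting for service container stability. Operation will roll back.
"""

STARTED = re.compile(r'JBAS015874: .* started in (\d+)ms')
TIMEOUT = re.compile(r'JBAS013412: Timeout after \[(\d+)\] seconds')

def startup_times_ms(lines):
    """Milliseconds for every completed boot found in the lines."""
    return [int(m.group(1)) for line in lines for m in [STARTED.search(line)] if m]

def timeouts_hit(lines):
    """The configured blocking timeout (seconds) from every JBAS013412 failure."""
    return [int(m.group(1)) for line in lines for m in [TIMEOUT.search(line)] if m]

def recommend_timeout(startups_ms, timeouts, margin=1.5, floor=300):
    """Seconds for -Djboss.as.management.blocking.timeout. margin and floor are
    assumed values, not JBoss defaults beyond the 300 the forum reply mentions.
    A boot that timed out never logged a duration, so a hit timeout only tells
    you the real figure is higher; doubling it is the assumed next step."""
    candidates = [floor]
    if startups_ms:
        candidates.append(max(startups_ms) / 1000 * margin)
    if timeouts:
        candidates.append(max(timeouts) * 2)
    seconds = max(candidates)
    return int(-(-seconds // 60) * 60)          # round up to a whole minute

def java_opts_lines(seconds):
    """The line to add for each start-up script; options are space-separated."""
    flag = f'-Djboss.as.management.blocking.timeout={seconds}'
    return {
        'bat': f'set "JAVA_OPTS=%JAVA_OPTS% {flag}"',   # standalone.conf.bat (Windows)
        'sh': f'JAVA_OPTS="$JAVA_OPTS {flag}"',          # standalone.conf (Linux)
    }

if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    seconds = recommend_timeout(startup_times_ms(lines), timeouts_hit(lines))
    print('recommended timeout:', seconds)
    for name, line in java_opts_lines(seconds).items():
        print(f'{name}: {line}')
```

Feed it the last few weeks of server.log rather than one file, since the slowest boot is the one that matters, and remember that a bigger timeout only stops the rollback: a two-hour step 5 is still a two-hour step 5 until the number of roles, templates and endpoints behind it is looked at.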