Symantec IGA

  • 1.  Updates to ra.xml on WebSphere

    Broadcom Employee
    Posted Feb 21, 2014 04:54 PM
    It seems that customers struggle with updates to the ra.xml file when CA Identity Manager is deployed in IBM's WebSphere.
    The ra.xml file is the file that holds the connection parameters to SiteMinder. Therefore, if you need to enable (or disable) this integration and/or if any of the details about this connection change, then you will need to update this file.
    There is a major difference between JBoss, WebSphere and WebLogic (all of Identity Manager's supported application servers) in this regard.
    In JBoss, all that's required is to edit the file in its deployed location inside the /iam_im.ear/ folder (relative full path is: /iam_im.ear/policyserver.rar/meta-inf/ra.xml), make the changes, save the file and restart the app server (of course, for each cluster member in the case of a multi-node cluster).
    In WebSphere (and WebLogic) this is not enough. WebSphere is caching the ra.xml and will continue to work with the cached file. Therefore, updating the file under the deployed ear location will not help until the cache is updated.
    It's important to indicate that this issue is a WebSphere issue relating to the required actions to update a deployed application. This is not a question for Identity Manager. You do need to have WebSphere knowledge. There are different options to install and deploy applications into WebSphere. The option you selected might influence the possible updates you can then make to the application. See the following article that provides more information about these possibilities (also Google for more information on deploying applications into WebSphere and their permissions): http://www.packtpub.com/article/deploying-applications-on-websphere-application-server-7.0-part1
    In general, you have two options:
    1. Option #1:  Full Redeploy.
    Use the WebSphere tools (administration console) to export the ear folder, delete it from WebSphere, edit the ra.xml file (and web.xml file), repackage and redeploy using the WebSphere admin console. This will create the application again and will remove the previous cache. Therefore, upon your next restart all of WebSphere's objects should be updated with the new information. This is the safest way to get this change in. However, it might take longer and require a change window time frame on your WebSphere.
    2. Option #2:  Direct Update.
    You need to update the ear folder plus the cache.
    The ra.xml file is installed into the installedApps location - as you probably know.
    The ra.xml file is cached in:
    profiles\Dmgr01\config\cells\<cell name>\applications\iam_im.ear\deployments\iam_im\policyserver.rar\META-INF
    Further, there are J2C connection factories that hold the information that's in ra.xml, and they as well require an update if ra.xml changes.
    - Prepare a new version of ra.xml and do a WebSphere "update" via the admin UI to re-deploy just that one file to the live app.  This pushes the file out to the appropriate file systems for the deployment manager and cluster node. The custom properties of the J2C connection factories for PolicyServerRA will still need to get rebuilt in the live system. There are 3 sets of "custom properties" in the admin UI under the Manage Modules for PolicyServerRA that are affected.
    - Use the WebSphere admin UI to edit 2 of the 3 sets of custom properties, but the third set might be set to read-only, which prevents you from using the admin UI to update the properties. This, again, depends on how you originally deployed the application into WebSphere and what permissions you selected (see article reference above).
    - Manually edit deployment.xml to get the third set of custom properties updated.  There are four sections in deployment.xml that hold the custom properties which you should edit to have the new values.
    You will then need to restart the WebSphere application server. Note: in case of a cluster you will need to make the file changes in all your cluster members.
    Yours,
    Sagi Gabay,
    CA Technologies
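
An added example, not part of the original post and not CA or IBM code: a drift check for the direct-update path described above, comparing the config-property entries of a new ra.xml against the installedApps copy and the deployment manager's cached copy. The property names, host names and file labels are constructed, and the `config-property` element layout is assumed to be the standard connector descriptor form; only the names of differing properties are reported, since connection parameters may include credentials.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def _local(tag):
    # Drop any XML namespace so the check works with or without one.
    return tag.rsplit("}", 1)[-1]

def read_config_properties(path):
    """Return {name: value} for every <config-property> in an ra.xml file."""
    props = {}
    for elem in ET.parse(str(path)).iter():
        if _local(elem.tag) != "config-property":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        name = fields.get("config-property-name", "")
        props[name] = fields.get("config-property-value", "")
    return props

def find_drift(reference, copies):
    """Return {label: [property names that differ from the reference]}."""
    expected = read_config_properties(reference)
    drift = {}
    for label, path in copies.items():
        found = read_config_properties(path)
        changed = sorted(k for k in set(expected) | set(found)
                         if expected.get(k) != found.get(k))
        if changed:  # values are deliberately not returned or logged
            drift[label] = changed
    return drift

# Constructed sample descriptor; real ra.xml property names may differ.
PROP = ("<config-property><config-property-name>{}</config-property-name>"
        "<config-property-value>{}</config-property-value></config-property>")

def sample(enabled, url):
    body = PROP.format("Enabled", enabled) + PROP.format("ConnectionURL", url)
    return "<connector><resourceadapter>" + body + "</resourceadapter></connector>"

def demo():
    with tempfile.TemporaryDirectory() as d:
        new = Path(d) / "new_ra.xml"
        installed = Path(d) / "installedApps_ra.xml"
        cached = Path(d) / "dmgr_cache_ra.xml"
        new.write_text(sample("true", "ps-new.example.test"))
        installed.write_text(sample("true", "ps-new.example.test"))
        cached.write_text(sample("false", "ps-old.example.test"))  # stale copy
        return find_drift(new, {"installedApps": installed, "dmgr_cache": cached})

if __name__ == "__main__":
    print(demo())
```

Run on each cluster member after the update and before the restart; an empty result means every copy matches the new file.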


  • 2.  RE: Updates to ra.xml on WebSphere

     
    Posted Feb 28, 2014 02:23 PM

    Thanks for the great tip Sagi!