We have recently had an increased number of customers reporting errors when creating, updating or importing directory XML files via the IDM management console when SiteMinder is integrated with IDM (without this integration the error is not reported). There are a number of contributing factors, and we at CA are still investigating the subject. However, we wanted to highlight the section below from the IDM Configuration Guide, which in effect says that IDM must not be connected (not even with failover) to more than one policy server while you create, update or import the directory XML file and/or create, update or import the IME environment files.
Before making such changes, ensure that your IDM app servers have only one policy server in the <ConnectionURL> tag in the ra.xml file (under /iam_im.ear/policyserver.rar/meta-inf). Set <FailOver> = 'false' and leave <FailOverServers> empty. If this is already the case, no action is needed. If not, back up your ra.xml file, make the changes on all app servers in the environment, restart the app servers, perform the import, and then restore your original ra.xml file afterwards.
Please note: under WebSphere and WebLogic you will also need to clear or update the app server cache for this to take effect. Changing just the ra.xml file is not enough.
Note: When you are creating a CA IdentityMinder directory or an environment or modifying directory or environment settings, set SiteMinder Failover and FailoverServers to false. Otherwise, the directory object could be created but not replicated in time to be used. For example, you create a directory in Server 1. Then, you create an attribute using the object ID of that directory on Server 2, but the second directory does not exist yet. You receive an Object not Found error.
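Because the procedure above is easy to get half right (one policy server in ConnectionURL but failover still enabled, or an ra.xml edited on only some app servers), the following pre-import check is useful. It is an added example, not CA's code or anything from the Configuration Guide. It assumes the standard JCA ra.xml layout, in which each setting is a <config-property> with a <config-property-name> and <config-property-value>, and it assumes that multiple policy servers in ConnectionURL are separated by commas or whitespace; the hostnames in the embedded samples are constructed. Run it against the ra.xml on each app server before the directory or environment import, and expect an empty findings list.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample ra.xml in the state the post warns about: two policy
# servers, failover on, a failover server listed. The property names come
# from the post; the <config-property> layout is the standard JCA ra.xml
# form and is assumed here for the CA policy server adapter.
SAMPLE_RA_XML_BAD = """<connector xmlns="http://java.sun.com/xml/ns/j2ee" version="1.5">
  <resourceadapter>
    <config-property>
      <config-property-name>ConnectionURL</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>psrv1.example.internal,psrv2.example.internal</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>FailOver</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>true</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>FailOverServers</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>psrv2.example.internal</config-property-value>
    </config-property>
  </resourceadapter>
</connector>
"""

# Constructed sample in the state the post asks for during an import:
# exactly one policy server, FailOver false, FailOverServers empty.
SAMPLE_RA_XML_OK = """<connector xmlns="http://java.sun.com/xml/ns/j2ee" version="1.5">
  <resourceadapter>
    <config-property>
      <config-property-name>ConnectionURL</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>psrv1.example.internal</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>FailOver</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>false</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>FailOverServers</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value/>
    </config-property>
  </resourceadapter>
</connector>
"""


def _local(tag):
    # Strip the XML namespace so the check works whether or not the file
    # declares the J2EE/JEE default namespace.
    return tag.rsplit("}", 1)[-1]


def read_config_properties(xml_text):
    """Return {property-name: property-value} for every <config-property>."""
    root = ET.fromstring(xml_text)
    props = {}
    for el in root.iter():
        if _local(el.tag) != "config-property":
            continue
        name, value = None, ""
        for child in el:
            if _local(child.tag) == "config-property-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "config-property-value":
                value = (child.text or "").strip()  # empty element -> ""
        if name:
            props[name] = value
    return props


def check_single_policy_server(xml_text):
    """Return a list of findings; an empty list means the file is safe to import with."""
    props = read_config_properties(xml_text)
    findings = []
    # Assumption: several servers in ConnectionURL are comma/whitespace separated.
    hosts = [h for h in re.split(r"[,;\s]+", props.get("ConnectionURL", "")) if h]
    if len(hosts) != 1:
        findings.append("ConnectionURL lists %d policy servers; expected exactly 1" % len(hosts))
    if props.get("FailOver", "").lower() != "false":
        findings.append("FailOver is %r; expected 'false'" % props.get("FailOver", ""))
    if props.get("FailOverServers", ""):
        findings.append("FailOverServers is %r; expected empty" % props["FailOverServers"])
    return findings


if __name__ == "__main__":
    # Usage: python check_ra_xml.py /path/to/iam_im.ear/policyserver.rar/META-INF/ra.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RA_XML_BAD
    problems = check_single_policy_server(text)
    for p in problems:
        print("FINDING:", p)
    print("OK to import" if not problems else "Fix ra.xml on every app server before importing")
    sys.exit(1 if problems else 0)
```

Running it with no argument checks the embedded "bad" sample and exits non-zero with three findings; pointing it at a real ra.xml that matches the "ok" sample returns an empty list. Because the post notes that WebSphere and WebLogic also cache the adapter configuration, a clean result from this script only tells you the file is right, not that the running app server has picked it up, so it belongs before the restart step rather than in place of it.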