Symantec IGA

  • 1.  Unable to import env into IdentityMinder after SiteMinder integration

    Posted Jan 22, 2015 02:27 AM

    Hi All,

     

    We have configured IdM with SiteMinder. We don't see any issues in the log, and it confirmed that IdM connects to SiteMinder, but when we import the env after adding the SiteMinder agent to the env.xml file we get the error message below:

     

    Deploying environment configuration...

     

    Warning: Updating the IdentityMinder environment "sm-import"

     

     

    Error: SmImsCommand (setLinkedData) Provider call failed

    Error Code was: -2147418012

    Error Message: Unknown Failure ID:379

     

    *********

    0 error(s), 1 warning(s)

    Any help is really appreciated.

     

    Regards,

    Nazeem.



  • 2.  Re: Unable to import env into IdentityMinder after SiteMinder integration

    Broadcom Employee
    Posted Apr 07, 2015 05:43 PM

    Hi Nazeem,

     

    There are a number of issues that happen when importing directories or environments after IDM and SM are integrated. The information needs to be updated both in the IDM object store and in the SM policy store. Resolving these situations isn't always easy. The best I can suggest is that you open a Support case.

     

    Regards,

    Sagi



  • 3.  Re: Unable to import env into IdentityMinder after SiteMinder integration

    Posted Apr 08, 2015 01:16 PM

    There are so many things that can cause IME imports to fail, but here are a few things to check that are SiteMinder-related.

     

    Make sure your IDM config points to only one policy server during import of the IME. (remove redundant policy servers in the policyserver.rar ra.xml)

    The reason for the step above is that we have seen IDM bounce between policy servers faster than the policy servers can see the changes in the policy store, so there will be objects missing, and that can cause import problems.


    Ensure that the basic auth scheme in SiteMinder has not been renamed. IdentityManager calls out the auth scheme by name, not by OID, so renaming the basic auth schemes causes problems.

     

    Also: I think CA support has an internal document that outlines a few of the issues that can cause these types of errors.
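The "bounce between policy servers" problem in the post above can be reproduced with a small model. The following is an added example, not code from the original thread or from CA/Broadcom: it models two Policy Servers whose policy store replicates asynchronously, an IdM client that round-robins requests across them, and the two-step create-then-link sequence an IME import performs. Server names, the tick-based replication delay and the object IDs are all constructed for the illustration.

```python
import itertools
from collections import deque


class ObjectNotFound(Exception):
    """Raised when a Policy Server's replica cannot see the requested object yet."""


class PolicyStoreReplica:
    """Toy model of one Policy Server's view of the policy store.

    Local writes are visible at once; writes made on a peer only become visible
    after a replication delay, which is what makes the round-robin import racy.
    """

    def __init__(self, name):
        self.name = name
        self.objects = {}
        self.pending = deque()  # (tick when the copy becomes visible, oid, obj)

    def catch_up(self, now):
        """Apply every replicated write whose delay has elapsed."""
        while self.pending and self.pending[0][0] <= now:
            _, oid, obj = self.pending.popleft()
            self.objects.setdefault(oid, obj)


class PolicyServerCluster:
    """Two or more Policy Servers sharing a store with asynchronous replication."""

    def __init__(self, names, replication_lag):
        self.servers = {n: PolicyStoreReplica(n) for n in names}
        self.lag = replication_lag  # ticks until a write is visible on peers
        self.tick = 0

    def create(self, server, oid, obj):
        self.tick += 1
        local = self.servers[server]
        local.catch_up(self.tick)
        local.objects[oid] = obj
        for peer in self.servers.values():
            if peer is not local:
                peer.pending.append((self.tick + self.lag, oid, obj))

    def lookup(self, server, oid):
        self.tick += 1
        local = self.servers[server]
        local.catch_up(self.tick)
        if oid not in local.objects:
            raise ObjectNotFound(f"{oid} not found on {server}")
        return local.objects[oid]

    def settle(self):
        """Let replication finish, then show what a failed import left behind."""
        self.tick += self.lag
        for replica in self.servers.values():
            replica.catch_up(self.tick)
        return {name: sorted(r.objects) for name, r in self.servers.items()}


def run_ime_import(cluster, rotation):
    """Mimic the IME import: create the directory object, then a linked attribute.

    `rotation` is the list of Policy Servers IdM cycles through; a single entry
    models ra.xml pinned to one server for the import window.
    """
    next_server = itertools.cycle(rotation)
    try:
        cluster.create(next(next_server), "dir:sm-import", {"type": "UserDirectory"})
        # IdM validates the parent before it sets the linked data on the attribute.
        parent = cluster.lookup(next(next_server), "dir:sm-import")
        cluster.create(next(next_server), "attr:sm-import/uid",
                       {"type": "DirectoryAttribute", "parent": parent["type"]})
        return "ok"
    except ObjectNotFound as exc:
        return f"failed: {exc}"


if __name__ == "__main__":
    racy = PolicyServerCluster(["ps1", "ps2"], replication_lag=2)
    print("round-robin:", run_ime_import(racy, ["ps1", "ps2"]))
    print("left behind:", racy.settle())
    pinned = PolicyServerCluster(["ps1", "ps2"], replication_lag=2)
    print("single server:", run_ime_import(pinned, ["ps1"]))
```

With two servers and any non-zero replication lag the second request lands on a replica that has not yet seen the directory object, so the import fails, and the directory object stays behind in the store without its attribute, which is the partial-object state later posts in this thread describe. Pinning the rotation to one server, or a lag of zero, makes the same sequence succeed.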



  • 4.  Re: Unable to import env into IdentityMinder after SiteMinder integration

    Posted Feb 12, 2016 07:51 PM

    I did a "count" of support tickets with this issue, and the majority were resolved by updating the ra.xml to use a single SSO (SM) Policy Server during creation.

     

    The latest tech note mentions that all SSO Policy Servers but one may be shut down. However, this may not be possible if the SSO servers are being used for non-IM activity, e.g. Federation and/or hundreds of other applications that would suffer a production outage.

     

    • If IM is pointed to a series of Policy Servers, IM uses round robin to talk to the Policy Servers. In some cases, IM sends a command to the second Policy Server node before the first command has been replicated from the first Policy Server. To avoid this, please shut down all SM Policy Server nodes for the length of the import process.


    Alternative approach, per Support Notes (with some modification):

     

    Per notes:

     

    When IM is "tightly integrated" with SSO (uses ra.xml) and the 'FailoverServers' option is populated in ra.xml, the SSO directory attempts replication of the data from one SSO policy store to another. However, because various user directories set up their replication in different ways, most of the time the directory creation fails with the error message "Object not found".


    This is because ra.xml uses round-robin over the list of servers plus the FailoverServers listed.


    The object was created on Server 1 but not yet replicated to Server 2 when the next request (create and/or validation) related to that object comes in (e.g. creating the directory object on Server 1 and then using that ID to create an attribute of that object on Server 2).


    The recommended practice during the creation of the directories and the environments is:


    1) Select one (1) J2EE server; and make a backup copy of ra.xml

    2) Disable Failover and the FailoverServers properties in the ra.xml

    3) Restart the J2EE server (just need one)

    4) Create IMCD Directory (corporate user store)  & IMPS Directory (provisioning user store) in IM Management Console

    5) Create IME in IM Management Console

    6) Validate success for #3 and #4. 

    7) Login to IME (IM User Console)

    8) Shut down the J2EE server

    9) Re-enable the Failover and FailoverServers properties

    10) Restart all SM Servers (if they were shutdown)

    11) Restart all the J2EE servers

    12) Validate / Login to IME (IM User Console)


    Example:   ra.xml (both failover properties left blank for the import window)

    <!-- Empty value: no failover Policy Servers while the directories and IME are created -->
    <config-property>
      <config-property-name>FailoverServers</config-property-name>
      <config-property-type></config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <!-- Empty value: failover disabled until step 9 re-enables it -->
    <config-property>
      <config-property-name>FailOver</config-property-name>
      <config-property-type></config-property-type>
      <config-property-value></config-property-value>
    </config-property>


    Edit:  2/12/2016  Follow up note:

     

    Prior to any work with SSO (SiteMinder), please do a complete export with the SM object export CLI (smobjexport) or the XPSExport process.

    - Example:  Common questions on using smobjexport and XPSExport

    Use Mark O'Donohue's SM Policy Reader tool to view the data:  SiteMinder Policy Reader

    If there were ANY failures in creating an IM object, there will be data in a partial state within the SM Policy Store.

    These objects will NOT be viewable in the SMWAMUI or the SMFSSUI, only via XPSExplorer or the SM Policy Reader tool.

    To remove these objects, use XPSExplorer to delete the unused objects.


    Cheers,

     

    A.
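Steps 1, 2 and 9 of the procedure above (back up ra.xml, blank the FailoverServers and FailOver properties for the import window, put them back afterwards) and the earlier advice in this thread to point IDM at a single Policy Server during the import are easy to get wrong by hand-editing. The following is an added example, not code from the original post or from CA/Broadcom: a small text-level editor for ra.xml that records the original values so they can be restored byte-for-byte. The property names come from the ra.xml fragment in the post; the sample ra.xml, its hostnames and the third property are constructed for the illustration.

```python
import re
from pathlib import Path

# Property names taken from the ra.xml fragment posted above.
FAILOVER_PROPS = ("FailoverServers", "FailOver")

# Matches one <config-property> block and captures its name and value. A text-level
# edit (rather than a DOM rewrite) keeps comments, namespaces and formatting in the
# rest of ra.xml untouched, so the backup and the restored file are identical.
PROP_RE = re.compile(
    r"(?P<head><config-property>\s*"
    r"<config-property-name>\s*(?P<name>[^<]*?)\s*</config-property-name>"
    r"(?:(?!</config-property>).)*?"
    r"<config-property-value>)"
    r"(?P<value>[^<]*)"
    r"(?P<tail></config-property-value>)",
    re.DOTALL,
)


def property_values(xml_text):
    """Return {config-property-name: value} for every property in the file."""
    return {m.group("name"): m.group("value") for m in PROP_RE.finditer(xml_text)}


def set_property_values(xml_text, new_values):
    """Rewrite the listed properties; return (new text, {name: previous value})."""
    previous = {}

    def replace(m):
        name = m.group("name")
        if name not in new_values:
            return m.group(0)
        previous[name] = m.group("value")
        return m.group("head") + new_values[name] + m.group("tail")

    return PROP_RE.sub(replace, xml_text), previous


def disable_failover(xml_text):
    """Step 2: blank FailoverServers and FailOver so IDM talks to one Policy Server."""
    edited, saved = set_property_values(xml_text, {n: "" for n in FAILOVER_PROPS})
    missing = [n for n in FAILOVER_PROPS if n not in saved]
    if missing:
        raise ValueError(f"ra.xml has no config-property named {missing}; nothing to disable")
    return edited, saved


def restore_failover(xml_text, saved):
    """Step 9: put the saved FailoverServers / FailOver values back."""
    return set_property_values(xml_text, saved)[0]


def disable_failover_on_disk(path):
    """Step 1 + 2 on a real file: write ra.xml.bak beside it, then blank the properties."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    p.with_name(p.name + ".bak").write_text(original, encoding="utf-8")
    edited, saved = disable_failover(original)
    p.write_text(edited, encoding="utf-8")
    return saved  # keep this for restore_failover after the IME import


# Constructed sample ra.xml fragment: hostnames and UnrelatedSetting are made up.
SAMPLE_RA_XML = """<connector xmlns="http://java.sun.com/xml/ns/j2ee">
  <resourceadapter>
    <config-property>
      <config-property-name>FailoverServers</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>ps2.example.internal,ps3.example.internal</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>FailOver</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>true</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>UnrelatedSetting</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>keep-me</config-property-value>
    </config-property>
  </resourceadapter>
</connector>
"""

if __name__ == "__main__":
    edited, saved = disable_failover(SAMPLE_RA_XML)
    print("saved for restore:", saved)
    print("values during import:", property_values(edited))
    print("restored identical:", restore_failover(edited, saved) == SAMPLE_RA_XML)
```

Run disable_failover_on_disk against the policyserver.rar ra.xml on the one J2EE server you keep up, restart it, create the directories and the IME, then feed the returned dictionary to restore_failover before bringing the remaining J2EE servers back. Because only the value text between the tags is touched, diffing the edited file against ra.xml.bak shows exactly two changed lines, which is a useful sanity check before the restart.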



  • 5.  Re: Unable to import env into IdentityMinder after SiteMinder integration
    Best Answer

    Posted Apr 10, 2015 11:45 AM

    There is now a public tech doc available around this problem and ways to avoid it:

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1595544.aspx

     

    Typically, this error occurs because IM creates its copy of the object in the IM object store, but SiteMinder fails to do so in the policy store. Please attempt the suggestions from the tech doc and retry. If the problem persists, open an issue with support, if you have not already done so.