I did a "count" of support tickets with this issue; and the majority were resolved by update of the ra.xml to use a single SSO (SM) Policy Server during creation.
The latest tech note, mentions that ALL SSO Policy Servers may be shutdown but one. However, this may not be possible if SSO servers are being used for non-IM activity, e.g. Federation and/or other 100's of applications that would have production outage.
- If IM is pointed to a series of Policy Servers, IM uses round robin to talk to the Policy Server. In some cases, IM sends a command to the second Policy Server node before the first command has been replicated from the first Policy Server. To avoid this, please shut down all SM Policy Server nodes for the length of the import process.
Alternative approach, per Support Notes (with some modification):
Per notes:
When the IM is "tightly integrated" with SSO (uses ra.xml) and if 'FailoverServers' option is populated in ra.xml, the SSO directory attempts replication of the data from one SSO policy store to another. However, because of various user directories set their replication different ways, most of the times, the directory creation fails with the error message "Object not found".
This is because, ra.xml uses round-robin with the list of servers + failoverServers listed.
The object was created in the server 1 but not replicated on time in server 2 when the next request (create and/or validation) related to that object comes in (ex. creating the directory object in Server 1 and use that ID to create the attribute of that object in the Server 2).
The recommended practice is during the creation of the directory and the environments:
1) Select one (1) J2EE server; and make a backup copy of ra.xml
2) Disable Failover and the FailoverServers properties in the ra.xml
3) Restart the J2EE server (just need one)
4) Create IMCD Directory (corporate user store) & IMPS Directory (provisioning user store) in IM Management Console
5) Create IME in IM Management Console
6) Validate success for #3 and #4.
7) Login to IME (IM User Console)
8) Shutdown the J2EE server
9) Re-enable Failover and FailoverServer properties
10) Restart all SM Servers (if they were shutdown)
11) Restart the (all) J2EE servers
12) Validate / Login to IME (IM User Console)
Example: ra.xml
<config-property>
<config-property-name>FailoverServers</config-property-name>
<config-property-type></config-property-type>
<config-property-value></config-property-value>
</config-property>
<config-property>
<config-property-name>FailOver</config-property-name>
<config-property-type></config-property-type>
<config-property-value></config-property-value>
</config-property>
Edit: 2/12/2016 Follow up note:
Prior to any work with SSO (SiteMinder), please do a complete export with sm object export CLI (smobjexport) or XPSexport processes.
- Example: Common questions on using smobjexport and XPSExport
Use Mark O'Donohue tool of SM Policy Reader to view the data: Siteminder Policy Reader
If there were ANY failures of creating an IM object, there will be data that is in a partial state within the SM policy Store.
These objects will NOT be viewable by the SMWAMUI nor SMFSSUI, but only via XPSExplorer or SM Policy Reader tool.
To remove these objects, use XPSExplore to delete the unused objects.
Cheers,
A.