Symantec IGA

  • 1.  CA Identity Manager 12.6 sp 8: User store & Prov. store issues.

    Posted May 05, 2017 03:21 AM

    Hi All,

    I have a setup of SM 12.52 sp1 and IM 12.6 sp8, which are in integrated mode.
    My issue is that this newer version of IM uses two separate stores while configuring an environment.

    So while creating an IME, I have to provide a user store, which is supposed to be of type LDAP, and then there is an optional choice of a Provisioning store.

    In earlier versions of IM, the environment asks for only 1 directory, which is of type Provisioning, and the flow goes as required.

    Now even if I create an IME with two different stores, i.e. one of type LDAP (connection with AD) and the other of type Provisioning (connection with the Provisioning server), I can just log in via etaadmin (superuser) into the IME-protected console, but I am unable to create any user or perform any activity.

    Other than this, I checked my provisioning setup and verified that the Provisioning Manager is working fine.
    The creation of an IME in this version has some issues: it should only use the provisioning store, but by default it asks for another user store of type LDAP.

    I can think of one thing: the IME requires a connection with the provisioning server to create a user or perform any task, but as it is being pointed to AD, it is throwing unwanted errors. So in order to point it to the Prov server, I need help.

     

    Any suggestions?

    As I'm unable to get an update for the last few days, I would like your help here!
    Please help me out Bill, losru01 & william.


    Regards,

    Hridyesh



  • 2.  Re: CA Identity Manager 12.6 sp 8: User store & Prov. store issues.
    Best Answer

    Broadcom Employee
    Posted May 08, 2017 07:42 AM

    Hydrish,

    What you are describing seems like what we call a corp == prov environment.

    This type of environment was never really supported, but was officially dropped from product support some time ago.

    You can read about the separation here:

    https://docops.ca.com/ca-identity-manager/12-6-5/EN/installing/ca-identity-manager-components/user-store-and-provisioning-directory

    Without this separation there used to be many complaints about double synchronizations and benign errors due to synchronizing users that had already been created. Example:

    IM creates a user in the corp store (prov store in this case) and it is assigned a provisioning role; we then send a user create command to the prov store but receive an error because the user already exists from the first step. In this use case the "user already exists" error is benign, but when troubleshooting issues, how do you know where to begin?

    Long story short, you can no longer use the provisioning server as the corp directory.

    The errors during creation of the IME probably have something to do with this, as the attributes that the screens reference are things like etfirstname, and userid references etGlobalUserName; these of course may not be in the new corp directory.

    My guess for the create user task, or any other task, is that the screen fields probably have the same issue as above.

    Honestly, you are better off starting from scratch with a new IME based on the OOTB screens.


    Thanks,

    Bill
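
    The two-step flow Bill describes, as an added illustration that is not CA Identity Manager code and not part of this thread: a toy model showing why the "user already exists" error on the second step is benign only when the corp store and the prov store are the same directory, and a real conflict when they are separate, plus a config-level check that two store definitions resolve to one backend. Store names, hosts, ports, base DNs and the config shape are constructed for the example.

```python
# Added illustration (not CA Identity Manager code): a toy model of the
# corp == prov double-synchronization problem and the ambiguity it creates.
from dataclasses import dataclass, field


class UserExistsError(Exception):
    """Raised when a store already holds an entry for the user."""


@dataclass
class DirectoryStore:
    """Minimal stand-in for an LDAP-style directory (constructed, not a real client)."""
    name: str
    entries: dict = field(default_factory=dict)

    def create(self, userid, attrs):
        if userid in self.entries:
            raise UserExistsError(f"{self.name}: user {userid!r} already exists")
        self.entries[userid] = dict(attrs)


class IdentityEnvironment:
    """Models the two-step flow: create in the corp store, then (if a
    provisioning role applies) send a create to the provisioning store."""

    def __init__(self, corp_store, prov_store):
        self.corp = corp_store
        self.prov = prov_store

    def create_user(self, userid, attrs, has_prov_role=True):
        self.corp.create(userid, attrs)          # step 1: corporate user store
        if not has_prov_role:
            return "corp-only"
        try:
            self.prov.create(userid, attrs)      # step 2: provisioning server
            return "provisioned"
        except UserExistsError:
            if self.corp is self.prov:
                # Same backend: we collided with the entry from step 1.
                return "benign-duplicate"
            # Separate backends: a pre-existing prov entry is a real conflict.
            raise


def stores_share_backend(a, b):
    """Config-level check: do two store definitions resolve to one directory?
    Compares host, port and base DN (constructed config shape, not the product's)."""
    def norm(cfg):
        return (cfg["host"].strip().lower(), int(cfg["port"]),
                cfg["base_dn"].replace(" ", "").lower())
    return norm(a) == norm(b)


def demo():
    # Separate stores (the supported model): the prov error is never masked.
    ad = DirectoryStore("corp(AD)")
    prov = DirectoryStore("prov")
    separate = IdentityEnvironment(ad, prov)
    r1 = separate.create_user("hridyesh", {"givenName": "Hridyesh"})

    # corp == prov: one directory plays both roles, so step 2 always collides.
    shared = DirectoryStore("prov-as-corp")
    combined = IdentityEnvironment(shared, shared)
    r2 = combined.create_user("hridyesh", {"givenName": "Hridyesh"})

    # Separate stores where prov already holds the user: a genuine conflict.
    prov.entries["jdoe"] = {}
    try:
        separate.create_user("jdoe", {})
        r3 = "no-error"
    except UserExistsError:
        r3 = "real-conflict"

    # Constructed host/port/DN values; only the comparison logic matters here.
    same_backend = stores_share_backend(
        {"host": "prov.example", "port": 20389, "base_dn": "dc=example"},
        {"host": "PROV.example", "port": "20389", "base_dn": "dc=example"})
    return r1, r2, r3, same_backend


if __name__ == "__main__":
    print(demo())  # ('provisioned', 'benign-duplicate', 'real-conflict', True)
```

    The point of the model is the `except` branch: with a shared directory the duplicate error must be swallowed to keep the flow working, which is exactly what hides genuine conflicts and makes troubleshooting hard; with separate stores the same error can be treated as real.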



  • 3.  Re: CA Identity Manager 12.6 sp 8: User store & Prov. store issues.

    Broadcom Employee
    Posted May 09, 2017 09:41 AM

    Agreed. There are just a handful of implementations (probably less than 5) still using this corp==prov model, and the ones I'm aware of are actively working to migrate to a supported deployment with a separate corporate user store and provisioning store. This does involve building a parallel environment with separate user stores, and doing a migration of configurations and users between the environments.