Hi Mohd,
Did you make any changes to the environment recently? Like:
- Upgrading Siteminder/IDM?
- Re-pointing IDM to a newly built Siteminder environment?
- Migrating policies from one environment to another? Did you even try to delete/modify Policy objects using XPS tools?
- This behavior is even noticed if you restart IDM while SM is down and bring up SM later.
From my past experience, there are 2 ways to resolve this issue.
1. If there were no changes made to the environment and the issue has been occurring intermittently, then restarting IDM and SM in the sequence below may resolve this issue.
--> Restart SM first
--> Then Restart IDM
Chances are very slim with option #1, but it's worth trying out if you haven't done so already.
2. If there were changes made to the environment, like an upgrade or policy migration etc., then dropping and re-creating the IDM IMEs and Directories is the only available option.
Note:
- I would suggest keeping this as a last option, if the support team is not able to identify the root cause.
- This worked for me with SSO 12.52 SP1 CR06 & IDM 12.6.8
- I see you are on the latest version of the IDM and SSO products; there might have been improvements made in these versions to take care of this scenario.
If this is a pre-prod environment and you still want to give option #2 a try, then here are the high-level steps:
Make sure that you have the necessary backups, in case of rollback or failure.
1. IDM objectstore backup at DB level
2. IMEs and Directories backup by exporting them through the IDM Management console
3. IDM-specific configuration changes (e.g. SelectBox data, workflow, etc.) which are not exported as part of the IMEs
4. Policy Store: you may use the XPSExport option.
5. SSO side --> capture screen prints or make a note of the assigned auth schemes, password policies, any custom responses, etc. (I suggest exporting the password policies separately and keeping them ready for re-import post IME recreation, as IME deletion will delete password policies too.) If your environment's password policies are basic and simple to create manually, then you can ignore this additional backup.
Actual Steps start here:
6. Keep only one Policy Server up and running (stop the others) and delete the IMEs (whichever are having trouble) first and then the corresponding Directories.
7. On the Policy Server side, make sure that the corresponding Domain and Directories are deleted successfully. Most of the time, though they are deleted successfully in the AdminUI GUI, some of the objects would still remain in the Policy Store and give trouble while re-importing the IMEs and Directories.
8. Restart the IDM servers after deleting the IMEs and Directories.
9. Try to re-import the Directories from step #2 and then the IMEs. Follow the KB article below if you run into any errors while re-importing.
PostCreate errors when creating new directories or environments on Identity Manager after upgrading SiteMinder policy se…
10. On successful re-import, make sure that the required Domains and user Directories have been created on the SSO side and then start the IMEs and the remaining Policy Servers.
11. You may want to take care of auth schemes and password policies on the SSO side.
12. If everything is back up and the IMEs are accessible, then verify the critical use cases and make sure everything is working as expected. Also remember to take care of SelectBox data and workflows (if any).
Hope this helps.
Thanks
Ashok