Hi Ranga,
Here is a process I have used. It aligns with what you have described.
IM is integrated to allow "auto-build" of these IMS objects in the SSO data store.
When there are issues with duplicates or moving the data tier, these issues may be seen.
As you have indicated, it is best to perform a "clean-up" activity, then allow IM to recreate the same object.
For additional details on a full clean-up process, I am outlining below the steps that assisted with a full rebuild of all IMS objects in earlier releases of IM r12.5.x/IM r12.6.x & SSO.
Steps to rebuild IMS objects in SiteMinder
00. Back up IM databases / SM policy store using database tools/directory tools & XPSExport -xb (all) & -xa (env)
- Oracle DBA confirmed successful backup.
- xa, xb backup done, with warnings
- XPSSweeper done, with warnings
- dsa .db files copied and dxdumpdb is done (on all 4 servers); all DSAs restarted.
0. View IM database tables to capture/record the current SMOID number for the UserStores and IME. This will be used to validate that IM was updated with new SMOIDs.
Capture IME (eiam) SMOID: 35-XXXXXXXX-XXXXX-XXXX-XXXX-XXXX-XXXXddb00000
Capture IMCD (Corporate Directory) SMOID: 32-XXXXXXXX-XXXX-XXXX-XXXX-XXXXddb00000
Capture IMPD (Provisioning Directory) SMOID: 32-*********-XXXX-XXXX-XXXX-XXXXddb00000
1. Configure the SiteMinder Policy Store for CA IdentityMinder.
2. Import the CA IdentityMinder Schema into the Policy Store.
3. Create a SiteMinder 4.X agent object.
4a. Export the CA IdentityMinder directories and environments.
4b. Open the ENV_environment_roles.xml with Notepad++/TextPad;
search for object="UNKNOWN" to see if any issues will occur upon re-importing this file.
These issues appear if custom Java jar files are missing. Replace the missing jar files, then re-export the IME.
- IAM.zip exported, still have 6 UNKNOWN AD screens and 3 UNKNOWN UNIX screens.
- directory.xml exported (ACD + Prov Store)
4c. Shut down all SM Policy Servers but one; keep only that one running (001).
4d. Shut down all IDM J2EE (JBoss/WebLogic/WebSphere) servers but one; keep only that one running (002).
5. Delete all directory and environment definitions.
IME delete started at X:XXam EST, deleted by 10:00am EST.
IMCD and IMPD were deleted at 10:00am EST.
Use XPSExplorer to check: IMSEnvironment entry: one deleted (IME entry), one left over; IMSDirectory: 1 deleted (IMPD entry), 12 left over. Delete all of these manually.
IMSAdditionalProperties: 6 left (manual delete as well). Run XPSSweeper after all this; no more warnings.
Perform an XPSExport (xa/xb) one more time.
Note: If we are unable to delete due to SM error messages, we will disable SM in ra.xml and web.xml, then re-perform this step. This will require the WAS server to be restarted. [Shut down ALL WAS servers to ensure the process is clean and logging is restricted to one server.]
6. Enable the SiteMinder Policy Server Resource Adapter.
7. Disable the native CA IdentityMinder Framework Authentication Filter.
7.1. Run XPSSweeper on the SM Policy Server to make sure there are no issues with the SM Policy Store.
7.2. Manually delete all remaining entries from IMSEnvironment and IMSDirectory, and check IMSManagedObjects.
7.3. XPSExport -xa / -xb to keep a clean copy (on 001).
8. Restart the application server. [Shut down ALL WAS servers; only restart one.]
9. Configure a data source for SiteMinder.
10a. Import the directory definitions.
Note: If we are unable to import due to SM error messages, we will use XPSExplorer to delete all IMS (IM objects) in the SM Policy Store;
re-export SMPS data with XPSExport -xb (all) to check that all IMS objects were removed; then validate that SMPS has no issues with the XPSSweeper tool. Using logging.jsp, enable ims=DEBUG to monitor the "cloning" activity to SM IMS objects during the import process on the one WAS server.
10b. Create an empty IME to make sure we can re-create objects.
11. Update and import environment definitions.
- manual import settings.xml (with NO custom components).
- restart J2EE (JBoss/WebLogic/WebSphere); WF is not auto-enabled, manually enable WF, OK.
- manually create custom components: EventListener, WFParticipantResolver, LAH; restart J2EE (JBoss/WebLogic/WebSphere).
- manual import of the roles.xml (15 minutes, 0 errors, 0 warnings).
11.5. Run XPSSweeper on the SM Policy Server to make sure there are no issues with the SM Policy Store.
- "undefined Class" error.
- ran SmMaster.xdd, smpolicy.xml, and IdmSmObjects.xdd; still "undefined Class" error, but IMS objects are showing up now.
12. Restart the application server. [Restart only ONE server.]
13. Install the web proxy server plug-in.
14. Associate the SiteMinder Agent with a CA IdentityMinder domain.
15. Configure SiteMinder LogOffUrl Parameter.
16. Export the SM Policy Store with XPSExport -xb and view the IM database tables; check that the SMOIDs match between the IM tables and SM's IMS objects for the User Directories and IME. Use the SM PolicyReader tool to compare deltas between the XPSExport -xb taken before and after the operation and confirm that no other unexpected changes were made.
17. Validate issue is resolved by using the IM Management Console to export the IMCD and reimport the IMCD over itself.
17.5. Log into the SM WAMUI and create a dummy domain (this requires a restart of the SM Policy Server).
18. Restart all other application servers of the IM cluster.
19. Restart all other SM Policy Servers
20. Manually Rebuild IM Realms Objects/Update AuthSchema/Rules in SiteMinder to match prior state. Any object under default IME domain has been rebuilt with defaults.
Reference:
https://supportcontent.ca.com/cadocs/0/CA%20IdentityMinder%2012%206%202-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?HowResourcesareProtected439059.html
https://supportcontent.ca.com/cadocs/0/CA%20IdentityMinder%2012%206%202-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?259286.html
Cheers,
A.
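As an added example (not part of A.'s post and not CA's own tooling), here is a small Python check for the step 4b condition: scan the exported environment roles XML for object="UNKNOWN" references, report which role/task each one sits under, and gate the re-import on the export being clean. The XML structure and element names below are constructed for illustration; the real input is the ENV_environment_roles.xml export described in the post.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample standing in for ENV_environment_roles.xml from step 4b.
# Element names are illustrative, not the real CA export schema; the only
# detail taken from the post is the object="UNKNOWN" marker that appears
# when a custom Java jar was missing at export time.
SAMPLE_ROLES_XML = """<Environment name="IME">
  <AdminRole name="AD Account Manager">
    <Task name="Modify AD Account">
      <Screen name="AD Account Screen" object="UNKNOWN"/>
    </Task>
  </AdminRole>
  <AdminRole name="Unix Account Manager">
    <Task name="Modify Unix Account">
      <Screen name="Unix Account Screen" object="UNKNOWN"/>
      <Screen name="Unix Group Screen" object="com.example.GroupScreen"/>
    </Task>
    <Task name="Unix Approval" object="UNKNOWN"/>
  </AdminRole>
</Environment>
"""

def find_unknown_objects(xml_text):
    """Return (tag, name, path) for every element whose object attribute is
    UNKNOWN; path names the enclosing role/task that would fail on re-import."""
    hits = []

    def walk(elem, ancestors):
        name = elem.get("name", elem.tag)
        if elem.get("object") == "UNKNOWN":
            hits.append((elem.tag, name, "/".join(ancestors)))
        for child in elem:
            walk(child, ancestors + [name])

    walk(ET.fromstring(xml_text), [])
    return hits

def summarize(hits):
    """Tally UNKNOWN references per element type (screens vs. tasks)."""
    return dict(Counter(tag for tag, _, _ in hits))

def export_is_clean(xml_text):
    """Step 4b gate: re-import only once no UNKNOWN references remain."""
    return not find_unknown_objects(xml_text)

if __name__ == "__main__":
    for tag, name, path in find_unknown_objects(SAMPLE_ROLES_XML):
        print(f"UNKNOWN {tag} '{name}' under {path}")
```

Point it at the real export (read the file and pass the text to find_unknown_objects) and repeat after replacing the missing jars until export_is_clean returns True.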