This may help as well.
If you are using Oracle DB, ensure that you are using the latest recommended NLS_LANG character set (from both Oracle and Broadcom) of "AL32UTF8".
To find out which character set you are using, please check with this select query (using Oracle SQL Developer UI)
- Note: You may need a higher Oracle privileged account to view this system parameter.
Why is this important? If an older character set is used, you may be hit with the "long dash" (aka emdash) character that is unknown to Oracle with the older character sets. If your users use copy-n-paste between Outlook email or MS Office (Word/Excel), the hyphen (short dash) character may be replaced by the emdash (long dash) when the user creates new IM objects, especially IM Prov Roles. With the older character set, Oracle will replace the 'unknown' characters with an upside down question mark. And when you attempt to export the IME, IM will check the IM_ROLE tables for the name, and then attempt to use that name for a validation query to the Provisioning Server, before adding this file to the export list. Unfortunately, the names do not match, as the Provisioning Server is using UTF8 character set, and allows for most characters. Therefore when the names do not match, the IM Export Process does not know how to manage this error and will fail at this step. This can be observed with the above-mentioned loggers.
To check your Oracle DB, if it has these 'unknown' characters, query your IM Role table with the below select statement:
- Note: Replace the schema name with your own schema name.
Original Message:
Sent: May 10, 2022 12:40 PM
From: Alan Baugher
Subject: Re: Identity Manager IME export fails
Follow up observation:
If you have a star character "*" in any of your objects, the solution will generate a replacement character of "%" as the SQL wildcard.
This conversion will confuse the solution during an export, and you will see this exact error message.
Resolution: Search all provisioning roles under the IM_ROLE database table (or use the IM UI or Prov Manager UI) to find any PR with the "*" character. Use the Prov Manager UI to rename or delete the PR object. Then re-attempt your export of the IME.
The below four (4) loggers helped to isolate this issue:
com.ca.commons.jndi.beans.operations
im.provisioning.provisioningrole
ims.jdbc.JDBCManagedObjectProvider
ims.jdbc.JDBCManagedObject
Example: Please note the queries fail with delta where the pattern "*" is replaced with "%".
11:23:17,829 [192.168.2.220] [iamnode1] DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-299) SELECT DISTINCT("IM_ROLE"."UNIQUE_NAME") FROM "IM_ROLE" WHERE { fn LCASE("FRIENDLYNAME")} LIKE testwithstar% ESING NCHAR_CS) AND "TYPE"=2 AND "IM_ROLE"."ENV_OID"='1' {com.netegrity.llsdk6.imsimpl.jdbcmanagedobject.JDBCManagedObjectProvider.findUniqueAttribute(JDBCManagedObjectProvider.java:823)}
11:23:17,829 [192.168.2.220] [iamnode1] DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-299) SELECT DISTINCT("IM_ROLE"."UNIQUE_NAME") FROM "IM_ROLE" WHERE { fn LCASE("FRIENDLYNAME")} LIKE ? ESCAPE TRANSLA) AND "TYPE"=? AND "IM_ROLE"."ENV_OID"=? (testwithstar%,2,1) {com.netegrity.llsdk6.imsimpl.jdbcmanagedobject.JDBCManagedObjectProvider.findUniqueAttribute(JDBCManagedObjectProvider.java:826)}
11:23:17,842 [192.168.2.220] [iamnode1] DEBUG [im.provisioning.provisioningrole] (default task-299) getIAMRole: retrieving provisioning role: 'testwithstar*' y.llsdk6.imsimpl.managedobject.ProvisioningRoleImpl.getIAMRole(ProvisioningRoleImpl.java:727)}
11:23:17,842 [192.168.2.220] [iamnode1] DEBUG [com.ca.commons.jndi.beans.operations] (default task-299) Search[44] Started: base=eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im,dc=eta filter=(&(eTRol2a)(objectClass=eTRole)) controls=[scope=one level, returning objects=false, count limit=0, time limit=0, return=eTCustomField08,eTCustomField07,eTDescription,eTCustomField09,eTAllowPartialResult,eTRoleName,eTCustld01,eTID,eTCustomField02,eTCustomField04,eTCustomField03,eTComments,eTCustomField05,eTDepartment,eTCustomField06] {java.util.logging.Logger.doLog(Logger.java:765)}
------------------------------
Alan Baugher
ANA
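Added example (not part of the original posts and not product code): a small Python scan of the debug log that pairs each bound LIKE parameter with the provisioning role name retrieved on the same task thread, and flags names where "*" became "%", names carrying the upside down question mark (U+00BF), and names with other non-ASCII characters such as the emdash. The sample lines are constructed, and it is an assumption that the database-side role name appears in the getIAMRole line exactly as stored.

```python
import re
import unicodedata

# Constructed sample in the layout of the im_export_debug.log excerpt above
# (SQL text shortened; the task-300 and task-301 role names are invented).
SAMPLE_LOG = """\
11:23:17,829 [192.168.2.220] [iamnode1] DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-299) SELECT ... LIKE ? AND "TYPE"=? (testwithstar%,2,1) {JDBCManagedObjectProvider.java:826}
11:23:17,842 [192.168.2.220] [iamnode1] DEBUG [im.provisioning.provisioningrole] (default task-299) getIAMRole: retrieving provisioning role: 'testwithstar*' {ProvisioningRoleImpl.java:727}
11:23:18,101 [192.168.2.220] [iamnode1] DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-300) SELECT ... LIKE ? AND "TYPE"=? (hr \u00bf payroll,2,1) {JDBCManagedObjectProvider.java:826}
11:23:18,110 [192.168.2.220] [iamnode1] DEBUG [im.provisioning.provisioningrole] (default task-300) getIAMRole: retrieving provisioning role: 'HR \u00bf Payroll' {ProvisioningRoleImpl.java:727}
11:23:18,400 [192.168.2.220] [iamnode1] DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-301) SELECT ... LIKE ? AND "TYPE"=? (helpdesk,2,1) {JDBCManagedObjectProvider.java:826}
11:23:18,405 [192.168.2.220] [iamnode1] DEBUG [im.provisioning.provisioningrole] (default task-301) getIAMRole: retrieving provisioning role: 'Helpdesk' {ProvisioningRoleImpl.java:727}
"""

BOUND = re.compile(  # prepared statement followed by its bound values: (name,type,env)
    r"\[ims\.jdbc\.JDBCManagedObjectProvider\] \((?P<task>[^)]+)\) "
    r".*LIKE \?.*\((?P<params>[^()]*)\) \{")
ROLE = re.compile(
    r"\[im\.provisioning\.provisioningrole\] \((?P<task>[^)]+)\) "
    r"getIAMRole: retrieving provisioning role: '(?P<name>.*)'")

def find_suspect_roles(log_text):
    """Return {role_name: [reasons]} for role names likely to break the export."""
    bound, suspects = {}, {}   # bound: task thread -> last LIKE parameter seen
    for line in log_text.splitlines():
        m = BOUND.search(line)
        if m:
            bound[m["task"]] = m["params"].rsplit(",", 2)[0]
            continue
        m = ROLE.search(line)
        if not m:
            continue
        name, reasons = m["name"], []
        like = bound.get(m["task"])
        if like is not None and like.lower() != name.lower():  # query lower-cases the name
            reasons.append(f"SQL lookup used {like!r}")
        if "\u00bf" in name:
            reasons.append("contains U+00BF (character lost in DB character set)")
        odd = sorted({c for c in name if ord(c) > 127 and c != "\u00bf"})
        if odd:
            reasons.append("non-ASCII: " + ", ".join(unicodedata.name(c, hex(ord(c))) for c in odd))
        if reasons:
            suspects[name] = reasons
    return suspects

if __name__ == "__main__":
    for role, why in find_suspect_roles(SAMPLE_LOG).items():
        print(f"{role!r}: {'; '.join(why)}")
```

Role names that themselves contain parentheses are not handled by the bound-parameter pattern and would need a stricter parser.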
Original Message:
Sent: May 03, 2022 10:30 AM
From: Alan Baugher
Subject: Re: Identity Manager IME export fails
To assist with identifying the "bad" object that may be impacting the IME export, you may wish to enable the loggers that have the most information. This process below will enable three (3) loggers for jdbc and provisioning roles to a new appender file under the Wildfly log folder. Allow this process to run when you execute your export IME process. After execution of the export IME process, adjust this script, then re-run the script with the replacement strings of ":remove" of the four (4) loggers/appender items.
Script: Use jboss-cli.sh process.
#######################################################################
# Name: Trace the Symantec Identity Manager Export of the IME
# Goal: Find any object that may need to be removed or adjusted to avoid a failure during an export.
# - Focus on jdbc and provisioning role loggers.
# Monitor: tail -f /opt/CA/wildfly-idm/standalone/log/im_export_debug.log
# Tool: /opt/CA/IdentityManager/IAM_Suite/IdentityManager/tools/ImportExportUtility/
#
# Ref: https://knowledge.broadcom.com/external/article/210825/identity-manager-role-definition-export.html
# FileName: im_export_debug.cli
# Execute the following:
#
# /opt/CA/wildfly-idm/bin/jboss-cli.sh --connect --user=jboss-admin --password=Password01! --file=im_export_debug.cli
#
# Optional: Add management user to allow access to jboss-cli.sh to adjust Wildfly logging.
# sudo /opt/CA/wildfly-idm/bin/add-user.sh -m -u jboss-admin -p Password01! -g SuperUser
#
# ANA/2022
connect
:take-snapshot
batch
# File handler for the export trace; suffix is given once (hourly rotation).
/subsystem=logging/periodic-rotating-file-handler=im_export:add(file={"path"=>"im_export_debug.log", "relative-to"=>"jboss.server.log.dir"}, level=DEBUG, append=true, autoflush=false, suffix=".yyyy-MM-dd-HH", formatter="%d{HH:mm:ss,SSS} [${jboss.bind.address}] [${jboss.node.name}] %-5p [%c] (%t) %-120s%E {%l}%n")
/subsystem=logging/logger=ims.jdbc.JDBCManagedObjectProvider:add(handlers=["im_export"], level=DEBUG, use-parent-handlers=false)
/subsystem=logging/logger=ims.jdbc.JDBCManagedObject:add(handlers=["im_export"], level=DEBUG, use-parent-handlers=false)
/subsystem=logging/logger=im.provisioning.provisioningrole:add(handlers=["im_export"], level=DEBUG, use-parent-handlers=false)
run-batch
# To remove - make a copy of this script and change the four (4) strings :add(XXXXXXXXXXXXX) to :remove
------------------------------
Alan Baugher
Original Message:
Sent: Apr 29, 2022 11:18 AM
From: Alan Baugher
Subject: Re: Identity Manager IME export fails
There are likely three (3) possible challenges.
1) Your IME has grown with the additions of new objects, e.g. Admin Roles, and Provisioning Roles, so that the expected export size of the XML file will be greater than the default max-post-size.
- /opt/CA/VirtualAppliance/custom/IdentityManager/config/max-post-size
Update the default value of 50MB to 100MB, recycle the Wildfly/JBOSS service, and re-attempt the export.
2) There is an object in the IME that is causing an export challenge. You need to find it with the logging.jsp using full debug during a failed export, ims=debug and im=debug. This should output a debug statement in server.log to help you identify it.
Tech note: https://knowledge.broadcom.com/external/article/210825/identity-manager-role-definition-export.html
3) Possible timeout of your ssh sessions that take longer than the export.
Run your export in the background.
nohup ./ImportExportUtil.sh > notes.txt 2>&1 &
Note: Avoid the SelectiveExport process, as this will perform a referential query before export, and therefore will take longer to export your objects. Use the ImportExportUtil.sh.
Enhance the ImportExportUtil.sh script with additional JAVA_OPT to allow it to have additional memory.
BEFORE:
#JAVA_OPTS="-Xms256m -Xmx512m $JAVA_OPTS"
AFTER:
JAVA_OPTS="-Xms256m -Xmx4g -Djava.net.preferIPv4Stack=true -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true $JAVA_OPTS"
------------------------------
Alan Baugher
Original Message:
Sent: Apr 26, 2022 05:27 AM
From: Calmis Marcel
Subject: Re: Identity Manager IME export fails
Hello,
Did someone solve the problem??? I am now receiving the same error and can't export my environment. Can you please help me and provide the resolution that worked for you? @Kamala Ramarao @Michael London
Thank you.
Original Message:
Sent: Dec 19, 2018 12:07 PM
From: Michael London
Subject: Re: Identity Manager IME export fails
I am receiving this same error when using ImportExportUtil. Has anyone seen a solution for this? I can't export this or my Roles and Tasks.
Thank you.