Symantec IGA

  • 1.  Synchronization Issue

    Posted Jan 07, 2014 02:03 AM

    Hello

    I have a system with the below configuration:

    1. CA IDM 12.6

    2. JBoss 5.1.0 EAP version

    3. SQL Server 2005 SP4

    4. Windows Server 2003 SP2

     

    1. Installed and configured CA IDM server with user store and provisioning user store.

    2. User store is connected to SQL Server 2005 (taken from the neteauto environment).

    3. Provisioning store is connected to the provisioning server.

    4. Provisioning server is integrated with the endpoint (Active Directory; created the neteauto directory structure in AD) using Provisioning Manager.

    5. Able to see Active Directory from Provisioning Manager (this shows the provisioning server is correctly integrated with the endpoint).

    6. Done synchronization using Configure Synchronization in the Provisioning Manager, referring to the CA IdentityMinder Configuration Guide.

    7. All the above IDM components are installed on a single machine except the endpoint (AD is installed on another machine).

     

    I am facing an issue with the following things:

    1. After all the above configuration is done, when we create a user in the IDM server, it is reflected in the relational database but not synchronized with AD. Please help me on this.

    2. I am trying to create a user in Provisioning Manager but it is not being reflected in the user store (SQL Server 2005).



  • 2.  RE: Synchronization Issue

    Posted Jan 08, 2014 01:13 AM
    Hello,
     
    Can anybody help me on this issue?
     
    Thanks
    Anand


  • 3.  RE: Synchronization Issue

    Posted Jan 08, 2014 01:32 AM

    1) To get an account created in AD when you create a user in IM, you will need to assign the created user a provisioning role containing an account template for Active Directory.

    2) When creating a user in Provisioning Manager, the user will be reflected up to the IM user store as long as the inbound and reverse sync is set up and working.

     

    Cheers, Atle



  • 4.  RE: Synchronization Issue

    Posted Jan 08, 2014 02:29 AM
    Hi Atle,
    1) To get an account created in AD when you create a user in IM, you will need to assign the created user a provisioning role containing an account template for Active Directory.
    When I try to create a user, I am not able to see any provisioning roles. Do we need to import any .xml file for this?
     
    2) When creating a user in Provisioning Manager, the user will be reflected up to the IM user store as long as the inbound and reverse sync is set up and working.
    Could you please tell me how to set up inbound and reverse sync?
     
    Thanks,
    Anand


  • 5.  RE: Synchronization Issue

    Posted Jan 08, 2014 03:10 AM

    Hi Anand

    1) You can set this up both in IM and in provisioning. I am much more familiar with the provisioning part.

    Create an account template in Provisioning Manager. Create a role in Provisioning Manager and add the newly created account template to this role.

    Go to the IM GUI and to Roles and Tasks. Access the provisioning roles submenu. Do a View Provisioning Roles and see if you can see the new provisioning role you created. If you cannot see it, access "Reset provisioning role owner". You should see it there. Select the new role and add yourself as owner.

    When creating a new user you can now go to the provisioning role tab and add the newly created provisioning role to the user.

     

    2) The inbound sync is normally set up when you install the system. Go to Provisioning Manager / System / Identity Manager Setup. Verify that the data here is OK. However, this is more for when an account is created/changed.

    For getting a new user created in the prov server, the inbound sync needs to be working, and the inbound mapping needs to be verified. Open up immanage, go into the environment / advanced settings / provisioning and look at your mapping. Also look at your application log (if JBoss, server.log) and see if you can see any messages about not being able to create an IM user when creating a prov user.

     

    Cheers, Atle



  • 6.  RE: Synchronization Issue

    Posted Jan 08, 2014 07:29 AM
    Hi Atle,
     
    I have created a global user in the Provisioning Manager console and it is not updated in the IM server.
    The error message is from the etanotify.log file:
     
    20140108:131632:TID=001dc8:I: START: Notify Batch Processing
    20140108:131632:TID=001dc8:I: Sending Notification: eTNotifyOpID=65ae8b3a-6453-43e6-a225-56fbcd93002b
    20140108:131632:TID=001dc8:I:   Event: Assign_Unassign_Admin_Profile (eTGlobalUserName=etaadmin)
    20140108:131632:TID=001dc8:I:   SeqNo: 0000000001
    20140108:131632:TID=001dc8:I: Try sending payload to http://***:8080/iam/im/ETACALLBACK/?env=demo1
    20140108:131633:TID=001dc8:E: ERROR: There was an error in Decrypting the inbound payload from the provisioning server. This could b
    20140108:131633:TID=001dc8:E:+e due to mismatched shared secrets.
    20140108:131633:TID=001dc8:E: Error in notification processing: Reason: Operation failed. ERROR: IMS was not able to consume the not
    20140108:131633:TID=001dc8:E:+ification successfully.
    20140108:131633:TID=001dc8:E: Originated from: .\EtaNotifyTools.cpp [1102].
    20140108:131633:TID=001dc8:I: DONE: Notifications Processed: 0/100+ [FAILED]
     
    Note: 
    I have updated the shared secret passwords in Provisioning Manager but am still facing the same error.
     
    Please do the needful.
     
    Thanks,
    Anand


  • 7.  RE: Synchronization Issue

    Posted Jan 08, 2014 08:00 AM

    Hi Anand

    This error is typical when you have different shared secrets.

    The shared secret is created during the installation process.
     
    You can verify/reset the shared secret like this:
     
    From the Provisioning Manager side:
    ===================================
    System > Identity Manager Setup > Shared secret, Confirm shared secret
     
     
    From the Identity Manager side:
    ===============================
    Verify that the file
    deploy\iam_im.ear\custom\identitymanager\systemWideProperties.properties
    contains the hashed value of the shared secret you used in Provisioning Manager. The attribute holding the hashed secret is IMeTASharedSecret.
    This can be done by using the password tool found in ..\IAM Suite\Identity Manager\tools\PasswordTool

    If the hash from the password tool is not the same as in the file, please copy the new hash in..... or find out exactly what the shared secret is.

    And copy the encrypted shared secret to this file.

     
    NOTE: If this is a FIPS install (i.e. if the Provisioning Manager field for the password is grayed out) then you would need to re-install and make sure the same FIPS key is used for IM and Provisioning.
    NOTE2: I think the file containing IMeTASharedSecret has changed name over the years. The name I used should be the latest. If not, just do a search for the attribute.

    Cheers, Atle



  • 8.  RE: Synchronization Issue

    Posted Jan 09, 2014 01:17 AM

    Hi Atle,

    1. I have reinstalled the provisioning server with a new shared secret.
    2. Generated the encrypted password using ..\IAM Suite\Identity Manager\tools\PasswordTool.
    3. Stored the encrypted password in the deploy\iam_im.ear\custom\identitymanager\systemWideProperties.properties file.

    When I created a global user in Provisioning Manager, it was not reflected in the IM server. When I verified the etanotify log file, I got the errors below:

    20140109:064352:TID=00128c:I: =================================================
    20140109:064352:TID=00128c:I: START: Notify Batch Processing
    20140109:064352:TID=00128c:I: Sending Notification: eTNotifyOpID=65ae8b3a-6453-43e6-a225-56fbcd93002b
    20140109:064352:TID=00128c:I:   Event: Assign_Unassign_Admin_Profile (eTGlobalUserName=etaadmin)
    20140109:064352:TID=00128c:I:   SeqNo: 0000000001
    20140109:064352:TID=00128c:I: Try sending payload to http://xxxx:8080/iam/im/ETACALLBACK/?env=demo1
    20140109:064422:TID=00128c:E: FAILED(http://xxxx:8080/iam/im/ETACALLBACK/?env=demo1): [rc=28] Operation timed
    20140109:064422:TID=00128c:E:+out after 30 seconds
    20140109:064422:TID=00128c:E: Error in notification processing: Reason: Operation failed. ALERT: Unable to contact any IMS. Processi
    20140109:064422:TID=00128c:E:+ng aborted.
    20140109:064422:TID=00128c:E: Originated from: .\EtaNotifyTools.cpp [1071].
    20140109:064422:TID=00128c:I: DONE: Notifications Processed: 0/100+ [FAILED]

     

    And also:

     

    20140109:070422:TID=00128c:I: =================================================
    20140109:070422:TID=00128c:I: START: Notify Batch Processing
    20140109:070422:TID=00128c:I: Sending Notification: eTNotifyOpID=65ae8b3a-6453-43e6-a225-56fbcd93002b
    20140109:070422:TID=00128c:I:   Event: Assign_Unassign_Admin_Profile (eTGlobalUserName=etaadmin)
    20140109:070422:TID=00128c:I:   SeqNo: 0000000001
    20140109:070422:TID=00128c:I: Try sending payload to http://xxxx:8080/iam/im/ETACALLBACK/?env=demo1
    20140109:070422:TID=00128c:E: ERROR: There was an error in Decrypting the inbound payload from the provisioning server. This could b
    20140109:070422:TID=00128c:E:+e due to mismatched shared secrets.
    20140109:070422:TID=00128c:E: Error in notification processing: Reason: Operation failed. ERROR: IMS was not able to consume the not
    20140109:070422:TID=00128c:E:+ification successfully.
    20140109:070422:TID=00128c:E: Originated from: .\EtaNotifyTools.cpp [1102].
    20140109:070422:TID=00128c:I: DONE: Notifications Processed: 0/100+ [FAILED]

    Note:
    IM server and provisioning server are in different domains.

    Thanks,

    Anand
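As an added example (not something posted in the thread), here is a Python parser for the etanotify.log format quoted above: it joins the `:E:+` continuation lines, which otherwise split the key phrases mid-word, and tallies the two distinct failure causes discussed in the replies (timeout reaching the IM callback URL versus a shared-secret mismatch). The sample log is constructed from this post's excerpts, and the cause labels are my own assumption.

```python
import re
from typing import Dict, List
# Constructed sample in the shape of the etanotify.log excerpts posted in this thread
# (host redacted as "xxxx", as in the post). Lines with ':E:+' are wrapped continuations.
SAMPLE_LOG = """\
20140109:064422:TID=00128c:E: FAILED(http://xxxx:8080/iam/im/ETACALLBACK/?env=demo1): [rc=28] Operation timed
20140109:064422:TID=00128c:E:+out after 30 seconds
20140109:064422:TID=00128c:E: Error in notification processing: Reason: Operation failed. ALERT: Unable to contact any IMS. Processi
20140109:064422:TID=00128c:E:+ng aborted.
20140109:064422:TID=00128c:I: DONE: Notifications Processed: 0/100+ [FAILED]
20140109:070422:TID=00128c:E: ERROR: There was an error in Decrypting the inbound payload from the provisioning server. This could b
20140109:070422:TID=00128c:E:+e due to mismatched shared secrets.
20140109:070422:TID=00128c:I: DONE: Notifications Processed: 0/100+ [FAILED]
"""

# date:time:TID=hex:level:[+]message  (a leading '+' marks a wrapped continuation line)
LINE_RE = re.compile(r"^(\d{8}):(\d{6}):TID=([0-9a-fA-F]+):([A-Z]):(\+?)(.*)$")

def parse_etanotify(text: str) -> List[dict]:
    """Parse etanotify.log text into entries, gluing '+' continuation lines back onto the
    preceding entry; the tool wraps mid-word, so fragments are joined with no separator."""
    entries: List[dict] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # separator rows and anything not in etanotify format
        date, time, tid, level, cont, msg = m.groups()
        if cont and entries:
            entries[-1]["message"] += msg
        else:
            entries.append({"timestamp": f"{date}:{time}", "tid": tid,
                            "level": level, "message": msg.strip()})
    return entries

# Fragments quoted in this thread, mapped to the cause discussed in the replies
# (labels are my own assumption; extend the list as other failure modes are observed).
CAUSES = [
    ("mismatched shared secrets", "shared secret differs between IM and Provisioning Server"),
    ("Unable to contact any IMS", "IM callback URL unreachable from the Provisioning Server"),
]

def diagnose(entries: List[dict]) -> Dict[str, int]:
    """Count error entries per suspected cause so the two distinct problems are not conflated."""
    counts = {label: 0 for _, label in CAUSES}
    for e in entries:
        for needle, label in CAUSES:
            if e["level"] == "E" and needle in e["message"]:
                counts[label] += 1
    return counts
```

Run it over a real etanotify.log with `parse_etanotify(open(path).read())`; a non-zero count for only one cause tells you which of the two problems in this thread you are actually looking at.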



  • 9.  RE: Synchronization Issue

    Posted Jan 09, 2014 03:40 AM

    Hi Anand

    I assume this is a test system?

    If so, I suggest cleaning out the notify database. When cleaning out the notify database, all "pending" notifications between the provisioning server and IM will be removed.

    1. Stop JBoss / WebSphere / WebLogic (not sure what you have)
    2. Stop IM Provisioning Server
    3. Stop IM Connector Server
    4. Open up a DOS command-line window on the provisioning directory server
    5. dxserver stop all
    6. dxserver status
    7. see the correct name of DSA "<machine-name>-impd-notify" and update the command below
    8. dxemptydb <machine-name>-impd-notify
    9. dxserver start all
    10. Start IM Provisioning Server
    11. Start IM Connector Server
    12. Start JBoss / WebSphere / WebLogic
     

    Cheers, Atle



  • 10.  RE: Synchronization Issue

    Posted Jan 09, 2014 04:29 AM

    Hi Atle,

     

    I have cleared all the notifications from the provisioning directory as you said in the last thread, but it is still not working.

    Here I want to tell you about my configuration. I have not used the provisioning directory (this is installed on a separate machine). I have connected from the IM server to the provisioning server using a configuration file (provisioning directory) in the IM server (Home -> Directories option), since I am using a relational database as the corporate user store. And I created an endpoint user store in Provisioning Manager (explore and correlate is not working either).

    I am planning to implement inbound and outbound synchronization using Provisioning Manager, but it is not working.

    Find the attached log from IM server machine for more information.

    Thanks,

    Anand



  • 11.  RE: Synchronization Issue
    Best Answer

    Posted Jan 09, 2014 04:42 AM

    Hi Anand

    All indications so far indicate problems with the encryption.

    You are now sure that the shared secret is the same in all places.

    And you have deleted the notify database (which uses the existing shared secret while storing stuff).

    You do not use SSL for this connection.

    This means that we probably need to do some deeper analysis of what the problem is.

    I suggest that you open up an issue with support. That way we can allocate some time to your issue.

     

    Cheers, Atle