Symantec IGA


Define a IG Connector to CA Identity Manager

  • 1.  Define a IG Connector to CA Identity Manager

    Posted Aug 06, 2018 12:01 PM

    Hi All,

     

    I am trying to integrate IG(14.1) and IM(14.1)

    I created a universe first for IM ---> Selected connector type as identity minder from connectivity tab----> Completed connection setting form

    I had also imported the smart provisioning role def in IM. I can connect to IG from IM without any issue (System, CA Identity Governance Configuration, Define Configuration, test connection).

    The issue is with IG trying to connect to IM. It seems like the SiteMinder integration with IM might be the cause.

    Below is the connection setting wizard data:

    •Required Host Name: IMSERVER

    •Required Port: 80(Because of siteminder presence)

    •Required Login Name: imadmin/also tried full dn

    •Required Password:

    Secured: no

    •Required Environment: IDM

    Error in IG logs:

     

    08:32:57,240 ERROR [com.netegrity.crypto.PBEMD5RC2CBCPKCS5PBE100064Handler] (default task-13) javax.crypto.BadPaddingException: Error finalising cipher data: pad block corrupted
    08:32:57,240 ERROR [com.ca.clientconnection.WebServiceHandler] (default task-13) decryption: Failed decrypting 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: null: java.lang.NullPointerException

    08:32:57,240 ERROR [com.ca.clientconnection.WebServiceHandler] (default task-13) WebServiceHandler.getJSONObject: Failed to get information from IM for managed object type configuration: java.lang.NullPointerException: com.ca.clientconnection.clientapi.ClientConnectionException: java.lang.NullPointerException
    at com.ca.clientconnection.clientimpl.util.WebServiceHandler.decryption(WebServiceHandler.java:718) [clientconnection-impl-14.1.0-327.jar:]
    at com.ca.clientconnection.clientimpl.util.WebServiceHandler.getJSONObject(WebServiceHandler.java:362) [clientconnection-impl-14.1.0-327.jar:]
    at com.ca.clientconnection.clientimpl.IMConnectionObject.loadDirectoryConfiguration(IMConnectionObject.java:238) [clientconnection-impl-14.1.0-327.jar:]
    at com.ca.clientconnection.clientimpl.IMConnectionObject.<init>(IMConnectionObject.java:91) [clientconnection-impl-14.1.0-327.jar:]

     

    Thanks in Advance!!! 

     

    Regards,

    Amit



  • 2.  Re: Define a IG Connector to CA Identity Manager
    Best Answer

    Broadcom Employee
    Posted Aug 06, 2018 02:15 PM

    Don't connect through the SSO agent; connect directly to the application server port.

    IM is protecting the IM via the internal agent



  • 3.  Re: Define a IG Connector to CA Identity Manager

    Posted Aug 07, 2018 02:19 AM

    Hello Sir,

    I have IM integrated with SSO (through the tunnel agent). Now I am trying to integrate IM with IG.

    While creating the IM connector I first tried with the web server details, as per the CA docs:

    "Note: If you have CA Single Sign On in your deployment, set the CA Identity Manager port to 80."

    Now I tried connecting directly to the application server port (8080), and I am getting the error below:

    23:07:07,676 INFO [com.eurekify.connectors.ccl.session.SessionFactoryImpl] (default task-13) Testing connection using the following connection settings:
    <xml-fragment xmlns:im="http://www.ca.com/rcm/connectors/im" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <im:host-name>imserver</im:host-name>
    <im:port>8080</im:port>
    <im:login-name>imadmin</im:login-name>
    <im:secured>false</im:secured>
    <im:im-connection>
    <im:environment>IDM</im:environment>
    <im:rcm-host-name xsi:nil="true"/>
    <im:rcm-port xsi:nil="true"/>
    <im:rcm-universe>IDM Universe</im:rcm-universe>
    <im:rcm-login-name xsi:nil="true"/>
    <im:rcm-secured>false</im:rcm-secured>
    <im:rcm-connection-disabled>true</im:rcm-connection-disabled>
    </im:im-connection>
    </xml-fragment>
    23:07:29,754 ERROR [com.ca.clientconnection.WebServiceHandler] (default task-13) WebServiceHandler.getWSConfigurationJSON: Failed to get configuration from IM for: Failed to get configuration from IM: Internal Server Error: com.ca.clientconnection.clientapi.ClientConnectionException: Failed to get configuration from IM: Internal Server Error

     

    Thanks,

    Amit



  • 4.  Re: Define a IG Connector to CA Identity Manager

    Broadcom Employee
    Posted Aug 07, 2018 02:50 AM

    Sometimes this error indicates that the pre-requisites are not met on the IM side of the connection.  Make sure you have the 6 required web services enabled and the account you connect with has the right to use those web services.



  • 5.  Re: Define a IG Connector to CA Identity Manager

    Posted Aug 07, 2018 03:53 AM

    Hello Ricky,

     

    Web service is enabled for all 6 tasks; I have verified it. I also see the tasks when I hit the TEWS URL or via SoapUI.

    The imadmin user has access to all these tasks.

     

    I tried enabling debug logs for com.ca.clientconnection.WebServiceHandler, but did not get much in the logs:

     

    <xml-fragment xmlns:im="http://www.ca.com/rcm/connectors/im" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <im:host-name>IMSERVER</im:host-name>
    <im:port>80</im:port>
    <im:login-name>imadmin</im:login-name>
    <im:secured>false</im:secured>
    <im:im-connection>
    <im:environment>Amitnew</im:environment>
    <im:rcm-host-name xsi:nil="true"/>
    <im:rcm-port xsi:nil="true"/>
    <im:rcm-universe>IDM Universe</im:rcm-universe>
    <im:rcm-login-name xsi:nil="true"/>
    <im:rcm-secured>false</im:rcm-secured>
    <im:rcm-connection-disabled>true</im:rcm-connection-disabled>
    </im:im-connection>
    </xml-fragment>
    00:44:52,437 DEBUG [com.ca.clientconnection.WebServiceHandler] (default task-7) WebServiceHandler.getWSConfigurationJSON: : Get configuration from IM
    00:45:15,451 DEBUG [com.ca.clientconnection.WebServiceHandler] (default task-7) WebServiceHandler.getWSConfigurationJSON: Failed to get configuration from IM: Internal Server Error
    00:45:15,451 ERROR [com.ca.clientconnection.WebServiceHandler] (default task-7) WebServiceHandler.getWSConfigurationJSON: Failed to get configuration from IM for: Failed to get configuration



  • 6.  Re: Define a IG Connector to CA Identity Manager

    Posted Aug 07, 2018 04:18 AM

    Ricky,

    I might have missed the prerequisite below:

    Verify that the systems that host CA Identity Governance and CA Identity Manager meet the Integration prerequisites.

     

    I have no idea what it means.

     

    Regards,

    Amit



  • 7.  Re: Define a IG Connector to CA Identity Manager

    Posted Aug 07, 2018 12:52 PM

    Latest error:

     

    <xml-fragment xmlns:im="http://www.ca.com/rcm/connectors/im" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <im:host-name>imserver</im:host-name>
    <im:port>80</im:port>
    <im:login-name>imadmin</im:login-name>
    <im:secured>false</im:secured>
    <im:im-connection>
    <im:environment>amitnew</im:environment>
    <im:rcm-host-name xsi:nil="true"/>
    <im:rcm-port xsi:nil="true"/>
    <im:rcm-universe>IDM Universe</im:rcm-universe>
    <im:rcm-login-name xsi:nil="true"/>
    <im:rcm-secured>false</im:rcm-secured>
    <im:rcm-connection-disabled>true</im:rcm-connection-disabled>
    </im:im-connection>
    </xml-fragment>
    09:47:23,085 DEBUG [com.ca.clientconnection.WebServiceHandler] (default task-15) WebServiceHandler.getWSConfigurationJSON: : Get configuration from IM
    09:47:41,710 DEBUG [com.ca.clientconnection.WebServiceHandler] (default task-15) WebServiceHandler.getJSONObject: : Get definitions from IM for managed object type configuration
    09:47:41,710 DEBUG [com.ca.clientconnection.WebServiceHandler] (default task-15) WebServiceHandler.generateDigest data:GET-imrcm-amitnew
    09:47:42,741 ERROR [com.netegrity.crypto.PBEMD5RC2CBCPKCS5PBE100064Handler] (default task-15) javax.crypto.BadPaddingException: Error finalising cipher data: pad block corrupted

    09:47:42,756 ERROR [com.ca.clientconnection.WebServiceHandler] (default task-15) decryption: Failed decrypting 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: null: java.lang.NullPointerException
    at java.lang.String.<init>(String.java:491) [rt.jar:1.8.0_171]
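
A triage helper for the IG log excerpts posted above, added here as an example (not code from the posters or from CA): it pairs each logged connection-settings fragment with the ERROR lines that follow it, so the port and `secured` value behind each failure are visible side by side. The function names and the abridged sample are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"im": "http://www.ca.com/rcm/connectors/im"}
LOG_RE = re.compile(r"^\d\d:\d\d:\d\d,\d{3} (\w+)\s+\[[^\]]+\] \([^)]+\) (.*)$")
CONFIG_ERR = re.compile(r"Failed to get configuration from IM: ([^:]+)")

# Constructed sample: abridged from the log excerpts quoted in this thread.
SAMPLE = """\
<xml-fragment xmlns:im="http://www.ca.com/rcm/connectors/im">
<im:host-name>imserver</im:host-name><im:port>8080</im:port><im:secured>false</im:secured>
<im:im-connection><im:environment>IDM</im:environment></im:im-connection>
</xml-fragment>
23:07:29,754 ERROR [com.ca.clientconnection.WebServiceHandler] (default task-13) WebServiceHandler.getWSConfigurationJSON: Failed to get configuration from IM for: Failed to get configuration from IM: Internal Server Error: com.ca.clientconnection.clientapi.ClientConnectionException
<xml-fragment xmlns:im="http://www.ca.com/rcm/connectors/im">
<im:host-name>imserver</im:host-name><im:port>80</im:port><im:secured>false</im:secured>
<im:im-connection><im:environment>amitnew</im:environment></im:im-connection>
</xml-fragment>
09:47:42,741 ERROR [com.netegrity.crypto.PBEMD5RC2CBCPKCS5PBE100064Handler] (default task-15) javax.crypto.BadPaddingException: Error finalising cipher data: pad block corrupted
"""

def classify(message):
    """Return a short label for the connector failures seen in the thread."""
    if "BadPaddingException" in message:
        return "pad block corrupted"
    m = CONFIG_ERR.search(message)
    return m.group(1).strip() if m else None

def correlate(text):
    """Attach each ERROR to the connection-settings fragment logged before it."""
    attempts, buf = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("<xml-fragment"):
            buf = [line]                      # start collecting a settings fragment
        elif buf is not None:
            buf.append(line)
            if line == "</xml-fragment>":
                root = ET.fromstring("".join(buf))
                attempts.append({
                    "port": int(root.findtext("im:port", namespaces=NS)),
                    "environment": root.findtext(".//im:environment", namespaces=NS),
                    # Assumption: secured=false means the connector uses plain HTTP.
                    "cleartext": root.findtext("im:secured", namespaces=NS) == "false",
                    "errors": [],
                })
                buf = None
        elif attempts and (m := LOG_RE.match(line)) and m.group(1) == "ERROR":
            if (label := classify(m.group(2))) and label not in attempts[-1]["errors"]:
                attempts[-1]["errors"].append(label)
    return attempts
```

Calling `correlate(SAMPLE)` returns one record per test-connection attempt; feed it the real server log to see which port and environment each failure belongs to.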



  • 8.  Re: Define a IG Connector to CA Identity Manager

    Posted Aug 13, 2018 05:30 AM

    Hi Amit,

     

    I am facing the same issue. I have 2 questions:

    1) Is this issue fixed?

     

    2) What are the 6 web services which need to be enabled?

    Which web services need to be enabled for all 6 tasks?



  • 9.  Re: Define a IG Connector to CA Identity Manager

    Posted Aug 13, 2018 05:37 AM

    Hi Sudheer,

     

    The issue is not yet resolved. I suggest you raise a case with CA.

     

    Thanks,

    Amit



  • 10.  Re: Define a IG Connector to CA Identity Manager

    Posted Aug 13, 2018 06:07 AM

    Thanks Amit,

     

    I already raised an issue with CA support and am waiting for their comments. It's already been 2 months now.



  • 11.  Re: Define a IG Connector to CA Identity Manager

    Posted Aug 08, 2018 08:39 AM

    The URL that IG was sending to the agent was not protected, hence the above error (http://IMSERVER.***.***/iam/im/ws/amitnew/wsconfiguration).

    After creating a realm for the above URL, I am no longer seeing the pad block corrupted error; instead I am now getting a Forbidden error:


    05:18:02,462 ERROR [com.ca.clientconnection.WebServiceHandler] (default task-6) WebServiceHandler.getWSConfigurationJSON: Failed to get configuration from IM for: Failed to get configuration from IM: Forbidden: com.ca.clientconnection.clientapi.ClientConnectionException: Failed to get configuration from IM: Forbidden
    at com.ca.clientconnection.clientimpl.util.WebServiceHandler.getWSConfiguration(WebServiceHandler.java:418) [clientconnection-impl-14.1.0-327.jar:]

     

    The CA docs do not mention anything to be done in case CA Identity Minder and SiteMinder are integrated, but from what I have seen so far something is missing at SM, as the request itself is not reaching IM.

    The SiteMinder trace logs seem okay, except it never checks for the IMADMIN user.

     

    [08/08/2018][05:18:02.559][05:18:02][2848][2980][Sm_Az_Message.cpp:155][CSm_Az_Message::ProcessMessage][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Az_Message::ProcessMessage]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][s197/r2][][][][][][][][][][][][][][][][][][][*10.0.0.6][Receive request attribute 208, data size is 9]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][s197/r2][][][][][][][][][][][][][][][][][][][00000000000000000000000001000000-155c-5b6adf7a-1374-01fa074d][Receive request attribute 221, data size is 60]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][s197/r2][iisagentidm][][][][][][][][][][][][][][][][][][imserver][Receive request attribute 200, data size is 11]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][s197/r2][iisagentidm][][][][][][][][][][][][][][][][][][http://IMSERVER.amit.com][Receive request attribute 217, data size is 24]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][s197/r2][iisagentidm][][][][][][][][][][][][][][][][][][/iam/im/ws/wsconfiguration/amitnew][Receive request attribute 201, data size is 34]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][s197/r2][iisagentidm][][][][][][][][][][][][][][][][][][POST][Receive request attribute 202, data size is 4]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][s197/r2][iisagentidm][][][][][][][][][][][][][][][][][][FALSE][Receive request attribute 134, data size is 5]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][Sm_Az_Message.cpp:208][CSm_Az_Message::ProcessMessage][s197/r2][iisagentidm][][][][][][][][][][][][][][][][][][imserver][** Received agent request.]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmObjCache.cpp:779][CSmObjCache::Lookup][][][][][][][][][][][][][][][][][][][][][Look up a cached object.]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][Sm_Az_Message.cpp:390][CSm_Az_Message::AnalyzeAzMessage][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Az_Message::AnalyzeAzMessage]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][Sm_Az_Message.cpp:398][CSm_Az_Message::AnalyzeAzMessage][][][][][][][][][][][][][true][][][][][][][][Leave function CSm_Az_Message::AnalyzeAzMessage]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][IsProtected.cpp:52][CSm_Az_Message::IsProtected][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Az_Message::IsProtected]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][IsProtected.cpp:75][CSm_Az_Message::IsProtected][][iisagentidm][][][][][][][][][][][][][10.0.0.4][][][][][1542][Received request from agent, check agent api version.]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][IsProtected.cpp:98][CSm_Az_Message::IsProtected][][iisagentidm][/iam/im/ws/wsconfiguration/amitnew][][][][][][][][][][][][http://IMSERVER.amit.com][][][][][][Starting IsProtected processing.]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmAuthorization.cpp:544][CSmAz::IsProtected][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::IsProtected]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmObjCache.cpp:779][CSmObjCache::Lookup][][][][][][][][][][][][][][][][][][][][][Look up a cached object.]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmAuthorization.cpp:620][CSmAz::IsProtected][][][/iam/im/ws/wsconfiguration/amitnew][][][Amitnew_ims_realm][AmitnewDomain][][][][][][][][][][][][][][Resource is protected by realm.]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmAuthorization.cpp:622][CSmAz::IsProtected][][][][][][][][][][][][][Realm][][][][][][][][Leave function CSmAz::IsProtected]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmObjCache.cpp:779][CSmObjCache::Lookup][][][][][][][][][][][][][][][][][][][][][Look up a cached object.]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmAuthDir.cpp:22][SmAuthQuery][][][][][][][][][][][][][][][][][][][][][Enter function SmAuthQuery]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][SmAuthDir.cpp:41][SmAuthQuery][][][][][][][][][][][][][Sm_AuthApi_Success][][][][][][][][Leave function SmAuthQuery]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][Sm_Az_Message.cpp:409][CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Az_Message::SendReply]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s197/r2][iisagentidm][][][][Amitnew_ims_realm][AmitnewDomain][][][][][][][][][][][][][03-a8e8837d-4e75-490a-b4a0-9cb798c993c5][Send response attribute 150, data size is 39]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s197/r2][iisagentidm][][][][Amitnew_ims_realm][AmitnewDomain][][][][][][][][][][][][][06-bfaa6136-09e2-4495-a70c-968dbfe611ee][Send response attribute 204, data size is 39]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s197/r2][iisagentidm][][][][Amitnew_ims_realm][AmitnewDomain][][][][][][][][][][][][][Amitnew_ims_realm][Send response attribute 203, data size is 17]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s197/r2][iisagentidm][][][][Amitnew_ims_realm][AmitnewDomain][][][][][][][][][][][][][1][Send response attribute 219, data size is 1]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s197/r2][iisagentidm][][][][Amitnew_ims_realm][AmitnewDomain][][][][][][][][][][][][][][Send response attribute 220, data size is 0]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s197/r2][iisagentidm][][][][Amitnew_ims_realm][AmitnewDomain][][][][][][][][][][][][][][Send response attribute 146, data size is 0]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s197/r2][iisagentidm][][][][Amitnew_ims_realm][AmitnewDomain][][][][][][][][][][][][][][Send response attribute 147, data size is 0]
    [08/08/2018][05:18:02.559][05:18:02][2848][2980][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s197/r2][iisagentidm][][][][Amitnew_ims_realm][AmitnewDomain][][][][][][][][][][][][][][** Status: Protected. ]
    [08/08/2018][0