(iSeries) Enterprise Identity Mapping troubleshooting tips
The following tips help you troubleshoot Enterprise Identity Mapping (EIM) configuration or connection factory configuration.
AdminControl service is not available
Symptom: The following message is displayed:
Message: WASX7017E: Exception received while running file "/QIBM/ProdData/OS400/Java400/cfgIdToken.jacl"; exception information: com.ibm.ws.scripting.ScriptingException: AdminControl service not available.
Explanation: The application server or deployment manager of the WebSphere Application Server profile is not started, or the wsadmin option -conntype NONE is specified.
Configuration-related messages returned by the sample application to the web browser session
Symptom: The following message is displayed:
Message: com.ibm.as400.access.AS400SecurityException: User ID is not known.
Explanation: The EIM does not contain a mapping for the user ID used to log in to the sample application.

Symptom: The following message is displayed:
Message: com.ibm.as400.access.ServerStartupException: Password encryption indicator is not valid.
Explanation: The target iSeries server is not configured for Enterprise Identity Mapping (EIM).

Symptom: The following message is displayed:
Message: java.net.ConnectException: A remote host refused an attempted connect operation.
Explanation: The target server is not an iSeries server.

Symptom: The following message is displayed:
Message: The lookup for the connection factory failed. Either the connector is not configured, or the servlet resource reference (JNDI name) is not set correctly in the web.xml file. The servlet expects the resource reference in the web.xml file to be eis/IdentityToken_Shared_Reference.
Explanation: Either the connector is not configured, or the servlet resource reference (JNDI name) is not set correctly in the web.xml file. The servlet expects the resource reference in the web.xml file to be eis/IdentityToken_Shared_Reference.

Symptom: The following message is displayed:
Message: The JAAS Subject object was not passed to the Java 2 Connector (J2C) connector because WAS security is not correctly configured for the servlet.
Explanation: WAS administrative security is not enabled.

Symptom: The following message is displayed:
Message: javax.resource.ResourceException: com.ibm.eim.jndi.DomainJNDI:method_name: failed to connect to initial directory context.
Explanation: This message is caused by one of the following issues:
- The authentication data entry configured for the connection factory contains an incorrect LDAP distinguished name.
- The authentication data entry configured for the connection factory contains an incorrect LDAP password.
- The LDAP host name configured for the connection factory is incorrect.
- The LDAP port configured for the connection factory is incorrect.
- The LDAP server is not started.
- The Enterprise Identity Mapping (EIM) domain name configured for the connection factory is incorrect.
- The EIM parent name configured for the connection factory is incorrect.

Symptom: The following message is displayed:
Message: javax.resource.ResourceException: Input URL is null or not valid.
Explanation: An LDAP host name is not configured for the connection factory.

Symptom: The following message is displayed:
Message: com.ibm.as400.access.AS400SecurityException: An unknown problem occurred.
Explanation: The target iSeries server is not joined to the EIM domain configured for the connection factory, or the EIM source registry name is incorrect.
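
The causes listed for the "failed to connect to initial directory context" message all surface as the same exception. The following added example (not IBM code and not part of the original page) tells them apart by attempting an LDAP simple bind with the values configured on the connection factory. All function names are hypothetical, and it assumes the LDAP port accepts plain connections without TLS.

```python
import socket

def tlv(tag, body):
    """BER-encode one element (two-byte long-form length from 128 bytes up)."""
    n = len(body)
    head = bytes([n]) if n < 128 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + head + body

def bind_request(dn, password):
    """LDAPv3 simple BindRequest (RFC 4511) with message ID 1."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, op))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                            # long-form length
        size, pos = n & 0x7F, pos + (n & 0x7F)
        n = int.from_bytes(buf[pos - size:pos], "big")
    return tag, buf[pos:pos + n], pos + n

def result_code(response):
    """Extract resultCode from an LDAPMessage that carries a BindResponse."""
    _, msg, _ = read_tlv(response, 0)
    _, _, pos = read_tlv(msg, 0)            # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:                         # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    return int.from_bytes(read_tlv(op, 0)[1], "big")

def classify(outcome):
    """Map a probe outcome (exception or LDAP resultCode) to a cause from the list."""
    if isinstance(outcome, socket.gaierror):
        return "LDAP host name is incorrect"
    if isinstance(outcome, (OSError, IndexError, ValueError)):
        return "LDAP port is incorrect or the LDAP server is not started"
    if outcome == 49:                       # invalidCredentials
        return "LDAP distinguished name or password is incorrect"
    if outcome == 0:
        return "bind succeeded; check the EIM domain name and parent name"
    return "bind rejected with LDAP resultCode %d" % outcome

def probe(host, port, dn, password, timeout=5.0):
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request(dn, password))   # simple bind, sent without TLS
            return classify(result_code(s.recv(4096)))
    except (OSError, IndexError, ValueError) as exc:
        return classify(exc)                # refused, timed out, or not LDAP
```

Call `probe(host, port, dn, password)` with the LDAP host name, port, distinguished name and password from the connection factory and its authentication data entry.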
Enable trace for EIM
This trace is only available for idTokenRA.JCA15.rar.
Perform the following steps to enable trace for EIM:
- From the administrative console, select Servers > Application Servers > server > Change Log Details Levels.
- Click the Runtime tab.
- Select Save runtime changes to configuration as well.
- Remove any previous entries in the text field, and type the following:
com.ibm.jca.idtoken.*=all: com.ibm.eim.token.*=all
- Click Apply and save the changes.