Common issues

Common issues

We might encounter common issues during the deployment and usage of IBM Security Identity Manager in ISIM virtual appliance. See the following common issues and workaround sections.

Data store configuration fails
Check the configuration of the database system.

On the Log Retrieval and Configuration page, click the Appliance tab and check the Identity data store configuration, server system out, and server messages.
If your configuration is not successful, try to configure again. In case of any problems, we might want use a previously taken snapshot to restore the virtual appliance to its previous state.

In the database server configuration, the certificate information window displays repeatedly even after you accept the certificate for the first time. The reason might be due to a cipher mismatch between your database server and virtual appliance cipher configuration.

Directory server configuration fails
Check the configuration of the directory server:

On the Log Retrieval and Configuration page, click the Appliance tab and check the directory server configuration, server system out, and server messages.
If your configuration is not successful, try to configure again. In case of any problems, we might want use a previously taken snapshot to restore the virtual appliance to its previous state.

In the directory server configuration, the certificate information window displays repeatedly even after you accept the certificate for the first time. The reason might be due to a cipher mismatch between your directory server and virtual appliance cipher configuration.

Unable to access ISIM virtual appliance console

View to verify the network configuration link IP, Subnet Mask, DNS, and Gateway are correct.

High disk usage notification on the dashboard

Reduce the setting for the Maximum size for log file rotation and Maximum number of historical log files.
Reduce the trace level from the command-line interface.
Clean the log files from Manage > Maintenance > Log Retrieval and Configuration.

For any other unrecoverable issues

Generate a support file using the command-line interface or ISIM virtual appliance console for the IBM Support Team.

CLI

isimva.example.com> support isimva.example.com:support> create isimva.example.com:support> download 1: isim_1.0.1.1_20130925-014609_isimva.example.com.zip 2: isim_1.0.1.1_20130925-015645_isimva.example.com.zip Enter index: 1 Insert a USB drive into the USB port on the appliance. Enter 'YES' to confirm: YES

Console

Log on to ISIM virtual appliance console.
Select Manage > System Settings > Support Files.
Click New to create a new file.
Click download to save a copy of the support file.

Unable to connect ISIM Server even with the correct host name
To resolve this issue, add the certificate to the client.

Log on with Administrator privileges on the client computer.
Start a web browser and go to the HTTPS URL for ISIM Server https://hostname where host name is the name of the computer that has ISIM virtual appliance Server.
In the web browser, export the security certificates to a file.
Complete the following instructions:

On the Microsoft Internet Explorer, click File > Properties.
Click Certificates.
Click the Certification Path tab.
Click the Details tab.
For each certificate marked with a red X in the certificate hierarchy, do the following actions.

Click View Certificate.
Click Details.
Click Copy to File.
Follow the instructions in the wizard with the following considerations:

When the Export format page is displayed, select the DER encode binary x.509 (CER) format.
Save the certificates on your local computer. For example: webhost.cer.

Restart the computer.

Unable to establish connection between IBM Security Identity Manager virtual appliance cluster nodes

Symptom.
The communication between IBM Security Identity Manager virtual appliance cluster node fails when IBM Security Identity Manager virtual appliance is unable to resolve another node name. The IBM Security Identity Manager virtual appliance liberty logs (trace*.log) contains an error message, for example:.
getStatus Status of Node <ISIM_VA_NodeName> is unavailable

We can view the liberty logs using the using virtual appliance CLI :.

Navigate to the monitor command.
<ISIMVA_SERVER> > isim <ISIMVA_SERVER>: isim> logs <ISIMVA_SERVER>: logs> monitor <ISIMVA_SERVER>: monitor>

Select option 2, and then option 4 to view the trace.log file contents.

We can also find these logs in support files at: <SupportFile_ExtractedDirectory>/tmp/liberty_dump/logs/trace*.lo.
Diagnosing the proble.
Use the following CLI commands to verify the network connection between the IBM Security Identity Manager virtual appliance can be established.

<isimva_server>: tools> connect
<isimva_server>: tools> ping
<isimva_server>: tools> traceroute

For more information on the connect, ping, and traceroute commands, see tools command.
Cause. Possible reasons:

The IBM Security Identity Manager virtual appliance has short host name.
The short host name does not map to the same IP address as the long host name.

Resolving the proble.

Ensure that ISIM virtual appliance cluster nodes have fully qualified domain names (FQDN) as a host name.
To change the host name, see Change host name of ISIM virtual appliance.
Ensure that the hosts file is correctly configured with the fully qualified domain names of IBM Security Identity Manager virtual appliance cluster nodes.
To manage hosts file, see Manage hosts file.

Unable to establish connection between IBM Security Identity Manager virtual appliance and external systems

Symptom.
Network problems make it difficult to establish a connection between IBM Security Identity Manager virtual appliance and external systems.
Diagnosing the proble.
Use the following CLI commands to verify the network connection between ISIM virtual appliance and external systems can be established.

<isimva_server>: tools> connect
<isimva_server>: tools> ping
<isimva_server>: tools> traceroute

For more information on the connect, ping, and traceroute commands, see tools command.
Cause.

Firewall exists between IBM Security Identity Manager virtual appliance and external system and it is blocking incoming traffic from IBM Security Identity Manager virtual appliance.
Firewall exists on external system and it is blocking incoming traffic from IBM Security Identity Manager virtual appliance or outgoing traffic from an external system.
Issue with the subnet and subnet mask. Should the system belong to the same subnet or different subnets?
Another DNS entry for some other system using the same IP address.

Resolving the proble.

Modify the firewall setting to allow the incoming and outgoing traffic between IBM Security Identity Manager virtual appliance and external systems.
The DNS must not grant entry to another system with the same IP address.
Ensure that the correct subnet and subnet mask details are set. If IBM Security Identity Manager virtual appliance and external systems belong to different subnets, then make sure that we have added a static route. To add a static route, see Configure static routes.

Troubleshooting IBM Security Identity Manager failures in an IBM Security Identity Manager virtual appliance cluster environment

IBM Security Identity Manager operations go into a hanging or pending state.
Diagnosing the proble.
For debugging ISIM performance and hang related issues, generate a core dump. See Manage the core and heap dump files.
Symptom.
IBM Security Identity Manager issues warnings about database connection pool being used up during reconciliation or other IBM Security Identity Manager operations causes IBM Security Identity Manager to fail..
The WebSphere Application Server SystemOut*.log or IBM Security Identity Manager trace*.log files show that the database connection pool is all used up and no free connections available..
To view the log files use the "Log Retrieval and Configuration" panel. The SystemOut*.log of the application server can be viewed using IBM Security Identity Manager VA CLI: .

Navigate to the monitor command.
<ISIMVA_SERVER> > isim <ISIMVA_SERVER>: isim> logs <ISIMVA_SERVER>: logs> monitor <ISIMVA_SERVER>: monitor>

Select option 5, and then option 2 to view the SystemOut*.log file contents.
We can also find SystemOut *.log files in support file at: <SupportFile_ExtractedDirectory>/opt/ibm/WebSphere/AppServer/profiles/<NodeName>/logs/<APP_MEMBER_NAME>/SystemOut*.lo.

View the trace*.log of ISIM by using ISIM VA CLI .
Browse for the monitor command.
<ISIMVA_SERVER> > isim <ISIMVA_SERVER>: isim> logs <ISIMVA_SERVER>: logs> monitor <ISIMVA_SERVER>: monitor>

We can find trace*.log files in support files at: <SupportFile_ExtractedDirectory>/var/ibm/tivoli/common/CTGIM/logs/trace*.lo.

Resolving the proble.
To check the existing database connection pool setting, see Manage database connection pool settings.
To calculate the maximum and minimum number of physical connections required in your case, see "Configuring WebSphere JDBC Connections” topic in ISIM Versions 6.0/7.0 Performance Tuning Guide. After pool values are identified, change the database connection pool settings.

Troubleshooting messaging, transactions issues, and tables that are involved in it

Diagnosing the proble.
The messaging and transactions are managed by WebSphere Application Server. We must check the SystemOut*.log of the messaging server.
We can view the SystemOut*.log files using ISIM VA CLI:.

Navigate to the monitor command.
<ISIMVA_SERVER> > isim <ISIMVA_SERVER>: isim> logs <ISIMVA_SERVER>: logs> monitor <ISIMVA_SERVER>: monitor>

Select option 6, and then option 2 to view the SystemOut*.log file contents.
We can also find SystemOut *.log files in support file at: <SupportFile_ExtractedDirectory>/opt/ibm/WebSphere/AppServer/profiles/<NodeName>/logs/<MSG_MEMBER_NAME>/SystemOut*.lo.
For more information about how messaging and transactions work, see the IBM WebSphere Application Server product documentation.
To check the SIB tables that are involved in messaging, see Clearing the service integration bus.

Parent topic: Troubleshooting virtual appliance problems