Usage problems

Search limit exceeded

The ui.properties file limits the number of results for accounts with default group attribute widget of the type search filter list box. The limit is 1000. The search returns only the first 1000 entries.

To access the remaining entries we must modify the account form to include a filter field so that we can narrow the search.

1. Log on to the IBM Security Identity Manager virtual appliance console.

2. From the Quick Links widget on the Appliance Dashboard, click Identity Administration Console.

3. Log on to ISIM Console.

4. Click Configure System > Design Forms.

5. Click Accounts.

6. Double-click the account to modify.

7. Double-click the attribute on which we are searching on. It is identified as [ListBox].
8. Specify the object class.

9. Select the Show Query UI check box and click OK.

10. Click Save.

11. Click OK.

Information is garbled in a CSV-formatted report

If you save or view a report in CSV format, UTF-8 encoding is used to format the output file. This format is supported by most CSV-compatible applications for viewing or manipulating CSV information. Some viewers might not support UTF-8 encoding or might not be set to open UTF-8 formatted files.

If the information in a CSV report does not render successfully, ensure that the application supports UTF-8 encoding and is set to use UTF-8 encoding.

Generating a PDF report with an active report file open fails

You generated a report output file as a Portable Document Format (PDF) file and either minimized the displayed information or left the file open.

We cannot generate another report until you close the active report file.

Report has Deprecated label Access Control Information

The report feature uses a deprecated label called Access Control Information. The new label is Access Control Item (ACI). We might see the deprecated label if you:

• View the Access Control Information {ACIs} report builder.

• Click Run report > Access Reports > Access Control Information {ACIs} on the Reports tab.

Edit the reportingLabels.properties file and manually change the value for accessControlInformation. For example, the deprecated value is accessControlInformation=Access Control Information {ACIs}, and the correct value is accessControlInformation=Access Control Item {ACIs}. To update the reportingLabels.properties file:

1. Log on to the IBM Security Identity Manager virtual appliance console.

2. From the top-level menu of the Appliance Dashboard, select Configure > Advanced Configuration > Update Property

3. In the Update Property page, do these steps.

   1. In the All properties tab, click Identity server property files.

   2. Select reportingLabels.properties.

   3. Select accessControlInformation in the right pane and click Edit.

      See Manage the server properties.

The font in a report is too small

If the font in the report is too small to read, save the report in PDF format or in CSV format and print the report. To save the report:

1. Select File > Save As from the report output window.
2. Browse to the directory where to save the file.

3. Enter a valid file name.
4. Save the document.

We can print both PDF and CSV format reports. We can print PDF reports in portrait or landscape modes. CSV can print reports that do not fit on a single page horizontally. To print a CSV report:

1. Select the CSV report format when generating the report.

2. Select the Save As option in the dialog box.
3. Provide a valid location and file name for saving the report.
4. Use Microsoft Excel or any other CSV file reader to open the report.
5. Use the print option to print the document.

Add the owner attribute causes an UnsupportedOperationException error

Add the owner attribute on an account form might cause a java.lang.UnsupportedOperationException error. The message is:

CTGIMO002E. An unhandled exception occurred.
Error: java.lang.UnsupportedOperationException: the owner and (or) service 
or an account cannot be changed.

Do not use the Form Designer to add the owner attribute to an account form.

Use ISIM account adoption and orphan operations to set or clear the owner of an account.

An organizational unit name with more than 128 characters is not created

If the organizational unit name exceeds 128 characters, the name is not created. Do not enter a value greater than 128 characters for the organizational unit name. A long name within the 128-character limit does not wrap when displayed.

The authenticated token can call only the SelfPasswordManager.resetPassword() API after authentication using the challenge-response authentication system

If the system configuration property Lost password question behavior is set to Reset Password, the authenticated token can call only the SelfPasswordManager.resetPassword() API after the challenge-response authentication system authenticates a user.

Set the system configuration property Lost password question behavior to Direct Entry, so that the authenticated token can be used to call any API.

Forms generate an authorization exception

A user without attribute-level permission to read or write for a field tries to set a value for a drop-down list or plain list box. The form designer generates an authorization exception. When the field value is not set, the form viewer sets the value to the first item in the list.. Take one of the following actions:

• Designate a user with the appropriate attribute-level permission to set the value of the problem field. After the field is set to any value, the user without read and write permissions can modify the entity without authorization violations.
• Add a blank value to the top of the list. If the form viewer selects the blank value, no authorization violation occurs because a blank value and no selection are treated as the same condition.
• Check the Use Blank Row check box on all drop-down lists that use Form Customization.

• If the data is not sensitive, grant both read and write permissions for this attribute to the user.

Making multiple modifications to a Security Identity Manager object gives an unexpected outcome or failure with warning messages

A concurrent operation on the same object causes a trace condition that makes the outcome unpredictable. This problem occurs when using the APIs, such as submitting multiple requests to modify the same object in a while-for loop.

To ensure that all pending actions complete successfully, pause for an interval, such as a minute, before making a second modification to the same object. Alternatively, collect all the attribute changes on the same object and submit the changes as a single modify request. When we use ISIM APIs, consider collecting all your attribute changes to the object in the while-for loop. Then submit the changes as a single modify request.

LDAP version 3 filters cause adapter problems

Using LDAP Version 3 filters causes inconsistent results from an adapter, or might not be accepted by the adapter as input. Using more than two arguments in a reconciliation filter might cause an error unless multiple operators are used. For example, the following filter causes a FilterException error:

(&(eruid=a*)(ersql2000defdatabase=i*)(ersql2000deflanguage=E*))

Use filters that are compliant with LDAP Version 2.

(&(&(eruid=a*)(ersql2000defdatabase=i*))(ersql2000deflanguage=E*))

Parent topic: Troubleshooting ISIM Server problems