IBM Security Verify

  • 1.  Issue with SDI after upgrade

    Posted Tue October 31, 2023 10:37 AM

    Hi,

    I am using SDI to update accounts in ISVA using the ISAM v2 Connector.

    Recently I've upgraded SDI on my Windows laptop with FP0010

    applyUpdates.bat -queryreg
    Information from .registry file in: C:\Beheer\SDI\IBM\TDI\V7.2
    Edition: Identity
    Level: 7.2.0.10
    License: Full

    Fixes Applied
    =-=-=-=-=-=-=
    SDI-7.2-FP0010(7.2.0.6)
    SDI-7.2-FP0006(7.2.0.3)
    SDI-7.2-FP0003(7.2.0.0)

    Components Installed
    =-=-=-=-=-=-=-=-=-=
    BASE
       -SDI-7.2-FP0010
       -SDI-7.2-FP0006
       -SDI-7.2-FP0003
    SERVER
       -SDI-7.2-FP0010
       -SDI-7.2-FP0006
       -SDI-7.2-FP0003
    CE
       -SDI-7.2-FP0010
       -SDI-7.2-FP0006
       -SDI-7.2-FP0003
    JAVADOCS
       -SDI-7.2-FP0010
    EXAMPLES
       -SDI-7.2-FP0010
       -SDI-7.2-FP0006
       -SDI-7.2-FP0003
    IEHS
    EMBEDDED WEB PLATFORM
    AMC
       Deferred: false

    When I start my assembly line I get the following error:

    15:04:55,333 INFO  - CTGDIS255I AssemblyLine AssemblyLines/CleanupCIAM is started.
    15:04:56,083 INFO  - Scripts functions : Initialise
    15:04:56,184 INFO  - [InputFromISAM] CTGDIH401I ISAM v2 Connector version 20210114 .
    15:04:56,825 ERROR - [InputFromISAM] CTGDIS810E handleException - cannot handle exception , initialize 
    com.tivoli.pd.rgy.exception.ServerDownRgyException: HPDAA0278E   None of the configured LDAP servers of the appropriate type for the operation can be contacted.
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr.getBestServerWithRecovery(LdapRgyHandleMgr.java:694)
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr.setupHandle(LdapRgyHandleMgr.java:734)
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr.access$500(LdapRgyHandleMgr.java:66)
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr$JndiOperation.retryJndiOperation(LdapRgyHandleMgr.java:2307)
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr.searchAndFetch(LdapRgyHandleMgr.java:1554)
        at com.tivoli.pd.rgy.ldap.LdapRgyServerInfo.determineLdapServerType(LdapRgyServerInfo.java:925)
        at com.tivoli.pd.rgy.ldap.LdapRgyServerInfo.getLdapServerType(LdapRgyServerInfo.java:378)
        at com.tivoli.pd.rgy.ldap.LdapRgyDomainInfo.getSecAuthInfo(LdapRgyDomainInfo.java:210)
        at com.tivoli.pd.rgy.ldap.LdapRgyDomainInfo.get(LdapRgyDomainInfo.java:139)
        at com.tivoli.pd.rgy.ldap.LdapRgyDomainMgr.getDomainInfo(LdapRgyDomainMgr.java:184)
        at com.tivoli.pd.rgy.ldap.LdapRgyEntityMgr.listEntities(LdapRgyEntityMgr.java:1313)
        at com.tivoli.pd.rgy.ldap.LdapRgyUserMgr.listUsers(LdapRgyUserMgr.java:772)
        at com.tivoli.pd.rgy.ldap.LdapRgyRegistry.listUsers(LdapRgyRegistry.java:456)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at com.ibm.jscript.types.JavaAccessObject.call(JavaAccessObject.java:321)
        at com.ibm.jscript.types.FBSObject.call(FBSObject.java:161)
        at com.ibm.jscript.ASTTree.ASTCall.interpret(ASTCall.java:175)
        at com.ibm.jscript.ASTTree.ASTAssign.interpret(ASTAssign.java:91)
        at com.ibm.jscript.ASTTree.ASTIf.interpret(ASTIf.java:85)
        at com.ibm.jscript.std.FunctionObject._executeFunction(FunctionObject.java:261)
        at com.ibm.jscript.std.FunctionObject.executeFunction(FunctionObject.java:185)
        at com.ibm.jscript.std.FunctionObject.call(FunctionObject.java:171)
        at com.ibm.di.script.ScriptEngine.call(ScriptEngine.java:477)
        at com.ibm.di.script.ScriptEngine.call(ScriptEngine.java:418)
        at com.ibm.di.connector.ScriptConnector.selectEntries(ScriptConnector.java:203)
        at com.ibm.di.server.AssemblyLineComponent.executeOperation(AssemblyLineComponent.java:3377)
        at com.ibm.di.server.AssemblyLineComponent.doConnectorSelectEntries(AssemblyLineComponent.java:1268)
        at com.ibm.di.server.AssemblyLineComponent.doInitialize(AssemblyLineComponent.java:1209)
        at com.ibm.di.server.AssemblyLineComponent.initialize(AssemblyLineComponent.java:1151)
        at com.ibm.di.server.AssemblyLine.initConnectors(AssemblyLine.java:1932)
        at com.ibm.di.server.AssemblyLine.msInitConn(AssemblyLine.java:3609)
        at com.ibm.di.server.AssemblyLine.executeMainStep(AssemblyLine.java:3419)
        at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:3032)
        at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:3015)
        at com.ibm.di.server.AssemblyLine.executeAL(AssemblyLine.java:2972)
        at com.ibm.di.server.AssemblyLine.run(AssemblyLine.java:1339)

    Can anyone point me in the right direction to debug this?

    Thanks in advance!

    Regards,
    Paul van den Brink



    ------------------------------
    Paul van den Brink
    ------------------------------


  • 2.  RE: Issue with SDI after upgrade

    Posted Tue October 31, 2023 10:56 AM

    This does not look like a problem of the upgrade but a network connectivity problem.

    The error message you are receiving tells you that none of the ldap servers in your config file can be contacted.

    So take a look in the conf file and try to connect to the ldap servers to verify the connectivity.

    Of course something can have been impacted by the upgrade - but as the biggest difference between FP6 and FP10 is the removal of the old log4j logging and there is nothing pointing to a problem in that direction...

    HTH   



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: Issue with SDI after upgrade

    Posted Wed November 01, 2023 02:31 AM

    Hi Franz,

    Thanks for taking an interest in this issue.

    And yes, my thoughts exactly, so I checked connectivity using jXplorer, this worked.

    The upgrade of SDI also implied an upgrade to JAVA8:
    C:\Beheer\SDI\IBM\TDI\V7.2\jvm\jre\bin\java.exe -version
    java version "1.8.0_351"
    Java(TM) SE Runtime Environment (build 8.0.7.20 - pwa6480sr7fp20-20221020_01(SR7 FP20))
    IBM J9 VM (build 2.9, JRE 1.8.0 Windows 10 amd64-64-Bit Compressed References 20220929_37824 (JIT enabled, AOT enabled)
    OpenJ9   - 02180fe
    OMR      - 48fc32a
    IBM      - bf759bf)
    JCL - 20220922_01 based on Oracle jdk8u351-b10

    With Wireshark I see a ClientHello when I use jXplorer, but I see a FIN/ACK using SDI.
    So maybe there is a TLS issue.

    How to enable more logging to check this?

    Regards,

    Paul



    ------------------------------
    Paul van den Brink
    ------------------------------



  • 4.  RE: Issue with SDI after upgrade

    Posted Wed November 01, 2023 02:54 AM

    The best way to get this resolved is probably using IBM Support as the problem seems to be related to the upgrade and the supported ISAM V2 Connector.

    As I do not know your environment it is difficult for me to guess from a distance where the problem is - but a couple of guesses :

    1. If you have multiple network cards in your machine the AL may use the wrong network to connect to the ldap servers (Wireshark should show that quite clearly)
    2. You may want to try to reconfigure the ISAM V2 Connector (generating a new conf/keystore pair) as the JVM has been upgraded  

    This technote documents a lot of good points (including SSL tracing) that may help you : https://www.ibm.com/support/pages/collecting-data-read-first-all-ibm-security-directory-integrator-products

    HTH



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------
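The two guesses above (wrong interface, and a TLS handshake that fails after the JVM upgrade) can be separated with a small probe run from the SDI host. The script below is an added example, not code from the thread, from IBM or from the ISAM V2 Connector: for each LDAP server it records whether the TCP connect succeeds, which local address the connection left from (answering the multiple-NIC question), and whether a TLS handshake completes using the machine's default trust store. A peer that answers the ClientHello with FIN/RST, as seen in Wireshark, shows up as a `tls:` failure on a connection whose `tcp` flag is true. The server list `SAMPLE_SERVERS` is a constructed placeholder; the local "FIN server" exists only so the example can be run offline.

```python
"""Added example (not from the thread or from IBM): separate TCP reachability
from TLS handshake success for each LDAP server an SDI connector points at,
and report which local interface the connection left from.  SAMPLE_SERVERS is
a constructed placeholder; replace it with the host:port pairs from your config."""
import socket
import ssl
import threading

# Constructed placeholder entries, not real servers.
SAMPLE_SERVERS = [("ldap.example.internal", 636)]


def probe_ldap_server(host, port, timeout=5.0, context=None):
    """Describe how far a connection to host:port gets.

    tcp        - TCP connect succeeded
    tls        - a TLS handshake completed on that connection
    local_addr - (ip, port) the connection was made from; with several NICs
                 this shows which interface the OS actually picked
    error      - 'tcp: ...' or 'tls: ...' on failure, None on success
    """
    result = {"host": host, "port": port, "tcp": False, "tls": False,
              "local_addr": None, "protocol": None, "cipher": None, "error": None}
    if context is None:
        # Platform trust store with hostname verification, like a normal client.
        context = ssl.create_default_context()
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"tcp: {exc}"
        return result
    result["tcp"] = True
    result["local_addr"] = raw.getsockname()[:2]
    try:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            result["tls"] = True
            result["protocol"] = tls.version()
            result["cipher"] = tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        # A peer that answers ClientHello with FIN/RST, a certificate the local
        # trust store rejects, or a protocol/cipher mismatch all land here.
        result["error"] = f"tls: {exc}"
    finally:
        raw.close()
    return result


def summarize(result):
    """(tcp_ok, tls_ok, failing_layer) where failing_layer is 'tcp', 'tls' or None."""
    layer = result["error"].split(":", 1)[0] if result["error"] else None
    return result["tcp"], result["tls"], layer


def start_fin_server():
    """Local listener that accepts and immediately closes each connection,
    mimicking a server that answers ClientHello with FIN.  Returns (port, stop)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv.close


def run_offline_demo():
    """Probe the local FIN server and a port nothing listens on; both run offline.
    Returns (fin_result, refused_result)."""
    port, stop = start_fin_server()
    try:
        fin_result = probe_ldap_server("127.0.0.1", port, timeout=3.0)
    finally:
        stop()
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))  # grab a free port number, then release it
    free_port = spare.getsockname()[1]
    spare.close()
    refused_result = probe_ldap_server("127.0.0.1", free_port, timeout=3.0)
    return fin_result, refused_result


if __name__ == "__main__":
    for r in run_offline_demo():
        print(summarize(r), r["error"])
    for host, port in SAMPLE_SERVERS:
        print(probe_ldap_server(host, port))
```

Reading the output: `(True, False, 'tls')` with an EOF or connection-reset message reproduces the FIN-after-ClientHello symptom and points at the server side rejecting the handshake (protocol or cipher); a `tls:` failure mentioning certificate verification instead points at the trust store, which is the case the upgraded JRE's keystore would hit; `(False, False, 'tcp')` means the problem is below TLS. If `local_addr` is not the interface you expect, guess 1 applies. For the Java side of the same comparison, the standard JVM property `-Djavax.net.debug=ssl:handshake` prints the handshake as the SDI JRE actually performs it.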



  • 5.  RE: Issue with SDI after upgrade

    Posted 2 days ago

    Currently we are on V 7.2.0.9 SDI and we received a notification from IBM regarding the FP00013. We have the following questions on the latest FP00013.

    1. Do we need to upgrade SDI Java, if we go with FP13 of SDI?
    2. Do we need to upgrade RMI dispatcher if we go with FP13 of SDI?
    3. Will SDI FP13 work with our current version of ISVG 10.0.2.1 ?
    4. Will RHEL 8.9 OS version work with SDI FP13?


    ------------------------------
    Kadumuri Sagar Krishna
    ------------------------------



  • 6.  RE: Issue with SDI after upgrade

    Posted 22 hours ago

    The questions you raise are something that cannot be answered 100% without knowing your local dependencies.

    Let me answer the easiest first - SDI 7.2 should work fine with RHEL 8.9 independently of what FP and JRE is deployed. The JRE is "local" to SDI so there are no dependencies on other Java environments installed on the machine.

    Answering the other questions is more subtle - if you ask a Service Consultant like me the answer is : it depends. Otherwise the IBM guidelines are that you should always run on the latest level of all your components to ensure security and functionality is optimal. The FP13 together with the latest JRE release solves problems for the ISIM DSMLV2 (JNDI) connector that is the primary connector for loading HRFeed data into ISVG IM - so if you are using this and you, due to other problems/security issues, need to update, you should go to this level. Be aware that much of the updates are not in SDI itself but in the supporting opensource components that needed updates due to vulnerabilities.

    I would, as a general recommendation, always recommend updating both SDI/JRE and Dispatcher at the same time. One deployment pattern that I have used is to have 2-3 SDI/Dispatcher instances on the Adapter Server - that way you can easily maintain different levels if needed and upgrades are easier as you can move your services around the different dispatchers - the downside is that you need to understand how SDI ports are allocated (and that can be a little complicated if you are using the builtin database/queues)

    The last question - ISVG 10.0.2.1 is not a well defined thing - I assume this is Identity Manager (but can be IGI) - it really does not matter - yes it works - of course there can be new problems that our development has not foreseen but this is always a risk - so test before deployment :-)

    Just to throw in some more complication - prepare to move to ISVDI 10 - this is the current version of SDI - not all IBM adapters can run on this yet but as a new version always at some time will mean that the old version will be deprecated/EOS it is due diligence to start planning upgrading. And as usual with SDI (as outlined above) you can run the versions on the same server (if you manage the ports). ISVDI 10 is moving to Java 17 and has a new install methodology which is slightly different. Also - as with most of our products - it is also available in a container form factor which gives a lot of new possibilities :-)

    HTH 



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------