IBM Security Verify

  • 1.  Issue with SDI after upgrade

    Posted Tue October 31, 2023 10:37 AM

    Hi,

    I am using SDI to update accounts in ISVA using the ISAM v2 Connector.

    Recently I've upgraded SDI on my Windows laptop with FP0010:

    applyUpdates.bat -queryreg
    Information from .registry file in: C:\Beheer\SDI\IBM\TDI\V7.2
    Edition: Identity
    Level: 7.2.0.10
    License: Full

    Fixes Applied
    =-=-=-=-=-=-=
    SDI-7.2-FP0010(7.2.0.6)SDI-7.2-FP0006(7.2.0.3)SDI-7.2-FP0003(7.2.0.0)

    Components Installed
    =-=-=-=-=-=-=-=-=-=
    BASE
       -SDI-7.2-FP0010
       -SDI-7.2-FP0006
       -SDI-7.2-FP0003
    SERVER
       -SDI-7.2-FP0010
       -SDI-7.2-FP0006
       -SDI-7.2-FP0003
    CE
       -SDI-7.2-FP0010
       -SDI-7.2-FP0006
       -SDI-7.2-FP0003
    JAVADOCS
       -SDI-7.2-FP0010
    EXAMPLES
       -SDI-7.2-FP0010
       -SDI-7.2-FP0006
       -SDI-7.2-FP0003
    IEHS
    EMBEDDED WEB PLATFORM
    AMC
       Deferred: false

    When I start my assembly line I get the following error:

    15:04:55,333 INFO  - CTGDIS255I AssemblyLine AssemblyLines/CleanupCIAM is started.
    15:04:56,083 INFO  - Scripts functions : Initialise
    15:04:56,184 INFO  - [InputFromISAM] CTGDIH401I ISAM v2 Connector version 20210114 .
    15:04:56,825 ERROR - [InputFromISAM] CTGDIS810E handleException - cannot handle exception , initialize 
    com.tivoli.pd.rgy.exception.ServerDownRgyException: HPDAA0278E   None of the configured LDAP servers of the appropriate type for the operation can be contacted.
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr.getBestServerWithRecovery(LdapRgyHandleMgr.java:694)
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr.setupHandle(LdapRgyHandleMgr.java:734)
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr.access$500(LdapRgyHandleMgr.java:66)
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr$JndiOperation.retryJndiOperation(LdapRgyHandleMgr.java:2307)
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr.searchAndFetch(LdapRgyHandleMgr.java:1554)
        at com.tivoli.pd.rgy.ldap.LdapRgyServerInfo.determineLdapServerType(LdapRgyServerInfo.java:925)
        at com.tivoli.pd.rgy.ldap.LdapRgyServerInfo.getLdapServerType(LdapRgyServerInfo.java:378)
        at com.tivoli.pd.rgy.ldap.LdapRgyDomainInfo.getSecAuthInfo(LdapRgyDomainInfo.java:210)
        at com.tivoli.pd.rgy.ldap.LdapRgyDomainInfo.get(LdapRgyDomainInfo.java:139)
        at com.tivoli.pd.rgy.ldap.LdapRgyDomainMgr.getDomainInfo(LdapRgyDomainMgr.java:184)
        at com.tivoli.pd.rgy.ldap.LdapRgyEntityMgr.listEntities(LdapRgyEntityMgr.java:1313)
        at com.tivoli.pd.rgy.ldap.LdapRgyUserMgr.listUsers(LdapRgyUserMgr.java:772)
        at com.tivoli.pd.rgy.ldap.LdapRgyRegistry.listUsers(LdapRgyRegistry.java:456)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at com.ibm.jscript.types.JavaAccessObject.call(JavaAccessObject.java:321)
        at com.ibm.jscript.types.FBSObject.call(FBSObject.java:161)
        at com.ibm.jscript.ASTTree.ASTCall.interpret(ASTCall.java:175)
        at com.ibm.jscript.ASTTree.ASTAssign.interpret(ASTAssign.java:91)
        at com.ibm.jscript.ASTTree.ASTIf.interpret(ASTIf.java:85)
        at com.ibm.jscript.std.FunctionObject._executeFunction(FunctionObject.java:261)
        at com.ibm.jscript.std.FunctionObject.executeFunction(FunctionObject.java:185)
        at com.ibm.jscript.std.FunctionObject.call(FunctionObject.java:171)
        at com.ibm.di.script.ScriptEngine.call(ScriptEngine.java:477)
        at com.ibm.di.script.ScriptEngine.call(ScriptEngine.java:418)
        at com.ibm.di.connector.ScriptConnector.selectEntries(ScriptConnector.java:203)
        at com.ibm.di.server.AssemblyLineComponent.executeOperation(AssemblyLineComponent.java:3377)
        at com.ibm.di.server.AssemblyLineComponent.doConnectorSelectEntries(AssemblyLineComponent.java:1268)
        at com.ibm.di.server.AssemblyLineComponent.doInitialize(AssemblyLineComponent.java:1209)
        at com.ibm.di.server.AssemblyLineComponent.initialize(AssemblyLineComponent.java:1151)
        at com.ibm.di.server.AssemblyLine.initConnectors(AssemblyLine.java:1932)
        at com.ibm.di.server.AssemblyLine.msInitConn(AssemblyLine.java:3609)
        at com.ibm.di.server.AssemblyLine.executeMainStep(AssemblyLine.java:3419)
        at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:3032)
        at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:3015)
        at com.ibm.di.server.AssemblyLine.executeAL(AssemblyLine.java:2972)
        at com.ibm.di.server.AssemblyLine.run(AssemblyLine.java:1339)

    Can anyone point me in the right direction to debug this?

    Thanks in advance!

    Regards,
    Paul van den Brink



    ------------------------------
    Paul van den Brink
    ------------------------------


  • 2.  RE: Issue with SDI after upgrade

    Posted Tue October 31, 2023 10:56 AM

    This does not look like a problem of the upgrade but a network connectivity problem.

    The error message you are receiving tells you that none of the LDAP servers in your config file can be contacted.

    So take a look in the conf file and try to connect to the LDAP servers to verify the connectivity.

    Of course something can have been impacted by the upgrade - but as the biggest difference between FP6 and FP10 is the removal of the old log4j logging and there is nothing pointing to a problem in that direction...

    HTH   



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: Issue with SDI after upgrade

    Posted Wed November 01, 2023 02:31 AM

    Hi Franz,

    Thanks for taking an interest in this issue.

    And yes, my thoughts exactly, so I checked connectivity using jXplorer, this worked.

    The upgrade of SDI also implied an upgrade to JAVA8:
    C:\Beheer\SDI\IBM\TDI\V7.2\jvm\jre\bin\java.exe -version
    java version "1.8.0_351"
    Java(TM) SE Runtime Environment (build 8.0.7.20 - pwa6480sr7fp20-20221020_01(SR7 FP20))
    IBM J9 VM (build 2.9, JRE 1.8.0 Windows 10 amd64-64-Bit Compressed References 20220929_37824 (JIT enabled, AOT enabled)
    OpenJ9   - 02180fe
    OMR      - 48fc32a
    IBM      - bf759bf)
    JCL - 20220922_01 based on Oracle jdk8u351-b10

    With Wireshark I see a ClientHello when I use jXplorer, but I see a FIN/ACK using SDI.
    So maybe there is a TLS issue.

    How to enable more logging to check this?

    Regards,

    Paul



    ------------------------------
    Paul van den Brink
    ------------------------------



  • 4.  RE: Issue with SDI after upgrade

    Posted Wed November 01, 2023 02:54 AM

    The best way to get this resolved is probably using IBM Support as the problem seems to be related to the upgrade and the supported ISAM V2 Connector.

    As I do not know your environment it is difficult for me to guess from a distance where the problem is - but a couple of guesses:

    1. If you have multiple network cards in your machine the AL may use the wrong network to connect to the LDAP servers (Wireshark should show that quite clearly)
    2. You may want to try to reconfigure the ISAM V2 Connector (generating a new conf/keystore pair) as the JVM has been upgraded  

    This technote documents a lot of good points (including SSL tracing) that may help you : https://www.ibm.com/support/pages/collecting-data-read-first-all-ibm-security-directory-integrator-products

    HTH



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------
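
One way to narrow down the symptom discussed in this thread (a ClientHello from jXplorer but only a FIN/ACK from SDI) is to attempt the TLS handshake from the JVM that SDI itself runs on. The following is an added example, not code from the posters or from IBM; the class name `TlsProbe` and the host `ldap.example.com` are placeholders, and it assumes the class is compiled for Java 8 and started with the `java.exe` under the SDI `jvm\jre\bin` directory shown above.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

// Added example. Usage (placeholder host): java TlsProbe ldap.example.com 636
// Add -Djavax.net.debug=all (standard JSSE trace property) for a handshake trace.
public class TlsProbe {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java TlsProbe <host> <port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // Confirm which JVM is actually running and what it offers by default.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("default protocols = "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        try (Socket tcp = new Socket()) {
            tcp.connect(new InetSocketAddress(host, port), 5000);
            // The local address shows which network interface was chosen.
            System.out.println("TCP connected from " + tcp.getLocalAddress());
            tcp.setSoTimeout(5000);
            SSLSocket tls = (SSLSocket) ctx.getSocketFactory()
                    .createSocket(tcp, host, port, true);
            tls.startHandshake();
            SSLSession s = tls.getSession();
            System.out.println("handshake OK: " + s.getProtocol() + " / " + s.getCipherSuite());
            X509Certificate leaf = (X509Certificate) s.getPeerCertificates()[0];
            System.out.println("server cert: " + leaf.getSubjectX500Principal());
        } catch (SSLException e) {
            // This probe trusts the JVM's default trust store, not the connector's
            // keystore: a certificate-path error here still proves that a
            // ClientHello was sent and the server answered.
            System.out.println("TLS failure: " + e);
        } catch (IOException e) {
            System.out.println("TCP failure (no TLS attempted): " + e);
        }
    }
}
```

A handshake that succeeds or fails on certificate trust here, while the AssemblyLine still closes the connection without a ClientHello, points at the connector's own conf/keystore pair rather than at the JVM's TLS stack.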