IBM Verify

 View Only
  • 1.  Issue with SDI after upgrade

    Posted Tue October 31, 2023 10:37 AM

    Hi,

    I am using SDI to update accounts in ISVA using the ISAM v2 Connector.

    Recently I've upgraded SDI on my windows laptop with FP0010

    applyUpdates.bat -queryreg
    Information from .registry file in: C:\Beheer\SDI\IBM\TDI\V7.2
    Edition: Identity
    Level: 7.2.0.10
    License: Full

    Fixes Applied
    =-=-=-=-=-=-=
    SDI-7.2-FP0010(7.2.0.6)SDI-7.2-FP0006(7.2.0.3)SDI-7.2-FP0003(7.2.0.0)

    Components Installed
    =-=-=-=-=-=-=-=-=-=
    BASE
       -SDI-7.2-FP0010
       -SDI-7.2-FP0006
       -SDI-7.2-FP0003
    SERVER
       -SDI-7.2-FP0010
       -SDI-7.2-FP0006
       -SDI-7.2-FP0003
    CE
       -SDI-7.2-FP0010
       -SDI-7.2-FP0006
       -SDI-7.2-FP0003
    JAVADOCS
       -SDI-7.2-FP0010
    EXAMPLES
       -SDI-7.2-FP0010
       -SDI-7.2-FP0006
       -SDI-7.2-FP0003
    IEHS
    EMBEDDED WEB PLATFORM
    AMC
       Deferred: false

    When I start my assembly line I get the following error:

    15:04:55,333 INFO  - CTGDIS255I AssemblyLine AssemblyLines/CleanupCIAM is started.
    15:04:56,083 INFO  - Scripts functions : Initialise
    15:04:56,184 INFO  - [InputFromISAM] CTGDIH401I ISAM v2 Connector version 20210114 .
    15:04:56,825 ERROR - [InputFromISAM] CTGDIS810E handleException - cannot handle exception , initialize 
    com.tivoli.pd.rgy.exception.ServerDownRgyException: HPDAA0278E   None of the configured LDAP servers of the appropriate type for the operation can be contacted.
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr.getBestServerWithRecovery(LdapRgyHandleMgr.java:694)
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr.setupHandle(LdapRgyHandleMgr.java:734)
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr.access$500(LdapRgyHandleMgr.java:66)
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr$JndiOperation.retryJndiOperation(LdapRgyHandleMgr.java:2307)
        at com.tivoli.pd.rgy.ldap.LdapRgyHandleMgr.searchAndFetch(LdapRgyHandleMgr.java:1554)
        at com.tivoli.pd.rgy.ldap.LdapRgyServerInfo.determineLdapServerType(LdapRgyServerInfo.java:925)
        at com.tivoli.pd.rgy.ldap.LdapRgyServerInfo.getLdapServerType(LdapRgyServerInfo.java:378)
        at com.tivoli.pd.rgy.ldap.LdapRgyDomainInfo.getSecAuthInfo(LdapRgyDomainInfo.java:210)
        at com.tivoli.pd.rgy.ldap.LdapRgyDomainInfo.get(LdapRgyDomainInfo.java:139)
        at com.tivoli.pd.rgy.ldap.LdapRgyDomainMgr.getDomainInfo(LdapRgyDomainMgr.java:184)
        at com.tivoli.pd.rgy.ldap.LdapRgyEntityMgr.listEntities(LdapRgyEntityMgr.java:1313)
        at com.tivoli.pd.rgy.ldap.LdapRgyUserMgr.listUsers(LdapRgyUserMgr.java:772)
        at com.tivoli.pd.rgy.ldap.LdapRgyRegistry.listUsers(LdapRgyRegistry.java:456)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at com.ibm.jscript.types.JavaAccessObject.call(JavaAccessObject.java:321)
        at com.ibm.jscript.types.FBSObject.call(FBSObject.java:161)
        at com.ibm.jscript.ASTTree.ASTCall.interpret(ASTCall.java:175)
        at com.ibm.jscript.ASTTree.ASTAssign.interpret(ASTAssign.java:91)
        at com.ibm.jscript.ASTTree.ASTIf.interpret(ASTIf.java:85)
        at com.ibm.jscript.std.FunctionObject._executeFunction(FunctionObject.java:261)
        at com.ibm.jscript.std.FunctionObject.executeFunction(FunctionObject.java:185)
        at com.ibm.jscript.std.FunctionObject.call(FunctionObject.java:171)
        at com.ibm.di.script.ScriptEngine.call(ScriptEngine.java:477)
        at com.ibm.di.script.ScriptEngine.call(ScriptEngine.java:418)
        at com.ibm.di.connector.ScriptConnector.selectEntries(ScriptConnector.java:203)
        at com.ibm.di.server.AssemblyLineComponent.executeOperation(AssemblyLineComponent.java:3377)
        at com.ibm.di.server.AssemblyLineComponent.doConnectorSelectEntries(AssemblyLineComponent.java:1268)
        at com.ibm.di.server.AssemblyLineComponent.doInitialize(AssemblyLineComponent.java:1209)
        at com.ibm.di.server.AssemblyLineComponent.initialize(AssemblyLineComponent.java:1151)
        at com.ibm.di.server.AssemblyLine.initConnectors(AssemblyLine.java:1932)
        at com.ibm.di.server.AssemblyLine.msInitConn(AssemblyLine.java:3609)
        at com.ibm.di.server.AssemblyLine.executeMainStep(AssemblyLine.java:3419)
        at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:3032)
        at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:3015)
        at com.ibm.di.server.AssemblyLine.executeAL(AssemblyLine.java:2972)
        at com.ibm.di.server.AssemblyLine.run(AssemblyLine.java:1339)

    Can anyone point me in the right direction to debug this?

    Thanks in advance!

    Regards,
    Paul van den Brink



    ------------------------------
    Paul van den Brink
    ------------------------------


  • 2.  RE: Issue with SDI after upgrade

    Posted Tue October 31, 2023 10:56 AM

    This does not look like a problem of the upgrade but a network connectivity problem.

    The error message you are receiving tells you that none of the ldap servers in your config file can be contacted.

    So take a look in the conf file and try connect to the ldap servers to verify the connectivity.

    Of course something can have been impacted the upgrade - but as the biggest difference between FP6 and FP10 is the removal of the old log4j logging and there is nothing pointing to a problem in that direction...

    HTH   



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: Issue with SDI after upgrade

    Posted Wed November 01, 2023 02:31 AM

    Hi Franz,

    Thans for taking an interest in this issue.

    And yes, my thoughts exactly, so I checked connectivity using jXplorer, this worked.

    The upgrade of SDI also implied an upgrade to JAVA8:
    C:\Beheer\SDI\IBM\TDI\V7.2\jvm\jre\bin\java.exe -version
    java version "1.8.0_351"
    Java(TM) SE Runtime Environment (build 8.0.7.20 - pwa6480sr7fp20-20221020_01(SR7 FP20))
    IBM J9 VM (build 2.9, JRE 1.8.0 Windows 10 amd64-64-Bit Compressed References 20220929_37824 (JIT enabled, AOT enabled)
    OpenJ9   - 02180fe
    OMR      - 48fc32a
    IBM      - bf759bf)
    JCL - 20220922_01 based on Oracle jdk8u351-b10

    With Wireshark I see a ClientHello when I use use jXplorere, but I see a FIN/ACK using SDI.
    So maybe there is an TLS issue.

    How to enable more logging to check this?

    Regards,

    Paul



    ------------------------------
    Paul van den Brink
    ------------------------------



  • 4.  RE: Issue with SDI after upgrade

    Posted Wed November 01, 2023 02:54 AM

    The best way to get this resolved is probably using IBM Support as the problem seems to be related to the upgrade and the supported ISAM V2 Connector.

    As I do not know your environment it is difficult for me to guess on distance where the problem is - but a couple of guesses :

    1. If you have multiple network cards in you machine the AL may use the wrong network to connect to the ldap servers (Wireshark should show that quite clearly)
    2. You may want to try to reconfigure the ISAM V2 Connector (generating a new conf/keystore pair) as the JVM has been upgraded  

    This technote documents a lot of good points (including SSL tracing) that may help you : https://www.ibm.com/support/pages/collecting-data-read-first-all-ibm-security-directory-integrator-products

    HTH



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 5.  RE: Issue with SDI after upgrade

    Posted Mon July 01, 2024 10:41 AM

    Currently we are on V 7.2.0.9 SDI and we received a notification from IBM regarding the FP00013. We have the following questions on the latest FP00013.

    1. Do we need to upgrade SDI Java, if we go with FP13 of SDI?
    2. Do we need to upgrade RMI dispatcher if we go with FP13 of SDI?
    3. Will SDI FP13 work with our current version of ISVG 10.0.2.1 ?
    4. Will RHEL 8.9 OS version work with SDI FP13?


    ------------------------------
    Kadumuri Sagar Krishna
    ------------------------------



  • 6.  RE: Issue with SDI after upgrade

    Posted Tue July 02, 2024 03:22 AM

    The questions you raise are something that cannot be answered 100% without knowing your local dependencies.

    Let me answer the easiest first - SDI 7.2 should work fine with RHEL 8.9 independently of what FP and JRE is deployed. The JRE is "local" to SDI so there is no dependencies to other Java environments installed on the machine.

    Answering the other questions is more subtle - if you ask a Service Consultant like me the answer is : it depends. Otherwise the IBM guidelines are that you should always run on the latest level of all you components to ensure security and functionality is optimal. The FP13 together with the latest JRE release solves problems for the ISIM DSMLV2 (JNDI) connector that is the primary connector for loading HRFeed data into ISVG IM - so if you are using this and you due to other problems/security issues needs to update you should go to this level. Be aware that much of the updates are not in SDI itself but in the supporting opensource components that needed updates due to vulnerabilities.

    I would as a general recommendation always recommend to update both SDI/JRE and Dispatcher at the same time. One deployment pattern that I have used is to have 2-3 SDI/Dispatcher instances on the Adapter Server - that way you can easily maintain different levels if needed and upgrades are easier as you can move your services around the different dispatchers - the downside is that you need to understand how SDI ports are allocated (and that can be a little complicated if you are using the builtin database/queues) 

    The last question - ISVG 10.0.2.1 is not a well defined thing - I assume this is Identity Manager (but can be IGI) - it really does not matter - yes it works - of course there can be new problems that our development has not foreseen but this is always a risk - so test before deployment :-)

    Just to throw in some more complication - prepare to move to ISVDI 10 - this is the current version of SDI - not all IBM adapters can run on this yet but as a new version always at some time will mean that the old version will be deprecated/EOS it is due diligence to start planning upgrading. And as usual with SDI (as outlined above) you can run the versions on the same server (if you manage the ports) .  ISVDI 10 is moving to Java 17 and is having a new install methodology which is slightly different. Also - as with most of our products - it is also available in a container form factor which gives a lot of new possibilities :-) 

    HTH 



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------