IBM Security Verify

  • 1.  Single Sign-On Configuration Failed during ISVG 10.0.1.5 Upgrade

    Posted Tue November 14, 2023 06:30 AM

    Hello All,

    I am facing an issue while applying ISVG FP5 on ISVG-IM 10.0.1.4. After uploading and upgrading the FP5, it says firmware upgrade failed. As I checked in the logs, it failed due to Single Sign-On configuration. So, I applied the FP5 again after unconfiguring the SSO configuration from ISVG LMI and FP5 upgraded successfully.

    Now, I am trying to configure the SSO configuration again, but it is giving the below error (The Single Sign-On configuration is not successful). If anyone has faced such an issue or has any idea about this issue, please share your suggestions.
    Thanks!

    ---------------------------------
     Rachit Bansal
    ---------------------------------



    ------------------------------
    rachit bansal
    ------------------------------


  • 2.  RE: Single Sign-On Configuration Failed during ISVG 10.0.1.5 Upgrade

    Posted Tue November 14, 2023 08:02 AM

    My recommendation is to raise a support case - there is so little information in your question that it is not possible to give you any decent advice...

    HTH 



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: Single Sign-On Configuration Failed during ISVG 10.0.1.5 Upgrade

    Posted Wed November 15, 2023 12:59 AM

    Hello Franz,

    Support case already raised but no solution yet.

    Sharing the logs in case you can get some information about the issue.
    [11/14/23 22:40:54:448 EST] 00000042 com.ibm.identity.utils.IdentityCommand                       I Command to executed : /usr/sbin/mesa_control -e -v commit /etc/undeployed_policies 
    [11/14/23 22:41:10:447 EST] 00000042 com.ibm.identity.utils.IdentityCommand                       I Reading an errorstream of subprocess.
    [11/14/23 22:41:13:252 EST] 00000042 com.ibm.identity.utils.IdentityCommand                       I Reading an errorstream of subprocess.
    [11/14/23 22:41:13:252 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I Executing Mesa commands for Single Sign-On
    [11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> mesa_control[10391]: Debug: Executing command: commit
    [11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> mesa_control[10391]: Acquiring lock: /var/run/mesa_control.translate.lock
    [11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> mesa_control[10391]: Acquired lock: /var/run/mesa_control.translate.lock
    [11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> mesa_control[10391]: Translating policy dir=/etc/undeployed_policies out=/etc/settings.tmp
    [11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> mesa_control[10391]: Translate policy succeeded
    [11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> mesa_control[10391]: Committing policy changes
    [11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> 
    [11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> Warning:
    [11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/ibm/wlp/usr/servers/default/certs/lmi.jks -destkeystore /opt/ibm/wlp/usr/servers/default/certs/lmi.jks -deststoretype pkcs12".
    [11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> JVMJ9VM039I -Xscmx is ignored if -Xshareclasses is not specified
    [11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> Exception in thread "main" 
    [11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> [java.lang.NullPointerException
    [11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> ]
    [11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> 
    [11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> Wrappered Exception:
    [11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> java.lang.NullPointerException
    [11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jcfg.SvrSslCfg.invoke(SvrSslCfg.java:708)
    [11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jcfg.SvrSslCfg.main(SvrSslCfg.java:451)
    [11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> Caused by: java.lang.NullPointerException
    [11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jadmin.PDAppSvrConfig.unconfigureAppSvr(PDAppSvrConfig.java:1446)
    [11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jcfg.SvrSslCfg.unconfig(SvrSslCfg.java:780)
    [11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    [11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    [11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at java.lang.reflect.Method.invoke(Method.java:508)
    [11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jcfg.SvrSslCfg.invoke(SvrSslCfg.java:686)
    [11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> ... 1 more
    [11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> Exception in thread "main" 
    [11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> [com.tivoli.pd.jutil.AuthResponseException: HPDBA0235I   The server lost the client's authentication, probably because of session expiration.
    [11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> ]
    [11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> 
    [11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> Wrappered Exception:
    [11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> com.tivoli.pd.jutil.AuthResponseException: HPDBA0235I   The server lost the client's authentication, probably because of session expiration.
    [11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jts.RemoteConnection.doIt(RemoteConnection.java:357)
    [11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jts.RemoteConnection.sendRequest(RemoteConnection.java:138)
    [11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jts.Connection.sendRequest(Connection.java:108)
    [11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jadmin.PDAppSvrConfig$1.run(PDAppSvrConfig.java:279)
    [11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at java.security.AccessController.doPrivileged(AccessController.java:747)
    [11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jadmin.PDAppSvrConfig.getMgrCert(PDAppSvrConfig.java:273)
    [11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jadmin.PDAppSvrConfig.configureAppSvr(PDAppSvrConfig.java:911)
    [11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jcfg.SvrSslCfg.config(SvrSslCfg.java:764)
    [11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    [11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    [11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at java.lang.reflect.Method.invoke(Method.java:508)
    [11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jcfg.SvrSslCfg.invoke(SvrSslCfg.java:686)
    [11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jcfg.SvrSslCfg.main(SvrSslCfg.java:451)
    [11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> Caused by: com.tivoli.pd.jutil.AuthResponseException: HPDBA0235I   The server lost the client's authentication, probably because of session expiration.
    [11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jauthn.AuthGetPeerCertificateCmd.doIt(AuthGetPeerCertificateCmd.java:44)
    [11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> at com.tivoli.pd.jts.RemoteConnection.doIt(RemoteConnection.java:345)
    [11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> ... 13 more
    [11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I MesaConfig Output >> mesa_control[10391]: Error: Failed to commit policy changes
    [11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         E Error while executing command : [Ljava.lang.String;@99a0fa0d
    [11/14/23 22:41:13:258 EST] 00000042 com.ibm.identity.utils.IdentityUtils                         I Deleted undeployed policies for component Single Sign-On
    [11/14/23 22:41:13:258 EST] 00000042 com.ibm.identity.isim.sso_config.SsoConfigServlet            E Single Sign-On configuration was not successful
    [11/14/23 22:41:13:263 EST] 00000042 com.ibm.identity.isim.sso_config.SsoConfigServlet            E Single Sign-On configuration failed.
    ------------------------


    ------------------------------
    rachit bansal
    ------------------------------
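
Added example, not part of the original posts and not IBM code: a Python sketch that strips the appliance logger prefix from lines like those in the excerpt above and reduces the `mesa_control` output to one record per exception block (top-level exception, `Caused by`, first frame under the root cause) plus the error lines. The names `summarize`, `SAMPLE`, `P` and `AUTH` are hypothetical, and the sample lines are abbreviated from the posted log.

```python
import re

# Logger prefix: [timestamp] thread-id logger-class level message
LINE_RE = re.compile(r"^\[([^\]]+)\]\s+(\S+)\s+(\S+)\s+([A-Z])\s(.*)$")
MESA = "MesaConfig Output >>"

# Constructed sample: lines abbreviated from the log excerpt in post 3.
P = "[11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils I " + MESA
AUTH = ("com.tivoli.pd.jutil.AuthResponseException: HPDBA0235I   The server lost "
        "the client's authentication, probably because of session expiration.")
SAMPLE = [
    P + ' Exception in thread "main" ',
    P + " [java.lang.NullPointerException",
    P + " at com.tivoli.pd.jcfg.SvrSslCfg.invoke(SvrSslCfg.java:708)",
    P + " Caused by: java.lang.NullPointerException",
    P + " at com.tivoli.pd.jadmin.PDAppSvrConfig.unconfigureAppSvr(PDAppSvrConfig.java:1446)",
    P + ' Exception in thread "main" ',
    P + " [" + AUTH,
    P + " Caused by: " + AUTH,
    P + " at com.tivoli.pd.jauthn.AuthGetPeerCertificateCmd.doIt(AuthGetPeerCertificateCmd.java:44)",
    P + " mesa_control[10391]: Error: Failed to commit policy changes",
    "[11/14/23 22:41:13:258 EST] 00000042 com.ibm.identity.isim.sso_config.SsoConfigServlet E Single Sign-On configuration was not successful",
]

def summarize(lines):
    """Group mesa_control output into exception blocks; collect error lines."""
    blocks, errors, cur = [], [], None
    for raw in lines:
        if not (m := LINE_RE.match(raw.strip())):
            continue
        level, msg = m.group(4), m.group(5).strip()
        if not msg.startswith(MESA):
            errors += [msg] if level == "E" else []   # appliance-level error
            continue
        out = msg[len(MESA):].strip()
        if out.startswith("Exception in thread"):
            blocks.append(cur := {"exception": None, "caused_by": None, "root_frame": None})
        elif re.match(r"mesa_control\[\d+\]: Error:", out):
            errors.append(out)
            cur = None
        elif cur is None:
            continue
        elif out.startswith("[") and cur["exception"] is None:
            cur["exception"] = out[1:]                # text after the opening bracket
        elif out.startswith("Caused by:"):
            cur["caused_by"] = out[len("Caused by:"):].strip()
        elif out.startswith("at ") and cur["caused_by"] and not cur["root_frame"]:
            cur["root_frame"] = out[3:]               # first frame under the root cause
    return blocks, errors
```

On the sample this separates the two failures in the excerpt: the `NullPointerException` raised in `unconfigureAppSvr` and the `HPDBA0235I` authentication error raised while fetching the peer certificate.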



  • 4.  RE: Single Sign-On Configuration Failed during ISVG 10.0.1.5 Upgrade

    Posted Wed November 15, 2023 02:09 AM

    Do not get me wrong - but I am not going to try to debug your problem based on a single log - that is not how problem determination/debugging works.

    As you have raised a case that is the correct way of getting the problem solved - the support professional knows which logs they need and should also be able to help you resolve the problem quicker than I can.

    That said - did you reregister your ISVA Java runtime - the fixpack has probably changed the Java version, which means that you need to reregister the pdjrte - and there have been a lot of problems related to this using the correct versions of the ISVA jar...



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 5.  RE: Single Sign-On Configuration Failed during ISVG 10.0.1.5 Upgrade

    Posted Wed November 15, 2023 02:27 AM

    Thanks for your suggestions and clarification comments. 



    ------------------------------
    Rachit Bansal
    ------------------------------