Original Message:
Sent: Wed November 15, 2023 02:09 AM
From: Franz Wolfhagen
Subject: Single Sign-On Configuration Failed during ISVG 10.0.1.5 Upgrade
Do not get me wrong - but I am not going to try to debug your problem based on a single log - that is not how problem determination/debugging works.
As you have raised a case that is the correct way of getting the problem solved - the support professional knows which logs they need and should also b able to help you resolve the problem quicker than I can.
That said - did you reregister your ISVA Java runtime - the fixpack probably have changed the Java version which means that you need to reregister the pdjrte - and there has been a lot of problems related to this using the correct versions of the ISVA jar...
------------------------------
Franz Wolfhagen
WW IAM Solution Engineer - Certified Consulting IT Specialist
IBM Security Expert Labs
Original Message:
Sent: Wed November 15, 2023 12:59 AM
From: Rachit Bansal
Subject: Single Sign-On Configuration Failed during ISVG 10.0.1.5 Upgrade
Hello Franz,
Support case already raised but no solution yet.
Sharing logs if you have get some information about the issue.
[11/14/23 22:40:54:448 EST] 00000042 com.ibm.identity.utils.IdentityCommand I Command to executed : /usr/sbin/mesa_control -e -v commit /etc/undeployed_policies
[11/14/23 22:41:10:447 EST] 00000042 com.ibm.identity.utils.IdentityCommand I Reading an errorstream of subprocess.
[11/14/23 22:41:13:252 EST] 00000042 com.ibm.identity.utils.IdentityCommand I Reading an errorstream of subprocess.
[11/14/23 22:41:13:252 EST] 00000042 com.ibm.identity.utils.IdentityUtils I Executing Mesa commands for Single Sign-On
[11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> mesa_control[10391]: Debug: Executing command: commit
[11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> mesa_control[10391]: Acquiring lock: /var/run/mesa_control.translate.lock
[11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> mesa_control[10391]: Acquired lock: /var/run/mesa_control.translate.lock
[11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> mesa_control[10391]: Translating policy dir=/etc/undeployed_policies out=/etc/settings.tmp
[11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> mesa_control[10391]: Translate policy succeeded
[11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> mesa_control[10391]: Committing policy changes
[11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >>
[11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> Warning:
[11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/ibm/wlp/usr/servers/default/certs/lmi.jks -destkeystore /opt/ibm/wlp/usr/servers/default/certs/lmi.jks -deststoretype pkcs12".
[11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> JVMJ9VM039I -Xscmx is ignored if -Xshareclasses is not specified
[11/14/23 22:41:13:253 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> Exception in thread "main"
[11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> [java.lang.NullPointerException
[11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> ]
[11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >>
[11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> Wrappered Exception:
[11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> java.lang.NullPointerException
[11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jcfg.SvrSslCfg.invoke(SvrSslCfg.java:708)
[11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jcfg.SvrSslCfg.main(SvrSslCfg.java:451)
[11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> Caused by: java.lang.NullPointerException
[11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jadmin.PDAppSvrConfig.unconfigureAppSvr(PDAppSvrConfig.java:1446)
[11/14/23 22:41:13:254 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jcfg.SvrSslCfg.unconfig(SvrSslCfg.java:780)
[11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
[11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at java.lang.reflect.Method.invoke(Method.java:508)
[11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jcfg.SvrSslCfg.invoke(SvrSslCfg.java:686)
[11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> ... 1 more
[11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> Exception in thread "main"
[11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> [com.tivoli.pd.jutil.AuthResponseException: HPDBA0235I The server lost the client's authentication, probably because of session expiration.
[11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> ]
[11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >>
[11/14/23 22:41:13:255 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> Wrappered Exception:
[11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> com.tivoli.pd.jutil.AuthResponseException: HPDBA0235I The server lost the client's authentication, probably because of session expiration.
[11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jts.RemoteConnection.doIt(RemoteConnection.java:357)
[11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jts.RemoteConnection.sendRequest(RemoteConnection.java:138)
[11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jts.Connection.sendRequest(Connection.java:108)
[11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jadmin.PDAppSvrConfig$1.run(PDAppSvrConfig.java:279)
[11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at java.security.AccessController.doPrivileged(AccessController.java:747)
[11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jadmin.PDAppSvrConfig.getMgrCert(PDAppSvrConfig.java:273)
[11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jadmin.PDAppSvrConfig.configureAppSvr(PDAppSvrConfig.java:911)
[11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jcfg.SvrSslCfg.config(SvrSslCfg.java:764)
[11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[11/14/23 22:41:13:256 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
[11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at java.lang.reflect.Method.invoke(Method.java:508)
[11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jcfg.SvrSslCfg.invoke(SvrSslCfg.java:686)
[11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jcfg.SvrSslCfg.main(SvrSslCfg.java:451)
[11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> Caused by: com.tivoli.pd.jutil.AuthResponseException: HPDBA0235I The server lost the client's authentication, probably because of session expiration.
[11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jauthn.AuthGetPeerCertificateCmd.doIt(AuthGetPeerCertificateCmd.java:44)
[11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> at com.tivoli.pd.jts.RemoteConnection.doIt(RemoteConnection.java:345)
[11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> ... 13 more
[11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils I MesaConfig Output >> mesa_control[10391]: Error: Failed to commit policy changes
[11/14/23 22:41:13:257 EST] 00000042 com.ibm.identity.utils.IdentityUtils E Error while executing command : [Ljava.lang.String;@99a0fa0d
[11/14/23 22:41:13:258 EST] 00000042 com.ibm.identity.utils.IdentityUtils I Deleted undeployed policies for component Single Sign-On
[11/14/23 22:41:13:258 EST] 00000042 com.ibm.identity.isim.sso_config.SsoConfigServlet E Single Sign-On configuration was not successful
[11/14/23 22:41:13:263 EST] 00000042 com.ibm.identity.isim.sso_config.SsoConfigServlet E Single Sign-On configuration failed.
------------------------
------------------------------
rachit bansal
Original Message:
Sent: Tue November 14, 2023 08:01 AM
From: Franz Wolfhagen
Subject: Single Sign-On Configuration Failed during ISVG 10.0.1.5 Upgrade
My recommendation is to raise a support case - there is so little information in your question that it is not possible to give you any decent advice...
HTH
------------------------------
Franz Wolfhagen
WW IAM Solution Engineer - Certified Consulting IT Specialist
IBM Security Expert Labs
Original Message:
Sent: Tue November 14, 2023 06:29 AM
From: rachit bansal
Subject: Single Sign-On Configuration Failed during ISVG 10.0.1.5 Upgrade
Hello All,
I am facing an issue while applying ISVG FP5 on ISVG-IM 10.0.1.4. After uploading and upgrading the FP5, it says firmware upgrade failed. As I checked in the logs, it failed due to Single Sign-On configuration. So, I applied the FP5 again after unconfiguring the SSO configuration from ISVG LMI and FP5 upgraded successfully.
Now, I am trying to configuring again SSO configuration but it is giving below error (The Single Sign-On configuration is not successful). If anyone faced such issue or have any idea about this issue, please share your suggestions.
Thanks!
---------------------------------
Rachit Bansal
---------------------------------
------------------------------
rachit bansal
------------------------------