IBM Verify

ISIM Cluster Upgrade Pre-requisite Check

By Ranvijay posted Mon October 21, 2019 10:52 AM

  

By Ranvijay Singh and Kanad Jadhav

This post covers the common checks that need to be performed before upgrading IBM Security Identity Manager (ISIM). Missing some parameters may cause the upgrade to fail. To upgrade the ISIM nodes without causing any issues or having to create a support case with IBM, follow the points below:

NOTE: Before the upgrade, it is strongly recommended to take a backup of the ISIM environment:

  • ISIM VA (Primary and Members) 
  • LDAP 
  • Database 

 

1. Make sure that you allow all files for custom file management: 

Log in to the ISIM VA console as the admin user. Navigate to Manage and, under System Settings, select Advanced Tuning Parameters to see the available parameters. Select the key lmi.customfiles.accepted.filetypes and set its value to ALL (Figure - 1). The ALL value allows all file types to be uploaded from the Custom File Management page. Without it, custom files can be rejected during the upgrade and the upgrade might fail. [1]

 

 

Figure – 1 

2. Check connectivity between node and ISAM components (Only if you have ISAM integration): 

 

Another cause of upgrade failure is a connectivity issue between the ISIM node and the ISAM components. If you have configured ISIM with ISAM, run a preliminary check with tools such as ping and connect. The ISIM Command Line Interface (CLI) has an option to check the connection with the target machine. Once you log in to the ISIM CLI, type tools and then help to list the available tools that you can use to test the connection (Figure - 2). For more details, see reference [2].

 

 

 

Figure – 2  

3. Check the protocol on Primary and Member nodes are same: 

Confirm that the protocol set on the Primary node and on the member nodes is the same. You can find the protocol setting under Advanced Tuning Parameters in the ISIM VA console (Figure - 3). Multiple values can be specified here, such as TLS, TLSv1.1 and TLSv1.2. [3]

 

Figure – 3 

 

4. Time Synchronization: 

 

Make sure that the time is consistent across all the components of ISIM. A time mismatch may result in upgrade failure, so always check that the time is synchronized between the components and between the nodes as well.

 

Figure – 4 [4] 
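
One way to check node clock skew from an admin workstation before the upgrade, as an added example that is not part of the original post or of IBM tooling: it reads the HTTP Date header from each node over HTTPS and compares every node with the primary. It assumes each node's HTTPS listener returns a Date header and presents a certificate the workstation trusts; the function names, the host:port arguments and the 60-second tolerance are assumptions, and LDAP and database hosts need a separate check.

```python
import email.utils
import socket
import ssl
import sys
import time

def server_time(raw_headers):
    """Return the HTTP Date header as epoch seconds, or None if missing or invalid."""
    for line in raw_headers.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "date":
            try:
                return email.utils.parsedate_to_datetime(value.strip()).timestamp()
            except (TypeError, ValueError):
                return None
    return None

def probe_node(host, port, timeout=5.0):
    """Return (node clock - local clock) in seconds; the node certificate must verify."""
    req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ssl.create_default_context().wrap_socket(raw, server_hostname=host) as tls:
            sent = time.time()
            tls.sendall(req)
            data = b""
            while b"\r\n\r\n" not in data and (chunk := tls.recv(4096)):
                data += chunk
            received = time.time()
    stamp = server_time(data.decode("iso-8859-1"))
    # Compare with the midpoint of the exchange so network delay mostly cancels out.
    return None if stamp is None else stamp - (sent + received) / 2

def skew_report(offsets, max_skew=60.0):  # 60 s is an assumed tolerance, not from the article
    """Compare each node's offset with the first entry (the primary node)."""
    ref = next(iter(offsets.values()), None)
    def status(off):
        if off is None or ref is None:
            return "UNKNOWN"
        return "OK" if abs(off - ref) <= max_skew else "SKEWED"
    return {node: status(off) for node, off in offsets.items()}

if __name__ == "__main__":  # usage: clock_skew.py primary-host:port member-host:port ...
    offsets = {}
    for target in sys.argv[1:]:
        host, port = target.rsplit(":", 1)
        try:
            offsets[target] = probe_node(host, int(port))
        except OSError:  # unreachable node or failed TLS handshake
            offsets[target] = None
    for node, status in skew_report(offsets).items():
        print(node, offsets[node], status)
```

The Date header has one-second resolution, so this catches drift of minutes, not sub-second differences.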

 

5. Sequence of upgrade: 

 

Always upgrade the primary node first and then move to the member nodes. Once the primary node is upgraded, verify that the upgrade was successful. If the upgrade on the primary node is successful, you can safely move on to upgrading the member nodes.

 

6. Check the logs if add member node or synchronization fails: 

 

Check the Local Management Interface (LMI) and Identity logs from the support file. You can share the preliminary observations from these logs with the IBM Support team so that the root cause can be identified easily. Check the LMI logs under /tmp/liberty/log and the Identity logs under the /opt/ibm/Identity/logs/ directories for details regarding the failure of the add node or synchronization.

 

7. What if the add member node goes into hung state? 

Usually, when you add a member node, the process goes through without any issues, but it may happen that the process hangs for a while at one of the steps. In the hung state you can restart the node from the CLI to proceed again with the add node process. In the CLI, navigate to isim, then nodes_administration, and use the restart option to restart the node (Figure – 5) [5]. The restart should resolve the hang, and you should be able to add the node successfully.

Note: Check with the IBM Support team before you try this step.

 

Figure - 5 

 

The checks above should be useful if you are stuck in a cluster upgrade of IBM Security Identity Manager. Also, always perform these preliminary checks even if the upgrade is successful, to avoid any other issues.

 

 

 

References: 

  1. https://www.ibm.com/support/knowledgecenter/SSRMWJ_7.0.1.7/com.ibm.isim.doc/admin/ref/r_adv_tuning.htm 
  2. https://www.ibm.com/support/knowledgecenter/SSRMWJ_7.0.1.11/com.ibm.isim.doc/reference/ref/ref_ic_cmd_tools.htm 
  3. https://www.ibm.com/support/knowledgecenter/SSRMWJ_7.0.1.7/com.ibm.isim.doc/admin/tsk/t_manage_protocols.htm 
  4. https://time.is 
  5. https://www.ibm.com/support/knowledgecenter/SSRMWJ_7.0.1.11/com.ibm.isim.doc/reference/ref/ref_ic_cmd_nodes_administration.htm 

 
