CA Identity Manager Startup Error - No user IDM found.

Document ID : KB000011247
Last Modified Date : 14/02/2018
Question:

When Identity Manager r12 starts, WebSphere Application Server logs the following error:

Exception stack trace: javax.naming.NamingException: Error during resolve [Root exception is javax.naming.AuthenticationException: Authentication failed: cannot login [Root exception is com.ibm.websphere.security.auth.WSLoginFailedException: No user IDM found]]

Answer:

The Workflow component logs in to WebSphere as a dedicated Identity Manager user (the "global user" in the steps below). WebSphere reports "No user IDM found" because no such user exists in its registry. To resolve the error, configure Global Security in WebSphere and create that user in the authentication directory (user registry) you selected for WebSphere, then complete the Workflow configuration described here.

The following outlines the steps necessary:

To configure the WebSphere Connection Factory

  1. Configure InSession workflow.

    Verify that workflow is configured correctly by:

    • Executing a workflow-enabled task

    • Approving a work list item

  2. Configure WebSphere Global Security using the instructions in the tech note "Configuring IdentityMinder for WebSphere v5.1.1.3," which is available on the Identity Manager Support site. In the Ask a Question field, type the name of the tech note.

  3. Create a group called "WorkPointUsers" on the local operating system or where the global user is registered.

  4. Make the global user a member of the WorkPointUsers group.

  5. In the WebSphere Administrative Console, navigate to WebSphere JMS Provider, WebSphere Queue Connection Factories, wpConnectionFactory.

  6. Specify the global user in the following fields:

    • Component-managed authentication alias

    • Container-managed authentication alias

To update the IdentityMinder.EAR file

  1. Open the application.xml file, which is located in <was_im_tools_dir>\WebSphere-ear\IdentityMinder.ear\META-INF, in an XML editor.

    For example, the default location is:

    • For Windows: C:\Program Files\CA Identity Manager\WebSphere-ear\IdentityMinder.ear\META-INF

    • For UNIX: <home_dir>/CA/CA_Identity_Manager/WebSphere-ear/IdentityMinder.ear/META-INF

  2. Add the following entries before the </application> tag in the application.xml file:

    <security-role id="SecurityRole_1">
      <description>All Authenticated users in the enterprise.</description>
      <role-name>WorkPointUsers</role-name>
    </security-role>

Package the IdentityMinder EAR

Packaging the IdentityMinder EAR creates a Java archive file that you can deploy in a WebSphere application server.

To package the IdentityMinder EAR

  1. Ensure that Sun's JDK 1.4.2_07 or higher is installed on the system where the Identity Manager tools for WebSphere are installed.

  2. From the command line, navigate to <was_im_tools_dir>\WebSphere-tools.

  3. In package.bat (for Windows) or package.sh (for UNIX), set the JAVA_HOME variable as follows:

    SET JAVA_HOME=path to JDK

    where path to JDK is the path to the JDK from Step 1.

    For example:

    SET JAVA_HOME=c:\Program Files\Java\j2sdk1.4.2_07

    The path must point to a JDK that meets the requirement in Step 1; a JRE-only installation (a j2re directory) does not contain the tools that package.bat or package.sh needs.

    Be sure to uncomment the SET JAVA_HOME entry.

  4. Run package.bat or package.sh.

After running package.bat or package.sh, be sure that the <was_im_tools_dir>\WebSphere-tools directory contains a was_im.ear file.

Note: When you run package.bat or package.sh, the temp directory might not be deleted. Even if it is not deleted, the EAR file is created with no problem.

Install the IdentityMinder EAR

Once you package the IdentityMinder EAR, you install it using the imsInstall utility.

To install the IdentityMinder EAR

  1. Copy one of the following install scripts from <was_im_tools_dir>\WebSphere-tools to <was_home>\bin:

    • For WebSphere 5.1: imsInstall.jacl

    • For WebSphere 6.0: ims6Install.jacl

  2. From the command line, navigate to <was_home>\bin.

  3. Make sure the WebSphere application server is running.

  4. Run the imsInstall.jacl script as follows:

    Note : The imsInstall.jacl script may take several minutes to complete.

    • For Windows:

      wsadmin -f <imsInstall script> "<path to was_im.ear>" <node> <server> -username <global user> -password <password>
      where:
      <imsInstall script> is imsInstall.jacl for WebSphere 5.1 or ims6Install.jacl for WebSphere 6.0
      <path to was_im.ear> is the full path to the was_im.ear file that you created in Package the IdentityMinder EAR.
      <node> is the optional name of the node where the was_im.ear file will be installed
      <server> is the optional server name of the node where the was_im.ear file will be installed
      <global user> is the name of the WebSphere administrator. Use this parameter if Global Security is enabled.
      <password> is the password for the administrator account.

      Note: Use forward slashes (/) instead of back slashes (\) when you specify the path to was_im.ear.

      For example:

      wsadmin -f imsInstall.jacl "c:/Program Files/CA/CA Identity Manager/WebSphere-tools/was_im.ear" nodeName server1 -username global_user -password myPassword

    • For UNIX:

      ./wsadmin.sh -f <imsInstall script> <path to was_im.ear> <node> <server> -username <global user> -password <password>
      where:
      <imsInstall script> is imsInstall.jacl for WebSphere 5.1 or ims6Install.jacl for WebSphere 6.0
      <path to was_im.ear> is the full path to the was_im.ear file that you created in Package the IdentityMinder EAR.
      <node> is the optional name of the node where the was_im.ear file will be installed
      <server> is the optional server name of the node where the was_im.ear file will be installed
      <global user> is the name of the WebSphere administrator. Use this parameter if Global Security is enabled.
      <password> is the password for the administrator account.

      For example:

      ./wsadmin.sh -f imsInstall.jacl /CA/CA_Identity_Manager/WebSphere-tools/was_im.ear nodeName server1 -username global_user -password myPassword

      On either platform, passing -password on the command line leaves the administrator password in the shell history and visible in process listings. If that is a concern, omit -username and -password and let wsadmin prompt for the credentials.

  5. Complete the post-installation steps and restart the WebSphere server.

To assign users to the WorkPointUsers role

  1. Navigate to Applications, Enterprise Applications, Netegrity IdentityMinder, Map Security Roles to Users and Groups in the WebSphere Administration Console.

  2. Select the WorkPointUsers role (the role-name declared in application.xml) and map it to the Everyone special subject.

    Everyone is the broadest possible mapping: it includes unauthenticated callers as well as every registry user. If your policy requires a tighter mapping, map the role to the WorkPointUsers group you created earlier (the group that contains the global user) and re-run the workflow checks from step 1 of the connection factory procedure to confirm that workflow still operates.

  3. Restart the application server.

To configure support for the WorkPoint Designer

  1. Copy the <was_home>\properties\sas.client.props file to

    <im_admin_tools_dir>\Workpoint\conf.

  2. Edit the copied sas.client.props file as follows:

    com.ibm.CORBA.securityServerHost=<name of your WAS node, defaults to machine OS identity>
    com.ibm.CORBA.securityServerPort=2809
    com.ibm.CORBA.loginTimeout=300
    com.ibm.CORBA.loginSource=prompt
    # RMI/IIOP user identity
    com.ibm.CORBA.loginUserid=<your Global User ID>
    com.ibm.CORBA.loginPassword=<your Global User password>
    com.ibm.CORBA.principalName=<your Global User ID>

    Note: With loginSource=prompt, WorkPoint Designer prompts for credentials at login and does not use the loginUserid and loginPassword values. To log in non-interactively with the stored credentials, set loginSource=properties instead. The password is then kept in the file, either in clear text or {xor}-encoded by WebSphere's PropFilePasswordEncoder; the {xor} form is reversible obfuscation, not encryption, so restrict read access to the file in either case.
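The interplay between loginSource and the stored credentials, and the reason the {xor} form offers no real protection, are easier to see in code. The following Python is an added example, not CA's or IBM's code: it renders the property lines from step 2 with a loginSource that matches the intended mode, lints a file for the prompt-plus-stored-credentials mismatch, and implements the {xor} encoding (XOR every byte with '_', then base64) so the decode side shows how trivially a stored password is recovered. The host and user names are placeholders.

```python
"""Render and lint the sas.client.props settings WorkPoint Designer uses to log in over RMI/IIOP."""
import base64

# Placeholder values for the example; substitute your WAS node and global user.
EXAMPLE_HOST = "wasnode1"
EXAMPLE_USER = "global_user"


def xor_encode(secret):
    """WebSphere's {xor} scheme: XOR each byte with '_' (0x5F), then base64 the result."""
    data = bytes(b ^ 0x5F for b in secret.encode("utf-8"))
    return "{xor}" + base64.b64encode(data).decode("ascii")


def xor_decode(value):
    """Reverse xor_encode; a clear-text value is returned unchanged."""
    if not value.startswith("{xor}"):
        return value
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ 0x5F for b in raw).decode("utf-8")


def render_sas_client_props(host, user, password=None, interactive=True, port=2809):
    """Build the property lines from the tech note with a loginSource that matches the intent.

    interactive=True  -> loginSource=prompt and no stored credentials (Designer asks at login).
    interactive=False -> loginSource=properties with the {xor}-encoded password stored in the file.
    """
    props = {
        "com.ibm.CORBA.securityServerHost": host,
        "com.ibm.CORBA.securityServerPort": str(port),
        "com.ibm.CORBA.loginTimeout": "300",
        "com.ibm.CORBA.loginSource": "prompt" if interactive else "properties",
        "com.ibm.CORBA.principalName": user,
    }
    if not interactive:
        if not password:
            raise ValueError("non-interactive login needs a password to store")
        props["com.ibm.CORBA.loginUserid"] = user
        props["com.ibm.CORBA.loginPassword"] = xor_encode(password)
    lines = ["# RMI/IIOP client login settings for WorkPoint Designer"]
    lines += [f"{k}={v}" for k, v in props.items()]
    return "\n".join(lines) + "\n"


def parse_props(text):
    """Minimal java.util.Properties reader: key=value lines, '#' or '!' comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


def lint_sas_client_props(text):
    """Return the findings a reviewer would raise before shipping the file."""
    p = parse_props(text)
    findings = []
    source = p.get("com.ibm.CORBA.loginSource")
    if source == "prompt" and "com.ibm.CORBA.loginUserid" in p:
        findings.append("loginSource=prompt: loginUserid/loginPassword are ignored, Designer will prompt")
    if source == "properties":
        pw = p.get("com.ibm.CORBA.loginPassword", "")
        if not pw:
            findings.append("loginSource=properties but no loginPassword is set")
        elif not pw.startswith("{xor}"):
            findings.append("loginPassword is stored in clear text")
        else:
            findings.append("loginPassword is {xor}-encoded: reversible, protect the file with OS permissions")
    return findings


if __name__ == "__main__":
    text = render_sas_client_props(EXAMPLE_HOST, EXAMPLE_USER, "s3cret!", interactive=False)
    print(text)
    for finding in lint_sas_client_props(text):
        print("-", finding)
    print("decoded:", xor_decode(parse_props(text)["com.ibm.CORBA.loginPassword"]))
```

Running the file as written renders the non-interactive variant and then decodes the stored password straight back out of it, which is the point: the {xor} encoding stops only casual shoulder-surfing, and the file permissions on <im_admin_tools_dir>\Workpoint\conf are what actually protect the global user's password.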

 

Additional Information:

Question:
Can you configure it not to use this ID (for example, if you do not want to create a generic ID in the user store)?

Answer:
No. The Workflow component requires this ID association; it does not work without it.