Identity Manager r12.5 - Provisioning Directory Creation Fails
When running the Provisioning Directory creation through the IDMManage UI, the following error is thrown:
An error occurred while configuring Identity Manager. Reverting configured objects...
There are a few different configuration problems that could cause this error condition, and therefore a few different areas that need to be checked and verified. Any or All of the below actions may be necessary to resolve this issue so the recommendation would be to verify each step listed below before proceeding to the next.
Things To Check:
- Which method are you using to create the Directory in the IDM Manage UI, the 'Create From Wizard' option, or the 'Create or Update from XML' option?
- Whichever you are using, try using the other to see if that has any effect.
- Verify that the Provisioning Server is up/running/functional.
- Make sure you can access everything properly through the Provisioning Manager UI.
- Verify that the IM SiteMinder extensions are installed on the Policy Server prior to running the Provisioning Directory creation.
- Verify that the Provisioning Directory Server's host name is resolving on the Policy Server.
- Test by pinging via Host name and IP to/from the IDM and SM Policy Store Servers.
- If basic pinging fails, add the host name and IP to the hosts file on the Policy Server and restart the Policy Server.
- Then try the Provisioning Directory creation again.
Check the IM and SiteMinder logs for connectivity errors such as:
ERROR [ims.llsdk.managedobjectdefinition.attributedefinition][facility=4 severity=3 reason=0 status=22 message=Operation has failedSmImsComman (returnManagedObjectAttributes) Provider call failed
Error Code was: -2140798856
Error Message: IM Directory Service: Failed to load the associated SiteMinder user directory ID:176]
- Check the SiteMinder UI to verify the available Directory names, they must match exactly otherwise it can cause this sort of error.
- Verify that the correct SiteMinder port is being used during the Provisioning Directory creation, as well as what port is defined in the Dir.xml.
- The Policy Server needs to contact the Provisioning Server, Ports 20389/20390 are used for communication.
Are you using SiteMinder to protect the Identity Manager URL?
If so, you would need to extend the Policy Store Schema.
The following error in the IDM log is pointing to a problem with the SiteMinder connectivity, specifically with the Policy Store Schema which should be extended properly when the IM extensions are installed..
ERROR [ims.llsdk.environment] Could not delete the directory in Siteminder.
ERROR [ims.llsdk.environment] AttributeNotPresentException:
This method requires the presence of an attribute which was not provided.
The attribute is named smOID.
The following error points to the smOID attribute not being present:
ERROR [ims.llsdk.environment] AttributeNotPresentException: This method requires the presence of an attribute which was not provided. The attribute is named smOID.
The smOID attr not being present tells us its a SM Schema problem.
This error points to additional IM/SM communication problems:
IM Directory Service:Failed to load the associated SiteMinder user directory ID:176]
Once you install the CA Identity Manager Extensions for SiteMinder on the system with the Policy Store, extend the policy store schema for CA Identity Manager.
To extend the schema to the policy store, use the Identity Manager Administrative Tools.
Install Identity Manager Administrative Tools using the CA Identity Manager installation program, without installing the Identity Manager Server.
To extend the Policy Store Schema run one of the following scripts for CA Identity Manager on the Policy Store database:
SQL: C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\policystore-schemas\MicrosoftSQLServer\ims8_mssql_ps.sql
If this was already done, or if this does not resolve the problem, there is a Registry modification that can be made that may addresses this.
Make the following Registry modification to the sm.registry:
Note: Before making ANY Registry modifications make sure you have a full system backup!!
After making this modification restart the Policy Server.
At that point re-attempt the Provisioning Directory creation.
Clean up objects in the Policy store that didn't get cleaned up by the IDM create process(even though the error states 'Reverting configured objects' when it fails):
- There is the 32-xxxxxx object created by Identity Manager for the provisioning directory in the policy store(visable through JXplorer).
- If you open this object up, it points to an impropcolid6 20-xxxxxxx object.
- It also points to the directory in siteminder --imsmidirid6 - 0e-xxxxxx
- Clean out these object trees, then restart the Identity Manager, Provisioning, and Policy Servers.