Modifying an Identity Manager Directory with SiteMinder integration fails with postCreate error

Document ID : KB000031038
Last Modified Date : 14/02/2018

There have been a series of issues opened with support where the IM directory cannot be created from the management console when IM is integrated with SiteMinder 12.0 and 12.5.

 

When creating a SiteMinder integrated IM Directory, the IM application server first creates a copy of the directory object in the IM object store and then does a post-create step using the SetLinkedData method to create a copy of the directory object in SiteMinder’s policy store. It’s in this post-create step that the error occurs.

 

Typically, you’ll see a postCreate failure, “object not found” or “duplicate object ID” in the errors.

 

When integrated with SiteMinder, updating IM Directories forces the IM app to synchronize the changes to SiteMinder's copy of the directory. This happens after the modification/creation of the IM directory, so this is the "postCreate" phase and this is where the errors occur. For details on these failures, please see this tech note: http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1595544.aspx

 

In 95% of cases, the synchronization of the SiteMinder directory is unnecessary. If we can verify that the changes that you are making will not be used by SiteMinder, we can safely disable IM/SM integration for the import process and then reactivate it when the import has been completed.

 

If any of the updated attributes are used by SiteMinder for password policies or access role membership, this will not be feasible.

 

Changes to any of these attributes will require an additional step at the end:

 

Figure A

UserID

Password

Password Data

Enabled

Email

Password Hint

 

Otherwise, you can disable the integration this way:

 

Navigate to the \policyserver.rar\META-INF folder located within the iam_im.ear on the application server that is running CA IdentityMinder.

 

Open the ra.xml file in an editor.

 

Search for the Enabled config-property, and then change the config-property-value to false.

 

Save your changes and restart the application server.

 

Import the modified directory.xml.

 

If you modified any of the attributes in Figure A, you'll need to open the SiteMinder UI and modify the SiteMinder user directory to make the desired changes.

 

Stop the application server and change the Enabled config-property-value in the ra.xml back to true. Restart the application server.

 

 

Your update of the directory should now be complete.
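
The ra.xml edit in the steps above can be scripted so that only the Enabled value changes and the original file is kept for the later re-enable step. This is an added example, not CA's tooling; it assumes ra.xml follows the standard Java EE connector layout (a config-property-name element preceding its config-property-value), and the sample XML, the ExampleOther property and the .orig backup name are constructed for illustration.

```python
import re
import shutil
from pathlib import Path

# Constructed sample in the standard Java EE connector (ra.xml) layout.
# "ExampleOther" is a made-up property; the real file holds other entries.
SAMPLE_RA_XML = """<connector>
  <resourceadapter>
    <config-property>
      <config-property-name>Enabled</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>true</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>ExampleOther</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>true</config-property-value>
    </config-property>
  </resourceadapter>
</connector>
"""

# Match only the value that belongs to the property named "Enabled"; the
# tempered dot stops the match from running into the next config-property.
_PROP = re.compile(
    r"(<config-property-name>\s*Enabled\s*</config-property-name>"
    r"(?:(?!</config-property>).)*?<config-property-value>)"
    r"\s*([^<]*?)\s*(</config-property-value>)", re.DOTALL)

def set_enabled(xml_text, enabled):
    """Return (new_xml, previous_value); no other text in the file changes."""
    found = _PROP.findall(xml_text)
    if len(found) != 1:
        raise ValueError(f"expected 1 Enabled config-property, found {len(found)}")
    value = "true" if enabled else "false"
    return _PROP.sub(lambda m: m.group(1) + value + m.group(3), xml_text), found[0][1]

def toggle_file(path, enabled):
    """Edit ra.xml in place, keeping the first pre-change copy as ra.xml.orig."""
    path = Path(path)
    backup = path.with_name(path.name + ".orig")
    if not backup.exists():
        shutil.copy2(path, backup)
    new_xml, previous = set_enabled(path.read_text(encoding="utf-8"), enabled)
    path.write_text(new_xml, encoding="utf-8")
    return previous

if __name__ == "__main__":
    off, before = set_enabled(SAMPLE_RA_XML, False)
    print("was:", before, "-> disabled for import")
    print("restored:", set_enabled(off, True)[0] == SAMPLE_RA_XML)
```

The previous value returned by toggle_file gives a quick check, after the final restart, that the integration was switched back to true rather than left disabled.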