PostCreate errors when creating new directories or environments on Identity Manager after upgrading SiteMinder policy server

Document ID : KB000046846
Last Modified Date : 09/05/2018

Symptoms: 

After upgrading SiteMinder Policy Server from 12.0 to SiteMinder Policy Server 12.5x, importing Identity Manager directories and environments fails with a postCreate error. The SMPS.log entries from the same time as the PostCreate error show a "Duplicate Object" error.

Environment:  

Any IM version integrated with SiteMinder 12.5x that was upgraded from an earlier policy store

Cause: 

This is caused by data integrity problems between the Identity Manager object store and the Policy Server's XPS layer. When integrated, Identity Manager has a copy of the IM objects in the Identity Manager object store, and a separate copy in the Policy Store on the policy server machine.

Typically, customers migrating their policy server versions will export the data from the existing policy store and import the data into the new store, while creating a brand new, blank Identity Manager object store.

In versions prior to Policy Server 12.51, customers could use the smobjexport tool with the -m option so that the Identity Manager objects in the Policy Store were excluded in the export files. However, in more modern Policy Server installations, xpsexport must be used, and that tool does not have any options to exclude the Identity Manager objects in the export.

In this case, the IM object store does not have any record of the Identity Manager objects, but the SiteMinder policy server does. The user goes to create the desired objects using exported directory.xml files or environment.zip files and then encounters the postCreate/duplicate object errors.

Resolution

There are two approaches to resolve this issue.

The first and more proactive approach is to export the IM directory and IM environment objects from the old environment first. If SiteMinder Integration was enabled after the creation of the IM Directory and IM Environment, you will need to disable the integration first in order for the export to proceed. Then delete those objects from the /immanage console before running the XPSExport command to move the policy store data to the new policy store. This method ensures that all related realms and user directories are removed, so the duplicate objects are gone before the new policy store is ever started.

The second approach is to use the XPSExplorer utility to delete all IMSDirectories and IMSEnvironments objects, as well as the related user directories (these objects have OIDs that begin with 20-) and domains (these OIDs begin with 03). This allows IM to recreate the objects cleanly, avoiding the duplicate object errors.

For further details on the tool, please refer to the documentation for XPSExplorer, or open a ticket with CA Support.

** We don't recommend disabling IM/SM Integration in order to make an import work. The import will work, but the environment won't be fully functional, which can lead to difficulties.

 
