Unable to Import Identity Mapping Domain Object

Document ID : KB000039005
Last Modified Date : 14/02/2018

Problem:

A Policy Server admin is trying to export a domain and its associated objects from one policy store and import them into another policy store. The target policy store does not contain the incoming domain. Both policy stores were created independently of each other. Both policy stores have a user directory object called 'USERSTORE'; however, this object has a different XID in each store. The source policy store has an identity mapping called "LDAP-ODBC-ID-MAPPING" that is associated with 'USERSTORE' and a realm in the domain being exported, so it is included in the export. The target store has an identity mapping called "LDAP-ODBC-ID-MAPPING-1" that is also associated with 'USERSTORE'. The identity mappings' XIDs are different in the source and target policy stores.

The command

XPSExport export2.xml -ra -xo CA.SM::Domain@<XID of domain from the source policy store> -npass

is issued to export the domain and associated objects from the source policy store. The export succeeds. The admin then attempts to import that data into the target store using the command

XPSImport export2.xml -npass -validateOnly

but the command fails with:

[smuser@ machine1 tmp]$ XPSImport -ra export2.xml -npass -validateOnly
[XPSImport - XPS Version 12.52.0102.766]
Log output: /opt/netegrity/siteminder/log/XPSImport.2016-01-21_105025.log
Initializing XPS, please wait...
Log Time Phase/Section #Objects %age Elapsed
-------- ------------------------ --------------- ----------- -----------------
10:50:37 Initializing
10:50:37 Reading 00:00:00
10:50:37 Reading 00:00:00 00:00:00
10:50:37 Analyzing 0/46 00:00:00
(ERROR) : [sm-xpsxps-01830] An object with XID "CA.SM::IdentityMapping@<XID of Identity Mapping from the target policy store>" as specified in the object reference with Reference ID "Ref00006" in the XML file does not exist in the policy store. (Line:unavailable, XID not found)
10:50:37 Analyzing/Reference 5/46 10% 00:00:00 00:00:00
10:50:37 Complete 00:00:00
(FATAL) : [sm-xpsxps-05810] Import failed


Resolution:

Follow these steps to manually fix the Identity Mapping object definition:

==========================

1.  Modify "SITEMINDER_INSTALLED_LOCATION\xps\dd\SmObjects.xdd" as shown below for the IdentityMapping object on both the source and target policy servers.

     Add "ImportType=Add" to the [Class] IdentityMapping definition.

Ex:

[Class]
Parent=CA.SM
Name=IdentityMapping
Description=Defines collection of Identity Mapping Entries to represent order of the location of the user in the target user directory.
ExtensionClass=no

Update as below:

[Class]
Parent=CA.SM
Name=IdentityMapping
Description=Defines collection of Identity Mapping Entries to represent order of the location of the user in the target user directory.
ImportType=Add
ExtensionClass=no

2.  Go to SITEMINDER_INSTALLED_LOCATION\xps\dd in a command prompt and run the following command:

      XPSDDInstall SmObjects.xdd

3.  Restart the policy server.

4.  Export the domain and associated objects using the command

      XPSExport export_domain.xml -ra -xo CA.SM::Domain@<XID of domain from the source policy store> -npass

5.  Import into the target policy store using the command

      XPSImport export_domain.xml -npass

The Domain, IdentityMapping, and all other objects from the source policy store, except the user store object, are exported and imported correctly. The user store object is exported from the source policy store but is not imported into the target policy store, because a user store object with the same name already exists there.
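Because step 1 has to be applied identically on both the source and target policy servers, the edit can be scripted so that it is repeatable and changes only the IdentityMapping class. The following is an added example, not part of the original article or of the product; it assumes SmObjects.xdd uses the bracketed section layout shown in step 1, and `ensure_import_type` and `ExampleOtherClass` are hypothetical names.

```python
import re

SECTION = re.compile(r"^\s*\[(\w+)\]\s*$")  # e.g. "[Class]"

def ensure_import_type(xdd_text, class_name="IdentityMapping", value="Add"):
    """Return (new_text, changed): add ImportType=<value> to the [Class]
    section named class_name unless that section already sets ImportType."""
    lines = xdd_text.splitlines()
    # Each "[...]" header opens a section that runs to the next header or EOF.
    starts = [i for i, l in enumerate(lines) if SECTION.match(l)] + [len(lines)]
    for begin, end in zip(starts, starts[1:]):
        if SECTION.match(lines[begin]).group(1).lower() != "class":
            continue
        body = [l.strip() for l in lines[begin + 1:end]]
        if f"Name={class_name}" not in body:
            continue
        if any(l.startswith("ImportType=") for l in body):
            return xdd_text, False  # already set: leave the file untouched
        # Insert before ExtensionClass= as in step 1, else after the last key.
        at = next((i for i in range(begin + 1, end)
                   if lines[i].strip().startswith("ExtensionClass=")), None)
        if at is None:
            at = max(i for i in range(begin, end) if lines[i].strip()) + 1
        lines.insert(at, f"ImportType={value}")
        return "\n".join(lines) + "\n", True
    raise ValueError(f"[Class] {class_name} not found")

# Constructed sample: ExampleOtherClass is hypothetical; the second section
# is the IdentityMapping definition quoted in step 1.
SAMPLE = """\
[Class]
Parent=CA.SM
Name=ExampleOtherClass
ExtensionClass=no

[Class]
Parent=CA.SM
Name=IdentityMapping
Description=Defines collection of Identity Mapping Entries to represent order of the location of the user in the target user directory.
ExtensionClass=no
"""

if __name__ == "__main__":
    patched, changed = ensure_import_type(SAMPLE)
    print("changed:", changed)
    print(patched)
```

Run it against a backup copy of SmObjects.xdd on each server and compare the result with the original before continuing with step 2.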

 

Additional Information: 

The SmObjects.xdd file has been fixed as noted in step #1 above.  It will be released in an upcoming CR.