abergvall Trusted Contributor.

First identity collector failure

Hello,

IGA 3.5.1 on Windows 2016 fresh install.

DB MSSQL 2017

eDir - latest fully patched 8.8

Login with igadmin works so basic stuff works.

Trying to add first Identity Collector version: Identity Manager Identity Collector - Template Version 3.5.0

Filling in IP, port and so on, requests the certificate and approves that, then clicking "Test Connection" and... Failure.

 

Log looks like this:

[INFO] 2019-09-18 15:09:53 com.netiq.daas.daaservice.DaaService <init> - [DAAS] Configuration file path: D:\netiq\idm\apps\tomcat\webapps\daas\daasconfig
[FINE] 2019-09-18 15:09:53 com.netiq.daas.daaservice.ServiceMap loadServiceInstance - [DAAS] Received request to load service: IDMIdentityTemplate-4-5-18c4de4980c24aebb7518e02ff361fdd
[FINE] 2019-09-18 15:09:53 com.netiq.daas.daaservice.ServiceMap loadServiceInstance - [DAAS] Loaded service: IDMIdentityTemplate-4-5-18c4de4980c24aebb7518e02ff361fdd, load count: 1
[FINE] 2019-09-18 15:09:53 com.netiq.daas.daaservice.ServiceProviderMap clean - [DAAS] Collection cleaner running...
[FINE] 2019-09-18 15:09:53 com.microfocus.daas.ldap.Connector <init> - [DAAS] Server URL: ldaps://10.0.0.2:636/
[FINE] 2019-09-18 15:09:53 com.netiq.daas.common.SrvInstance <init> - [DAAS] New service instance. TTL: 60
[FINE] 2019-09-18 15:09:53 com.netiq.daas.common.SrvInstance resetTimeout - [DAAS] Reset timeout for service instance to TTL: 60
[FINE] 2019-09-18 15:09:53 com.netiq.daas.common.JcceLoggerAdapter log - [DAAS] Creating TLS certificate truststore:
Certificate:
Type: X.509
Subject: CN=server.xxx.yyy, O=IDV
Issuer: O=IDV, OU=Organizational CA
Adding certificates to truststore:
Alias: O=IDV, OU=Organizational CA
(Elapsed time: 1.799 milliseconds)
[FINE] 2019-09-18 15:09:53 com.microfocus.daas.nativeldapservice.SSLSocketFactoryPrivate <init> - [DAAS] Creating TrustManager...
[FINE] 2019-09-18 15:09:53 com.microfocus.daas.nativeldapservice.SSLSocketFactoryPrivate <init> - [DAAS] Setting up SSLContext environment...
[FINE] 2019-09-18 15:09:53 com.microfocus.daas.nativeldapservice.TrustManagerPrivate checkServerTrusted - [DAAS] In checkServerTrusted()...
[FINE] 2019-09-18 15:09:53 com.microfocus.daas.nativeldapservice.TrustManagerPrivate isChainTrusted - [DAAS] Inspecting certificate chain. length is: 2
[FINE] 2019-09-18 15:09:53 com.microfocus.daas.nativeldapservice.TrustManagerPrivate isChainTrusted - [DAAS] Issuer Cert 1: O=IDV, OU=Organizational CA
[FINE] 2019-09-18 15:09:53 com.microfocus.daas.nativeldapservice.TrustManagerPrivate isChainTrusted - [DAAS] Subject Cert 1: O=IDV, OU=Organizational CA
[FINE] 2019-09-18 15:09:53 com.microfocus.daas.nativeldapservice.TrustManagerPrivate checkServerTrusted - [DAAS] Server certificate is trusted...
[FINE] 2019-09-18 15:09:53 com.microfocus.daas.nativeldapservice.TrustManagerPrivate getAcceptedIssuers - [DAAS] In getAcceptedIssuers()...
[FINEST] 2019-09-18 15:09:53 com.microfocus.daas.ldap.DirectoryCache getDirectoryInfo - [DAAS] Caching directory information:
Class: DirectoryInfo
Host: 10.0.0.2
Port: 636
Type: EDIR
Class: EDirectorySchema

...whole schema goes here...

[SEVERE] 2019-09-18 15:09:53 org.apache.catalina.core.StandardWrapperValve invoke - Servlet.service() for servlet [daas] in context with path [/daas] threw exception [java.lang.NullPointerException] with root cause
java.lang.NullPointerException
at com.microfocus.daas.ldap.edir.NameMap$LdapMapping.<init>(NameMap.java:1264)
at com.microfocus.daas.ldap.edir.NameMap$LdapMapping.<init>(NameMap.java:1248)

...full javablob here...

[FINE] 2019-09-18 15:09:54 com.netiq.daas.daaservice.ServiceMap unloadServiceInstance - [DAAS] Received request to unload service: IDMIdentityTemplate-4-5-18c4de4980c24aebb7518e02ff361fdd
[FINE] 2019-09-18 15:09:54 com.netiq.daas.daaservice.ServiceMap unloadServiceInstance - [DAAS] Decremented load count on service: IDMIdentityTemplate-4-5-18c4de4980c24aebb7518e02ff361fdd, load count: null
[SEVERE] 2019-09-18 15:09:54 com.netiq.iac.server.rest.ConnectionService testConnection - [IG-SERVER] Test Connection error: Encountered unexpected error: Entity input stream has already been closed.

 

And for sure nothing works. Amazing that it can get the schema.

Can't do collect, can't test collection etc. 

Added the LDAP server CA cert to cacerts as trusted - based on guesswork - no change.

So obviously there is something completely obvious that I missed - but what?

 

br

/Anders

 

1 Solution

Accepted Solutions
abergvall Trusted Contributor.

Re: First identity collector failure

And so I have found the issue.
Correct rights in the tree.
Correct rights in the tree.
Correct rights in the tree.

I hope I don't forget it again.
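
An added example (not part of the original posts or of the product): a small Python triage of the log quoted in the question. It shows that the connection got past TLS trust and the schema read before the first SEVERE entry, which is consistent with the accepted fix being directory rights rather than the truststore. The stage names and the verdict heuristic are assumptions of this example, and the sample is a constructed, shortened copy of the poster's log.

```python
import re

# Constructed sample: a shortened copy of the DAAS log lines quoted in the question.
SAMPLE_LOG = """\
[FINE] 2019-09-18 15:09:53 com.microfocus.daas.ldap.Connector <init> - [DAAS] Server URL: ldaps://10.0.0.2:636/
[FINE] 2019-09-18 15:09:53 com.microfocus.daas.nativeldapservice.TrustManagerPrivate checkServerTrusted - [DAAS] Server certificate is trusted...
[FINEST] 2019-09-18 15:09:53 com.microfocus.daas.ldap.DirectoryCache getDirectoryInfo - [DAAS] Caching directory information:
Class: DirectoryInfo
[SEVERE] 2019-09-18 15:09:53 org.apache.catalina.core.StandardWrapperValve invoke - Servlet.service() for servlet [daas] in context with path [/daas] threw exception [java.lang.NullPointerException] with root cause
java.lang.NullPointerException
at com.microfocus.daas.ldap.edir.NameMap$LdapMapping.<init>(NameMap.java:1264)
[SEVERE] 2019-09-18 15:09:54 com.netiq.iac.server.rest.ConnectionService testConnection - [IG-SERVER] Test Connection error: Encountered unexpected error: Entity input stream has already been closed.
"""

ENTRY = re.compile(r"^\[(\w+)\] (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+) - (.*)$")
# Ordered stage markers (names are hypothetical); the substrings come from the log above.
STAGES = [("connect", "Server URL:"),
          ("tls_trust", "Server certificate is trusted"),
          ("schema_read", "Caching directory information")]

def triage(log_text):
    """Return the stages reached before the first SEVERE entry and that entry's details."""
    reached, first_error, in_error = [], None, False
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            level, _ts, cls, _method, msg = m.groups()
            in_error = False
            if level == "SEVERE" and first_error is None:
                first_error = {"class": cls, "message": msg, "frames": []}
                in_error = True
            elif first_error is None:
                reached += [n for n, needle in STAGES if needle in msg and n not in reached]
        elif in_error and line.strip().startswith("at "):
            first_error["frames"].append(line.strip()[3:])
    return reached, first_error

def verdict(reached, first_error):
    """Heuristic (an assumption of this example): once trust succeeded, the truststore is not the cause."""
    if first_error is None:
        return "no SEVERE entry found"
    if "tls_trust" not in reached:
        return "failed before or during TLS trust: check certificates"
    return "TLS trust succeeded: check the bind account and directory data, not cacerts"

if __name__ == "__main__":
    stages, err = triage(SAMPLE_LOG)
    print(stages, err["frames"][:1], verdict(stages, err), sep="\n")
```
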
3 Replies
Knowledge Partner

Re: First identity collector failure

Anders,

My first thought is watch out for timeouts. If you are where I knew you were working, might be the query is taking too long. But you do actually get a timeout-like error in the logs for that. (I had a query to lock down the collected identities that was not using indexed attrs that took over 15 seconds and died. Indexing the attrs did fix it. But first I changed my query to remove one extra attr and it helped as well).

 

Actually that was OSP on login now that I think about it.

Does your schema have anything 'goofy' in it?  Since it read your schema, I wonder if it is parsing it, missing some expected data element and bombing. 

 

0 Likes
abergvall Trusted Contributor.

Re: First identity collector failure

Hi,

 

Sorry for the late response - you know me - just at another customer 🙂 

I don't think it's timeout-related - I have no bad stuff in the log. Will take a look at rights for the user I'm using doing the connect, I have some sort of recollection that it might be in play here.

0 Likes