JonH67 Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

Thanks

I have rebuilt my dev server from scratch and carried out the following tasks: installed Tomcat and PostgreSQL onto the SLES11SP3 Apps server (there were no errors reported during this process) and installed OSP only. I'm using the SSPR appliance and would integrate this if Identity Apps worked; as I was not using SSPR at this stage I did not select SSL or HTTPS.
An error was seen in the installer stating warnings occurred and check the logs, the log showed a non fatal warning that there was a keytool execution error, although the execute command: keytool showed a successful status.
Looking at the keytool-log showed an error where the key pair was not generated because alias <osp> already exists, I suspect this has more to do with the UserApp configupdate.sh.

I started the UserApp install, this is very similar to every RBPM install I've done over the last 8 years, the install went fine until the process spawned the configupdate.sh, I added all the IDV information and it looked ok, I clicked ok and the installer produced an error pop up saying that there was an error configuring the application server, is it ok to continue, I clicked yes to continue. There were no errors in the user_app_install_log, the NetIQ-Custom-install.log showed an error with the config tool: com.netiq.installer.idm.ldap.ConfigStoreException: ERROR storing configuration. The installer finished and I checked the ism-properties file and it was very sparse, I ran the configupdate a second time and added the information. This saved correctly as it has done every time I've run it after the install version failures.

I do believe that the auditing element has not been configured correctly by the installer process, the catalina.out file shows an error where it cannot configure logging, I ignored this thinking it was like the old jboss logs in 4.0.2, elements not configured could be ignored, but I read a forum thread that it expects certain elements of auditing to be configured correctly or it throws an IllegalStateException:
https://forums.novell.com/showthread.php/487321-UA-4-5-unable-configure-logging-IDMProv-fails?highlight=unable+configure+logging
Although unlike the above thread I have not configured HTTPS or SSL as this is a DEV test of the install routine compared against 4.0x. Is there an easy fix for this error as this is a clean server patched to Sept 2016 and simply doing the three product installs, there is nothing complex or difficult, yet it fails constantly.

The whole install was run as root at the server.

When installing Tomcat what is the best practice for ports? Do the Identity Apps sit on the Tomcat server as a separate application and use whatever port specified, or do you align the tomcat and IDM App ports.
spsivasubramanian Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

JonH67;2455223 wrote:
Thanks

I started the UserApp install, this is very similar to every RBPM install I've done over the last 8 years, the install went fine until the process spawned the configupdate.sh, I added all the IDV information and it looked ok, I clicked ok and the installer produced an error pop up saying that there was an error configuring the application server, is it ok to continue, I clicked yes to continue. There were no errors in the user_app_install_log, the NetIQ-Custom-install.log showed an error with the config tool: com.netiq.installer.idm.ldap.ConfigStoreException: ERROR storing configuration. The installer finished and I checked the ism-properties file and it was very sparse, I ran the configupdate a second time and added the information. This saved correctly as it has done every time I've run it after the install version failures.


Dear JonH,

Thanks for your detailed description.

Could you please check a couple of things at your eDirectory tree level (Identity Vault Server):

- Log in to the IDV tree using iManager, navigate to 'View Objects' -> expand 'Security Container'; check whether 'Default Notification Collection' is present. If not, kindly deploy 'Default Notification Collection' using Designer [I assume we're using 'English-US Language' here, not localization boxes; ensure the 'Default Notification Collection' string is in 'English']

- On the same Security Container page, check whether 'SecretStore' got created.

- Also, ensure 'SAML Assertion method' is present in 'Authorized Login Methods' and a Login Policy sequence is available for the same [you could check the same from iMonitor as well: https://<ipaddr>:8030]

> When installing Tomcat what is the best practice for ports? Do the Identity Apps sit on the Tomcat server as a separate application and use whatever port specified, or do you align the tomcat and IDM App ports

We need to ensure we are using free/unused ports for the Tomcat web application server; the same port will be used for Identity Applications.
For example, if iManager is installed on the same server and listens on port 8080, before invoking the convenience installation (Tomcat installer) ensure a 'free port' is available, e.g. http/8180, and assign the same;
so iManager Tomcat uses 8080, whereas Identity Apps Tomcat uses 8180. Later you could configure an https/SSL channel for Identity Applications by importing the right certificates in cacerts and keystores.

Thanks and Best Regards,
SivaPrakasamS
Micro Focus.
JonH67 Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

Thanks for the pointers.

The Default Notification Collection is in place. The SAML assertion is in the Login Methods container, although this was not created by the configupdate.sh routine, the install configupdate and running after the install didn't update eDirectory even when setting the change to Auto. I had to extract SAML from the UA 4.0.2 Patch E and install and configure using those instructions.
According to eDirectory, the server and SSSCFG, SecretStore is all good, although the ssspolicyobject has not been created in the security Container. I'll rectify that issue and reinstall the apps from scratch.
JonH67 Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

Secret Store was reinitialized and the object cannot be seen in the security container using the normal Directory Administration plugin. The policy has been created and can be seen using the SecretStore plugin under SecretStore Servers, the policy SecretStore.Security exists and shows the SecretStore server, the IP address and states LDAP is OFF and SSL is OFF. Are there required settings for User App?
JonH67 Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

I reinstalled the Identity Apps from scratch, so Tomcat-PostgreSQL-OSP-User App, exactly the same errors were seen, firstly cannot store configuration in the ism properties file. I ran configupdate.sh a second time and filled in all the missing information, I did find that under the SSO Client tab, reporting is not optional, if you do not fill in the reporting information it produces pop ups saying that the information cannot be left blank and doesn't allow you to continue.
Restarted the server, same error in catalina.out: Unable to configure logging and IllegalStateException.

I'm not sure whether SecretStore is configured and if this is the problem. I built a new eDirectory server OES11SP2 and did not select SecretStore for install, this would be the normal setting I've come across. The novell-sss rpm is installed, the sssv3.sch file is there, but ssscfg does not exist on the server. The only way to configure is to use the sssv3 command, unrem the ssncp in nds-modules and restart the server, this then creates the policy in the security container, but the secretstore plugin is required and the edir 8.8.8 or IDM docs rely on ssscfg -c to configure. There is no way to analyze the SS settings and correct them.
spsivasubramanian Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

JonH67;2455314 wrote:

I'm not sure whether SecretStore is configured and if this is the problem. I built a new eDirectory server OES11SP2 and did not select SecretStore for install, this would be the normal setting I've come across. The novell-sss rpm is installed, the sssv3.sch file is there, but ssscfg does not exist on the server. The only way to configure is to use the sssv3 command, unrem the ssncp in nds-modules and restart the server, this then creates the policy in the security container, but the secretstore plugin is required and the edir 8.8.8 or IDM docs rely on ssscfg -c to configure. There is no way to analyze the SS settings and correct them.


Dear JonH,

Thanks for your information.

Yes, SecretStore is needed [That will be created and configured as part of eDirectory installation, if we've chosen 'SecretStore' configuration during eDir installation/configuration]

Before invoking the UserApplication installer, make sure 'Default Notification Collection' (created as part of the Identity Manager Engine installation, or we could deploy 'Default Notification Collection' using Designer) and the 'SecretStore' container are present.

com.netiq.installer.idm.ldap.ConfigStoreException: ERROR storing configuration - may occur if the above objects are not available.

- Also, could you please let us know what is our Tree name and container structure. [We are trying to understand and help you to resolve this]; Sorry for any inconvenience.

Thanks and Best Regards,
SivaPrakasamS.
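
The pre-install check asked for in the reply above, as an added example that is not part of the original posts or of any NetIQ tooling: it reads an LDIF listing of the Security container and reports which of the objects named in the thread are absent. The three DNs, the host name and the bind DN are assumptions built from the object names in the thread.

```shell
#!/bin/sh
# Pre-install check: are the Security container objects from the thread present?
# Feed it LDIF, e.g. from OpenLDAP ldapsearch (host and bind DN are placeholders):
#   ldapsearch -x -LLL -H ldaps://idv.example.com:636 -D "cn=admin,o=Admin" -W \
#     -b "cn=Security" -s sub "(objectClass=*)" 1.1 | missing_security_objects

# Assumed DNs, built from the object names in the thread; adjust for your tree.
REQUIRED_DNS='cn=Default Notification Collection,cn=Security
cn=SecretStore,cn=Security
cn=SAML Assertion,cn=Authorized Login Methods,cn=Security'

# Constructed sample (not real output): SecretStore is absent, one DN is folded.
SAMPLE_LDIF='dn: cn=Security

dn: CN=Default Notification Collection, CN=Security

dn: cn=SAML Assertion,cn=Authorized Login Meth
 ods,cn=Security
'

# Normalise a DN for comparison: lower-case, no spaces around "," or "=".
normalize_dn() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
        sed -e 's/ *, */,/g' -e 's/ *= */=/g'
}

# Print the normalised DN of every entry in the LDIF on stdin, one per line.
# LDIF folds long lines: a line starting with one space continues the previous.
ldif_dns() {
    awk '
        /^ /    { if (indn) dn = dn substr($0, 2); next }
        indn    { print dn; indn = 0 }
        /^dn: / { dn = substr($0, 5); indn = 1 }
        END     { if (indn) print dn }
    ' | while IFS= read -r dn; do normalize_dn "$dn"; done
}

# Print each required object that is absent from the LDIF on stdin.
# Exit status is 0 when all are present and 1 when any is missing.
missing_security_objects() {
    found=$(ldif_dns)
    status=0
    # The here-document keeps the loop in this shell, so $status survives it.
    while IFS= read -r want; do
        if ! printf '%s\n' "$found" | grep -Fqx -- "$(normalize_dn "$want")"; then
            printf 'MISSING: %s\n' "$want"
            status=1
        fi
    done <<EOF
$REQUIRED_DNS
EOF
    return $status
}
```

Presence is necessary but not sufficient: later in the thread a manually created SecretStore policy existed and the install still failed.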

JonH67 Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

The default notification collection has been deployed since the driverset was created. The secretstore object does exist, although I had to create it manually as ssscfg does not exist on the server. The failure to store configuration during the user app install because of these missing objects would be feasible if the error was seen constantly, it is only seen during the user application install routine. When I run the configupdate.sh after the user app install has finished, it updates or stores the configuration correctly in the ism-properties file.

I have built another eDirectory server and manually configured eDirectory to install SecretStore, after the install has finished, the SecretStore policy is created in the Security container, when trying to check the configuration, SSSCFG does not exist on the server, is this a bug or are the IDM and eDirectory docs incorrect? I searched from / at the server terminal using find | grep ssscfg and found nothing, I checked the validity of the find function and it correctly found ndsstat, sssv3.sch and other files.

The environment I have been using is a dev lab environment, but it is based on a customer's vault configuration. The structure is T=IDMAPPS, O=Admin, O=People. O=Admin contains the admin and svc users, it has OU=IDM for IDM objects, it has an OU for the servers in the tree. O=People contains all the normal users, these are all IDM enabled.
stevewdj Acclaimed Contributor.

Re: 4.5 Identity Apps Install and Configupdate.sh

On 4/20/17 4:44 AM, JonH67 wrote:
>
> The default notification collection has been deployed since the
> driverset was created. The secretstore object does exist, although I had
> to create it manually as ssscfg does not exist on the server. The
> failure to store configuration during the user app install because of
> these missing objects would be feasible if the error was seen
> constantly, it is only seen during the user application install routine.
> When I run the configupdate.sh after the user app install has finished,
> it updates or stores the configuration correctly in the ism-properties
> file.
>
> I have built another eDirectory server and manually configured
> eDirectory to install SecretStore, after the install has finished, the
> SecretStore policy is created in the Security container, when trying to
> check the configuration, SSSCFG does not exist on the server, is this a
> bug or are the IDM and eDirectory docs incorrect? I searched from / at
> the server terminal using find | grep ssscfg and found nothing, I
> checked the validity of the find function and it correctly found
> ndsstat, sssv3.sch and other files.
>
> The environment I have been using is a dev lab environment, but it is
> based on a customer's vault configuration. The structure is T=IDMAPPS,
> O=Admin, O=People. O=Admin contains the admin and svc users, it has
> OU=IDM for IDM objects, it has an OU for the servers in the tree.
> O=People contains all the normal users, these are all IDM enabled.
>
>

Greetings,
There is information that is read and stored in eDirectory, the
UserApp Driver, and the ism-configuration.properties file

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
JonH67 Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

Thanks Steve

I have resolved the problem although it is not an ideal solution. It is down to SecretStore, the configuration utility for SecretStore ssscfg is missing from the OES11 eDirectory install, without this I could not configure (this step is in the IDM APPS doc) or check the configuration of SecretStore after the object was created. The iManager SecretStore plugins must miss certain mandatory configuration requirements when creating or managing the objects.
I had to build a new OES11 server, manually select Install SecretStore and build the server from there, pointing the apps server at this new server in a new tree worked, I can access IDMProv. This is not ideal as adding a new server to an existing tree to get SecretStore working may not gain a lot of support, and few customers in my experience own OES, eDirectory and SLES from a licensing perspective.
spsivasubramanian Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

Dear JonH,

Good and Glad to know, it's working for you now.

Thanks, and we narrowed it down to the SecretStore object and configuration at last. Sorry for the multiple iterations. Since you have mentioned this issue is consistent, we shall have an eDirectory bug to track the same on OES, as SecretStore would be created or configured as part of eDir installation/configuration. A missing/corrupted SecretStore may lead the UserApp installer to fail with 'Error Storing Configuration' (the cause here). Any suggestions are also welcome.

Thanks and Best Regards,
SivaPrakasamS
Micro Focus.
JonH67 Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

Thanks for the pointer to SecretStore, it would appear that running the sssv3.sch creates a SecretStore Policy in the Security container, but it is only visible when using the iManager SecretStore plugins, it seems to be an incomplete eDirectory object at this stage, that's why I decided to try the manual creation in iManager.
I would say that the doc should contain a caveat that if eDirectory has been installed and configured as part of OES and Install SecretStore has not been specifically selected during install this condition will exist as SSSCFG does not exist on the OES server. A non-OES eDirectory install has the SSSCFG, I checked with a new server this morning.
Are there any config files that control the mandatory requirements and config for the SecretStore policy? Is there any way of configuring the SecretStore objects via files rather than SSSCFG?
I did find one difference between the policy object I created manually and the Install version, using iManager and selecting SecretStore/SecretStore Servers, the manually created policy showed LDAP= off and SSL=off, whereas the policy created during the eDirectory install showed LDAP=on SSL=off, which I would have expected as I had set the server LDAP group object to Require TLS for simple binds = off. I had no idea how to change the LDAP=off to LDAP=on with the manually created object, this might have been all it required.
JonH67 Absent Member.

Re: 4.5 Identity Apps Install and Configupdate.sh

To try and get more understanding on the error storing configuration and Steven saying that info is stored in eDir and the UA driver, I did some checking of objects and timestamps. I think the whole process is reliant on the RBPMTrustedRootContainer and certificate being created first. Without SecretStore being configured correctly configupdate can't create the RBPM container, although it isn't used at this stage and the cert is garbage, it still needs to exist, if this doesn't happen then ism-properties isn't updated with all the information. Running configupdate a second time after the install updates some information, but there is Vault information that is not added to the ism-properties file that must be very critical to the app configuration and running.