Unable to export IME using the IM Management Console (blank screen when trying to export) logs stop processing messages with no error present

Article ID: 138874


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

I am trying to export IME/role definitions, but the browser goes blank and nothing happens. The logs show no errors and stop processing messages for the export.
 
 
 
 

Environment

component : IdentityMinder(Identity Manager)

Cause

There can be a few causes for this:

Cause 1) This issue happens when a user scope rule is missing from the Admin Rule in the Administrators tab of the Admin Role.

Cause 2) Another example of this was an inactive Active Directory endpoint that was still tied to an account template.

Cause 3) This can happen when incremental imports of the role definitions are done to promote different functionality between environments, such as Dev to QA. When a new task is created in DEV, a full export is performed, then trimmed down to that task, and then only the task is imported into the QA environment. If the task is imported but other objects associated with that task are not, the task can carry orphaned information that tells the export to search for other data that does not exist.

 

Resolution

Resolution 1:

Modify the Admin Role with the proper user scope rules for the Admin Rule. Once this is complete, the export should complete. If you cannot find the Admin Role, see Resolution 3; the same process can be used.

Resolution 2:

Removing the AD endpoint from the account template resolved the issue.

Resolution 3:

Debug logging needs to be turned on in the log4j file. With debug on, you will notice that when you are redirected to a blank page during the export, the logs stop generating while querying items.

In this log example you will see this:

2024-08-29 16:38:14,574 DEBUG [ims.jdbc.JDBCManagedObject] (default task-6) ref_id=6841
2024-08-29 16:38:14,582 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) SELECT DISTINCT("IM_TAB"."UNIQUE_NAME") FROM "IM_TAB" WHERE "TASKOID"='6841' AND "IM_TAB"."ENV_OID"='29'
2024-08-29 16:38:14,582 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) SELECT DISTINCT("IM_TAB"."UNIQUE_NAME") FROM "IM_TAB" WHERE "TASKOID"=? AND "IM_TAB"."ENV_OID"=? (6841,29)
2024-08-29 16:38:14,588 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) SELECT "IM_APPROVAL_POLICY"."UNIQUE_NAME", "EVALUATIONTYPE", "RULETYPE", "POLICYTAG", "TABLEOFALLSCOPERULES", "TASKOID", "EVENTNAME", "DESCRIPTION" FROM "IM_APPROVAL_POLICY" WHERE "UNIQUE_NAME"=? AND "ENV_OID"=? (cf7a441b-0a1c486b-3468bf6e-77409fda,29)
2024-08-29 16:38:14,589 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) Is scroll insensitive result set type: true
    Is forward only result set type: false
2024-08-29 16:38:14,591 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) No results found from the query: SELECT  FROM  WHERE "UNIQUE_NAME"='cf7a441b-0a1c486b-3468bf6e-77409fda'
2024-08-29 16:38:14,593 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) SELECT "IM_APPROVAL_POLICY"."UNIQUE_NAME", "EVALUATIONTYPE", "RULETYPE", "POLICYTAG", "TABLEOFALLSCOPERULES", "TASKOID", "EVENTNAME", "DESCRIPTION" FROM "IM_APPROVAL_POLICY" WHERE "ENV_OID"=? AND "POLICYTAG"=? AND "ENV_OID"=? (29,cf7a441b-0a1c486b-3468bf6e-77409fda,29)
2024-08-29 16:38:14,594 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) Is scroll insensitive result set type: true
    Is forward only result set type: false
2024-08-29 16:38:14,601 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) SELECT "IM_APPROVAL_POLICY"."UNIQUE_NAME", "EVALUATIONTYPE", "RULETYPE", "POLICYTAG", "TABLEOFALLSCOPERULES", "TASKOID", "EVENTNAME", "DESCRIPTION" FROM "IM_APPROVAL_POLICY" WHERE "UNIQUE_NAME"=? AND "ENV_OID"=? (cb7c1887-0a1c486a-426799ce-d2bf4e08,29)
2024-08-29 16:38:14,602 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) Is scroll insensitive result set type: true
    Is forward only result set type: false
2024-08-29 16:38:14,603 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) No results found from the query: SELECT  FROM  WHERE "UNIQUE_NAME"='cb7c1887-0a1c486a-426799ce-d2bf4e08'
2024-08-29 16:38:14,604 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) SELECT "IM_APPROVAL_POLICY"."UNIQUE_NAME", "EVALUATIONTYPE", "RULETYPE", "POLICYTAG", "TABLEOFALLSCOPERULES", "TASKOID", "EVENTNAME", "DESCRIPTION" FROM "IM_APPROVAL_POLICY" WHERE "ENV_OID"=? AND "POLICYTAG"=? AND "ENV_OID"=? (29,cb7c1887-0a1c486a-426799ce-d2bf4e08,29)
2024-08-29 16:38:14,606 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) Is scroll insensitive result set type: true
    Is forward only result set type: false

The problem can be either with the IM_TASK or with the IM_TASK_HANDLER for the task printed above.

However, since it is possible to have a task without a task handler, the problem could also be with the next task in line.

The last object that exports is:

Loading linked Data for the managed object - 6841, object type=IM Task
 
so we must find all of the data for the next task in the list.
 
That object should be 6842.
 
Please collect the information from these queries:
SELECT * FROM IM_TASK WHERE "UNIQUE_NAME"='6842';
 
SELECT SECTION_NAME, ATTRIBUTE_NAME, ATTRIBUTE_VALUE FROM IM_TASK_LD WHERE REF_ID ='6842';
 
SELECT DISTINCT("IM_TAB"."UNIQUE_NAME") FROM "IM_TAB" WHERE "TASKOID"='6842' AND "IM_TAB"."ENV_OID"='29';
 
If these do not return anything, then try the next number in line, in case 6842 did exist at one time but was deleted.
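The log-reading steps above can be scripted. The following is an added example, not Broadcom tooling: `find_stall` and `followup_queries` are hypothetical helper names, the sample log is constructed from the lines quoted in this article (the `default task-9` line is invented to show thread filtering), and task IDs are assumed to be sequential as described above.

```python
import re

# Constructed sample, shortened from the debug lines quoted in the article.
SAMPLE_LOG = '''\
2024-08-29 16:38:14,574 DEBUG [ims.jdbc.JDBCManagedObject] (default task-6) ref_id=6841
2024-08-29 16:38:14,582 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) SELECT DISTINCT("IM_TAB"."UNIQUE_NAME") FROM "IM_TAB" WHERE "TASKOID"=? AND "IM_TAB"."ENV_OID"=? (6841,29)
2024-08-29 16:38:14,590 DEBUG [ims.jdbc.JDBCManagedObject] (default task-9) ref_id=7000
2024-08-29 16:38:14,604 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) SELECT "IM_APPROVAL_POLICY"."UNIQUE_NAME" FROM "IM_APPROVAL_POLICY" WHERE "ENV_OID"=? AND "POLICYTAG"=? AND "ENV_OID"=? (29,cb7c1887-0a1c486a-426799ce-d2bf4e08,29)
2024-08-29 16:38:14,606 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-6) Is scroll insensitive result set type: true
    Is forward only result set type: false
'''

LINE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) DEBUG \[[^\]]+\] \(([^)]+)\) (.*)$')
REF_ID = re.compile(r'ref_id=(\d+)')
TAB_QUERY = re.compile(r'FROM "IM_TAB" WHERE "TASKOID"=\? AND "IM_TAB"\."ENV_OID"=\? \((\d+),(\d+)\)')
TABLE = re.compile(r'FROM "(\w+)"')

def find_stall(log_text, thread):
    """Return what the export thread was doing when it stopped logging."""
    state = {"task": None, "env": None, "last_table": None, "last_ts": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(2) != thread:
            continue  # skip continuation lines and other worker threads
        ts, _, msg = m.groups()
        state["last_ts"] = ts
        if (r := REF_ID.search(msg)):
            state["task"] = int(r.group(1))
        if (q := TAB_QUERY.search(msg)):
            state["task"], state["env"] = int(q.group(1)), int(q.group(2))
        if msg.startswith("SELECT") and (t := TABLE.search(msg)):
            state["last_table"] = t.group(1)
    return state

def followup_queries(task, env, lookahead=3):
    """Build the article's three queries for the task IDs after the stalled one."""
    out = {}
    for oid in range(int(task) + 1, int(task) + 1 + lookahead):
        out[oid] = [
            f"SELECT * FROM IM_TASK WHERE \"UNIQUE_NAME\"='{oid}';",
            f"SELECT SECTION_NAME, ATTRIBUTE_NAME, ATTRIBUTE_VALUE FROM IM_TASK_LD WHERE REF_ID ='{oid}';",
            f"SELECT DISTINCT(\"IM_TAB\".\"UNIQUE_NAME\") FROM \"IM_TAB\" WHERE \"TASKOID\"='{oid}' AND \"IM_TAB\".\"ENV_OID\"='{int(env)}';",
        ]
    return out

if __name__ == "__main__":
    s = find_stall(SAMPLE_LOG, "default task-6")
    print(s)
    for oid, qs in followup_queries(s["task"], s["env"]).items():
        print(oid, *qs, sep="\n  ")
```

Run it against the debug log from the failing environment and from a working one; the point where `last_table` differs between the two is where the export stalls.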

Using the method outlined in the example above, we ran the export on a successful environment and found that, after the IM_APPROVAL_POLICY table, the logs continued to the next step to query IM_TAB. After looking at the tables, we found that the specific task and approval policy were referring to a task that had been duplicated a couple of months ago. That task was duplicated in the failing test environment and in production, but not in the working test environment. I believe this issue must have been caused possibly by having a duplicate entry in the database for a user profile tab that was mapped to two separate tasks, because after I removed the duplicate and rebuilt, I was successfully able to export the environment.

There is nothing in our documentation that states we support this type of migration.
  
Instead, we document this type of migration using the selective utility:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-5/configuring/production-environments/update-identity-manager-in-a-production-environment/migrate-a-identity-manager-environment.html