Symantec Identity Manager - IMSException Corrupted buffer returned from server

Article ID: 192638


Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

When executing a password reset task or any user modification task, Identity Manager throws the error below (or a similar one).

IMSException in BLTH handleTask:Password validation failed: Corrupted buffer returned from the server.

Environment

Release : 14.X

Component : IdentityMinder(Identity Manager)

Component: IdentitySuite(Virtual Appliance)

Cause

The most likely cause of the issue is corruption within the Policy Server DSA itself.

Resolution

The quickest resolution is to restore the policy server DSA to a previous point in time where it worked.

Another resolution is to reimport all of your directory XMLs through the Identity Manager Management Console:

1) Take a snapshot of all SSO Policy Store machines and IDM Machines

2) Reimport the IDM Schema into the SSO Policy Store:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-manager/14-3/configuring/ca-single-sign-on-integration/integrate-ca-single-sign-on-with-ca-identity-manager/import-ca-identity-manager-schema-into-the-policy-store.html

3) Confirm whether 'Disable Policy Store Update' is checked or unchecked (we recommend unchecking this setting while doing the import, then reverting it).

Selecting this option disables the synchronization between the policy store in CA Single Sign-on (formerly SiteMinder) and Identity Manager from either the Directory or the Role Definition XML. This feature only applies to a pairing of CA Single Sign-on and Identity Manager. A message is displayed during the XML file's import stating that the associated Policy Store will not be updated for this environment.

4) Import your directory XMLs.

5) If on Virtual Appliance, run deleteIDMJMSqueue on all nodes; if on Standalone, shut down all nodes and clear the tmp folders.

6) Make a password policy change via the IDM UI. This ensures password policies are synchronized between IM and SM.

7) Attempt to reproduce the issue.

Finally, if all of the above fails, you may need to back up all your directories and the environment, clear all knowledge of IDM objects from the policy store, delete the environment and directories, then import them back and reconfigure the policy store.

NOTE: When doing this, any pending or in-progress workflow tasks will most likely reference an old OID and should be considered lost data. Those tasks will need to be resubmitted.

Additional Information

How to determine Policy Store corruption:

In most cases, a customer will have multiple environments. The best approach is to run an XPSexport on a non-working policy server and on a working policy server:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-7/administrating/policy-server-tools/xpsexport.html

Once you have the two exports, search for the keyword 'CA.SM::IMSManagedObjectAttr' within each file.

Start at the top of the list, select every object down to the last 'CA.SM::IMSManagedObjectAttr' object, and copy this selection to a new file.

Once you have two new files containing only 'CA.SM::IMSManagedObjectAttr' objects, run a compare against them. The differences show which objects are missing from the corrupted policy store.

Sample object:

<Object Class="CA.SM::IMSManagedObjectAttr" Xid="CA.SM::IMSManagedObjectAttr@34-2ea0d196-d7cf-1052-92ca-84f96df20000" CreatedDateTime="2019-11-26T15:59:44" UpdatedBy="IDMAdmin" UpdateMethod="Internal">
    <Property Name="CA.SM::IMSManagedObjectAttr.Options">
        <NumberValue>17</NumberValue>
    </Property>
    <Property Name="CA.SM::IMSManagedObjectAttr.BindType">
        <StringValue>String</StringValue>
    </Property>
    <Property Name="CA.SM::IMSManagedObjectAttr.MaxLen">
        <NumberValue>0</NumberValue>
    </Property>
    <Property Name="CA.SM::IMSManagedObjectAttr.WellKnown">
        <StringValue>%USER_ID%</StringValue>
    </Property>
    <Property Name="CA.SM::IMSManagedObjectAttr.DisplayName">
        <StringValue>User ID</StringValue>
    </Property>
    <Property Name="CA.SM::IMSManagedObjectAttr.Description">
        <StringValue>User ID</StringValue>
    </Property>
    <Property Name="CA.SM::IMSManagedObjectAttr.Name">
        <StringValue>uid</StringValue>
    </Property>
</Object>

If any attributes are missing from your policy store, it can cause failures when submitting tasks within IDM if those attributes are part of the task screen.
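The manual "copy the objects to a new file and compare" step above is error-prone on a large export, because the Xid of each object is environment-specific and a plain text diff flags every object as different. The script below is an added example, not Broadcom tooling, that parses two XPSexport files, collects the 'CA.SM::IMSManagedObjectAttr' objects in the shape of the sample object shown above, and keys them by their Name property rather than their Xid, so only genuinely missing or changed attributes are reported. The two embedded exports are constructed samples with placeholder Xids, and the root element name is an assumption; the helper only relies on the <Object>/<Property> layout shown on this page.

```python
# Added example (not Broadcom's tooling): compare the CA.SM::IMSManagedObjectAttr
# objects in two XPSexport files and report what the corrupted store is missing.
import xml.etree.ElementTree as ET

ATTR_CLASS = "CA.SM::IMSManagedObjectAttr"


def managed_object_attrs(xps_xml: str) -> dict:
    """Return {attribute name: {property short name: value}} for every
    CA.SM::IMSManagedObjectAttr <Object> found anywhere in the export."""
    root = ET.fromstring(xps_xml)
    attrs = {}
    # iter() walks the whole tree, so the name of the root element does not matter
    for obj in root.iter("Object"):
        if obj.get("Class") != ATTR_CLASS:
            continue
        props = {}
        for prop in obj.findall("Property"):
            # "CA.SM::IMSManagedObjectAttr.Name" -> "Name"
            short = prop.get("Name", "").rsplit(".", 1)[-1]
            value = prop.find("StringValue")
            if value is None:
                value = prop.find("NumberValue")
            props[short] = value.text if value is not None else None
        # Key by the attribute's Name (e.g. "uid"), not its Xid: the Xid/OID is
        # environment-specific and differs even between two healthy stores.
        key = props.get("Name") or obj.get("Xid")
        attrs[key] = props
    return attrs


def compare_exports(working_xml: str, broken_xml: str) -> dict:
    """Attributes present in the working store but absent from, or different in,
    the suspected-corrupt store."""
    good = managed_object_attrs(working_xml)
    bad = managed_object_attrs(broken_xml)
    missing = sorted(set(good) - set(bad))
    differing = sorted(name for name in set(good) & set(bad) if good[name] != bad[name])
    return {"missing": missing, "differing": differing}


def compare_export_files(working_path: str, broken_path: str) -> dict:
    """Same comparison, reading the two XPSexport files from disk."""
    with open(working_path, encoding="utf-8") as good, open(broken_path, encoding="utf-8") as bad:
        return compare_exports(good.read(), bad.read())


def _attr_object(name: str, display: str, options: str = "17") -> str:
    # Constructed sample object in the layout shown in the article; the Xid is a placeholder.
    return (
        f'<Object Class="{ATTR_CLASS}" Xid="{ATTR_CLASS}@PLACEHOLDER-{name}">'
        f'<Property Name="{ATTR_CLASS}.Options"><NumberValue>{options}</NumberValue></Property>'
        f'<Property Name="{ATTR_CLASS}.BindType"><StringValue>String</StringValue></Property>'
        f'<Property Name="{ATTR_CLASS}.DisplayName"><StringValue>{display}</StringValue></Property>'
        f'<Property Name="{ATTR_CLASS}.Name"><StringValue>{name}</StringValue></Property>'
        "</Object>"
    )


# Constructed exports: the root element name is an assumption, not XPSexport's real one.
WORKING_EXPORT = (
    "<XPSExport>"
    + _attr_object("uid", "User ID")
    + _attr_object("mail", "Email")
    + _attr_object("sn", "Last Name")
    + "</XPSExport>"
)
# The "broken" store lacks "mail" entirely and has a changed Options value on "sn".
BROKEN_EXPORT = (
    "<XPSExport>"
    + _attr_object("uid", "User ID")
    + _attr_object("sn", "Last Name", options="0")
    + "</XPSExport>"
)

if __name__ == "__main__":
    report = compare_exports(WORKING_EXPORT, BROKEN_EXPORT)
    print("missing from suspected-corrupt store:", report["missing"])
    print("present but different:               ", report["differing"])
```

Run it against real exports with compare_export_files("working.xml", "broken.xml"); any attribute listed under "missing" that appears on a task screen is a candidate explanation for the "Corrupted buffer returned from the server" error, and the reimport steps in the Resolution section are the way to restore it.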