EEM lost all applications after restart or upgrade and does not allow users from AD/internal store to log in

Article ID: 201458

Products

CA Service Management - Service Desk Manager
CA Service Catalog
Process Automation Manager
CA IT Asset Manager
CA IT Asset Manager Asset Portfolio Management
ASSET PORTFOLIO MGMT- SERVER
CA Service Management - Asset Portfolio Management
CA Process Automation Base

Issue/Introduction

Errors in the EEM logs, in itechpoz_warn_XXXX.log under C:\Program Files\CA\Directory\dxserver\logs (XXXX is the current date stamp value):

WARN : Setting pswitch to autodetect StartTLS protocol [116]
WARN : Certificate 'config/ssld/personalities/itechpoz.pem' is outside of validity date range
WARN : Unable to get certificate from 'config/ssld/personalities/itechpoz.pem' [116]
WARN : set_cert_stuff failed [116] 
WARN : Cannot get personality [116]
WARN : Cannot create an SSL context
WARN : Cannot StartTLS: operations error

Error seen in ldap.log under C:\Program Files\CA\SC\EmbeddedEntitlementsManager\logs:

[eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: error starting TLS [name: datastore, ldapurl: ldap://EEM-SERVER:509, ldap: 000001AC62A337B0, rc: -1, error: Can't contact LDAP server]

You may also see errors related to LDAP, such as "failed to create ldap connection" in the server.log under C:\Program Files\CA\SC\EmbeddedEntitlementsManager\logs

The EEM Web UI may also present this message when trying to log in as the EiamAdmin user:

Error:    EE_AUTHFAILED Authentication Failed
ISE_BACKENDDOWN backend is down

The above may also be encountered when attempting to migrate to 17.4 RU5, which requires an EEM update.

Environment

Service Management 17.x / EEM 12.6 - 12.7

Service Management 17.4 RU5 upgrade / EEM 12.7.2.0

Cause

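There is an issue with the itechpoz.pem certificate configuration in EEM; the dxserver warning log above reports the certificate as outside of its validity date range. The certificate needs to be recreated.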

Resolution

Follow the steps below to re-create the certificate and replace it with a self-signed certificate:

1.  On the CA EEM Server where the certificates have to be issued, navigate to the following location:

EIAM_HOME/bin

EIAM_HOME is the EEM install location, such as C:\Program Files\CA\SC\EmbeddedEntitlementsManager

2.  Execute the following command:

<JAVA_HOME>\bin\java -jar eiam-clustersetup.jar

3. A confirmation message appears.
Type Y and press Enter.

4.  At the tool's prompt (shown as [EEM-SERVER]> in the output below), execute the following command:

modifycerts

5.  Follow the prompts to re-create the certificate

Additional Information

For purposes of demonstration, the following is the output from such a run, performed on the EEM Server. User input entered via keyboard consists of the values that follow each prompt: Y, modifycerts, 3, 4, Y, status and exit.

C:\Program Files\CA\SC\EmbeddedEntitlementsManager\bin>"C:\Program Files\CA\SC\JRE\11.0.18\bin\java.exe" -jar eiam-clustersetup.jar
Oct 02, 2025 6:58:09 PM IclUtil itechLibInit
INFO: iTechSDK initialized successfully
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
INFO  - EIAM_HOME [C:\Program Files\CA\SC\EmbeddedEntitlementsManager\]
INFO  - IGW_LOC [C:\Program Files\CA\SC\iTechnology\]
INFO  - DXHOME [C:\Program Files\CA\Directory\dxserver/]
INFO  - Hostname identified as [EEM-SERVER]
INFO  - Failover tool is running on primary server
INFO  - Checking server status
18:58:10.938 [main] ERROR com.ca.eiam.poz.PozFactory - checkForFailoverNumber - Could not communicate with the EEM Server [], server returned with errorcode - 846
INFO  - igateway status      [stopped]
INFO  - dxserver status      [started]

Are you sure you want to continue? [Y/N]:Y
[EEM-SERVER]>modifycerts
INFO  - Enter Certificate Key Length [default = 1024]
INFO  -    [1] 1024
INFO  -    [2] 2048
INFO  -    [3] 4096
Select key length from [1 - 3] : 3
Enter Digest Algorithm [default = SHA256]
INFO  - Enter Digest Algorithm [default = SHA256]
INFO  -    [1] SHA1
INFO  -    [2] SHA256
INFO  -    [3] SHA384
INFO  -    [4] SHA512
Select Digest algorithm from [1 - 4] : 4
=======================================================
INFO  - Summary
=======================================================
INFO  - Upgrading all certificates to key length: [4096]
INFO  - Upgrading all certificates to [digest algorithm : SHA512]
-------------------------------------------------------
Are you sure you want to continue? [Y/N]:Y
INFO  - Stopping dxserver service
INFO  - Stopping igateway service
INFO  - Generating : iAuthority certificates [key length: 4096, digest algorithm: SHA512
INFO  - Generating : iControl certificates [key length: 4096, digest algorithm: SHA512
INFO  - Generating : iGateway certificates [key length: 4096, digest algorithm: SHA512
INFO  - Generating : iauthority sdk configuration [C:\Program Files\CA\SC\iTechnology\iAuthority.iTechSDK.xml]
INFO  - Generating : DSA certificates [key length: 4096, digest algorithm: SHA512
INFO  - Generating file : C:\Program Files\CA\Directory\dxserver/config\ssld\itechpoz-trusted.pem
INFO  - Starting dxserver service
INFO  - Starting igateway service
INFO  - Run [status] to get server details.
[EEM-SERVER]>status
INFO  - Checking server status
INFO  - igateway status      [started]
INFO  - dxserver status      [started]
[EEM-SERVER]>exit

C:\Program Files\CA\SC\EmbeddedEntitlementsManager\bin>
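
To confirm the cause before running modifycerts, and to verify the regenerated certificate afterwards, the validity dates of itechpoz.pem can be read directly from the file. The PowerShell function below is an added example, not part of the vendor article or tooling. The function name, the 30-day warning window, the 2048-bit key threshold and the full file path (the relative path from the warning, resolved under DXHOME) are assumptions.

```powershell
# Added example (not vendor code): report validity window, RSA key size and
# signature algorithm for each certificate in a PEM file such as itechpoz.pem.
function Get-PemCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$WarnDays   = 30,    # assumption: warn this many days before expiry
        [int]$MinKeyBits = 2048   # assumption: flag RSA keys shorter than this
    )
    $pem     = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop
    $pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    $options = [System.Text.RegularExpressions.RegexOptions]::Singleline
    $blocks  = [regex]::Matches($pem, $pattern, $options)
    if ($blocks.Count -eq 0) { throw "No CERTIFICATE block found in $Path" }

    $now = Get-Date
    foreach ($block in $blocks) {
        # Decode only the certificate body; a private-key block in the same
        # file is never parsed or loaded.
        $der  = [Convert]::FromBase64String(($block.Groups[1].Value -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $bits = if ($rsa) { $rsa.KeySize } else { $null }   # $null for non-RSA keys

        $state = 'Valid'
        if     ($now -lt $cert.NotBefore)                   { $state = 'NotYetValid' }
        elseif ($now -gt $cert.NotAfter)                    { $state = 'Expired' }
        elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { $state = 'ExpiringSoon' }

        [pscustomobject]@{
            File      = $Path
            Subject   = $cert.Subject
            NotBefore = $cert.NotBefore
            NotAfter  = $cert.NotAfter
            DaysLeft  = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
            KeyBits   = $bits
            SigAlg    = $cert.SignatureAlgorithm.FriendlyName
            State     = $state
            WeakKey   = ($null -ne $bits -and $bits -lt $MinKeyBits)
        }
    }
}

# Assumption: the relative path in the dxserver warning resolves under DXHOME,
# shown in the run output as C:\Program Files\CA\Directory\dxserver.
$dxHome = 'C:\Program Files\CA\Directory\dxserver'
Get-PemCertificateStatus -Path (Join-Path $dxHome 'config\ssld\personalities\itechpoz.pem')
```

A State of Expired or NotYetValid corresponds to the "outside of validity date range" warning. After a run like the one above, KeyBits and SigAlg should reflect the key length and digest algorithm selected at the prompts.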

 See also:  How to Generate the Certificates