Provisioning operation fails with DSA is unavailable error (code 52) in the provisioning server log

Article ID: 210558

Products

CA Identity Suite

Issue/Introduction

When attempting a provisioning operation, including an attempt to retrieve endpoint properties, the operation fails with a Connector Server "Timed out" error.

The Provisioning Server log (etatrans) contains a 'DSA is unavailable' error:

20210309:144357:TID=ff1b70:Search    :E066:----:F: FAILURE: External Search (eTDYNDirectoryName=XXXXXXXXXXXX)
20210309:144357:TID=ff1b70:Search    :E066:----:F:     rc:  0x0034 (DSA is unavailable)
20210309:144357:TID=ff1b70:Search    :E066:----:F:     msg: :ETA_E_0019<RDI>, Endpoint 'XXXXXXXXXXXX' read failed: Connector Serve
20210309:144357:TID=ff1b70:Search    :E066:----:F:+r Read failed: Timed out (ldaps://XXXXXXXXXXXX:20411)
20210309:144357:TID=ff1b70:Search    :E066:----:P:     base-dn: eTDYNDirectoryName=XXXXXXXXXXXX,eTNamespaceName=UNIX v2,dc=im
20210309:144357:TID=ff1b70:Search    :E066:----:P:     scope  : BASE
20210309:144357:TID=ff1b70:Search    :E066:----:P:     filter : (objectClass=eTDYNDirectory)
20210309:144357:TID=ff1b70:Search    :E066:----:P:     attrs  : <ALL>
20210309:144357:TID=ff1b70:Search    :E066:----:P:     size-limit: 1000
20210309:144357:TID=ff1b70:Search    :E066:----:P:     time-limit: 90

Previously provisioning worked fine.
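
The failure shown in the log excerpt above can be located in a larger etatrans log with a short script. The following Python code is an added example, not part of the original article or a vendor tool; the field layout and the "+" line-wrap marker are assumptions inferred from the excerpt, and the host and endpoint names in the sample are constructed placeholders.

```python
import re

# Field layout inferred from the excerpt above (an assumption, not a vendor spec):
# date:time:TID=<thread>:<operation>:<op id>:<flags>:<record type>:<text>
LINE = re.compile(r"^(\d{8}):(\d{6}):TID=(\w+):(\w+)\s*:(\w+):([^:]*):([A-Z]):(.*)$")
RC = re.compile(r"rc:\s*(0x[0-9a-fA-F]+)\s*\((.*?)\)")
ENDPOINT = re.compile(r"Endpoint '([^']*)'")
URL = re.compile(r"\((ldaps?://[^)\s]+)\)")

def find_dsa_unavailable(lines):
    """Return one dict per operation that failed with rc 0x0034 (LDAP code 52)."""
    ops = {}  # (thread id, operation id) -> logical lines of that operation
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue
        date, time, tid, op, opid, _flags, _rtype, text = m.groups()
        rec = ops.setdefault((tid, opid), {"when": f"{date} {time}", "op": op, "text": []})
        if text.startswith("+") and rec["text"]:
            rec["text"][-1] += text[1:]   # "+" marks a wrapped line: rejoin it
        else:
            rec["text"].append(text.lstrip())
    hits = []
    for (tid, opid), rec in ops.items():
        body = "\n".join(rec["text"])
        rc = RC.search(body)
        if not rc or int(rc.group(1), 16) != 52:
            continue
        ep, url = ENDPOINT.search(body), URL.search(body)
        hits.append({"when": rec["when"], "tid": tid, "op": rec["op"],
                     "endpoint": ep.group(1) if ep else None,
                     "connector_url": url.group(1) if url else None,
                     "timed_out": "Timed out" in body})
    return hits

# Constructed sample: same shape as the excerpt, with placeholder host and endpoint names.
SAMPLE = """\
20210309:144357:TID=ff1b70:Search    :E066:----:F: FAILURE: External Search (eTDYNDirectoryName=unix01)
20210309:144357:TID=ff1b70:Search    :E066:----:F:     rc:  0x0034 (DSA is unavailable)
20210309:144357:TID=ff1b70:Search    :E066:----:F:     msg: :ETA_E_0019<RDI>, Endpoint 'unix01' read failed: Connector Serve
20210309:144357:TID=ff1b70:Search    :E066:----:F:+r Read failed: Timed out (ldaps://cs01.example.test:20411)
20210309:144402:TID=ab12c0:Search    :E067:----:F: FAILURE: External Search (eTDYNDirectoryName=unix02)
20210309:144402:TID=ab12c0:Search    :E067:----:F:     rc:  0x0020 (No such object)
""".splitlines()

if __name__ == "__main__":
    for hit in find_dsa_unavailable(SAMPLE):
        print(hit)
```

The connector URL in each hit identifies which Connector Server host and port to check in the Resolution steps.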

Environment

Release : 14.x

Component : CA IDENTITY MANAGER

Cause

The problem is that Connector Server does not respond to Provisioning Server requests.

The reason for that can be:

  1. Connector Server is not running
  2. Connector Server is up and running but is unresponsive
  3. Networking problem prevents communication between Provisioning Server and Connector Server

Resolution

To rectify the problem:

  1. Check if Connector Server is up and running
    Ensure that the machines where Provisioning Server and Connector Server are installed can communicate
    Use ping, traceroute and nslookup to ensure there are no networking issues
  2. Ensure that no other program is using Connector Server ports
    Default ports are: 20410 (ldap) and 20411 (ldaps)
  3. Try to connect to the Connector Server from the Provisioning Server machine using an LDAP client
    Use the following command if ldapsearch or dxsearch is available. dxsearch is installed with every Provisioning Directory.
    To keep this check simple, use the plain LDAP port (20410) rather than the ldaps port (20411). Note that a simple bind on the plain LDAP port sends the password unencrypted.
    dxsearch -h <Connector Server Host> -p 20410 -D "uid=admin,ou=system;sa" -w <Connector Server password> -b "dc=etasa" -s base

The result should be like this (i.e. one entry returned - domain component object dc=etasa):

# extended LDIF
#
# LDAPv3
# base <dc=etasa> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# etasa
dn: dc=etasa
dc: etasa
objectClass: domain
objectClass: top

# search result
# search: 2
# result: 0 Success

# numResponses: 2
# numEntries: 1

The error message 'ldap_bind: Can't contact LDAP server (-1)' indicates that the Connector Server cannot be reached.

Sometimes the result can be something like this:

# extended LDIF
#
# LDAPv3
# base <dc=etasa> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# search result
# search: 2
# result: 32 No such object
text: code 32 (NO_SUCH_OBJECT): failed on search operation: dc=etasa: dc=etasa

This indicates that the Connector Server is responding, but there is some problem with it.
Restart Connector Server and try again.
If the problem persists after the restart, try cleaning up the Connector Server cache:

  1. Stop Connector Server
  2. Remove the following folders with all the content:
    <Connector Server Home>/data/activemq
    <Connector Server Home>/data/cache
  3. Start Connector Server

Connector Server Home is by default:
on Windows: C:/Program Files (x86)/CA/Identity Manager/Connector Server/
on Linux: /opt/CA/IdentityManager/ConnectorServer/

Please note that Connector Server cache clean-up removes custom connector bundles (if deployed), and they need to be re-deployed.

Please also note that Connector Server cache clean-up cannot be done in Virtual Appliance.