Symantec Identity Suite - Timeout after [900] seconds waiting for service
search cancel

Symantec Identity Suite - Timeout after [900] seconds waiting for service

book

Article ID: 234614

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Suite

Issue/Introduction

After upgrading to Identity Suite 14.4, Identity Suite will no longer start as it throws the below error:

[31m17:14:31,113 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) <Hostname>: Timeout after [900] seconds waiting for service container stability. Operation will roll back. Step that first updated the service container was 'add' at address '[
    ("core-service" => "management"),
    ("management-interface" => "http-interface")
]'

Environment

Release : 14.4

Component : IdentityMinder(Identity Manager)

Component : IdentitySuite(Identity Suite)

Cause

Starting with 14.4, Identity Suite uses a newer application server, which now challenges the Standalone.sh file which has the timeout value set to 900.

SERVER_OPTS="$SERVER_OPTS -b $BIND_ADDRESS -Djgroups.tcpping.initial_hosts=$JGROUPS_INITIAL_HOSTS -Djboss.node.name=$NODE_NAME -Djgroups.bind_addr=$JGROUPS_BIND_ADDRESS $IDM_OPTS -Djboss.as.management.blocking.timeout=900 -u $MULTI_CAST_ADDRESS -Djboss.smtp.host=$SMTP_HOST -Djboss.smtp.port=$SMTP_PORT"

Resolution

If you are on standalone (non-vApp) you can modify the Standalone.sh file with an increased timeout value set of 3600:

SERVER_OPTS="$SERVER_OPTS -b $BIND_ADDRESS -Djgroups.tcpping.initial_hosts=$JGROUPS_INITIAL_HOSTS -Djboss.node.name=$NODE_NAME -Djgroups.bind_addr=$JGROUPS_BIND_ADDRESS $IDM_OPTS -Djboss.as.management.blocking.timeout=3600 -u $MULTI_CAST_ADDRESS -Djboss.smtp.host=$SMTP_HOST -Djboss.smtp.port=$SMTP_PORT"

 

If you are on vApp then there are a set of published hotfixes that will increase the default timeout value to 3600. Please use the below links to download the version of the hotfix appropriate for the product version you are running.

14.4 GA vApp (CentOS 6)
https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111400&os=COS

14.4 GA vApp (CentOS 8)
https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111401&os=COS

14.4 CP1 vApp (CentOS 8)
https://support.broadcom.com/web/ecx/solutiondetails?aparNo=99111402&os=COS


Also note that if you need to increase the value higher than 3600 after the fix is applied then you can do so by setting -Djboss.as.management.blocking.timeout=XXX in the vApp's /opt/CA/VirtualAppliance/custom/IdentityManager/jvm-args.conf file as mentioned in the documentation for Customizing the JVM Startup Arguments:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/virtual-appliance/administering-virtual-appliance.html#concept.dita_484b93c7f06198e8b27adcc2537229358eb17777_CustomJVMArguments

Additional Information

The best way to determine this timeout is to understand your average start time. If it normally takes longer than 15 minutes for your environment to start, then this value will need to be increased.

If you are able to get your environment to start sporadically then you can utilize the Jboss CLI command to update this value:

Add a new user to JBoss:
sudo /opt/CA/wildfly-idm/bin/add-user.sh

What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a): a
Username : YourJbossAdmin
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]:
Press Enter to leave blank
About to add user 'YourJbossAdmin' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user 'YourJbossAdmin' to file '/opt/CA/wildfly-idm/standalone/configuration/mgmt-users.properties'
Added user 'YourJbossAdmin' to file '/opt/CA/wildfly-idm/domain/configuration/mgmt-users.properties'
Added user 'YourJbossAdmin' with groups  to file '/opt/CA/wildfly-idm/standalone/configuration/mgmt-groups.properties'
Added user 'YourJbossAdmin' with groups  to file '/opt/CA/wildfly-idm/domain/configuration/mgmt-groups.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? no


Navigate to /opt/CA/wildfly-idm/bin/
execute ./jboss-cli.sh
type: connect
Enter credentials

/system-property=jboss.as.management.blocking.timeout:add(value=N)

Example:

/system-property=jboss.as.management.blocking.timeout:add(value=3600)

If this does not work then you can try:

/system-property=jboss.as.management.blocking.timeout:write-attribute(value=3600)

Powered by Wolken Software