IDM changes/cache not getting updated on other cluster nodes

Article ID: 236870

Products

CA Identity Suite, CA Identity Manager

Issue/Introduction

We have a 4-node JBoss cluster in our production environment, with IDM 14.4 deployed on RHEL 8.x servers. We recently discovered that changes made on one node are not reflected when we log in to the other nodes. For example, when an admin role is enabled or disabled, the change is applied on the node we are currently connected to, but it does not show up when we log in to the other nodes. Only restarting all IDM nodes makes the changes take effect.

 

Cause

The issue started after applying some penetration test (PenTest) fixes recommended by Red Hat. After we reverted the following penetration test fixes, cache replication worked again. For cache replication to work, we needed to enable the non-SSL port 8080 and remove the JSESSIONID security. However, we need to make it work over the SSL port and with JSESSIONID security enabled.

These are the two changes recommended by Red Hat that caused IM to stop updating its cache on the cluster.

1. <http-listener name="default" socket-binding="http" enabled="false" max-parameters="5000" redirect-socket="https" enable-http2="true"/>

2. <session-cookie http-only="true" secure="true"/>

Environment

Release : 14.4

Component : IdentityMinder(Identity Manager)

Resolution

RH Support provided a configuration solution:

The issue was that SSL was not configured for the JMS transport. The process is documented at the link below.

https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/configuring_messaging/index#securing_the_transport

 

All components need to be SSL-enabled when you block the HTTP port 8080 and secure JSESSIONID, e.g. client-to-server connections, JMS session transport, management console access, etc. We were missing SSL on the JMS transport.
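
A configuration check for the condition described above, added here as an example (it is not code from the original article, Broadcom, or Red Hat): it scans a server profile for messaging http-acceptor and http-connector entries that still depend on a disabled Undertow http-listener, or that lack ssl-enabled. The element and attribute names are assumed to match the stock JBoss EAP undertow and messaging-activemq schemas; the sample profile and its namespace versions are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed server profile after the hardening change from the
# article, with one messaging transport still on HTTP and one moved to HTTPS.
SAMPLE = """<server>
  <subsystem xmlns="urn:jboss:domain:undertow:12.0">
    <server name="default-server">
      <http-listener name="default" socket-binding="http" enabled="false" redirect-socket="https"/>
      <https-listener name="https" socket-binding="https"/>
    </server>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:messaging-activemq:13.0">
    <server name="default">
      <http-connector name="http-connector" socket-binding="http" endpoint="http-acceptor"/>
      <http-connector name="https-connector" socket-binding="https" endpoint="https-acceptor">
        <param name="ssl-enabled" value="true"/>
      </http-connector>
      <http-acceptor name="http-acceptor" http-listener="default"/>
      <http-acceptor name="https-acceptor" http-listener="https"/>
    </server>
  </subsystem>
</server>"""

def local(tag):
    """Strip the XML namespace so matching works across schema versions."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return findings for JMS transports that depend on a disabled HTTP listener."""
    elems = list(ET.fromstring(xml_text).iter())
    # Undertow listeners that are switched off, mapped to their socket bindings.
    off = {e.get("name"): e.get("socket-binding") for e in elems
           if local(e.tag) == "http-listener" and e.get("enabled") == "false"}
    findings = []
    for e in elems:
        kind, name = local(e.tag), e.get("name")
        if kind == "http-acceptor" and e.get("http-listener") in off:
            findings.append(f"acceptor {name}: uses disabled listener {e.get('http-listener')}")
        elif kind == "http-connector":
            ssl = any(p.get("name") == "ssl-enabled" and p.get("value") == "true"
                      for p in e if local(p.tag) == "param")
            if e.get("socket-binding") in off.values():
                findings.append(f"connector {name}: uses socket binding of a disabled listener")
            elif not ssl:
                findings.append(f"connector {name}: ssl-enabled is not set to true")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against each node's profile after disabling the HTTP listener, the same check can be extended to other subsystems that reference the http socket binding.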