Symantec Identity Governance - Error Connecting IG to IM: IM Server is not available at caim-srv:80
search cancel

Symantec Identity Governance - Error Connecting IG to IM: IM Server is not available at caim-srv:80

book

Article ID: 253863

calendar_today

Updated On:

Products

CA Identity Suite CA Identity Governance

Issue/Introduction

We receive an error following the directions for connecting Identity Governance to Identity Manager.  We have tried both the names in /etc/hosts file (caim-srv and caim-srv-02) and by IP address.

Error:

IM Server is not available at caim-srv:80

Environment

Release : 14.4

Resolution

The issue was caused by VAPP not inserting the IM cert into the IG keystore. Follow the below steps to import the cert:

1. Go to the IM node home directory, and run the following command to export the certificate. 
"$JAVA_HOME/bin/keytool" -export -alias caim-srv -keystore "$JAVA_HOME/jre/lib/security/cacerts" -rfc -file caim-srv.cer

2. Go to the IG node, and run the following command to import the certificate.
"$JAVA_HOME/bin/keytool" -import -file "caim-srv.cer" -keystore "$JAVA_HOME/jre/lib/security/cacerts" -alias "caim-srv"

3. Make sure that the alias "caim-srv" exists now in the IG node using the following command.
"$JAVA_HOME/bin/keytool" -list -v -keystore "$JAVA_HOME/jre/lib/security/cacerts" | grep Alias

4. If the certificate is imported successfully, do the test connection from IG using the node name "caim-srv" or "caim-srv-0X" and confirm the resolution.

Additionally, you can run the -list command from step 3 prior to performing the export/import to confirm if the certs do or do not exists.

Additional Information

If you are FIPS enabled, you must declare the FIPS key location.

For VAPP the default location for the FIPS key is here:

 /opt/CA/wildfly-ig/modules/com/ca/iam/crypto/main/config/com/netegrity/config/keys/FIPSkey.dat

or

/opt/CA/wildfly-ig/fips/FIPSkey.dat

The below documentation covers enabling FIPS for IG. https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-governance/14-4/configuring/security-and-encryption/how-to-enable-fips-140-2-encryption.html

Additional Confirmation Steps:

If you follow all the above steps and you continue to have connection issues. Confirm that the task "Create Web Services Configuration" exists with your Identity Manager Environment. If this task is missing then you will continue to have connection issues between IM and IG. Open a support ticket and request the "Create Web Services Configuration" task within an XML file, import the role within the management console, and add it to the System Manager role. Once these steps are completed you can test your connection once more and it should be successful at this time.

NOTE:

If the problem still persists and we have the error below in the Identity Governance log, make sure to import the UserStore certificate from CentOS8 since 14.4.1 updated the OS from CentOS6 to CentOS8

That's the error when the IG cacerts do not have the UserStore certificate from CentOS8

ERROR [stderr] (default task-109) ERROR ConnectionObject IMConnectionObject.getLdapContext: Failed to get LDAP context
ERROR [stderr] (default task-109)  javax.naming.CommunicationException: simple bind failed: caim-srv:19289 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]