
Symantec Identity Governance - Error Connecting IG to IM: IM Server is not available at caim-srv:80


Article ID: 253863

Products

CA Identity Suite, CA Identity Governance

Issue/Introduction

We receive an error when following the directions for connecting Identity Governance to Identity Manager. We have tried both names in the /etc/hosts file (caim-srv and caim-srv-02) and the IP address.

Error:

IM Server is not available at caim-srv:80

Environment

Release : 14.4

Resolution

The issue was caused by the VAPP not inserting the IM certificate into the IG keystore (the Java cacerts truststore used by IG). Follow the steps below to import the certificate:

1. Go to the IM node home directory and run the following command to export the certificate.
"$JAVA_HOME/bin/keytool" -export -alias caim-srv -keystore "$JAVA_HOME/jre/lib/security/cacerts" -rfc -file caim-srv.cer

2. Go to the IG node and run the following command to import the certificate.
"$JAVA_HOME/bin/keytool" -import -file "caim-srv.cer" -keystore "$JAVA_HOME/jre/lib/security/cacerts" -alias "caim-srv"

3. Make sure that the alias "caim-srv" now exists in the IG node keystore, using the following command.
"$JAVA_HOME/bin/keytool" -list -v -keystore "$JAVA_HOME/jre/lib/security/cacerts" | grep Alias

4. If the certificate is imported successfully, run the test connection from IG using the node name "caim-srv" or "caim-srv-0X" and confirm the resolution.

You can also run the -list command from step 3 before performing the export/import to confirm whether the certificate is already present in the keystore.
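As an added example (not part of this article and not a Broadcom tool), the following script wraps steps 1 to 3 in shell functions that skip the import when the alias is already in the IG keystore and refuse to import a certificate whose SHA-256 fingerprint differs from the one printed at export time, so a .cer file copied between nodes cannot silently add the wrong trust anchor. It assumes JAVA_HOME is set on both nodes and that the cacerts password is the Java default "changeit" (the STOREPASS and RUN variables are assumptions of this example, not product settings); the cacerts path and the alias are the ones from the steps above.

```shell
#!/bin/sh
# Added example, not from the article: fingerprint-checked, idempotent version
# of the keytool export/import steps. Assumes JAVA_HOME is set on both nodes and
# the cacerts password is the Java default (override with STOREPASS=...).
set -eu

STOREPASS="${STOREPASS:-changeit}"

# keytool_aliases: print one alias per line from `keytool -list -v` output on stdin
keytool_aliases() {
  sed -n 's/^Alias name: //p'
}

# alias_present ALIAS: succeed if ALIAS is in the `keytool -list -v` output on stdin
alias_present() {
  keytool_aliases | grep -qx -- "$1"
}

# fingerprint_from_printcert: extract the SHA-256 line from `keytool -printcert` output on stdin
fingerprint_from_printcert() {
  sed -n 's/^[[:space:]]*SHA256: //p'
}

# cert_fingerprint FILE: SHA-256 fingerprint of a certificate file, as keytool reports it
cert_fingerprint() {
  "$JAVA_HOME/bin/keytool" -printcert -file "$1" | fingerprint_from_printcert
}

# export_im_cert ALIAS OUTFILE: step 1, run on the IM node. Prints the fingerprint
# the operator carries to the IG node together with the file.
export_im_cert() {
  "$JAVA_HOME/bin/keytool" -export -rfc -alias "$1" \
    -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass "$STOREPASS" -file "$2"
  echo "exported alias $1 to $2, SHA256 fingerprint: $(cert_fingerprint "$2")"
}

# import_im_cert ALIAS CERTFILE EXPECTED_FP: steps 2 and 3, run on the IG node.
# Skips the import if the alias already exists and refuses a file whose
# fingerprint does not match the one recorded at export time.
import_im_cert() {
  ks="$JAVA_HOME/jre/lib/security/cacerts"
  if "$JAVA_HOME/bin/keytool" -list -v -keystore "$ks" -storepass "$STOREPASS" | alias_present "$1"; then
    echo "alias $1 already present in $ks, nothing to do"
    return 0
  fi
  actual=$(cert_fingerprint "$2")
  if [ "$actual" != "$3" ]; then
    echo "refusing to import $2: expected fingerprint $3, got $actual" >&2
    return 1
  fi
  "$JAVA_HOME/bin/keytool" -import -noprompt -alias "$1" -file "$2" \
    -keystore "$ks" -storepass "$STOREPASS"
  # step 3: verify the alias is now listed
  "$JAVA_HOME/bin/keytool" -list -v -keystore "$ks" -storepass "$STOREPASS" | alias_present "$1"
}

# Entry point (RUN is an assumption of this example):
#   on the IM node: RUN=export ./im-cert.sh caim-srv caim-srv.cer
#   on the IG node: RUN=import ./im-cert.sh caim-srv caim-srv.cer <fingerprint printed by export>
case "${RUN:-}" in
  export) export_im_cert "$1" "$2" ;;
  import) import_im_cert "$1" "$2" "$3" ;;
esac
```

The fingerprint check is the part worth keeping even if you run the keytool commands by hand: importing into cacerts adds a trust anchor for every TLS connection the IG JVM makes, so confirm that the file you import is the one exported from the IM node rather than whatever happened to land in the working directory.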

Additional Information

If you are FIPS enabled, you must declare the FIPS key location.

For VAPP the default location for the FIPS key is here:

/opt/CA/wildfly-ig/modules/com/ca/iam/crypto/main/config/com/netegrity/config/keys/FIPSkey.dat

or

/opt/CA/wildfly-ig/fips/FIPSkey.dat

The following documentation covers enabling FIPS for IG: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-governance/14-4/configuring/security-and-encryption/how-to-enable-fips-140-2-encryption.html

NOTE:

If the problem still persists and the error below appears in the Identity Governance log, make sure to import the UserStore certificate from the CentOS 8 node, since 14.4.1 updated the OS from CentOS 6 to CentOS 8.

This is the error logged when the IG cacerts do not contain the UserStore certificate from the CentOS 8 node:

ERROR [stderr] (default task-109) ERROR ConnectionObject IMConnectionObject.getLdapContext: Failed to get LDAP context
ERROR [stderr] (default task-109)  javax.naming.CommunicationException: simple bind failed: caim-srv:19289 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
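Added example, not part of the article: a small filter that pulls the failing endpoint out of Identity Governance log lines like the two above, so you can see which host:port the missing trust anchor belongs to (here the LDAP bind to the UserStore) before deciding which certificate to import. The function name is my own; the sample lines used to exercise it are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the article: find which endpoint failed its TLS
# handshake with a PKIX path-building error in IG log lines read on stdin.
set -eu

# pkix_bind_failures: print each distinct "host:port" whose simple bind failed
# because the JVM could not build a certification path (missing trust anchor).
pkix_bind_failures() {
  grep 'PKIX path building failed' \
    | sed -n 's/.*simple bind failed: \([^ ]*\) \[Root exception.*/\1/p' \
    | sort -u
}

# Usage: pkix_bind_failures < /path/to/ig/server.log
# Each printed endpoint is one whose server certificate (or its issuer) must be
# present in the IG cacerts; check it with the keytool -list command from step 3.
```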
