Symantec Identity Governance - Error Connecting IG to IM: IM Server is not available at caim-srv:80
Article ID: 253863
Updated On:
Products
Issue/Introduction
We receive an error following the directions for connecting Identity Governance to Identity Manager. We have tried both the names in /etc/hosts file (caim-srv and caim-srv-02) and by IP address.
Error:
IM Server is not available at caim-srv:80
Environment
Release : 14.4
Resolution
The issue was caused by VAPP not inserting the IM cert into the IG keystore. Follow the below steps to import the cert:
1. Go to the IM node home directory, and run the following command to export the certificate.
"$JAVA_HOME/bin/keytool" -export -alias caim-srv -keystore "$JAVA_HOME/jre/lib/security/cacerts" -rfc -file caim-srv.cer
2. Go to the IG node, and run the following command to import the certificate.
"$JAVA_HOME/bin/keytool" -import -file "caim-srv.cer" -keystore "$JAVA_HOME/jre/lib/security/cacerts" -alias "caim-srv"
3. Make sure that the alias "caim-srv" exists now in the IG node using the following command.
"$JAVA_HOME/bin/keytool" -list -v -keystore "$JAVA_HOME/jre/lib/security/cacerts" | grep Alias
4. If the certificate is imported successfully, do the test connection from IG using the node name "caim-srv" or "caim-srv-0X" and confirm the resolution.
Additionally, you can run the -list command from step 3 prior to performing the export/import to confirm if the certs do or do not exists.
Additional Information
If you are FIPS enabled, you must declare the FIPS key location.
For VAPP the default location for the FIPS key is here:
/opt/CA/wildfly-ig/modules/com/ca/iam/crypto/main/config/com/netegrity/config/keys/FIPSkey.dat
or
/opt/CA/wildfly-ig/fips/FIPSkey.dat
The below documentation covers enabling FIPS for IG. https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-governance/14-4/configuring/security-and-encryption/how-to-enable-fips-140-2-encryption.html
Additional Confirmation Steps:
If you follow all the above steps and you continue to have connection issues. Confirm that the task "Create Web Services Configuration" exists with your Identity Manager Environment. If this task is missing then you will continue to have connection issues between IM and IG. Open a support ticket and request the "Create Web Services Configuration" task within an XML file, import the role within the management console, and add it to the System Manager role. Once these steps are completed you can test your connection once more and it should be successful at this time.
NOTE:
If the problem still persists and we have the error below in the Identity Governance log, make sure to import the UserStore certificate from CentOS8 since 14.4.1 updated the OS from CentOS6 to CentOS8
That's the error when the IG cacerts do not have the UserStore certificate from CentOS8
ERROR [stderr] (default task-109) ERROR ConnectionObject IMConnectionObject.getLdapContext: Failed to get LDAP context
ERROR [stderr] (default task-109) javax.naming.CommunicationException: simple bind failed: caim-srv:19289 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Feedback
