Modifying a Identity Manager Directory with SiteMinder integration fails with postCreate error
Article ID: 31038

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

A series of support cases have been opened where an IM directory cannot be created or modified from the Management Console when IM is integrated with SiteMinder.
Environment

Release:
Component: IDMGR

Cause

When creating a SiteMinder-integrated IM Directory, the IM application server first creates a copy of the directory object in the IM object store and then runs a post-create step that uses the SetLinkedData method to create a copy of the directory object in SiteMinder's policy store. It is in this post-create step that the error occurs.

Typically, you will see a postCreate failure, "object not found" or "duplicate object ID" in the errors.

When integrated with SiteMinder, updating IM Directories forces the IM application to synchronize the changes to SiteMinder's copy of the directory. This happens after the modification or creation of the IM directory, which is why it is called the "postCreate" phase and why the error appears there.

In 95% of cases, the synchronization of the SiteMinder directory is unnecessary. If you can verify that the attributes you are changing are not used by SiteMinder, the IM/SM integration can safely be disabled for the import and re-enabled once the import has completed.

Resolution

Please note:
If any of the updated attributes are used by SiteMinder for password policies or access role membership, this workaround is not feasible. If you need to modify an attribute used by SiteMinder for password policies, you will need to rebuild the SSO integration.

Additionally, changes to any of these attributes will require an additional step documented in the Additional Information section:

Figure A

UserID
Password
Password Data
Enabled
Email
Password Hint

As long as you are not updating one of the above attributes, you can avoid the postCreate error by temporarily disabling the SiteMinder integration, importing the environment, and then re-enabling SSO.

Navigate to the \policyserver.rar\META-INF folder located within iam_im.ear on the application server that is running CA IdentityMinder.

Open the ra.xml file in an editor.

Search for the Enabled config-property, and then change its config-property-value to false.

Save your changes and restart the application server.

Import the modified directory.xml.

Stop the application server and undo the change to the Enabled config-property, setting its value in ra.xml back to true.

Restart the application server.
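The ra.xml edits above (set Enabled to false before the import, back to true afterwards) as an added Python example; this is not CA's tooling. It reads and toggles the Enabled config-property of a JCA resource adapter descriptor and lets you confirm the flag really is back to true before you restart. The descriptor below is constructed for the example, and the Host property and its value are placeholders.

```python
"""Read and toggle the Enabled flag in policyserver.rar/META-INF/ra.xml."""
import xml.etree.ElementTree as ET

# Constructed sample in the JCA config-property layout; not a real CA descriptor.
SAMPLE_RA_XML = """<connector>
  <resourceadapter>
    <config-property>
      <config-property-name>Enabled</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>true</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>Host</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>policyserver.example.invalid</config-property-value>
    </config-property>
  </resourceadapter>
</connector>
"""


def _local(tag):
    # Drop any XML namespace so descriptors with or without a default xmlns match.
    return tag.rsplit("}", 1)[-1]


def _enabled_value_element(root):
    # Return the config-property-value element of the property named "Enabled".
    for prop in root.iter():
        if _local(prop.tag) != "config-property":
            continue
        name, value = None, None
        for child in prop:
            if _local(child.tag) == "config-property-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "config-property-value":
                value = child
        if name == "Enabled" and value is not None:
            return value
    raise ValueError("no config-property named 'Enabled' in ra.xml")


def read_enabled(xml_text):
    """True if the SiteMinder integration flag is currently 'true'."""
    value = _enabled_value_element(ET.fromstring(xml_text))
    return (value.text or "").strip().lower() == "true"


def set_enabled(xml_text, enabled):
    """Return the descriptor text with only the Enabled value changed."""
    root = ET.fromstring(xml_text)
    _enabled_value_element(root).text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")
```

Run read_enabled on the saved file after the final edit and refuse to restart the server unless it returns True, so the integration is never left disabled by accident.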

Your update of the directory should now be complete.

Additional Information

If you modified any of the attributes in Figure A, you will need to open the SiteMinder UI and modify the SiteMinder user directory to make the desired changes.