vIDM 3.3.x AD Sync Stuck Due to Calculator stuck Issue
search cancel

vIDM 3.3.x AD Sync Stuck Due to Calculator stuck Issue

book

Article ID: 381347

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

The vIDM 3.3.x (Identity Manager) AD sync was stuck, and the vRA IDM connector was not syncing with the AD directory. The issue was caused by a stalled Entitlement Calculator, preventing the sync process from completing.

Additionally, the Admin UI > Directories page displayed a "Refresh Page to see sync status" link instead of the "Sync Now" button, as WS1A incorrectly assumed the Entitlement Calculation had not finished yet.

Environment

VMware Identity Manager (IDM) 3.3.x

Cause

The issue is typically caused when the Entitlement Calculator is unable to process entitlement changes due to a stalled process or dead thread.

How to Detect Stuck Calculator:

Symptoms of a stuck Entitlement Calculator in WS1A may include:

  1. New entitlement changes not reflected in the End User Portal: Newly entitled applications may not appear in the End User catalog, even though the Admin UI shows the changes.

  2. UI indicates "Refresh Page to see sync status": On the Directories page in Admin UI, the "Sync Now" button is replaced with the "Refresh Page to see sync status" link, indicating that the Entitlement Calculator process has stalled.

  3. Database Query to Detect Stuck Calculator:
    To detect whether the calculator is stuck, execute the following query to check the Last Process Finished Time of the calculator processes:

     
    SELECT * FROM saas.GlobalConfigParameters WHERE id IN ('LatestUserEntitlementVersion','LatestUserGroupVersion','LatestSearchVersion');

    Example output:

     
    SELECT * FROM saas.GlobalConfigParameters WHERE id IN ('LatestUserEntitlementVersion','LatestUserGroupVersion','LatestSearchVersion');
              id              | idEncryptionMethod |       strData       |      timestamp
------------------------------+--------------------+---------------------+---------------------
 LatestSearchVersion          |                  3 | 1536790408602000000 | 1536790413670384220
 LatestUserEntitlementVersion |                  3 | 1536792842410000000 | 1536792847418084130
 LatestUserGroupVersion       |                  3 | 1536792841581000000 | 1536792846584074518
(3 rows)

    The Last Process Finished Time value should be close to the current time. If the value is delayed by days, it is an indication that the Entitlement Calculator is stuck.

Resolution

Note: Take a snapshot of a VMware Identity Manager (vIDM) cluster before performing the steps.

1. Identify the Node Holding the Calculator Lock

First, determine which server node is holding the lock for the Entitlement Calculator by executing the following query:

SELECT * FROM saas.SyncTokenLock ORDER BY id;

This query will return the instanceName of the node holding the lock, for example:

instanceName ------------------------- node1-test.xxxxlabs.com
 

2. Restart the Service on the Affected Node

Once the node holding the lock is identified, perform a service restart on that node to release the lock and allow the Calculator to process:

service horizon-workspace restart
 

3. Verify the Issue is Resolved

After restarting the service, run the previous database query again to check if the Last Process Finished Time values have been updated and are closer to the current time.

Additionally, verify that the newly entitled applications are now visible in the End User Portal catalog.

 

Note : If the issue persist, open a service request with the Broadcom Technical Support and reference this KB. 

Additional Information

 

 

Powered by Wolken Software