XPSExport fails with error: "Unable to read attribute "CA.SM::<Object Class>.<AttributeName> of Object"

book

Article ID: 4453

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

 

We're running XPSExport command, and this one fails with error :

  "Unable to read attribute "CA.SM::<Object Class>.<AttributeName> of Object"

How can we fix this ?

 

Cause

 

The object has an attribute which is essentially a link to another
object. That attribute is populated with an object XID which doesn't
exist in the Policy Store.

To illustrate :

Unable to read attribute 

  CA.SM::ServiceProviderUsers.UserPolicyLink[0]

of object

  CA.SM::[email protected]

The XID of the object is

  CA.SM::[email protected]

This object class has an attribute named "UserPolicyLink"

   CA.SM::ServiceProviderUsers.UserPolicyLink

This attribute would normally be populated with the XID of a
UserPolicyLink 

  
  CA.SM::[email protected]<OID>

In this case, the attribute is empty. In some cases, it might occur
that this attribute has been populated with an XID which doesn't
exist. In either case it will need to be fixed in order for the
XPSExport to complete successfully.

 

Environment

 

All Policy Server versions;
All Policy Store versions;

 

Resolution

 

Use XPSExplorer to Delete the Object :

  1. Run XPSExplorer and review the XID of the object
     (CA.SM::[email protected]).
     Verify whether the 'UserPolicyLink' attribute is populated.  If so,
     search for that XID. If the field is empty or the XID does not
     exist, then the object will need to be removed;

  2. Attempt to delete the object in XPSExplorer;

  3. If the object cannot be deleted in XPSExplorer we will need to
     delete the object manually;


Manually Delete the Object :

  1) Execute an LDIF export of the policy store using the 3rd party
     LDAP tools provided by the LDAP Vendor;

  2) Locate the XID of the object. Record the Distinguished Name (DN);

  3) Locate the XPSNumber of the object :

     xpsXID=CA.SM::[email protected],OU=XPS,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,DC=CA,DC=com

     xpsNumber=0000005579\0ACNF:24d7d641-3e21-44f1-a79d-da78efc924ba,OU=XPS,OU=PolicySvr4,OU=SiteMinder,OU=Netegrity,DC=CA,DC=com

  4) Delete the DN's manually;