search cancel

"Get Suffixes" button does not retrieve values into the combo list on IM provisioning Manager CA ACF2 or CA TSS endpoint properties. "Searching the mainframe LDAP Server failed, rc=0". Message is received.

book

Article ID: 50376

calendar_today

Updated On:

Products

CA Directory CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

Description:

When opening the Mainframe Security endpoint property tabs (of CA-ACF2 or CA-Top Secret), and then clicking on "Get Suffixes" button the system does not retrieve values into the combo list, but returns the following message box:

"Searching the mainframe LDAP Server failed, rc=0. Please verify that the IP and port information is correct. Also ensure you have the latest LDAP server and maintenance installed and re-try."

Explanation:

With CA LDAP Server for z/OS R14 installed , to get suffixes, IM Mainframe connector performs an anonymous one level search against the LDAP server. It is searching using "cn=config" as Base DN with "objectClass=olcDatabaseConfig" search filter, it then loops through attributes to find the "olcSuffix" value when the naming mode is "im".

Here, the request has not failed (rc=0) but no object, with a suffix value and a naming mode set to "im", has been found.

Troubleshooting:

Try running this LDAP request against IMPS from command line as shown on the example below:: (ACF2 e.g.)

CA\Identity Manager\Provisioning Server\bin>ldapsearch -LLL -h <HOST> -p <PORT>
-D cn=<USER> -w <PASWORD> -b cn=config -s one
(objectClass=olcDatabaseConfig) olcSuffix acfHostNamingMode

Note: (For TSS: change acfHostNamingMode to tssHostNamingMode)

Check if you have one resulting record with acfHostNamingMode set to im (ACF2 e.g.)

Note: the second entry deals with the "im" naming mode.

If this entry is missing you will receive the error previously described.

The search request should return lines as following:

dn: olcDatabase={1} caacf2_utf,cn=config
olcSuffix: host=xxxxxxxx,o=yyyyyyyy,c=zzzzzzzz
dn: olcDatabase={2} caacf2_utf,cn=config
olcSuffix: host= xxxxxxxx _im,o=yyyyyyyy,c=zzzzzzzz
acfHostNamingMode: im

Note: Running slapd in debug mode (e.g. : slapd -d 5 -f ./slapd.conf) will not provide pertinent info since there is no failure(slapd returns code 0).

Solution:

Configure the database statement for the CA LDAP Server to run as CA Web Administrator mode.

To do that please follow this 2 steps procedure below:

(Documentation references here come from CA LDAP Server for z/OS Product Guide r14)

  1. On Main Frame side manually edit the slapd.conf file in USS using oedit or vi. (Chapter 4: Configuration)

    You need to uncomment and change the Web Admin definition in this file to have at least the 3 following lines (based on caacf2_utf database suffix):

    database caacf2_utf
    suffix "host= xxxxxxxx _im,o=yyyyyyyy,c=zzzzzzzz"
    naming_mode im

    Note: CA Web Administrator naming_mode is explained in Chapter 5: CAACF2_UTF Back-end / Page 65.

  2. Stop and restart the CA LDAP Server. This can be done via operator commands at the console interface. (See Chapter 2: Startup Options)

    Note: This is the same procedure for TSS.

Environment

Release:
Component: IDMGR