Some Workflow requests are incorrectly being sent to the Default Approver

Article ID: 5743

Products

CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)

Issue/Introduction

Some Workflow requests are incorrectly being sent to the Default Approver: approval requests are sent to the Default Approver even if the Approvers Group is OK.

Cause

This exception occurs when Active Directory determines that a connection has remained idle for too long and closes it on the Active Directory side. As a result, when user actions trigger LDAP searches, the application tries to use the closed connection and throws an exception. To resolve the problem, set the JVM argument com.sun.jndi.ldap.connect.pool.timeout to a small timeout value, forcing the application to close the connection before the Active Directory server closes it.

Environment

CA Privileged Identity Manager r12.8, MS Active Directory 2008 R2

Resolution

Please follow the instructions below to add the timeout value to the JVM arguments:

Note: This needs to be done on all the ENTMs and LBs.

 

Windows: 

 

1. Stop the JBoss 

2. Navigate to <JBOSS_HOME>/bin 

3. Back up the existing run_idm.bat file

4. Add the following line above the line set JAVA_OPTS=-Djava.security.policy=.\workpoint_client.policy -Xms512m -Xmx1024m -XX:MaxPermSize=256m %JAVA_OPTS%

 

set LDAP_OPTS=-Dcom.sun.jndi.ldap.connect.pool.maxsize=20 -Dcom.sun.jndi.ldap.connect.pool.prefsize=10 -Dcom.sun.jndi.ldap.connect.pool.timeout=10000 

 

5. Now add LDAP_OPTS to the JAVA_OPTS 

 

set JAVA_OPTS=%IDM_OPTS% %JAVA_OPTS% %DEBUG_OPTS% %LDAP_OPTS% 

 

6. Start the JBoss 

 

Linux: 

 

1. Stop the JBoss 

2. Navigate to <JBOSS_HOME>/bin 

3. Back up the existing run_idm.sh file

4. Add the following line above the line JAVA_OPTS="$IDM_OPTS -Djava.security.policy=workpoint_client.policy -Xms256m -Xmx512m -XX:MaxPermSize=128m"

 

LDAP_OPTS="-Dcom.sun.jndi.ldap.connect.pool.maxsize=20 -Dcom.sun.jndi.ldap.connect.pool.prefsize=10 -Dcom.sun.jndi.ldap.connect.pool.timeout=10000" 

 

5. Now add LDAP_OPTS to the JAVA_OPTS 

 

JAVA_OPTS="$IDM_OPTS -Djava.security.policy=workpoint_client.policy -Xms256m -Xmx512m -XX:MaxPermSize=128m $LDAP_OPTS" 

 

6. Start the JBoss

 

It is important to set the value of "com.sun.jndi.ldap.connect.pool.maxsize" correctly. Setting a value that is too high may affect performance; setting a value that is too low will reduce concurrent login capacity.
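
To confirm the Linux edit on every ENTM and LB node, a check along these lines can be run against run_idm.sh. This is an added example, not part of the original article or the product: check_ldap_pool_opts and sample_run_idm are hypothetical helper names, the sample content is constructed from the two lines shown in the Linux steps, and the 10000 ms ceiling is an assumption taken from the value used above.

```shell
#!/bin/sh
# Added example, not product code. Helper names are hypothetical.

# Constructed sample: the two run_idm.sh lines from the Linux steps above.
sample_run_idm() {
cat <<'EOF'
LDAP_OPTS="-Dcom.sun.jndi.ldap.connect.pool.maxsize=20 -Dcom.sun.jndi.ldap.connect.pool.prefsize=10 -Dcom.sun.jndi.ldap.connect.pool.timeout=10000"
JAVA_OPTS="$IDM_OPTS -Djava.security.policy=workpoint_client.policy -Xms256m -Xmx512m -XX:MaxPermSize=128m $LDAP_OPTS"
EOF
}

# Usage: check_ldap_pool_opts FILE [MAX_TIMEOUT_MS]
# Returns 0 if the edit is in place, 1 if it is missing or wrong,
# 2 if FILE cannot be read.
check_ldap_pool_opts() {
    file=$1
    max_ms=${2:-10000}   # assumption: default ceiling is the article's value
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # Line number of the first uncommented LDAP_OPTS assignment.
    def_line=$(grep -n '^[[:space:]]*LDAP_OPTS=' "$file" | head -n 1 | cut -d: -f1)
    [ -n "$def_line" ] || { echo "$file: LDAP_OPTS is not defined" >&2; return 1; }

    # Numeric pool timeout (milliseconds) taken from that assignment.
    timeout=$(sed -n "${def_line}s/.*-Dcom\.sun\.jndi\.ldap\.connect\.pool\.timeout=\([0-9][0-9]*\).*/\1/p" "$file")
    [ -n "$timeout" ] || { echo "$file: pool.timeout not set in LDAP_OPTS" >&2; return 1; }
    [ "$timeout" -le "$max_ms" ] || { echo "$file: pool.timeout $timeout exceeds $max_ms ms" >&2; return 1; }

    # Last JAVA_OPTS assignment that references $LDAP_OPTS or ${LDAP_OPTS}.
    use_line=$(grep -nE '^[[:space:]]*JAVA_OPTS=.*\$[{]?LDAP_OPTS' "$file" | tail -n 1 | cut -d: -f1)
    [ -n "$use_line" ] || { echo "$file: JAVA_OPTS does not include LDAP_OPTS" >&2; return 1; }

    # If LDAP_OPTS is defined after it is used, it expands to nothing.
    [ "$def_line" -lt "$use_line" ] || { echo "$file: LDAP_OPTS is defined after JAVA_OPTS uses it" >&2; return 1; }

    echo "$file: OK (pool.timeout=${timeout} ms)"
}

# Check every file named on the command line, e.g. <JBOSS_HOME>/bin/run_idm.sh
for f in "$@"; do check_ldap_pool_opts "$f"; done
```

A non-zero return on any node means that node still runs without the pool timeout and can keep using connections that Active Directory has already closed.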