After either rebooting the Provisioning Server machine or restarting all DSAs and the Provisioning Server, the Provisioning Server service does not start.

From Service window we have the error message:

"error code 21"

The im_ps.log file display the following messages:

[14:21:06.078:00000B38] reading config file D:\Program Files (x86)\CA\Identity Manager\Provisioning Server\data\tls\server\fips.conf

TLS: can't connect.

[14:21:09.218:00000B38] backend_startup: bi_db_open 0 failed!

[14:21:09.265:00000B38] slapd stopped.

[14:21:09.265:00000B38] connections_destroy: nothing to destroy.

Cause could be bad or expired DSA personality certs and/or the trusted root CA has a mismatch with DSA personality certs.

Because the certificate may have expired or no trust between trusted root CA and personality certs, recreate all DSAs certificates.

Follow these steps:

1. Backup your existing %DXHOME%\config\ssld folder.

2. Stop all Connector Servers C++ and Java.

3. Stop all DSAs by running "dxserver stop all" at the command prompt.

4. Regenerate the certs from command prompt by running following command.

       dxcertgen -d <Number_of_Days> certs

e.g. dxcertgen -d 3650 certs  (This will  generate new certificates with 10 years validity)

5. Copy the content of 'trusted.pem' (the last part including ----BEGIN CERTIFICAT---- and ----END CERTIFICATE---- lines) to the existing 'impd_trusted.pem' file as this is the trusted root CA that IMPD DSAs will read from.

IMPORTANT NOTE: If running in a cluster only perform the above steps on one node and copy the resulting files (i.e. impd_trusted.pem and all personalities certs) to the other node(s)

6. Start all DSAs by running "dxserver start all" at the command prompt.

7. Start both Connector Servers C++ and Java.

8. Start Provisioning Server service.