After either rebooting the Provisioning Server machine or restarting all DSAs and the Provisioning Server, the Provisioning Server service does not start.
The Services window shows the error message:
"error code 21"
The im_ps.log file displays the following messages:
[14:21:06.078:00000B38] reading config file D:\Program Files (x86)\CA\Identity Manager\Provisioning Server\data\tls\server\fips.conf
TLS: can't connect.
[14:21:09.218:00000B38] backend_startup: bi_db_open 0 failed!
[14:21:09.265:00000B38] slapd stopped.
[14:21:09.265:00000B38] connections_destroy: nothing to destroy.
The cause could be bad or expired DSA personality certificates, and/or a trusted root CA that does not match the DSA personality certificates.
Because the certificates may have expired, or there may be no trust between the trusted root CA and the personality certificates, recreate all DSA certificates.
Follow these steps:
1. Back up your existing %DXHOME%\config\ssld folder.
2. Stop all Connector Servers C++ and Java.
3. Stop all DSAs by running "dxserver stop all" at the command prompt.
4. Regenerate the certs from the command prompt by running the following command:
dxcertgen -d <Number_of_Days> certs
e.g. dxcertgen -d 3650 certs (This will generate new certificates with 10 years validity)
5. Copy the content of 'trusted.pem' (the last part, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines) to the existing 'impd_trusted.pem' file, as this is the trusted root CA that the IMPD DSAs will read from.
IMPORTANT NOTE: If running in a cluster, perform the above steps on one node only and copy the resulting files (i.e. impd_trusted.pem and all personality certs) to the other node(s).
6. Start all DSAs by running "dxserver start all" at the command prompt.
7. Start both Connector Servers C++ and Java.
8. Start Provisioning Server service.
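
The following PowerShell check is an added example, not part of the original article or the vendor's tooling. It reports the expiry date of each DSA personality certificate and whether it chains to a root in 'impd_trusted.pem', which helps confirm the cause before regenerating and verify the result after step 5. The file locations under %DXHOME%\config\ssld (including the 'personalities' folder) and the 30-day warning threshold are assumptions; adjust them to your installation.

```powershell
# Added example, not vendor code. Paths and the 30-day threshold are assumptions.
param(
    [string]$TrustedPem  = (Join-Path $env:DXHOME 'config\ssld\impd_trusted.pem'),
    [string]$PersonalDir = (Join-Path $env:DXHOME 'config\ssld\personalities'),
    [int]$WarnDays       = 30
)

function Get-PemCertificate {
    param([string]$Path)
    # Decode every CERTIFICATE block; private-key blocks in the same file are skipped.
    $text = Get-Content -LiteralPath $Path -Raw
    $pattern = '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    }
}

$roots = @(Get-PemCertificate -Path $TrustedPem)
$rootThumbprints = $roots | ForEach-Object { $_.Thumbprint }

$report = foreach ($file in Get-ChildItem -LiteralPath $PersonalDir -Filter *.pem) {
    foreach ($cert in Get-PemCertificate -Path $file.FullName) {
        # Offer the roots from the trusted file as issuer candidates. A personality
        # counts as trusted only if its chain ends at one of those roots.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
        foreach ($r in $roots) { [void]$chain.ChainPolicy.ExtraStore.Add($r) }
        [void]$chain.Build($cert)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            File     = $file.Name
            NotAfter = $cert.NotAfter
            DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Expired  = $cert.NotAfter -lt (Get-Date)
            Trusted  = $rootThumbprints -contains $top.Thumbprint
            Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize
$bad = @($report | Where-Object { $_.Expired -or -not $_.Trusted -or $_.DaysLeft -lt $WarnDays })
if ($bad.Count) { Write-Warning "$($bad.Count) personality certificate(s) need attention."; exit 1 }
```

A non-zero exit code makes the script usable as a scheduled check, so that approaching expiry is caught before the Provisioning Server fails to start.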