IBM Tivoli Identity Manager

Server Troubleshooting Guide

Version 4.5

SC32-1151-01
Note: Before using this information and the product it supports, read the information in “Notices,” on page 57.

Second Edition (September 2003)

This edition applies to version 4.5.0 of Tivoli Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2003. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Preface  v
  Who Should Read This Book  v
  Publications  v
    Tivoli Identity Manager Server Library  v
    Prerequisite Product Publications  vi
    Related Publications  vi
    Accessing Publications Online  vii
  Accessibility  vii
  Contacting Software Support  vii
  Conventions Used in This Book  viii

Chapter 1. Troubleshooting  1
  Using Information in Event Log Files  1
    Installation Log  1
    Audit trail in Web User Interface  1
    Tivoli Identity Manager Server Log  2
    Application Server Log  2
    Web Server Access Log  2
    Directory and Database Server Log  3
  Common Problems  4
    Installation and Start-up Problems  5
    Logon Failures  8
    Web Browser Problems  12
    Internal Server Errors  13
    WebLogic-specific Problems  14
    Data Input Problems  15
    Remote Communication Problems  16
    Problems  18
    Miscellaneous Problems  19

Chapter 2. Tivoli Identity Manager LDAP Schema  23
  Tivoli Identity Manager LDAP Directory Tree  24
  General Tivoli Identity Manager Classes  27
    erBPPersonItem  27
    erBPOrg  27
    erBPOrgItem  27
    erDictionary  28
    erDictionaryItem  28
    erFormTemplate  28
    erIdentityExclusion  28
    erLocationItem  29
    erManagedItem  29
    erOrganizationItem  29
    erOrgUnitItem  30
    erPersonItem  30
    erRole  30
    erSecurityDomainItem  30
    SecurityDomain  31
    erTenant  31
    erWorkflowDefinition  33
  Service Classes  35
    erAccountItem  35
    erAttributeConstraint  35
    erChallenges  35
    erDSMLInfoService  36
    erDSML2Service  36
    erDynamicRole  37
    erHostedAccountItem  37
    erHostedService  38
    erHostSelectionPolicy  38
    erITIMService  38
    erJoinDirective  39
    erObjectCategory  39
    erObjectProfile  39
    erRemoteServiceItem  40
    erServiceItem  40
    erServiceProfile  41
    erSystemItem  41
    erSystemRole  41
    erSystemUser  42
  Policy Classes  43
    erIdentityPolicy  43
    erPasswordPolicy  43
    erPolicyBase  43
    erPolicyItemBase  44
    erProvisioningPolicy  44

Chapter 3. Database Tables  45
  Workflow Tables  46
    PROCESS Table  46
    PROCESSLOG Table  47
    PROCESSDATA Table  47
    ACTIVITY Table  48
    WORKITEM Table  49
    PASSWORD_TRANSACTION Table  49
    NEXTVALUE Table  49
    PENDING Table  50
  Services Tables  51
    RESOURCE_PROVIDERS Table  51
    REMOTE_SERVICES_REQUESTS Table  52
    REMOTE_RESOURCES_RECONS Table  52
    REMOTE_RESOURCES_RECON_QUERIES Table  53
    SCHEDULED_MESSAGE Table  54
    LISTDATA Table  55

Appendix. Notices  57
  Trademarks  58

Glossary  61

Index  65

© Copyright IBM Corp. 2003   iii

iv   IBM Tivoli Identity Manager: Server Troubleshooting Guide
Preface

The IBM® Tivoli® Identity Manager Troubleshooting Guide helps administrators to troubleshoot problems. This guide enables administrators to quickly look up Tivoli Identity Manager schema and IBM DB2® table information related to the Tivoli Identity Manager Server.

Who Should Read This Book

This manual is intended for system and security administrators who install, maintain, or administer software on their site’s computer systems. Readers are expected to understand system and security administration concepts. Additionally, the reader should understand administration concepts for the following:

• Directory server
• Database server
• WebSphere® embedded messaging support
• WebSphere Application Server or WebLogic
• IBM HTTP Servers
Publications

Read the descriptions of the Tivoli Identity Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Tivoli Identity Manager Server Library

The publications in the Tivoli Identity Manager Server library are:

• Online user assistance for Tivoli Identity Manager
  Provides integrated online help topics for all Tivoli Identity Manager administrative tasks.
• Separate versions of Tivoli Identity Manager Server Installation Guide on either UNIX or Windows, using either WebSphere or WebLogic. Use the version appropriate for your site.
  Provides installation information for Tivoli Identity Manager.
• Tivoli Identity Manager Policy and Organization Administration Guide
  Provides topics for Tivoli Identity Manager administrative tasks.
• Tivoli Identity Manager Server Configuration Guide
  Provides configuration information for single-server and cluster Tivoli Identity Manager configurations.
• Tivoli Identity Manager End User Guide
  Provides beginning user information for Tivoli Identity Manager.
• Tivoli Identity Manager Release Notes
  Provides software and hardware requirements for Tivoli Identity Manager, and additional fix, patch, and other support information.
• Tivoli Identity Manager Troubleshooting Guide
  Provides additional problem solving information for the Tivoli Identity Manager product.
Prerequisite Product Publications

To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager. Publications are available from the following locations:

• WebSphere Application Server
  http://www.ibm.com/software/webservers/appserv/support.html

  Note: The following brief list of Redbooks describes installing and configuring WebSphere Application Server and providing additional security. Although the list was current when this publication went to production, publications may become obsolete. Contact your customer representative for a recommended list of resource information.

  – IBM WebSphere Application Server V5.0 System Management and Configuration, an IBM Redbook
  – IBM WebSphere Application Server V5.0 Security, an IBM Redbook
• WebLogic Application Server
  http://e-docs.bea.com/
• Database servers
  – IBM DB2
    http://www.ibm.com/software/data/db2/udb/support.html
    http://www.ibm.com/software/data/db2
  – Oracle
    http://technet.oracle.com/documentation/content.html
  – Microsoft SQL Server 2000
    http://msdn.microsoft.com/library/
• Directory server applications
  – IBM Directory Server
    http://www.ibm.com/software/network/directory
  – Sun ONE Directory Server
    http://www.ibm.com/software/network/directory
• WebSphere embedded messaging support (or IBM MQSeries)
  http://www.ibm.com/software/ts/mqseries
• Web Proxy Server
  – IBM HTTP Server
    http://www.ibm.com/software/webservers/httpservers/library.html
  – Microsoft IIS HTTP Server
    http://www.microsoft.com/technet/prodtechnol/iis/default.asp
  – Apache HTTP Server
    http://httpd.apache.org/docs-project
Related Publications

Information related to Tivoli Identity Manager Server is available in the following publications:

• The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/library/
• The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page:
  http://www.ibm.com/software/tivoli/library/
Accessing Publications Online

The IBM publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, at the Tivoli Software Library:
http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the Library page. Then, locate and click the name of the product on the Tivoli Software Information Center page. Product publications include release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: To ensure proper printing of publications, select the Fit to page check box in the Adobe Acrobat window (which is available when you click File → Print).
Accessibility

The product documentation includes the following features to aid accessibility:

• Documentation is available in both HTML and PDF formats to give the maximum opportunity for users to apply screen-reader software.
• All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.
Contacting Software Support

Before contacting IBM Tivoli Software support with a problem, refer to the IBM Tivoli Software support Web site at:
http://www.ibm.com/software/sysmgmt/products/support/

If you need additional help, contact software support using the methods described in the IBM Software Support Guide at the following Web site:
http://techsupport.services.ibm.com/guides/handbook.html

This guide provides the following information:

• Registration and eligibility requirements for receiving support
• Telephone numbers, depending on the country in which you are located
• A list of information you should gather before contacting customer support
Conventions Used in This Book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths. The following typeface conventions are used in this book:

Bold
    Bold text indicates selectable window buttons, field entries, and commands appearing in this manual except from within examples or the contents of files.

Monospace
    Text in monospace type indicates the contents of files, file names or the output from commands.

italic
    Italic text indicates context-specific values such as:
    • path names
    • file names
    • user names
    • group names
    • system parameters
    • environment variables

%
    The percent sign (%) indicates the C shell screen prompt as part of examples included in this manual. Your system’s C shell screen prompt may be different.

#
    The pound sign (#) represents the screen prompt shown to users logged in as superusers (root access).
Chapter 1. Troubleshooting

Tivoli Identity Manager allows you to use a logging feature to help identify where failures occur within the system. This chapter describes the different types of event log files and lists a set of common problems and solutions.

Topic index:
• “Using Information in Event Log Files” on page 1
• “Common Problems” on page 4

Using Information in Event Log Files

Tivoli Identity Manager has logging features that log the events during specific transactions. This facilitates isolating and debugging the problem. There are several types of logging available with the use of the runConfig utility:

• Installation log
• Audit trail in the Web user interface
• Tivoli Identity Manager Server log
• Application server log
• Web server access log
• Directory and database server logs

Standard Tivoli Identity Manager logging properties are located in the enRoleLogging.properties file. Tivoli Identity Manager uses the Log4J libraries and has expanded logging capabilities. For more information about the features using the Log4J libraries, refer to http://jakarta.apache.org/log4j and follow the link to the Log4J project. For more information about the Tivoli Identity Manager logging properties, refer to the Tivoli Identity Manager Server Configuration Guide.
Installation Log

Verbose logging to the console can be enabled for the installer and configuration programs (DBConfig, LdapConfig, and RunConfig) during installation. To enable logging during installation, type the following at the prompt:

UNIX (AIX and Solaris):
    # LAX_DEBUG=true
    # export LAX_DEBUG

Windows:
    MSDOS> set LAX_DEBUG=true

Note: These commands should be run using the administrator account. The administrator account should use a Bourne shell or Windows command prompt.

Installation log files are stored in the <ITIM_HOME>/install_logs directory.
Audit trail in Web User Interface

The audit trail in the web user interface can be helpful in tracking down problems with agent communication, policy enforcement, and request approval. This logging option is accessible from the Tivoli Identity Manager user interface. Refer to the Tivoli Identity Manager Policy and Organization Administration Guide for more information on setting the audit log option.

For example, if you request a new account for a service where a Tivoli Identity Manager Agent is currently not running, a message is displayed in the web user interface indicating that the connection was refused.
Tivoli Identity Manager Server Log

The Tivoli Identity Manager Server logs requests to the command line and can log requests made directly to the console. This can detect problems such as the JAVA_HOME variable being set incorrectly and other environment problems. The server log file is located at:

    WebSphere: <WAS_HOME>/logs/itim.log
    WebLogic:  <BEA_HOME>/user_projects/itim/logs

Refer to the Tivoli Identity Manager Server Configuration Guide for more information on configuring the Tivoli Identity Manager Server log.
Application Server Log

The log files of the application server used by Tivoli Identity Manager (WebSphere Application Server or WebLogic Application Server) can provide useful troubleshooting information. The server log files are located at:

    WebSphere: <WAS_HOME>/logs
    WebLogic:  <BEA_HOME>/user_projects/itim/logs

Refer to the IBM Tivoli Identity Manager Server Configuration Guide for more information on configuring the Tivoli Identity Manager Server log.
Web Server Access Log

The HTTP proxy server tracks all HTTP and HTTPS requests made from clients.

For the IBM HTTP Server, refer to the IBM HTTP Server documentation for more information. Go to the following Web site:
http://www.ibm.com/software/webservers/httpservers/library.html

For the Microsoft Internet Information Services (IIS) HTTP Server, refer to the Microsoft IIS documentation for more information. Go to the following Web site:
http://www.microsoft.com/technet/prodtechnol/iis

For the Apache HTTP Server, refer to the Apache HTTP Server documentation for more information. Go to the following Web site:
http://httpd.apache.org/docs-project
Directory and Database Server Log

The directory server (IBM Directory Server or Sun ONE Directory Server) logs directory requests into separate log files. The location of these files is specified when you install the directory server.

The database server (IBM DB2 UDB, Oracle 8i Database, or Microsoft SQL Server) logs database requests into its own log files. The location of these files is specified when you install the database server.
Common Problems

There are several classes of frequently encountered system problems that may arise when setting up and operating Tivoli Identity Manager:

• “Installation and Start-up Problems” on page 5
• “Logon Failures” on page 8
• “Web Browser Problems” on page 12
• “Internal Server Errors” on page 13
• “WebLogic-specific Problems” on page 14
• “Data Input Problems” on page 15
• “Remote Communication Problems” on page 16
• Problems” on page 18
• “Miscellaneous Problems” on page 19

The following sections describe the issues that can occur and how to deal with them.
Installation and Start-up Problems

This section describes commonly encountered installation and start-up problems. The following is a list of common installation and start-up problems:

• “Problem: Cannot Install the Server” on page 5
• “Problem: Database or LDAP Configuration Program Appears to stop” on page 5
• “Problem: Missing E-fix PQ76707” on page 5
• “Problem: Installation Fails to Install enrole.ear File” on page 5
• “Problem: Cannot Start the Server” on page 6
• “Problem: Server Appears to Start but Cannot Log In To Server” on page 6
• “Problem: Datasource Connection Error” on page 7
Problem: Cannot Install the Server

If you cannot install the Tivoli Identity Manager Server, enable installation logging and check the log. Check the following:

• $DISPLAY variables
• Authorization to the X server
• File permissions
• Disk capacity

A common mistake is to log into the desktop, switch to another user, and try to install the Tivoli Identity Manager Server without enabling X server permission and setting the $DISPLAY variable.

The <JAVA_HOME> directory could be incorrectly set or be using the wrong version of the JDK. Verify that the <JAVA_HOME> directory is correct and that the JDK is version 1.3.1.
Problem: Database or LDAP Configuration Program Appears to stop

If the database or LDAP configuration program appears to stop, try to minimize the configuration UI windows and other windows. Configuration may have been completed and the secondary pop-up window may be hiding behind other windows.
Problem: Missing E-fix PQ76707

Show to support only: DevTrack # 11893

During installation, an installation dialog reports that the system does not have WebSphere Application Server e-fix PQ76707 installed. The dialog incorrectly lists e-fix PQ76707. The correct e-fix to apply is PQ77263.
Problem: Installation Fails to Install enrole.ear File

Configuration: Tivoli Identity Manager with WebSphere Application Server base

If the enrole.ear file fails to install during installation, a popup window will appear informing you of the failure and the installation will continue. However, the application will not start and you will not be able to log on to Tivoli Identity Manager because the application failed to install properly. To correct the problem, complete the following procedures:

1. Open a command prompt window on the system that failed to install the enrole.ear file.
2. Change to the <ITIM_HOME>/bin directory.
3. Execute the SetupEnrole application with the install parameter. The following line is an example of the command to execute:

       <ITIM_HOME>/bin> SetupEnrole install

   This will install the enrole.ear file in the proper directory.
4. Log on to the WebSphere Application Server Network Deployment Manager and open the admin console.
5. Verify that the changes are seen by the Network Deployment Manager by selecting Environment -> Update Web Server Plugin.
6. Save and synchronize the changes with all nodes.
7. Start the Tivoli Identity Manager Server by selecting Enrole under Enterprise Applications in the admin console and click Start.
Problem: Cannot Start the Server

If you cannot start the Tivoli Identity Manager Server, enable logging to the console. Use the following command to check whether any of the processes started:

    ps -ef | grep java

If none of the processes have started, check the environment variables, including the <JAVA_HOME> directory and <ITIM_HOME> directory in the startserver file. Also, verify that the log is owned by the Tivoli Identity Manager user account and not the root account. If the log is owned by the root account, the system will not be able to start from the Tivoli Identity Manager user account.

If the Tivoli Identity Manager Server did start, check the server log for errors and check file permissions. If the server does not have permission to read library files, the server will fail. If the server is started with a user other than root, it will not be able to listen for connection requests on ports 80 and 443.
Problem: Server Appears to Start but Cannot Log In To Server

If you receive the following error message when starting a Tivoli Identity Manager Server, you may not have the correct system configuration or you may have a corrupt file.

    ...ConfigurationWarning: No server target found for application, enRole...

To resolve this exception, complete the following procedures. Be sure to stop and start the Tivoli Identity Manager Server after each procedure to test whether the problem has been fixed.

1. Source the db2profile file. If the node agents in the cluster are started before the db2profile is sourced, the WebSphere-based applications cannot connect to the data source and throw an Unsatisfied Link exception. To source the db2profile, complete the following procedures:
   a. Logon to the machine with the IBM DB2 Server.
   b. Type the following command in a command prompt window:

          # . /db2InstanceHome/sqllib/db2profile

   c. Verify that the profile was sourced by typing the following command in the command prompt window:

          # set | grep -i db2

      If the db2profile file was sourced successfully, you will see a display similar to the following:

          CLASSPATH=/home/db2inst1...
          DB2DIR=/usr/lpp/db2_07_01
          DB2INSTANCE=db2inst1

2. Update the httpd.conf file to pick up the plugin-cfg.xml file from the Network Deployment Manager. To update the httpd.conf file, complete the following procedures:
   a. Back up the httpd.conf file. The httpd.conf file is located in the http_server/conf directory.
   b. Open the httpd.conf file in a text editor.
   c. Add the following lines to the end of the file:

          #WebSphere plugin settings
          LoadModule ibm_app_server_http_module <WAS_HOME>/bin/mod_ibm_app_server_http.so
          WebSpherePluginConfig <WAS_NDM_HOME>/config/cells/plugin-cfg.xml

   d. Save and close the file.
3. Uninstall and re-install the enrole.ear file on the WebSphere Administration Console. Refer to the WebSphere documentation for detailed information on using the WebSphere Administration Console.
4. Edit the server.xml file in the <WAS_HOME>/DeploymentManager/config/cells/<Network_Name>/nodes directory to correctly refer to the cluster names. The server.xml file may be corrupt and incorrectly refer to the cluster names. To correct this issue, complete the following procedures:
   a. Back up the server.xml file.
   b. Open the server.xml file in a text editor.
   c. Find the line that begins with xmi:id="Server_1" in the process:server tag. For example:

          xmi:id="Server_1" name="server1" clusterName="MyCluster"

   d. Modify the clusterName value to match the name of your cluster. If clusterName is not an existing attribute, add the clusterName attribute and its corresponding value to the end of the line.
   e. Save and close the file.
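The clusterName edit in step 4 above, as an added example rather than anything from the IBM guide: a POSIX shell/awk function that rewrites the clusterName attribute of the process:server line with a given xmi:id (replacing it when present, appending it when absent), and a second function that reads the value back so the change can be checked before the file is saved. The server.xml fragment and the cluster name ProdCluster are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the IBM guide): applies step 4.d of the procedure
# above to a server.xml line with awk instead of a text editor, so the edit
# can be reviewed and repeated per node. The fragment below is constructed in
# the shape the guide quotes, not a real WebSphere server.xml.
SAMPLE_SERVER_XML='<process:server xmi:id="Server_1" name="server1" clusterName="MyCluster">
<process:server xmi:id="Server_2" name="server2">'

# fix_cluster_name <xml-text> <server-id> <cluster>
# Rewrites only the process:server line whose xmi:id is <server-id>:
# an existing clusterName attribute is replaced, a missing one is appended
# to the end of the tag (self-closing tags are handled too).
# Every other line passes through unchanged.
fix_cluster_name() {
    printf '%s\n' "$1" | awk -v id="$2" -v cluster="$3" '
        index($0, "xmi:id=\"" id "\"") == 0 { print; next }
        /clusterName="[^"]*"/ {
            sub(/clusterName="[^"]*"/, "clusterName=\"" cluster "\"")
            print; next
        }
        /\/>$/ { sub(/\/>$/, " clusterName=\"" cluster "\"/>"); print; next }
        { sub(/>$/, " clusterName=\"" cluster "\">"); print }'
}

# cluster_name_of <xml-text> <server-id>
# Prints the clusterName value of the matching line, or nothing when the
# attribute is absent. Used here to verify the edit before the file is saved.
cluster_name_of() {
    printf '%s\n' "$1" | awk -v id="$2" '
        index($0, "xmi:id=\"" id "\"") && match($0, /clusterName="[^"]*"/) {
            print substr($0, RSTART + 13, RLENGTH - 14); exit
        }'
}

# Stand-alone run: point Server_1 at the real cluster and show the result.
fixed="$(fix_cluster_name "$SAMPLE_SERVER_XML" Server_1 ProdCluster)"
printf '%s\n' "$fixed"
echo "Server_1 now in cluster: $(cluster_name_of "$fixed" Server_1)"
```

On a real node, feed the function the contents of the backed-up server.xml and write its output to a new file; diff the two before replacing the original.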
Problem: Datasource Connection Error

Configuration: Tivoli Identity Manager using WebSphere Application Server

After installing Tivoli Identity Manager, it is recommended that you test the JDBC driver connections using the WebSphere Administration Console. While checking the datasource connections, if the connection fails, you will see the following error if the variables.xml file is missing:

    java.io.FileNotFoundException:<WebSphere_Home>/config/cells/ITIMMIX45CELL/nodes/
    <serverName>/servers/<serverName>/variables.xml

If you encounter this error, you will need to create a variables.xml file for the node that returns the error. Complete the following procedures to create this file:

1. Log on to the WebSphere Application Server Network Deployment Manager and open the admin console, if it is not already open.
2. Go to the Environment -> Manage WebSphere Variables menu.
3. Select the node and server scope for the server with the connection problem.
4. Create a new dummy variable. Creating a dummy variable creates a variables.xml file for the selected server.
Logon Failures

You may not be able to log on to Tivoli Identity Manager for a variety of reasons. For example, you may be using a non-supported web browser. For a list of supported browsers, refer to the Tivoli Identity Manager Release Notes. A number of other processes may also impact your access to Tivoli Identity Manager.

The following is a list of commonly encountered problems that can cause logging on to Tivoli Identity Manager to fail:

• “Problem: Required Processes Are Not Running” on page 8
• “Problem: Initial Logon and Change Password Fails” on page 10
Problem: Required Processes Are Not Running

To determine if the required WebSphere-related processes are running, check the following:

• “Is the HTTP server running?” on page 8
• “Is WebSphere Application Server (server1) Running?” on page 8
• “Is WebSphere Embedded Messaging Support Running?” on page 8
• “Is the Directory Server Running?” on page 9
Is the HTTP server running?

Is the HTTP server running? Type the following:

    # ps -ef | grep httpd

You should observe that approximately a half dozen HTTP processes are running. To start the HTTP server, type the following:

• AIX:     /usr/IBMHttpServer/bin/apachectl start
• Solaris: /opt/IBMHttpServer/bin/apachectl start
Is WebSphere Application Server (server1) Running?

Is the server1 WebSphere Application Server running? Type the following:

    <WAS_INSTALLDIR>/serverStatus.sh -all

You should observe a server1 java process running. If not found, start the process by typing:

    <WAS_INSTALLDIR>/bin/startServer.sh server1

Additionally, examine the <WAS_INSTALLDIR>/logs/server1 and <WAS_INSTALLDIR>/logs/itim.log files for entries that indicate the startup status of server1.
Is WebSphere Embedded Messaging Support Running?

WebSphere embedded messaging support must be running. The following WebSphere MQ commands are useful to determine problems with the WebSphere embedded messaging support used in cluster configurations. For additional information, refer to the WebSphere MQ administration information provided by the WebSphere Application Server.

dspmq
    Displays the queue manager for WebSphere Application Server. For example:

        QMNAME(WAS_hostname_server1)    STATUS(Running)

runmqsc qmgrname
    Starts the IBM MQSeries script tool. Within this environment, you can issue subcommands such as DISPLAY QMGR. Use DISPLAY QUEUE(*) for queue details. Use CURDEPTH to display the number of messages in the queue. Compare the value of CURDEPTH and MAXDEPTH to determine if the queue is full, which indicates the messages in the queue are not being processed.
Is the Directory Server Running?

This section describes how to determine whether or not the installed directory server for Tivoli Identity Manager is running.

• “IBM Directory Server (WebSphere only)”
• “Sun ONE Directory Server”

IBM Directory Server (WebSphere only)

Determine if an IBM Directory Server process is running by typing the following on the computer on which the directory server is installed:

    # ps -ef | grep slapd

If IBM Directory Server is running, a process ID (PID) number is returned. If a PID number is not returned, start the process by typing:

• AIX:     /usr/bin/slapd
• Solaris: /opt/bin/slapd

where slapd is one of the following:

• IBM Directory Server version 4.1: slapd
• IBM Directory Server version 5.1: ibmslapd

Type the following again:

    ps -ef | grep slapd

You should observe a process ID for IBM Directory Server.
Sun ONE Directory Server

Starting and Stopping the Server From the Command Line (Unix):

If your directory server is stopped and the Directory Server console is not running, you must start the server from the command line. If you do not wish to use the Directory Server console, you may also stop the server from the command line. With root privileges, run one of the following commands:

Solaris Packages:
    # /usr/sbin/directoryserver start
    # /usr/sbin/directoryserver stop

Other installations:
    # <serverRoot>/slapd-<serverID>/start-slapd
    # <serverRoot>/slapd-<serverID>/stop-slapd

where serverID is the identifier you specified for the server during installation.

On UNIX, both of these scripts must run with the same UID and GID as the Directory Server. For example, if the Directory Server runs as nobody, you must run the start-slapd and stop-slapd utilities as nobody. Note that referral mode is no longer available.

Starting and Stopping the Server From the Control Panel (Windows):
If you are using a Windows system, perform the following steps from the Services Control Panel:

1. From the desktop, select: Start > Settings > Control Panel
2. Double-click the Services icon.
3. Scroll through the list of services and select the Sun ONE Directory Server. The service name is ″Sun ONE Directory Server 5.2 (serverID)″, where serverID is the identifier you specified during server installation or configuration.
4. Click the Start or Stop button to perform the desired action. When stopping the Directory Server, you will be asked to confirm that you want to stop the service.
Starting and Stopping the Server From the Console (All Platforms):

When the Directory Server console is running, you may start, stop, and restart your directory server through its graphical interface. On the top-level Tasks tab of the Directory Server console, click the button beside Start Directory Server, Stop Directory Server, or Restart Directory Server, as appropriate.

When you successfully start or stop your Directory Server from the Directory Server console, the console displays a message dialog stating that the server has been either started or shut down. In case of an error, the console will show all messages pertaining to the error.
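The checks in “Is the HTTP server running?”, “Is WebSphere Application Server (server1) Running?”, “Is WebSphere Embedded Messaging Support Running?” and “Is the Directory Server Running?” above, collected into one added example that is not part of the IBM guide: a POSIX shell function that reports which required daemons are absent from a ps listing, and an awk parser that flags queues whose CURDEPTH has reached MAXDEPTH in a runmqsc report. The ps listing, the queue report and the queue name WQ_itim_other are constructed samples.

```shell
#!/bin/sh
# Added example (not from the IBM guide): offline checks for the two
# "Required Processes Are Not Running" questions that have textual output
# on this page, a ps listing and a runmqsc DISPLAY QUEUE report. Both
# inputs below are constructed samples in the shape the guide quotes.

# Constructed ps -ef listing: httpd workers, ibmslapd (IBM Directory
# Server 5.1) and the WebSphere server1 java process are all present.
SAMPLE_PS_OK='    root  1234     1  0 09:00 ?  00:00:01 /usr/IBMHttpServer/bin/httpd
  nobody  1240  1234  0 09:00 ?  00:00:00 /usr/IBMHttpServer/bin/httpd
    ldap  1302     1  0 09:01 ?  00:00:03 /usr/bin/ibmslapd
    itim  1410     1  0 09:02 ?  00:01:12 /opt/WebSphere/AppServer/java/bin/java -Xmx512m com.ibm.ws.runtime.WsServer cell1 node1 server1'

# Same host after the directory server and server1 have died.
SAMPLE_PS_BROKEN='    root  1234     1  0 09:00 ?  00:00:01 /usr/IBMHttpServer/bin/httpd
  nobody  1240  1234  0 09:00 ?  00:00:00 /usr/IBMHttpServer/bin/httpd'

# Constructed runmqsc "DISPLAY QUEUE(*) CURDEPTH MAXDEPTH" report. WQ_itim_wf is
# the queue named in the guide's error message; WQ_itim_other is made up here.
SAMPLE_MQ='AMQ8409: Display Queue details.
   QUEUE(WQ_itim_wf)                       TYPE(QLOCAL)
   CURDEPTH(5000)                          MAXDEPTH(5000)
AMQ8409: Display Queue details.
   QUEUE(WQ_itim_other)                    TYPE(QLOCAL)
   CURDEPTH(3)                             MAXDEPTH(5000)'

# missing_processes <ps-listing>
# Prints, space separated, the required daemons the guide checks for that
# do not appear in the listing: the HTTP server, the server1 WebSphere
# JVM, and the directory server (slapd for IDS 4.1, ibmslapd for IDS 5.1).
# Matching against captured text avoids the classic "ps | grep" pitfall
# where grep matches its own command line.
missing_processes() {
    listing="$1"
    missing=""
    for spec in 'httpd:httpd' 'server1:java.*server1' 'slapd:(ibm)?slapd'; do
        name="${spec%%:*}"
        pattern="${spec#*:}"
        if ! printf '%s\n' "$listing" | grep -Eq "$pattern"; then
            missing="$missing$name "
        fi
    done
    printf '%s\n' "${missing% }"
}

# full_queues <runmqsc-report>
# Prints each queue whose CURDEPTH has reached MAXDEPTH, the condition the
# guide says means messages are no longer being consumed. Attributes of one
# queue may span several lines, so values are accumulated until the next
# QUEUE(...) entry or end of input.
full_queues() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (q != "" && cur != "" && max != "" && cur + 0 >= max + 0) print q
            q = ""; cur = ""; max = ""
        }
        match($0, /QUEUE\([^)]*\)/)     { flush(); q = substr($0, RSTART + 6, RLENGTH - 7) }
        match($0, /CURDEPTH\([0-9]+\)/) { cur = substr($0, RSTART + 9, RLENGTH - 10) }
        match($0, /MAXDEPTH\([0-9]+\)/) { max = substr($0, RSTART + 9, RLENGTH - 10) }
        END { flush() }'
}

# Stand-alone run: report what a healthy and a broken host look like.
echo "missing on healthy host: [$(missing_processes "$SAMPLE_PS_OK")]"
echo "missing on broken host:  [$(missing_processes "$SAMPLE_PS_BROKEN")]"
echo "full queues:             [$(full_queues "$SAMPLE_MQ")]"
```

On a live node, pass "$(ps -ef)" and the saved output of runmqsc to the two functions; a non-empty result from either is the cue to follow the start or queue-repair steps in this section.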
Problem: Initial Logon and Change Password Fails

Configuration: Tivoli Identity Manager with WebSphere Application Server base in a functional cluster

In some cases, you can log on to Tivoli Identity Manager and the system appears to work correctly. However, when you attempt to change the password, you receive a CORBA Exception on the screen. In addition, when you check the logs on the various nodes in the cluster, there are numerous IBM MQSeries errors. The first error listed is:

    <FATAL:com.ibm.itim.messaging.MessageManagerListener>JMSException on queue
    queue:///WQ_itim_wf?persistence=2
    javax.jms.InvalidDestinationException: MQJMS2008: failed to open MQ queue ...

Note: Not all nodes in the cluster will have this error. You must identify the node or nodes that have this error listed in the log files.

If you encounter this problem, complete the following procedures on the node with the error message to verify that the Tivoli Identity Manager queues are installed in IBM MQSeries properly:

1. Log on to the IBM MQSeries queue manager.
2. Execute the following command:

       dspmq

   This command should be run from a command line prompt and displays the status of the jmsserver queue manager. The status for the queue manager should be ″Running″.

   Note: Make note of the jmsserver queue manager name. Typically, the name is in the following format: WAS_<nodename>jmsserver.
3.
Execute
the
following
command:
runmqsc
<queue_manager>
<queue_manager>
should
match
the
name
of
the
jmsserver
queue
manager
found
in
the
previous
procedures.
This
command
starts
the
queue
manager’s
command
line
processor.
4.
Execute
the
following
command:
display
ql(*)
This
command
displays
all
of
the
local
queues
created
on
the
queue
manager.
If
the
Tivoli
Identity
Manager
queues
are
missing,
there
is
a
problem
with
the
setup.
Continue
with
the
following
procedures
if
the
Tivoli
Identity
Manager
queues
are
not
listed.
5.
Log
on
to
the
WebSphere
Application
Server
Network
Deployment
Manager
and
open
the
admin
console.
6.
Click
Resources
->WebSphere
JMS
Provider
in
the
admin
console.
7.
Select
the
node
and
server
scope
and
click
Apply.
8.
Click
WebSphere
Queue
Connection
Factories.
9.
Delete
the
queue
connection
factory
named
″ITIM
Queue
Connection
Factory″
and
save
the
configuration.
10.
Select
″Synchronize
with
nodes″.
11.
Click
WebSphere
Queue
Destinations
under
the
WebSphere
JMS
Provider
node.
12.
Delete
all
of
the
Tivoli
Identity
Manager
queue
destinations
and
save
the
configuration.
13.
Click
Servers->JMS
Servers.
14.
Click
JMS
Server
for
the
node
that
has
the
problem
and
delete
the
queue
names
defined
on
that
JMS
Server.
15.
Save
the
configuration.
16.
Log
on
to
the
Tivoli
Identity
Manager
node
with
the
problem.
17.
Run
the
system
configuration
tool
with
the
install
option
by
executing
the
following
command
in
a
command
line
window:
runConfig
install
The
system
configuration
tool
opens.
18.
Verify
that
the
information
on
all
tabs
is
correct.
The
values
listed
should
match
the
values
initially
input
during
the
installation
process.
19.
Save
the
configuration
by
clicking
OK.
20.
Restart
the
Tivoli
Identity
Manager
Server.
If
you
have
additional
questions
regarding
this
problem,
please
contact
IBM
Customer
Support.
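An added example for steps 2 through 4, not part of the IBM guide: a shell script that checks saved dspmq and display ql(*) output for a running jmsserver queue manager and for the Tivoli Identity Manager local queues. The four queue names are the ones the guide's later clear-queue procedure lists; the command output layout and the node name in the samples are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM guide): verify the jmsserver queue manager
# and the Tivoli Identity Manager local queues from saved command output.
# The dspmq and "display ql(*)" layouts below are constructed samples in the
# usual MQ format; confirm them against your own MQ version.

# Queue names assumed here are the four the guide lists in its
# "clear qlocal" procedure.
ITIM_QUEUES="WQ_itim_ms WQ_itim_rs WQ_itim_wf WQ_itim_wf_pending"

# Constructed dspmq output: one jmsserver queue manager and one other.
DSPMQ_SAMPLE='QMNAME(WAS_node1_jmsserver)                       STATUS(Running)
QMNAME(QM_ENROLE)                                  STATUS(Ended normally)'

# Constructed runmqsc "display ql(*)" output with WQ_itim_wf_pending missing.
DISPLAY_QL_SAMPLE='AMQ8409: Display Queue details.
   QUEUE(SYSTEM.DEFAULT.LOCAL.QUEUE)        TYPE(QLOCAL)
AMQ8409: Display Queue details.
   QUEUE(WQ_itim_ms)                        TYPE(QLOCAL)
AMQ8409: Display Queue details.
   QUEUE(WQ_itim_rs)                        TYPE(QLOCAL)
AMQ8409: Display Queue details.
   QUEUE(WQ_itim_wf)                        TYPE(QLOCAL)'

# Print "<name> <status>" for each queue manager whose name contains
# "jmsserver" in the given dspmq output, one per line.
jmsserver_qmgrs() {
    printf '%s\n' "$1" | awk '
        match($0, /QMNAME\([^)]*\)/) {
            name = substr($0, RSTART + 7, RLENGTH - 8)
            status = ""
            if (match($0, /STATUS\([^)]*\)/))
                status = substr($0, RSTART + 7, RLENGTH - 8)
            if (index(name, "jmsserver") > 0) print name, status
        }'
}

# Succeed only when the first jmsserver queue manager reports STATUS(Running).
jmsserver_running() {
    jmsserver_qmgrs "$1" | head -n 1 | grep -q ' Running$'
}

# Print each ITIM queue that has no QUEUE(...) entry in the saved
# "display ql(*)" output; prints nothing when all four are present.
missing_itim_queues() {
    for q in $ITIM_QUEUES; do
        printf '%s\n' "$1" | grep -q "QUEUE($q)" || printf '%s\n' "$q"
    done
}

# Stand-alone run against the constructed samples.
if jmsserver_running "$DSPMQ_SAMPLE"; then
    echo "jmsserver queue manager is running"
else
    echo "jmsserver queue manager is not running; check dspmq"
fi
missing_itim_queues "$DISPLAY_QL_SAMPLE" | sed 's/^/missing ITIM queue: /'
```

On a real node, capture the output with `dspmq` and `echo "display ql(*)" | runmqsc <queue_manager>` and pass the captured text to the two check functions.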
Web Browser Problems

This section describes commonly encountered web browser problems. The following is a list of common web browser problems:

• "Problem: Web Browser Cannot See Any Web Pages" on page 12
• "Problem: Error - Current workflow design is used by others" on page 12
• "Problem: WebSphere Application Server does not bring up Tivoli Identity Manager Server" on page 12

Problem: Web Browser Cannot See Any Web Pages

If the web browser cannot see any of the Tivoli Identity Manager Server web pages, check the access log. All the requests made to the WebSphere® Application Server are logged in the access log. If the request is not listed in the access log, check the port number used to log into the WebSphere Application Server. If the port number is correct, there may be a problem with the network address translation.

Problem: Error - Current workflow design is used by others

If the following error appears when trying to access a workflow and no other users are modifying the workflow, the Jar Cache may still have a copy of the workflow.

Current workflow design is used by others. Please try again later

Clear the Jar Cache by going into the Java Plugin Control panel, selecting the cache tab and clicking Clear Jar Cache. Close the browser window and open a new window. Use the new window to access the Tivoli Identity Manager system and modify the workflow, as desired.

Problem: WebSphere Application Server does not bring up Tivoli Identity Manager Server

If WebSphere Application Server does not bring up the Tivoli Identity Manager Server, increase the value of the enrole.startup.delay variable in the enrole.startup.properties file located in <install_directory>/data. The default setting is 15000 milliseconds.

Internal Server Errors

This section describes commonly encountered internal server problems. The following is a list of commonly encountered internal server problems:

• "Problem: Internal Server Error Message" on page 13
• "Problem: All Requests are Locked in Running State" on page 13

Problem: Internal Server Error Message

If you encounter an internal server error, check the server log and the WebSphere Application Server console. Verify that the servlets and Enterprise Java Beans have deployed using the WebSphere Application Server console. The WebSphere Application Server console can be used to check the status of the Enterprise Java Beans deployment, database connection pool, and message queues. The WebSphere Application Server console can also be used to check additional configuration properties and queues. Access the WebSphere Application Server console at the following address:

http://<IPAddress>:9090/admin

Problem: All Requests are Locked in Running State

If all requests in the system seem to be stuck in the running state, the connection between the Tivoli Identity Manager Server and the LDAP Directory Server may have been lost or become corrupt. Check the server logs and look for any errors. In particular, look for the SERVER_NOT_AVAILABLE error. Restart the LDAP Directory Server and then the Tivoli Identity Manager Server.

WebLogic-specific Problems

This section describes commonly encountered problems related to WebLogic. The following is a list of these problems:

• "Problem: WebLogic fails to start; no information in server log" on page 14
• "Problem: Tivoli Identity Manager Windows 2000 Service Fails to Start" on page 14

Problem: WebLogic fails to start; no information in server log

The information may have been sent to the console. Perform the following steps to display the output to the console:

UNIX:

1. Locate the startup script: <ITIM_HOME>/itim.sh
2. There are two lines in itim.sh that contain nohup and > /dev/null &. Edit the first line to remove these commands if your installation is a single server. Edit the second line to remove these commands if your installation is a cluster.
3. Start the server again:
   # sh itim.sh start

Windows 2000:

1. Stop the Tivoli Identity Manager service.
2. Start the server interactively: <ITIM_HOME>/bin/itim.cmd

Problem: Tivoli Identity Manager Windows 2000 Service Fails to Start

If the Tivoli Identity Manager Windows 2000 service fails to start or does not start properly, try to uninstall and reinstall the service:

1. Uninstall the service: <ITIM_HOME>/bin/uninstallItimService.cmd
2. Reinstall the service: <ITIM_HOME>/bin/installItimService.cmd

Data Input Problems

Data input problems typically occur when users define custom data structures in the directory structure or when users recently installed new Tivoli Identity Manager Agents. If you cannot input data for a custom class, check the Tivoli Identity Manager server log and the directory log. LDAP messages such as object error 32 are typical and indicate missing data for required fields or schema problems.

Remote Communication Problems

This section describes commonly encountered remote communication problems. The following is a list of these problems:

• "Problem: Tivoli Identity Manager Server Cannot Connect to IBM DB2" on page 16
• "Problem: Cannot Communicate with an Agent" on page 17
• "Problem: Agent Cannot Communicate with the Tivoli Identity Manager Server" on page 17
• "Problem: Missing CA Certificate" on page 17

Problem: Tivoli Identity Manager Server Cannot Connect to IBM DB2

Configuration: Tivoli Identity Manager with WebSphere Application Server base with IBM DB2 on AIX

While running various processes and requests in Tivoli Identity Manager, it is possible that Tivoli Identity Manager will not be able to connect with IBM DB2. This problem occurs when IBM DB2 runs out of shared memory segments available for connections. By default, AIX does not permit 32-bit applications to attach more than 11 shared memory segments per process, of which a maximum of 10 memory segments can be used for local IBM DB2 connections. If this problem occurs, the following error is seen in the Tivoli Identity Manager log file:

[IBM][CLI Driver]SQL1224N A database agent could not be started to service a request, or was terminated as a result of a database system shutdown or a force command. SQLSTATE=55032

To resolve this issue, the environment variable EXTSHM should be set to ON to increase the number of shared memory segments to which a single process can be attached. After EXTSHM is set to ON, it must be exported in the shell where the client application is started and the db2start is run. The following procedures describe how to set the EXTSHM environment variable.

On the AIX system with the client application installed, type the following command in a command prompt window:

# export EXTSHM=ON

On the AIX system where the IBM DB2 Server is installed, type the following commands:

# export EXTSHM=ON
# db2set DB2ENVLIST=EXTSHM
# db2set -all

Add the following lines to the db2profile file on the system where the IBM DB2 Server is installed and source the file:

EXTSHM=ON
export EXTSHM

The db2profile file is located in <db2instance_dir>/sqllib/db2profile. If you have IBM DB2 in a clustered configuration, db2profile must be modified on each member of the cluster.

Problem: Cannot Communicate with an Agent

If you encounter communication problems between the Tivoli Identity Manager Server and a Tivoli Identity Manager Agent, verify that the Tivoli Identity Manager Server has the correct agent information by navigating to the agent's detailed information page under Service Management and clicking the Test button. A message is displayed indicating successful communication with the agent or failed communication with an explanation of the failure. Common problems are a mistyped CA Certificate Store, incorrect user IDs or passwords, or incorrect URLs.

Problem: Agent Cannot Communicate with the Tivoli Identity Manager Server

This problem is only encountered during asynchronous notification and asynchronous response. If a Tivoli Identity Manager Agent cannot communicate with the Tivoli Identity Manager Server, check the access log.

Error Message | Possible Causes
404 response containing notification | Agent is connecting to server but looking for an incorrect URL.
500 response (internal server error) | Agent is using an incorrect URL that does not connect to server or is connecting to the server using the wrong port.
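An added example, not part of the IBM guide, of the access log check the table above describes: an awk-based scan that groups 404 and 500 responses by client address and request path and labels each group with the cause from the table. The log lines are constructed in NCSA common log format, and the /enrole/ paths and client addresses are assumptions made for the sample.

```shell
#!/bin/sh
# Added example (not from the IBM guide): find agent-to-server failures in a
# web server access log. Lines are in NCSA common log format; every line,
# address and path below is constructed for the sample, and the
# /enrole/notification path is an assumption rather than a documented URL.

ACCESS_LOG="$(mktemp)"
trap 'rm -f "$ACCESS_LOG"' EXIT
cat > "$ACCESS_LOG" <<'EOF'
10.1.2.3 - - [09/Sep/2003:10:15:01 -0400] "POST /enrole/notification HTTP/1.1" 200 512
10.1.2.3 - - [09/Sep/2003:10:15:07 -0400] "POST /enrole/Notification HTTP/1.1" 404 321
10.1.2.4 - - [09/Sep/2003:10:16:20 -0400] "POST /enrole/notification HTTP/1.1" 500 0
10.1.2.5 - - [09/Sep/2003:10:17:45 -0400] "GET /enrole/logon.jsp HTTP/1.1" 200 4096
10.1.2.3 - - [09/Sep/2003:10:18:02 -0400] "POST /enrole/Notification HTTP/1.1" 404 321
EOF

# Print one line per (client, status, path) seen with a 404 or 500 status:
# "<count> <client> <status> <path> <likely cause>". In common log format
# the client is field 1, the request path field 7 and the status field 9.
# The cause text follows the table in the guide.
agent_comm_failures() {
    awk '
        {
            client = $1; path = $7; status = $9
            if (status == "404")
                cause = "agent reaches the server but uses an incorrect URL"
            else if (status == "500")
                cause = "incorrect URL that does not reach the server, or wrong port"
            else
                next
            key = client " " status " " path
            count[key]++
            why[key] = cause
        }
        END {
            for (k in count) print count[k], k, why[k]
        }' "$1" | sort
}

# Number of distinct client addresses that produced a 404 or 500 response.
failing_agent_count() {
    agent_comm_failures "$1" | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# Stand-alone run against the constructed log.
agent_comm_failures "$ACCESS_LOG"
echo "clients with failed notifications: $(failing_agent_count "$ACCESS_LOG")"
```

Point the functions at the real access log of the web server in front of WebSphere Application Server; a client that never appears at all is the wrong-port case the table mentions, which this scan cannot see.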
Problem: Missing CA Certificate

If the CA certificate store path is incorrectly specified on a service form, the following error will occur when testing the connection to a service:

Communications error: no valid CA certificates found in /.../.../...

Correct the path in the service's form. The CA certificate store path is typically <ITIM_HOME>/cert.

Problems

This section describes commonly encountered problems. The following is a list of these types of problems:

• "Problem: Cannot Send to Users" on page 18
• "Problem: Cannot Send to External Addresses" on page 18
• "Problem: UnsatisfiedLinkError Exception when Server-agent Communication is Tested" on page 18

Problem: Cannot Send to Users

If you encounter problems sending from the Tivoli Identity Manager Server to a user, check the server properties. Refer to the Tivoli Identity Manager Server Configuration Guide for more information about server properties.

• Verify that the mailing protocol and host are correct. SMTP is the most commonly used protocol.
• Check the server log for related messages.
• Check the host using nslookup:
  % nslookup
  > set type=MX
  > domain-name
  where domain-name is the Internet domain name of your organization's addresses. This command lists the server for the domain name that you typed.

Problem: Cannot Send to External Addresses

In some cases, you may be able to send to internal addresses but not to external Internet addresses. This problem may be caused by the relay permission on your server. Your server must be set up to allow relaying from the machine that runs the Tivoli Identity Manager Server.

Problem: UnsatisfiedLinkError Exception when Server-agent Communication is Tested

It is possible in a WebSphere environment to get an UnsatisfiedLinkError exception when you test (by clicking the Test button on the Service form) the server-agent communication for an FTP protocol based agent, such as RACF. The problem is caused by not adding the Tivoli Identity Manager native library files to the library path of the server. Refer to the Release Note for details.

Miscellaneous Problems

This section describes various problems that may be encountered when administering the Tivoli Identity Manager Server. The following is a list of these problems:

• "Problem: New Attributes Do Not Display on Form" on page 19
• "Problem: Tivoli Identity Manager Accounts are Suspended or De-Provisioned" on page 19
• "Problem: Cannot Delete an OU" on page 19
• "Problem: Things are Stuck in Workflow" on page 20
• "Problem: Workflow Designer Classes Not Loading Correctly" on page 20
• "Problem: Adding an Account Fails with a NullPointerException" on page 20
• "Problem: NotLockedException thrown" on page 21
• "Problem: Uncommitted Messages Count Error" on page 21

Problem: New Attributes Do Not Display on Form

If new attributes are added to a form and the attributes are not displayed on the form, these attributes may be listed in the enRoleHiddenAttributes.properties file. Attributes listed in this file are not displayed on the forms. To display these attributes on the form, the lines for these attributes must be commented out in the enRoleHiddenAttributes.properties file. This file is located in the following directory:

<ITIM_HOME>/data

If the attributes are not marked as hidden in the enRoleHiddenAttributes.properties file, the problem may be a cache issue. This is usually the case if a new attribute was just added to an objectclass. To solve this issue, re-start the server.

Problem: Tivoli Identity Manager Accounts are Suspended or De-Provisioned

If all Tivoli Identity Manager accounts are suspended or de-provisioned, including the system administrator account, the system administrator account can be restored through the directory server. All accounts, except the built-in System Administrator account, can be deprovisioned by incorrectly modifying a provisioning policy. To re-activate the system administrator account, access the directory server administration console and navigate through to the following location:

ou=SystemUsers,ou=Tivoli Identity Manager,o=<orgname>,dc=com

where orgname is the name of the parent organization. Modify the Tivoli Identity Manager manager account by changing the eraccountstatus value from 1 to 0. This restores the Tivoli Identity Manager manager account. Other accounts can now be restored using the Tivoli Identity Manager manager account.

Problem: Cannot Delete an OU

When deleting an OU (any unit within the organization), all dependent units must be deleted before the OU can be deleted. Sometimes, however, dependent units may still exist even though they do not appear in the organizational tree. If this occurs, an error message will appear in a pop-up window with the following message:

Dependent Unit(s) exists. Remove all dependent Unit(s) first, then Delete.

Check the Directory Server for possible dependencies to the selected OU by performing a search in the Directory Server. The search is performed on the following:

erparent=<oudn>

where oudn is the distinguished name (DN) of the OU. If any dependencies are found, remove the dependency and delete the OU using the Tivoli Identity Manager user interface.
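An added example, not part of the IBM guide, of the erparent dependency check above run offline against an LDIF export of the directory rather than a live search. The LDIF, its DNs and the recycle-bin entry (flagged through the erIsDeleted attribute that Chapter 2 documents) are constructed assumptions; the erglobalid RDNs follow the Chapter 2 description of erGlobalId.

```shell
#!/bin/sh
# Added example (not from the IBM guide): list entries whose erparent still
# points at an OU, using an LDIF export. Everything in the LDIF below is
# constructed; the DNs and the "in recycle bin" entry are assumptions that
# illustrate a dependent unit that no longer shows in the organization tree.

LDIF_FILE="$(mktemp)"
trap 'rm -f "$LDIF_FILE"' EXIT
cat > "$LDIF_FILE" <<'EOF'
dn: erglobalid=100,ou=orgChart,o=Example,dc=com
objectclass: organizationalUnit
objectclass: erOrgUnitItem
ou: Sales

dn: erglobalid=101,ou=orgChart,o=Example,dc=com
objectclass: organizationalUnit
objectclass: erOrgUnitItem
ou: Sales West
erparent: erglobalid=100,ou=orgChart,o=Example,dc=com

dn: erglobalid=200,ou=0,ou=people,o=Example,dc=com
objectclass: inetOrgPerson
objectclass: erPersonItem
cn: Alice Example
erParent: erglobalid=100,ou=orgChart,
 o=Example,dc=com
erisdeleted: true

dn: erglobalid=300,ou=0,ou=people,o=Example,dc=com
objectclass: inetOrgPerson
objectclass: erPersonItem
cn: Bob Example
erparent: erglobalid=999,ou=orgChart,o=Example,dc=com
EOF

# Print the DN of every entry whose erparent equals the given OU DN, with
# " (in recycle bin)" appended when erisdeleted is true. Attribute names and
# DNs are compared case-insensitively, and LDIF continuation lines (leading
# space) are folded back into the preceding value. Base64 values (::) are
# not decoded, so a DN stored that way would be missed.
ou_dependents() {
    awk -v want="$2" '
        # Report the buffered entry if its erparent matches, then reset it.
        function flush(   suffix) {
            if (dn != "" && tolower(parent) == tolower(want)) {
                suffix = (deleted == "true") ? " (in recycle bin)" : ""
                print dn suffix
            }
            dn = ""; parent = ""; deleted = ""
        }
        # Record one unfolded "name: value" line of the current entry.
        function handle(line,   name, value) {
            name = tolower(substr(line, 1, index(line, ":") - 1))
            value = line
            sub(/^[^:]*:[ ]*/, "", value)
            if (name == "dn") dn = value
            else if (name == "erparent") parent = value
            else if (name == "erisdeleted") deleted = tolower(value)
        }
        /^ /  { prev = prev substr($0, 2); next }
        /^$/  { if (prev != "") handle(prev); prev = ""; flush(); next }
        { if (prev != "") handle(prev); prev = $0 }
        END   { if (prev != "") handle(prev); flush() }
    ' "$1"
}

# Stand-alone run: dependents of the Sales OU in the constructed export.
ou_dependents "$LDIF_FILE" "erglobalid=100,ou=orgChart,o=Example,dc=com"
```

Export the real subtree with your directory server's LDIF export tool and pass that file with the OU's DN; an empty result means nothing still references the OU through erparent.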
Problem:
Things
are
Stuck
in
Workflow
In
a
cluster
environment,
if
things
are
stuck
in
workflow,
for
example,
marked
as
Not
Started
in
the
Pending
Requests,
the
reason
could
be
that
QM_ENROLE
queue
manager
was
not
running
before
Tivoli
Identity
Manager
was
started.
Start
QM_ENROLE
queue
manager
before
starting
the
Tivoli
Identity
Manager
Server
group
in
WebSphere
Application
Server.
Problem:
Workflow
Designer
Classes
Not
Loading
Correctly
If
you
encounter
errors
with
the
loading
of
Workflow
Designer
classes,
the
reason
could
be
that
the
WebSphere
Application
Server
fix
packs
were
not
installed
correctly.
WebSphere
Application
Server
fix
packs
should
be
loaded
only
after
the
http
server
service
is
stopped.
In
addition,
in
a
cluster
environment,
ensure
that
you
have
applied
the
fix
packs
to
the
WebSphere
Application
Server
Network
Deployment
system.
Problem:
Adding
an
Account
Fails
with
a
NullPointerException
Configuration:
Tivoli
Identity
Manager
with
WebSphere
Application
Server
base
cluster
using
IBM
DB2
If
a
request
to
add
an
account
to
a
user
fails
with
a
NullPointerException,
the
queues
in
IBM
MQSeries
may
need
to
be
cleared
and
the
database
tables
on
the
Network
Deployment
Manager
may
need
to
be
re-created
before
the
account
can
be
added.
First,
attempt
to
clear
the
queues
for
the
cluster
by
deleting
the
following
four
files
on
each
member
node
machine:
v
XAresource1
v
XAresource2
v
tranlog1
v
tranlog2
The
files
are
located
in
the
following
directory:
<WebSphere
Application
Server
Home
Directory>/tranlog/<Node_Name>
If
deleting
the
previously
stated
files
does
not
resolve
the
problem,
complete
the
following
procedures
to
completely
clear
the
queues
on
the
member
nodes.
1.
Stop
the
Tivoli
Identity
Manager
cluster.
This
can
be
accomplished
by
stopping
the
enrole
application
in
the
Network
Deployment
Manager
Admin
Console.
2.
Log
onto
one
of
the
member
nodes
and
determine
the
queue
names.
This
can
be
accomplished
by
using
the
dspmq
command
from
the
command
prompt
window.
20
IBM
Tivoli
Identity
Manager:
Server
Troubleshooting
Guide
3.
Issue
the
following
commands
for
each
queue
with
jmsserver
in
the
queue
name:
runmqsc
<queue_name>
clear
qlocal
('WQ_itim_ms')
runmqsc
<queue_name>
clear
qlocal
('WQ_itim_rs')
runmqsc
<queue_name>
clear
qlocal
('WQ_itim_wf')
runmqsc
<queue_name>
clear
qlocal
('WQ_itim_wf_pending')
4.
Repeat
the
previous
two
procedures
for
each
member
node.
5.
Restart
the
cluster
and
re-run
the
request.
If
clearing
the
queues
does
not
resolve
the
issue,
drop
the
IBM
DB2
tables
on
the
Network
Deployment
Manager
machine.
To
accomplish
this
task,
complete
the
following
procedures:
1.
Stop
the
Tivoli
Identity
Manager
cluster.
2.
Drop
the
database
tables
by
executing
the
database
configuration
tool
program.
Issue
the
following
command
on
the
Tivoli
Identity
Manager
Server
from
a
command
prompt
window:
UNIX-based
Tivoli
Identity
Manager
Server:
<ITIM_HOME>/bin/dbconfig
Windows-based
Tivoli
Identity
Manager
Server:
<ITIM_HOME>\bin\dbconfig
3.
Stop
and
start
the
IBM
DB2
Server.
This
clears
out
any
work
items.
4.
Restart
the
cluster
and
re-run
the
request.
Problem:
NotLockedException
thrown
Show
to
support
only
—
DevTrack
#
11773
A
NotLockedException
can
be
thrown
when
a
transaction
has
been
rolled
back
by
the
application
container.
A
rollback
can
be
intiated
by
database
access
failure.
In
some
cases,
this
is
triggered
by
the
database
running
out
of
tablespace.
This
situation
causes
afterCompletion()
to
be
invoked
and
unlock
entities
in
the
LockManager.
When
the
workflow
thread
proceeds
to
process
the
newly
unlocked
entities,
it
encounters
an
UnLockedException.
This
exception
causes
the
message
to
rollback,
thereby
maintaining
system
integrity
until
more
tablespace
can
be
added
to
the
database.
Workflow
has
a
retry
mechanism
to
reprocess
the
original
message,
ensuring
the
rollback
will
not
cause
any
data
integrity
issues.
Problem:
Uncommited
Messages
Count
Error
Show
to
support
only
—
DevTrack
#
11968
During
a
large
load
of
policy
change,
MQ
might
run
out
of
uncommited
messages
count
resulting
in
an
exception
being
thrown.
To
correct
this
problem,
the
MAXUMSGS
attribute
of
the
Queue
Manager
should
be
increased
to
a
value
that
will
support
the
load.
For
example,
a
policy
change
affecting
20,000
users
would
dicate
that
this
attribute
be
set
to
a
value
greater
than
20000.
The
attribute
can
be
changed
using
the
runmqsc
utility.
Problem:
No
Local
Copy
of
JVM
on
WebSphere
Application
Server
Network
Deployment
System
Show
to
support
only
—
DevTrack
#
11978
You
may
encounter
exceptions,
hang
on
executing
runConfig/dbConfig/ldapConfig,
or
hang
when
you
run
the
Tivoli
Identity
Manager
uninstall
program
if
you
have
a
Network
Deployment
Manager
system
that
does
not
have
a
local
copy
of
JVM
1.3
or
a
local
installation
of
WebSphere
Application
Server
base
resident
on
the
system.
This
situation
can
be
resolved
by
either
loading
a
copy
of
JVM
1.3
on
the
system,
or
by
updating
the
JVM
definition
for
the
following
LAX
files
in
order
to
run
the
corresponding
Tivoli
Identity
Manager
commands
successfully:
For
Windows:
Chapter
1.
Troubleshooting
21
v
<ITIM_HOME>\bin\runConfig.lax
v
<ITIM_HOME>\bin\dbConfig.lax
v
<ITIM_HOME>\bin\ldapConfig.lax
v
<ITIM_HOME>\itimUninstallerData\Uninstall
ITIM.lax
For
Unix:
v
<ITIM_HOME>/bin/runConfig.lax
v
<ITIM_HOME>/bin/dbConfig.lax
v
<ITIM_HOME>/bin/ldapConfig.lax
v
<ITIM_HOME>/itimUninstallerData/Uninstall_ITIM.lax
Within
these
files,
change
the
following
line:
For
Windows:
lax.nl.current.vm
=
\java\bin\javaw.exe
to
lax.nl.current.vm
=
<was_ndm_home>\java\bin\javaw.exe
For
Unix:
lax.nl.current.vm
=
/java/bin/java
to
lax.nl.current.vm
=
<was_ndm_home>/java/bin/java
22
IBM
Tivoli
Identity
Manager:
Server
Troubleshooting
Guide
Chapter
2.
Tivoli
Identity
Manager
LDAP
Schema
This
chapter
provides
descriptions
about
the
Tivoli
Identity
Manager
Directory
Information
Tree
and
the
classes
used
by
Tivoli
Identity
Manager
in
the
LDAP
directory.
Topic
index:
v
“Tivoli
Identity
Manager
LDAP
Directory
Tree”
on
page
24
v
“General
Tivoli
Identity
Manager
Classes”
on
page
27
v
“Service
Classes”
on
page
35
v
“Policy
Classes”
on
page
43
©
Copyright
IBM
Corp.
2003
23
Tivoli
Identity
Manager
LDAP
Directory
Tree
Tivoli
Identity
Manager
creates
its
own
directory
tree
to
store
information.
The
following
is
a
diagram
of
a
basic
Tivoli
Identity
Manager
directory
tree:
IBM Tivoli IdentityManager Root Node
ou=itim(application information)
ou=excludeAccountso=
(organization information)OrganizationName ou=itim
(service information)
ou=constraints
erdictionaryname=password
ou=orgChart
ou=workflow
ou=services
ou=peopleou=0
ou=n
ou=accounts
ou=0
ou=n
ou=policies
ou=sysRoles
ou=orphans
ou=roles
ou=systemUser
ou=formTemplates
ou=objectProfile
ou=recycleBin
ou=serviceProfile
cn=challenges
ou=joinDirectives
ou=CompanyName
ou=category
ou=operations
Figure
1.
Basic
directory
tree
24
IBM
Tivoli
Identity
Manager:
Server
Troubleshooting
Guide
The
following
table
includes
brief
descriptions
of
each
container.
Container
Description
Root
Node
Root
node
where
the
Tivoli
Identity
Manager
Server
is
installed.
ou=itim
This
container
stores
all
pertinent
information
for
the
Tivoli
Identity
Manager
application.
ou=constraints
This
container
stores
membership
restrictions
for
various
roles
and
services.
erdictionaryname=password
This
container
stores
invalid
password
entries
for
use
with
password
policies.
ou=CompanyName
Name
of
the
company.
This
container
is
the
parent
container
for
all
information
pertaining
to
the
company
within
the
Tivoli
Identity
Manager
system.
o=OrganizationName
Name
of
the
organization
as
it
appears
in
the
Organization
Tree.
ou=orgChart
This
container
stores
the
definition
of
the
organizations
and
organizational
units
within
Tivoli
Identity
Manager.
ou=workflow
This
container
stores
all
the
workflows
designed
for
use
within
the
Tivoli
Identity
Manager
system
for
the
company.
ou=services
This
container
stores
information
pertaining
to
the
services
installed
for
use
with
the
Tivoli
Identity
Manager
system.
ou=accounts
This
container
stores
all
accounts
in
the
Tivoli
Identity
Manager
system.
ou=policies
This
container
stores
all
the
defined
policies.
ou=sysRoles
This
container
stores
all
information
pertaining
to
the
Tivoli
Identity
Manager
Groups
defined
within
Tivoli
Identity
Manager.
ou=orphans
This
container
stores
all
orphan
accounts
retrieved
during
a
reconciliation.
ou=roles
This
container
stores
all
information
for
all
organizational
roles
defined
within
Tivoli
Identity
Manager.
ou=people
This
container
stores
all
information
about
Persons
within
Tivoli
Identity
Manager.
ou=itim
This
container
is
the
parent
container
for
system
specific
information.
ou=formTemplates
This
container
stores
information
about
the
various
forms
and
the
form
templates
used
within
the
system.
ou=objectProfile
This
container
stores
the
object
profiles
required
for
the
system
to
recognize
a
managed
resource
as
an
entity
(person,
organizational
unit,
location,
and
so
forth)
ou=recycleBin
This
container
stores
entities
deleted
from
the
system
using
the
graphical
user
interface.
Chapter
2.
Tivoli
Identity
Manager
LDAP
Schema
25
Container
Description
ou=serviceProfile
This
container
stores
the
service
profiles
required
for
the
system
to
recognize
a
managed
resource
as
a
service.
ou=systemUser
This
container
stores
information
about
system
users.
ou=joinDirectives
This
contain
stores
all
the
information
about
the
Provisioning
Policy
Join
Directives.
cn=challenges
This
container
stores
all
information
pertaining
to
the
Password
Challenge/Response
feature.
ou=operations
This
container
stores
information
on
workflow
operations
(such
as
add,
modify,
delete,
suspend,
and
transfer)
with
Tivoli
Identity
Manager.
ou=category
This
container
stores
life
cycle
management
operations
for
an
entity
type.
Only
Person
and
Account
are
supported.
Global
represents
the
system’s
operation.
26
IBM
Tivoli
Identity
Manager:
Server
Troubleshooting
Guide
General
Tivoli
Identity
Manager
Classes
The
Tivoli
Identity
Manager
system
uses
the
Directory
Server’s
default
schema
as
well
as
an
Tivoli
Identity
Manager
specific
schema.
The
Tivoli
Identity
Manager
specific
schema
consists
of
a
collection
of
auxiliary
classes
that
provide
the
interface
necessary
to
execute
the
Tivoli
Identity
Manager
system’s
business
logic.
These
auxiliary
classes
can
be
used
with
custom
defined
classes
to
complete
the
schema
used
by
the
Tivoli
Identity
Manager
system.
The
classes
listed
below
are
default
structural
classes.
An
additional
term
to
note
is:
domain
entry
An
entry
in
the
directory
that
corresponds
to
a
business
entity
managed
by
the
Tivoli
Identity
Manager
system.
erBPPersonItem
The
erBPPersonItem
class
is
an
auxiliary
class
that
identifies
attributes
for
a
business
partner
person.
This
is
a
domain
entry.
The
parent
class
is
top.
Attribute
name
Description
Type
address.
directory
string
cn
Common
Name
for
person.
directory
string
erPersonStatus
Status
of
person.
integer
erSponsor
DN
of
this
person’s
sponsor.
distinguished
name
erRoles
DN
of
roles
for
person.
distinguished
name
erAliases
Aliases
for
person.
directory
string
erSharedSecret
Value
used
by
the
user
for
password
pickup.
directory
string
erCustomDisplay
User
selected
attribute
to
display
in
BP
Person
list.
directory
string
erLocale
User’s
locale
preference.
Default
is
the
system’s
locale.
directory
string
erBPOrg
The
erBPOrg
class
is
a
structural
class
that
stores
business
partner
organization
information.
This
is
a
domain
entry.
The
parent
class
is
top.
Attribute
name
Description
Type
ou
Organizational
unit.
Required
directory
string
description
Description
of
the
business
partner
organization.
directory
string
erBPOrgItem
The
erBPOrgItem
class
is
an
auxiliary
class
that
stores
business
partner
(BP)
organization
information.
This
is
a
domain
entry.
The
parent
class
is
top.
Chapter
2.
Tivoli
Identity
Manager
LDAP
Schema
27
Attribute
name
Description
Type
ou
Organizational
unit
name.
directory
string
erBPOrgStatus
Status
of
the
BP
organization.
integer
erSponsor
DN
of
organizational
unit’s
supervisor.
distinguished
name
erDictionary
The
erDictionary
class
stores
words
that
are
not
allowed
to
be
used
as
passwords.
This
is
a
domain
entry.
The
parent
class
is
top.
Attribute
name
Description
Type
erDictionaryName
The
name
of
the
dictionary.
Required
directory
string
description
Description
of
the
dictionary.
directory
string
erDictionaryItem
The
erDictionaryItem
class
stores
an
individual
word
that
is
not
allowed
to
be
used
as
a
password.
These
classes
are
then
linked
together
with
the
erDictionary
class.
This
is
a
domain
entry.
The
parent
class
is
top.
Attribute
name
Description
Type
erWord
The
word
that
is
excluded
from
being
used
as
a
password.
Required
directory
string
description
Description
of
the
word
and
why
it
is
not
allowed
to
be
used
as
a
password.
directory
string
erFormTemplate
The
erFormTemplate
class
stores
form
template
information.
This
is
a
domain
entry.
The
parent
class
is
top.
Attribute
name
Description
Type
erFormName
The
name
of
the
form.
Required
directory
string
erCustomClass
Name
of
the
entity’s
class.
directory
string
erXML
The
actual
XML
code
for
the
form.
binary
erIdentityExclusion
The
erIdentityExclusion
class
stores
the
names
of
the
accounts
that
are
not
retrieved
during
a
reconciliation.
This
is
a
domain
entry.
The
parent
class
is
top.
Attribute
name
Description
Type
cn
Common
name.
Required
directory
string
28
IBM
Tivoli
Identity
Manager:
Server
Troubleshooting
Guide
Attribute
name
Description
Type
erObjectProfileName
Service
profile
name.
directory
string
erAccountID
Account
ID
to
exclude
from
the
reconciliation.
directory
string.
erLocationItem
The
erLocationItem
class
is
an
auxiliary
class
that
stores
attributes
of
a
location
within
the
system.
The
location
name
attibute
must
be
defined.
The
erLocationItem
class
is
a
domain
entry
and
includes
the
erManagedItem
class.
The
parent
class
is
top.
Attribute
name
Description
Type
l
Location
name.
Required
directory
string
erSupervisor
DN
of
location’s
supervisor.
distinguished
name
erManagedItem
The
erManagedItem
class
is
an
auxiliary
class
that
is
added
to
all
domain
entries
(organizations,
organizational
units,
people,
and
roles)
that
require
access
control.
The
erManagedItem
class
defines
a
unique
ID,
a
parent
entry
(if
present),
and
an
access
control
list.
The
parent
class
is
top.
Attribute
name
Description
Type
erGlobalId
Unique,
random
ID
assigned
to
all
entries
in
a
directory.
Used
as
the
regional
DN
for
each
entry.
numeric
string
erLastModifiedTime
Entry’s
removal
date
and
time
(GMT
format).
directory
string
erAcl
Access
Control
List.
binary
erAuthorizationOwner
Owner
of
Access
Control.
distinguished
name
erParent
Entry’s
organizational
unit
DN.
distinguished
name
erIsDeleted
True
if
in
recycle
bin.
directory
string
erOrganizationItem
The
erOrganizationItem
class
is
an
auxiliary
class
that
is
added
to
organizations.
The
erOrganizationItem
class
is
a
domain
entry
and
includes
the
erManagedItem
class.
It
defines
the
organization’s
name
and
status.
The
parent
class
is
top.
Attribute
name
Description
Type
o
Organization
name.
directory
string
erOrgStatus
Organization
status.
integer
Chapter
2.
Tivoli
Identity
Manager
LDAP
Schema
29
erOrgUnitItem

The erOrgUnitItem class is an auxiliary class that stores information about an organizational unit. It contains information on the ou name and, optionally, the supervisor (erSupervisor) for an organizational unit. The erOrgUnitItem is a domain entry. The parent class is top.

Attribute name | Description | Type
ou | Organizational unit. | directory string
erSupervisor | DN of organizational unit’s supervisor. | distinguished name
erPersonItem

The erPersonItem class is an auxiliary class that identifies attributes for a person. The erPersonItem is a domain entry. The parent class is top.

Attribute name | Description | Type
 | address. | directory string
cn | Common name for person. | directory string
erPersonStatus | Status of person. | integer
erRoles | DN of person’s roles. | distinguished name
erAliases | Aliases for person. | directory string
erSupervisor | DN of the person’s supervisor. | distinguished name
erSharedSecret | Value used by the user for password pickup. | directory string
erCustomDisplay | User selected attribute to display in Person lists. | directory string
erLocale | User’s locale preference. Default is the system’s locale. | directory string
erRole

The erRole class stores the name and description for an organizational role. However, it does not store membership information. Role membership is stored in erPersonItem.erRoles. This is a domain entry. The parent class is top.

Attribute name | Description | Type
erRoleName | Name of the organizational role. Required | directory string
description | Description of the role. | directory string
erSecurityDomainItem

The erSecurityDomainItem class is an auxiliary class for an admin domain. The parent class is top.

Attribute name | Description | Type
ou | Organizational unit. | directory string
erAdministrator | DN of the administrator of an Admin Domain. | distinguished name
30 IBM Tivoli Identity Manager: Server Troubleshooting Guide
SecurityDomain

The SecurityDomain class stores admin domain information. This is a domain entry. The parent class is top.

Attribute name | Description | Type
ou | Organizational unit. Required | directory string
description | Description of the admin domain. | directory string
erTenant

The erTenant class is a class that defines properties based on a tenant, such as the ou, if password edits are allowed, or if mailing of lost passwords is allowed. The parent class is top.

Attribute name | Description | Type
ou | Organization unit that contains this tenant. Required | directory string
erIsActive | Indicates if this tenant is active. Required | Boolean
description | Description of tenant. | directory string
erPswdEditAllowed | Indicates if passwords may be set (true) or generated (false). Required | Boolean
erLostPswdByMail | Indicates if passwords can be mailed to a user for this tenant. Required | Boolean
erBucketCount | Hash bucket number. Required | integer
erlastModifiedTime | Time the tenant was last modified (attributes). | generalized time
erPswdExpirationPeriod | Number of days after which the ITIM password expires. When the user tries to log in to the system after the password expires, the user is forced to change the password. If this value is set to 0, the password will never expire. | integer
erPswdTransactionExpPeriod | Number of hours after which the transaction to retrieve an account password expires. The password is typically retrieved using the URL link provided in an e-mail from the system. If this value is set to 0, the URL link will never expire. | integer
erLogonCount | Number of invalid login attempts the user can have before the user’s account is suspended. If this value is set to 0, the user can try to access the system as many times as the user likes and the system will not suspend the account. | integer
erResponseEnable | Attribute for enabling or disabling the Password Challenge/Response feature. If this attribute is set to TRUE, the user can use the Forgot Your Password link to enter the system by providing correct answers to the Password Challenge/Response questions. | Boolean
erResponseDescription | Message displayed on the login page if the user’s account is suspended after the user tries to log into the system too many times and fails to respond correctly to the Password Challenge/Response questions. | directory string
erResponseEmail | Message e-mailed to the administrator responsible for user accounts suspended when the user fails to access the system in the defined number of tries. | directory string
erChallengeMode | Password Challenge Response mode. There are three different modes available. PRE-DEFINED: If this mode is selected, the user must correctly answer all of the challenge questions pre-defined by the system administrator to access the system. USER-SELECTED: If this mode is selected, the user must correctly answer the challenge questions previously selected when configuring the challenge/response feature for the account. The challenge questions are selected from a pre-defined list. RANDOM-SELECTED: If this mode is selected, the user must correctly answer the challenge questions selected by the system. The challenge questions are selected from a pre-defined list. | directory string
erRequiredChallenges | Number of challenges the user must respond to correctly to access the system if the user forgot his password. | integer
erRandomChallenges | Number of challenges available for the system to select from when presenting Password Challenge/Response questions to users who forgot their passwords. | integer
erHashedEnabled | Not used. | Boolean
erRespLastChange | Timestamp of when the administrator last changed the Password Challenge/Response configuration. | generalized time
erChallengeDefMode | Definition mode for lost password challenge response. Possible values are Admin Defined (0) and User Defined (1). | integer
erPswdSyncAllowed | | Boolean
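The value semantics above (0 meaning "never" or "unlimited") are easy to misread when reviewing a tenant. The following Python is an added example, not code from the IBM guide: it flags erTenant settings that switch a control off and evaluates an erSystemUser entry (erNumLogonAttempt, erPswdLastChanged, see the erSystemUser table later in this chapter) against them. The function names, the sample entries and the RANDOM-SELECTED pool-size check (inferred from the erRandomChallenges and erRequiredChallenges descriptions) are this example's own assumptions.

```python
"""Added example (not from the IBM guide): evaluate erTenant lockout and
password-expiry settings against an erSystemUser entry, and flag tenant
values that disable those controls. Attribute names are from the erTenant
and erSystemUser tables; everything else here is an assumption."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP generalized time in the YYYYMMDDHHMMSSZ form (UTC only)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported generalized time: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def tenant_findings(tenant: Dict[str, str]) -> List[str]:
    """Flag erTenant values that turn a control off (0 = never/unlimited per
    the table above) or leave challenge/response unable to work."""
    findings: List[str] = []
    if int(tenant.get("erLogonCount", "0")) == 0:
        findings.append("erLogonCount=0: accounts are never suspended after failed logins")
    if int(tenant.get("erPswdExpirationPeriod", "0")) == 0:
        findings.append("erPswdExpirationPeriod=0: ITIM passwords never expire")
    if int(tenant.get("erPswdTransactionExpPeriod", "0")) == 0:
        findings.append("erPswdTransactionExpPeriod=0: password pickup URL never expires")
    if tenant.get("erResponseEnable", "FALSE").upper() == "TRUE":
        required = int(tenant.get("erRequiredChallenges", "0"))
        available = int(tenant.get("erRandomChallenges", "0"))
        if required < 1:
            findings.append("erRequiredChallenges<1 with erResponseEnable=TRUE: "
                            "Forgot Your Password needs no correct answer")
        # Inferred check (assumption): in RANDOM-SELECTED mode the system draws
        # erRequiredChallenges questions from a pool of erRandomChallenges, so a
        # pool smaller than the requirement can never be satisfied.
        if tenant.get("erChallengeMode") == "RANDOM-SELECTED" and available < required:
            findings.append("erRandomChallenges < erRequiredChallenges: "
                            "random challenge pool is smaller than the number required")
    return findings


def account_locked(tenant: Dict[str, str], user: Dict[str, str]) -> bool:
    """True when erNumLogonAttempt has reached the tenant's erLogonCount
    (a limit of 0 means unlimited attempts, so the account is never locked)."""
    limit = int(tenant.get("erLogonCount", "0"))
    attempts = int(user.get("erNumLogonAttempt", "0"))
    return limit > 0 and attempts >= limit


def password_expired(tenant: Dict[str, str], user: Dict[str, str],
                     now: Optional[str] = None) -> bool:
    """True when erPswdLastChanged is older than erPswdExpirationPeriod days
    (0 days means the password never expires). `now` is an optional
    generalized-time string; the current UTC time is used when omitted."""
    days = int(tenant.get("erPswdExpirationPeriod", "0"))
    if days == 0:
        return False
    last_changed = parse_generalized_time(user["erPswdLastChanged"])
    reference = parse_generalized_time(now) if now else datetime.now(timezone.utc)
    return reference - last_changed > timedelta(days=days)


# Constructed sample entries (not real ITIM data).
SAMPLE_TENANT = {
    "ou": "example-tenant",
    "erLogonCount": "3",
    "erPswdExpirationPeriod": "90",
    "erPswdTransactionExpPeriod": "0",
    "erResponseEnable": "TRUE",
    "erChallengeMode": "RANDOM-SELECTED",
    "erRequiredChallenges": "3",
    "erRandomChallenges": "2",
}
SAMPLE_USER = {
    "erUid": "itim.manager",
    "erNumLogonAttempt": "3",
    "erPswdLastChanged": "20030601120000Z",
}

if __name__ == "__main__":
    for finding in tenant_findings(SAMPLE_TENANT):
        print("tenant:", finding)
    print("locked:", account_locked(SAMPLE_TENANT, SAMPLE_USER))
    print("expired:", password_expired(SAMPLE_TENANT, SAMPLE_USER, "20030915000000Z"))
```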
erWorkflowDefinition

The erWorkflowDefinition class stores workflow information. This is a domain entry. The parent class is top.

Attribute name | Description | Type
erProcessName | The name of the workflow. Required | directory string
erObjectProfileName | Service profile name. | directory string
erXML | Definition of workflow. | binary
erCategory | Type of entity to manage, such as Person, BPPerson, or Account. | directory string
Service Classes

Services may be hosted or owned. A hosted service is a service that is shared by multiple organizations (such as in an ASP environment). An owned service is not shared. Each type of service has its own, different representation within the system.
erAccountItem

The erAccountItem class is an auxiliary class that defines required attributes for a user account. The parent class is top.

Attribute name | Description | Type
erUid | Account login ID. | directory string
owner | DN of the account owner. | distinguished name
erAccountStatus | Account status. | integer
erAccountCompliance | Compliancy of the account. Possible values are Uncheck account (0), Compliant account (1), Unauthorized account (2), Constraints violated account (3). | integer
erPassword | Account login password. | binary
erHistoricalPassword | Previous account login password. | binary
erService | DN of the account service. | distinguished name
erLastAccessDate | Last login date. | generalized time
erAttributeConstraint

The erAttributeConstraint class provides the Tivoli Identity Manager structure for an attribute constraint. The parent class is top.

Attribute name | Description | Type
erOid | Attribute’s Object Identification Number (Oid). Required | directory string
cn | Name of the constraint on the attribute. | directory string
erType | Attribute type. | directory string
erIsReadOnly | True if this is a read-only attribute. | Boolean
erDefaultValue | Attribute’s default values. | directory string
erCustomConstraint | Attribute’s definition constraints. | directory string
erChallenges

The erChallenges class provides the structure for questions of password challenge and response. The parent class is top.

Attribute name | Description | Type
cn | Name of challenge and response entry. Required | directory string
erLastModifiedTime | Last time the user’s challenge/response list was updated. | directory string
erLostPasswordQuestion | User’s password challenge question/response list. | binary
erDSMLInfoService

Attribute name | Description | Type
erServiceName | The display name for service instances. Required | directory string
erDSMLFileName | The name of a DSML file stored on disk. | directory string
erUseWorkflow | A Boolean flag used on a DSMLInfoService to indicate that people should be processed using the workflow engine. | Boolean
erUid | An identifier used to uniquely identify a user of a service. | directory string
erPassword | A password used to authenticate a user. | binary
erPlacementRule | A script fragment defining the location of the user within the organization chart. | binary
erproperties | Defines protocol and behavior properties for service profiles. | directory string
erprotocolmappings | Specifies the service attributes that should be used in messages sent to managed resources. | directory string
erserviceproviderfactory | Defines the name of the Java class for creating the ServiceProvider used to communicate with the managed resource. | directory string
erxforms | Defines transforms for Tivoli Identity Manager agents. | binary
erDSML2Service

The erDSML2Service class provides the Directory Service Markup Language Version 2 (DSMLv2) class to import data into Tivoli Identity Manager. The parent class is top.

Attribute name | Description | Type
erCategory | Type of entity to manage. Required | directory string
erServiceName | Name to display on the user interface. Required | directory string
erURL | URL of the data source. Supported protocols include: file, http, and https. Required | directory string
erPassword | Key to authenticate DSMLv2 clients when using the JNDI client. | directory string
erPlacementRule | Placement rule defining a script to place entries within the organization chart. | directory string
erUid | Name of the principal to authenticate DSMLv2 clients when using the JNDI client. | directory string
erUseWorkflow | Boolean flag to indicate whether to use workflow when managing data. A value of true will evaluate provisioning policies and place an entry in the audit trail. | Boolean
ernamingattribute | The naming attribute on a service used to define the distinguished names of entries in event notification. | directory string
namingcontexts | Identifies the service. Required when Tivoli Identity Manager is acting as a DSMLv2 service. | distinguished name
erDynamicRole

The erDynamicRole class provides the structure for a dynamic role. The parent class is erRole.

Attribute name | Description | Type
erJavaScript | Role’s evaluation definition. This definition is used to evaluate members of a role. | binary
erScope | Scope of role evaluation: single or subtree scope. | integer
erHostedAccountItem

The erHostedAccountItem class is an auxiliary class that is added to account entries for hosted services (that is, represented by erHostedService entries). The erHost attribute holds a reference to the owned service entry and provides a more efficient search when trying to identify the owned service. The parent is erAccountItem.

Attribute name | Description | Type
erHost | DN of owned service entry. | distinguished name
erHostedService

The erHostedService class describes a hosted service. The erHostedService class is a domain entry. The parent class is top.

Attribute name | Description | Type
erServiceName | Name of the service. Required | directory string
erService | DN of the target service to be managed. Required | distinguished name
erObjectProfileName | Service profile name for target service. Required | directory string
erHostSelectionPolicy

The erHostSelectionPolicy class provides the structure for a host selection policy. The parent class is erPolicyItemBase.

Attribute name | Description | Type
erJavaScript | Contains a scriptlet used at runtime to return a service instance. Required | binary
erObjectProfileName | Name corresponding to the service type. Required | directory string
erUserClass | Name of a user class, such as Person or BPPerson. Required | directory string
erITIMService

The erITIMService class provides the Tivoli Identity Manager structure for the Tivoli Identity Manager service. The parent class is top.

Attribute name | Description | Type
erServiceName | Tivoli Identity Manager service name. Required | directory string
owner | Service’s owner (person). | distinguished name
erJoinDirective

The erJoinDirective class provides the structure for a join directive used in merging provisioning parameters. The parent class is top.

Attribute name | Description | Type
erAttributeName | Name of service attribute. Required | directory string
erDirectiveType | Type of join directive to be used. Required | directory string
description | Description of how the directive is used. | directory string
erCustomData | Contains any parameters to be passed to the class implementing the JoinDirective interface. | directory string
erPrecedenceSequence | Sequence of allowed values for a single valued attribute with the most preferable values listed first. | directory string
erObjectCategory

The erObjectCategory class provides the structure for an entity type. The parent class is top.

Attribute name | Description | Type
erType | Name of the entity’s category. Required | directory string
erXML | Object Operation definition for life cycle management. | binary
erObjectProfile

The erObjectProfile class provides the Tivoli Identity Manager structure for an object profile. The parent class is top.

Attribute name | Description | Type
erObjectProfileName | Profile name. Required | directory string
erCategory | Entity category such as Person, Role, SystemUser, or other category. | directory string
erCustomClass | Name of the class used to create an entity. | directory string
erRdnAttr | Name attribute. | directory string
erSearchAttr | Search attribute. | directory string
erAttrMap | Map of the logical attribute name and physical attribute name. Key: logical attribute name. | directory string
erXML | ObjectOperation data structure for life cycle management. | binary
erRemoteServiceItem

The erRemoteServiceItem class is an auxiliary class that describes an erServiceItem. The parent class is erServiceItem.

Attribute name | Description | Type
erUid | User’s log in ID for the service. | directory string
erPassword | User’s password. | binary
erCheckPolicy | Flag to determine whether or not to check the user against the defined policies. | Boolean
erDisallowedAction | The action to be taken during reconciliation if an account is not permitted by a provisioning policy. Possible values are: Log Only, Suspend, Delete. | directory string
erConstraintViolationAction | The action to be taken during reconciliation if an account is permitted by a provisioning policy but the account values are not compliant. Possible values are Log Only, Overwrite Local Values, and Overwrite Remote Values. | directory string
erIdentityLookupMethod | The method used during reconciliation to look up the identity of the account owner. The only possible value is Alias. | directory string
erServiceItem

The erServiceItem class is an auxiliary class that describes an owned service. This is a domain entry. The parent class is top.

Attribute name | Description | Type
erServiceName | Name of the service. | directory string
owner | DN of the service owner. | distinguished name
erPrerequisite | Required prerequisite for the account. | distinguished name
erNonComplianceAction | Compliant action for accounts of the service. Possible values are Mark NonCompliant (0), Suspend NonCompliant (1), Correct NonCompliant (2). | integer
erServiceProfile

The erServiceProfile class provides the Tivoli Identity Manager structure for a service profile. The parent class is erObjectProfile.

Attribute name | Description | Type
erAccountClass | Name of a custom class used to create an account. | directory string
erAccountName | Name of profile associated with the account. | directory string
erproperties | Service attributes used in messages sent to managed resources. Required | directory string
erprotocolmappings | Service attributes used in messages sent to managed resources. | directory string
erserviceproviderfactory | Name of the Java class to create the ServiceProvider used to communicate with the managed resource. Required | directory string
erxforms | Defines transforms for Tivoli Identity Manager agents. | binary
erSystemItem

The erSystemItem class provides the Tivoli Identity Manager auxiliary class for the Tivoli Identity Manager system. The parent class is top.
erSystemRole

The erSystemRole class represents a system role; however, it does not include membership information. Members are defined in erSystemUser.erRoles. This is a domain entry. The parent class is top.

Attribute name | Description | Type
erRoleName | The system role name. Required | directory string
description | Description of the role. | directory string
erSystemRoleCategory | Level of access: End User, Supervisor, System Administrator. | integer
erSystemUser

The erSystemUser class stores Tivoli Identity Manager system accounts such as the pre-defined Tivoli Identity Manager system account. The erAccountItem is also added to each erSystemUser entry since it is an account managed by the system. This is a domain entry. The parent class is top.

Attribute name | Description | Type
erUid | Account login ID. Required | directory string
erLostPasswordQuestion | Account’s lost password question. | directory string
erLostPasswordAnswer | Account’s lost password answer. | binary
erIsDelegated | Flag determining if the account’s workflow can be sent to delegates. | Boolean
erDelegate | User’s delegate. | directory string
erWorkflow | Filter for viewing pending requests and completed requests. | directory string
erRoles | Roles associated with the account. | distinguished name
erHomePage | Login home page. | directory string
erPswdLastChanged | Date and time password was last changed. | generalized time
erNumLogonAttempt | Number of times user attempted to log on. | integer
erChangePswdRequired | Flag indicating whether or not the user is required to change the password the next time the user logs into the system. | Boolean
erRespLastChange | Date and time challenge response was last changed. | generalized time
Policy Classes

There are three types of policies: password, identity and provisioning. These all share some general attributes. These attributes are represented within the erPolicyBase and erPolicyItemBase classes. The erPolicyBase class inherits from the erPolicyItemBase class. All policies are domain entries.
erIdentityPolicy

The erIdentityPolicy class stores identity policy-specific attributes. The parent class is erPolicyBase.

Attribute name | Description | Type
erJavaScript | Script that is evaluated to create the user ID. | binary
erUserClass | User’s class home. | directory string
erPasswordPolicy

The erPasswordPolicy class stores password policy-specific attributes. The parent class is erPolicyBase.

Attribute name | Description | Type
erXML | XML file name. Required | binary
erPolicyBase

The erPolicyBase class stores commonly used functional attributes such as state information and the target of the policy. The parent class is erPolicyItemBase.

Attribute name | Description | Type
erPolicyTarget | Service(s) or service instances targeted by the policy. If a service instance is targeted, the value is the string representing the service instance’s DN. Format: 1;<value>. If a service profile is targeted, the value is the name of the service profile. Format: 0;<value>. If all services are targeted, the value is *. Format: 2;<*>. If a service selection policy is targeted, the value is the name of the service profile affected by the service selection policy. Format: 3;<value>. | directory string
erReqPolicyTarget | Lists required policy targets (service instance or service profile). | directory string
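The erPolicyTarget encoding above packs the target kind and its value into one directory string, so an audit that asks "which policies reach this service?" has to decode it first. The following Python is an added example, not code from the IBM guide: it parses, validates and rebuilds the four "<kind>;<value>" formats and matches them against a service instance. The kind codes come from the table; the function names, the simplified DN comparison and the sample values are this example's own assumptions, and it assumes the stored all-services value is a bare "*" (the table writes it as 2;<*> with the same <...> placeholder the other formats use).

```python
"""Added example (not from the IBM guide): parse, build and match erPolicyTarget
values in the four "<kind>;<value>" formats listed in the erPolicyBase table.
Kind codes are from that table; everything else here is an assumption."""
from typing import Iterable, List, NamedTuple

# Kind codes from the erPolicyTarget description.
TARGET_SERVICE_PROFILE = 0    # value: service profile name
TARGET_SERVICE_INSTANCE = 1   # value: service instance DN
TARGET_ALL_SERVICES = 2       # value: * (assumed stored without the <> placeholder)
TARGET_SERVICE_SELECTION = 3  # value: profile affected by a service selection policy

_KIND_NAMES = {
    TARGET_SERVICE_PROFILE: "service profile",
    TARGET_SERVICE_INSTANCE: "service instance",
    TARGET_ALL_SERVICES: "all services",
    TARGET_SERVICE_SELECTION: "service selection policy",
}


def _norm_dn(dn: str) -> str:
    """Simplified DN comparison key (case-folded, whitespace around RDNs
    removed); an illustration-only assumption, not full RFC 4514 matching."""
    return ",".join(part.strip().casefold() for part in dn.split(","))


class PolicyTarget(NamedTuple):
    kind: int
    value: str

    def describe(self) -> str:
        return f"{_KIND_NAMES[self.kind]}: {self.value}"

    def covers(self, service_dn: str, profile_name: str) -> bool:
        """Whether a service instance with this DN and profile falls under the
        target. Kinds 0 and 3 both name a service profile."""
        if self.kind == TARGET_ALL_SERVICES:
            return True
        if self.kind == TARGET_SERVICE_INSTANCE:
            return _norm_dn(self.value) == _norm_dn(service_dn)
        return self.value == profile_name


def parse_policy_target(raw: str) -> PolicyTarget:
    """Split a stored erPolicyTarget string at its first ';' only, because the
    value part (a DN or a name) may itself contain further ';' characters."""
    kind_text, sep, value = raw.partition(";")
    if not sep or not kind_text.isdigit():
        raise ValueError(f"malformed erPolicyTarget: {raw!r}")
    kind = int(kind_text)
    if kind not in _KIND_NAMES:
        raise ValueError(f"unknown erPolicyTarget kind {kind} in {raw!r}")
    if kind == TARGET_ALL_SERVICES and value != "*":
        raise ValueError(f"kind 2 must carry the value '*', got {value!r}")
    if kind != TARGET_ALL_SERVICES and not value:
        raise ValueError(f"empty target value in {raw!r}")
    return PolicyTarget(kind, value)


def format_policy_target(target: PolicyTarget) -> str:
    """Inverse of parse_policy_target; validates by round-tripping."""
    raw = f"{target.kind};{target.value}"
    parse_policy_target(raw)
    return raw


def targets_covering(raw_targets: Iterable[str], service_dn: str,
                     profile_name: str) -> List[PolicyTarget]:
    """Return the parsed targets (taken from several policies) that govern one
    service instance, the question an access review usually starts with."""
    return [t for t in map(parse_policy_target, raw_targets)
            if t.covers(service_dn, profile_name)]


# Constructed sample values (not from a real ITIM directory).
SAMPLE_TARGETS = [
    "1;erservicename=AD Sales,ou=services,o=Example,dc=example",
    "0;ADprofile",
    "2;*",
    "3;LDAPprofile",
]

if __name__ == "__main__":
    for raw in SAMPLE_TARGETS:
        print(raw, "->", parse_policy_target(raw).describe())
```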
erPolicyItemBase

The erPolicyItemBase class stores general bookkeeping attributes for policies, such as name and description. The parent class is top.

Attribute name | Description | Type
erPolicyItemName | The policy name. Required | directory string
erLabel | The label name for the policy. | directory string
erKeywords | A list of key words. | directory string
description | A description of the policy. | directory string
erEnabled | Flag indicating whether or not the policy participates in the provisioning process. If the flag is enabled, the policy participates in the provisioning process. If the flag is disabled, the policy does not participate in the provisioning process. | Boolean
erScope | Determines which service instances are governed by this policy. Single level scope limits the policy to affect only those service instances at the same level as the policy. Subtree scope allows a policy to affect service instances at the same level as the policy and service instances in levels below that of the policy. | integer
erProvisioningPolicy

The erProvisioningPolicy class stores provisioning policy-specific attributes. The parent class is erPolicyBase.

Attribute name | Description | Type
erEntitlements | Policy access definitions. Required | binary
erPriority | The priority level for this policy. Required | integer
erPolicyMembership | Policy principals. Identifies users who are governed by this policy. Required | directory string
Chapter 3. Database Tables

Tivoli Identity Manager loads tables into the selected database during installation. These tables are used for five features in Tivoli Identity Manager:

Topic index:
• “Workflow Tables” on page 46
• “Services Tables” on page 51
• “SCHEDULED_MESSAGE Table” on page 54
• “LISTDATA Table” on page 55

© Copyright IBM Corp. 2003 45
Workflow Tables

Tivoli Identity Manager stores workflow specific information in the following database tables:
• “PROCESS Table” on page 46
• “PROCESSLOG Table” on page 47
• “PROCESSDATA Table” on page 47
• “ACTIVITY Table” on page 48
• “WORKITEM Table” on page 49
• “PASSWORD_TRANSACTION Table” on page 49
• “NEXTVALUE Table” on page 49
• “PENDING Table” on page 50

The workflow engine accesses these tables to retrieve information that is used during the workflow process.
PROCESS Table

The PROCESS table stores all the pending, running, and historical requests submitted to the Tivoli Identity Manager workflow. Each request is represented as a process. The following table includes descriptions of each column name:

Column Name | Description | Data Type
ID | Process ID number. | numeric
PARENT_ID | Parent process ID number, if any. | numeric
PARENT_ACTIVITY_ID | Parent activity ID number. | numeric
NAME | Process name. | character
TYPE | Process type code. | character
DEFINITION_ID | Process definition identifier. | character
REQUESTER_TYPE | Requester type. | character
REQUESTER | DN of the requester. | character
REQUESTER_NAME | Requester’s name. | character
DESCRIPTION | Description of the process. | character
PRIORITY | Priority of the process. | numeric
SCHEDULED | Scheduled start time for the process. | character
STARTED | Time the process is started. | character
COMPLETED | Time the process is completed. | character
LASTMODIFIED | Time the process was last modified. | character
SUBMITTED | Time the process was submitted. | character
STATE | Current state of the process. | character
NOTIFY | Specifies who is notified when a process is completed. There are four possible choices: NOTIFY_NONE (0), NOTIFY_REQUESTOR (1), NOTIFY_REQUESTEDFOR (2), NOTIFY_BOTH (3). | numeric
REQUESTEE | DN of the requestee. | character
SUBJECT | Process’s subject. | character
COMMENTS | Comments for the process. | character
RESULT_SUMMARY | Process’s result summary code. | character
RESULT_DETAIL | Detailed information on the process’s result. | long character
TENANT | DN of the requester’s tenant. | character
REQUESTEE_NAME | Requestee’s name. | character
PROCESSLOG Table

The PROCESSLOG table maintains a record of audit events associated with a process. The following table includes descriptions of each column name:

Column Name | Description | Data Type
ID | Log ID number. | numeric
PROCESS_ID | ID of the process associated with the log. | numeric
ACTIVITY_ID | ID of the activity associated with the log. | numeric
CREATED | Time the log was created. | character
EVENTTYPE | Log’s event type code. | character
OLD_PARTICIPANT_TYPE | Old participant type for the assignment change event. | character
OLD_PARTICIPANT_ID | Old participant ID for the assignment change event. | character
NEW_PARTICIPANT_TYPE | New participant type for the assignment change event. | character
NEW_PARTICIPANT_ID | New participant ID for the assignment change event. | character
REQUESTOR_TYPE | Requester type for any user related event. | character
REQUESTOR | Requester ID for any user related event. | character
OLD_STATE | Old state for a state change event. | character
NEW_STATE | New state for a state change event. | character
DATA_ID | Data ID for a data change event. | character
NEW_DATA | Data value for a data change event. | long character
PROCESSDATA Table

The PROCESSDATA table stores the runtime process data of a process. After the process is completed, the record is removed. The following table includes descriptions of each column name:

Column Name | Description | Data Type
PROCESS_ID | Process ID associated with the data. | numeric
DEF_ID | Definition ID for the corresponding relevant data in the process definition. | character
NAME | Data name. | character
CONTEXT | Context of data. The following are possible values: REQUESTEE, SUBJECT, BOTH. | character
DESCRIPTION | Data description. | character
TYPE | Data type. | character
COLLECTION_TYPE | Element data type for sets of data. | character
VALUE | Data value. | long character
ACTIVITY Table

The ACTIVITY table contains records of each workflow process’s execution flow. The following table includes descriptions of each column name:

Column Name | Description | Data Type
ID | Activity ID number. | numeric
PROCESS_ID | Activity’s process ID number. | numeric
DEFINITION_ID | Activity’s definition identifier. | character
ACTIVITY_INDEX | Activity index (only if the activity is inside of a loop). | numeric
LOOP_COUNT | Specific to loop activity. Number of iterations that have occurred in the loop. | numeric
LOOP_RUNCOUNT | Specific to asynchronous loop activity. Number of remaining iterations left in the loop. | numeric
RETRY_COUNT | Number of attempts to complete the activity. | numeric
LOCK_COUNT | Number of tasks pending on the activity. | numeric
SUBPROCESS_ID | ID of the subprocess associated with the activity. | numeric
NAME | Activity’s name. | character
DESCRIPTION | Description of the activity. | character
TYPE | Activity type. | character
SUBTYPE | Activity subtype. | character
PRIORITY | Priority of the activity (NOT SUPPORTED). | numeric
STARTED | Time the activity is started. | character
COMPLETED | Time the activity is completed. | character
LASTMODIFIED | Time the activity was last modified. | character
STATE | Current state of the activity. | character
RESULT_SUMMARY | Activity’s result summary code. | character
RESULT_DETAIL | Detailed results information for the activity. | long character
WORKITEM Table

The WORKITEM table maintains a record of work items associated with manual workflow activities for running processes. The records associated with the process are removed after the process is completed. The following table includes descriptions of each column name:

Column Name | Description | Data Type
ID | Process data ID. | numeric
PROCESS_ID | Process ID associated with the data. | numeric
ACTIVITY_ID | Activity ID associated with the data, if any. | numeric
PARTICIPANT_TYPE | Work item participant type. | character
PARTICIPANT | Work item participant identity. | character
CREATED | Time the work item was created. | character
INPUT_PARAMETERS | Work item specific parameters. | long character
PASSWORD_TRANSACTION Table

The PASSWORD_TRANSACTION table is used during secure password delivery to store information. After the password is retrieved, the record is deleted from the table. If the password is never picked up, this record is deleted upon password pickup expiration. The following table includes descriptions of each column.

Column Name | Description | Data Type
TRANSACTION_ID | Transaction ID used to retrieve the password. | numeric
ACCOUNT_DN | Account DN for the password. | character
CREATION_DATE | Password creation date. | character
PROCESS_ID | ID of the workflow that started the password transaction process. | numeric
ACTIVITY_ID | ID of the activity that started the password transaction process. | numeric
PASSWORD | Encrypted password value. | character
NEXTVALUE Table

Note: This table is not in use after release 4.4.

The NEXTVALUE table is used to create unique IDs for workflow tables. The NEXTVALUE table is not directly used in a workflow. The following table includes descriptions of each column name:

Column Name | Description | Data Type
ID | Process data ID. | numeric
NEXT_ID | Primary key ID to be used in a process. | numeric
PENDING Table

The PENDING table stores all the provisioning requests that are being processed, but not completed yet. The following table includes descriptions of each column name:

Column Name | Description | Data Type
PROCESS_ID | Process ID number. | numeric
PERSON_DN | Name of the person for which the request was submitted. | character
SERVICE_DN | Name of the resource to which to add the account. | character
Services Tables

Tivoli Identity Manager creates and uses the following database tables to store information related to managed resources:
• “RESOURCE_PROVIDERS Table” on page 51
• “REMOTE_SERVICES_REQUESTS Table” on page 52
• “REMOTE_RESOURCES_RECONS Table” on page 52
• “REMOTE_RESOURCES_RECON_QUERIES Table” on page 53
RESOURCE_PROVIDERS Table

The RESOURCE_PROVIDERS table stores cross references between resource provider IDs and stores reconciliation data for each resource provider. The resource provider IDs are used as the primary keys for resource provider entity beans. The following table includes descriptions of each column name:

Column Name | Description | Data Type
PROVIDER_ID | Unique ID used as the primary key for the resource provider entity beans. There is a one-to-one relationship between a provider_id and a resource_dn. | character
RESOURCE_DN | DN for the managed resource the provider is responsible for. | character
RECON_STATUS | Indicates whether a reconciliation is currently running. 0 - no reconciliation is running for this service. 1 - reconciliation is currently running on this service. If the server is shut down abruptly during a reconciliation, this flag may need to be reset to 0 before other reconciliation requests can be processed for the specified service. | numeric
LAST_RECON_TIME | The length of time the last reconciliation took to complete. |
MAX_RECON_DURATION | Timeout value, in minutes, for reconciliations. If a reconciliation request runs beyond the amount of time specified in this field, the request is terminated. | numeric
LOCK_SERVICE | Indicates whether or not to lock the service during a reconciliation: 1 - lock the service during a reconciliation. 0 - do not lock the service during a reconciliation. | numeric
REQUEST_ID | Tracks the process locking the service. | character
REMOTE_SERVICES_REQUESTS Table

The REMOTE_SERVICES_REQUESTS table stores asynchronous requests or requests that are made while a reconciliation is in progress. The following table includes descriptions of each column name:

Column Name | Description | Data Type
PROVIDER_ID | Unique ID used as the primary key for the resource provider entity beans. | character
REQUEST_ID | ID of the request made. | character
TYPE | Request type: 0 - generic requests; 1 - asynchronous requests; 2 - intra-reconciliation requests. | numeric
OPERATION | Type of operation being performed: 0 - no operation; 1 - Add request; 2 - Modify request; 3 - Delete request; 4 - Suspend request; 5 - Restore request; 6 - Change password request. | numeric
REQUEST_TIME | Time the request was made. | date
EXPIRATION_TIME | Time the request expires. If null, the request never expires. | date
TARGET | The owner of the account for an add request or the account dc for other types of operations. | character
SERVICE_DN | The distinguished name of the service instance in the directory. | character
DATA | The data for the request (attribute values for Add and Modify requests). This information is a serialized Java Collection. | long character
CONNECTION_POINT | The callback to complete the workflow process. This information is a serialized Java object. | long binary
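As an added example (not IBM's code) that ties the RESOURCE_PROVIDERS and REMOTE_SERVICES_REQUESTS tables together: the script below builds an in-memory SQLite copy of both tables from constructed rows, lists every provider whose RECON_STATUS is still 1 together with the requests queued behind it (decoded with the TYPE and OPERATION codes above, expired requests counted separately), and applies the documented remedy of resetting the flag to 0. Table and column names and the code values come from this chapter; the column types, the ISO timestamp storage, the reference clock and all row values are assumptions.

```python
"""Stale-reconciliation-flag check for the RESOURCE_PROVIDERS and
REMOTE_SERVICES_REQUESTS tables described above.

Added example, not IBM code: it works on an in-memory SQLite copy of the
two tables filled with constructed rows, so it runs offline. The SQLite
column types approximate the product's character/numeric/date types."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Code tables copied from the TYPE and OPERATION column descriptions.
REQUEST_TYPE = {0: "generic", 1: "asynchronous", 2: "intra-reconciliation"}
OPERATION = {0: "no operation", 1: "Add", 2: "Modify", 3: "Delete",
             4: "Suspend", 5: "Restore", 6: "Change password"}

SCHEMA = """
CREATE TABLE RESOURCE_PROVIDERS (
    PROVIDER_ID        TEXT PRIMARY KEY,
    RESOURCE_DN        TEXT,
    RECON_STATUS       INTEGER,   -- 0: idle, 1: reconciliation running
    LAST_RECON_TIME    INTEGER,
    MAX_RECON_DURATION INTEGER,   -- timeout in minutes
    LOCK_SERVICE       INTEGER,   -- 1: service locked during a reconciliation
    REQUEST_ID         TEXT       -- process holding the service lock
);
CREATE TABLE REMOTE_SERVICES_REQUESTS (
    PROVIDER_ID     TEXT,
    REQUEST_ID      TEXT,
    TYPE            INTEGER,
    OPERATION       INTEGER,
    REQUEST_TIME    TEXT,          -- ISO 8601 text in this copy
    EXPIRATION_TIME TEXT,          -- NULL: the request never expires
    TARGET          TEXT,
    SERVICE_DN      TEXT
);
"""

# Constructed reference clock for the sample rows (hypothetical value).
SAMPLE_NOW = datetime(2003, 9, 1, 12, 0, tzinfo=timezone.utc)


def build_sample_db(now=SAMPLE_NOW):
    """Constructed data: provider P1 was mid-reconciliation when the server
    went down and still shows RECON_STATUS = 1, with three requests queued
    behind it (one already expired). Provider P2 is idle."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    hr_svc = "erservicename=hr-ldap,ou=example,dc=com"     # hypothetical DNs
    ad_svc = "erservicename=corp-ad,ou=example,dc=com"
    conn.executemany(
        "INSERT INTO RESOURCE_PROVIDERS VALUES (?, ?, ?, ?, ?, ?, ?)",
        [("P1", hr_svc, 1, 1800, 60, 1, "REQ-100"),
         ("P2", ad_svc, 0, 240, 60, 1, None)])

    def at(delta):                      # timestamp relative to the clock
        return (now + delta).isoformat()

    conn.executemany(
        "INSERT INTO REMOTE_SERVICES_REQUESTS VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [("P1", "REQ-101", 2, 1, at(timedelta(hours=-2)), None,
          "uid=alice,ou=people,dc=com", hr_svc),
         ("P1", "REQ-102", 1, 6, at(timedelta(hours=-3)), at(timedelta(hours=-1)),
          "uid=bob,ou=people,dc=com", hr_svc),
         ("P1", "REQ-103", 1, 6, at(timedelta(minutes=-30)), at(timedelta(hours=1)),
          "uid=carol,ou=people,dc=com", hr_svc),
         ("P2", "REQ-200", 0, 2, at(timedelta(minutes=-10)), None,
          "uid=dave,ou=people,dc=com", ad_svc)])
    conn.commit()
    return conn


def list_running_recon_flags(conn, now=SAMPLE_NOW):
    """Report every provider still flagged RECON_STATUS = 1, with the requests
    waiting behind it decoded via the documented TYPE/OPERATION codes. Run it
    with the server stopped: while the server is up, a row here may simply be
    a live reconciliation rather than a stale flag."""
    report = []
    providers = conn.execute(
        "SELECT PROVIDER_ID, RESOURCE_DN, LOCK_SERVICE, REQUEST_ID "
        "FROM RESOURCE_PROVIDERS WHERE RECON_STATUS = 1 ORDER BY PROVIDER_ID")
    for provider_id, resource_dn, lock_service, request_id in providers.fetchall():
        pending, expired = {}, 0
        queued = conn.execute(
            "SELECT TYPE, OPERATION, EXPIRATION_TIME FROM REMOTE_SERVICES_REQUESTS "
            "WHERE PROVIDER_ID = ?", (provider_id,))
        for rtype, op, expiration in queued:
            if expiration is not None and datetime.fromisoformat(expiration) < now:
                expired += 1            # past EXPIRATION_TIME: will not be processed
                continue
            label = f"{REQUEST_TYPE.get(rtype, rtype)}/{OPERATION.get(op, op)}"
            pending[label] = pending.get(label, 0) + 1
        report.append({"provider_id": provider_id, "resource_dn": resource_dn,
                       "service_locked": lock_service == 1,
                       "locking_request": request_id,
                       "pending_requests": pending, "expired_requests": expired})
    return report


def reset_recon_flag(conn, provider_id):
    """The remedy the RECON_STATUS description gives: set the flag back to 0.
    The guard on RECON_STATUS = 1 makes a repeat run a no-op, and REQUEST_ID
    is left untouched so the process that held the lock stays visible."""
    with conn:                          # commits on success, rolls back on error
        cur = conn.execute(
            "UPDATE RESOURCE_PROVIDERS SET RECON_STATUS = 0 "
            "WHERE PROVIDER_ID = ? AND RECON_STATUS = 1", (provider_id,))
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    for entry in list_running_recon_flags(db):
        print(entry)
        print("rows reset:", reset_recon_flag(db, entry["provider_id"]))
```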
REMOTE_RESOURCES_RECONS Table

The REMOTE_RESOURCES_RECONS table stores the reconciliation units associated with a given resource provider. The following table includes descriptions of each column name:

Column Name | Description | Data Type
PROVIDER_ID | Unique ID used as the primary key for the resource provider entity beans. | character
RECON_ID | Unique ID for each reconciliation unit. | numeric
DAY_OF_MONTH | Day of month the reconciliation is scheduled to run. | numeric
MONTH_NUM | Month the reconciliation is scheduled to run. | numeric
DAY_OF_WEEK | Day of week the reconciliation is scheduled to run. | numeric
HOUR_NUM | Hour of day the reconciliation is scheduled to run. | numeric
MINUTE_NUM | Minute of hour the reconciliation is scheduled to run. | numeric
MAX_DURATION | This value overrides the MAX_DURATION value in the RESOURCE_PROVIDERS table. | numeric
LOCK_SERVICE | Indicates whether or not to lock the service during a reconciliation. 1 - lock the service during a reconciliation; 0 - do not lock the service during a reconciliation. | numeric
REMOTE_RESOURCES_RECON_QUERIES Table

The REMOTE_RESOURCES_RECON_QUERIES table stores reconciliation queries associated with a given reconciliation unit. The following table includes descriptions of each column name:

Column Name | Description | Data Type
PROVIDER_ID | Unique ID used as the primary key for the resource provider entity beans. | character
RECON_ID | Unique ID for each reconciliation unit. | numeric
QUERY_ID | Unique ID for each reconciliation query. | numeric
RECON_FILTER | Filter associated with the reconciliation query. | character
RECON_BASE | Search base associated with the reconciliation query. | character
MAX_DURATION | Not used. | numeric
MAX_ENTRIES | Not used. | numeric
ATTRIBUTES | Attributes returned during a reconciliation request. | character
SCHEDULED_MESSAGE Table

The SCHEDULED_MESSAGE table stores information associated with a scheduled event that is provided by the scheduler. The scheduler is a component of Tivoli Identity Manager that stores one-time or regularly scheduled events. These events are typically user requests (via the workflow engine) or recurring reconciliation events. The following table includes descriptions of each column name:

Column Name | Description | Data Type
SCHEDULED_TIME | The long integer that represents the time of the scheduled event, which is the number of milliseconds since January 1, 1970, 00:00:00 GMT. | numeric
SCHEDULED_MESSAGE_ID | Unique ID for each scheduled event. | numeric
MESSAGE | A serialized object that represents the detail information of the scheduled event. | long character
SERVER | The server that most recently picked up the scheduled event. | character
CHECKPOINT_TIME | The long integer that represents the last pick-up time of the scheduled event, which is the number of milliseconds since January 1, 1970, 00:00:00 GMT. | numeric
REFERENCE_ID | Used only for scheduled workflow events; it is the ID of the workflow process that the scheduled event comes from. | numeric
LISTDATA Table

The LISTDATA table is used to optimize memory utilization and improve performance for Tivoli Identity Manager. This table is used to store large data lists. Instead of loading all data into memory, data will be stored in this table and referenced by index in memory. The following table includes descriptions of each column name:

Column Name | Description | Data Type
DATA_ID | Unique identifier for the data. | numeric
INDEX_ID | List element’s index. | numeric
VALUE | The serialized list element. | long character
Appendix. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
DB2
IBM
IBM logo
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere

Lotus is a registered trademark of Lotus Development Corporation and/or IBM Corporation.

Domino is a trademark of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.

Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.
Glossary

A

access. The privilege to use information or data stored on computer systems.

account. The set of parameters that define the login information and access control information for a user.

account report. A report that lists people and their associated accounts and whether or not the account is in compliance with current policies.

access control information (ACI). Data that identifies the access rights of a group or principal. See also access control.

ACI origin. The branch in the organization tree where the ACI is created.

ACI target. The set of entities that are controlled by the ACI.

active account. An account that exists and that is in use by the owner to access a resource.

admin domain. A division of an organization within the Tivoli Identity Manager system that contains its own policies, services, ACIs, and so on. Each admin domain can have administrators that cannot administer or view the policies, services, or ACIs of other admin domains.

alias. An identity for a user, usually referred to as the user ID. A person can have several aliases, for example: GSmith and GWSmith.

attribute enforcement. The process in which system administrators define the attributes that are required for an account and the values that are valid for those attributes.

audit trail. The record of transactions for a computer system during a given time period.

authentication. The process of identifying an individual, usually based on a user name and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.

authorization. In computer security, the right granted to a user to communicate with or make use of a computer system. The process of granting a user either complete or restricted access to an object, resource, or function. Most computer security systems are based on a two-step process. The first stage is authentication, which ensures that a user is who he or she claims to be. The second stage is authorization, which allows the user access to various resources based on the user’s identity.

authorization owner. A group of users who can define access control information (ACI) within the context of the organizational unit to which they belong.

B

branch. Each level within the organization tree is called a branch. Each type of branch in the tree is indicated by a different icon. The contents of a branch with sub-units can be viewed by clicking the plus (+) sign next to it.

business partner organization. One of the types of subsidiary entities that can be added to an organization. Typically, a business partner organization is used to identify a contractor, supplier, or other groups of individuals who are not direct employees but may need access to a company’s resources.

business partner person. A person in a business partner organization.

business unit. A subsidiary entity of an organization.

C

central data repository. The database used to record and store user and access privilege data for all registered users, including transaction and maintenance records.

Certificate Authority (CA). An organization that issues certificates. The certificate authority authenticates the certificate owner’s identity and the services that the owner is authorized to use, issues new certificates, renews existing certificates, and revokes certificates belonging to users who are no longer authorized to use them.

challenge response. An authentication method that requires users to respond to a prompt by providing private information to verify their identity when logging in to the network.

completed requests. Requests that were submitted to the system and that are completed.
constraint. A limitation on a parameter or policy.

control type. An instance of the Java Type class that represents the type of field on a user interface.

credential. The User ID and password information for a user, which allows access to an account.

D

delegate. An individual who is designated as the responsible party to approve requests or provide information for requests for another user.

de-provision. To remove a service or component. For example, to de-provision an account means to delete an account from a resource.

digital certificate. An attachment to an electronic message used for security purposes.

Directory Services Markup Language (DSML). An XML implementation that provides a common format for describing and sharing directory services information among different directory systems.

disallowed action. A parameter set for reconciliations that defines the action to take if the Tivoli Identity Manager Server finds accounts for persons who are not allowed to have an account for the selected service. This parameter is only valid if the Check Policy check box is selected.

domain administrator. An administrator that can define and manage provisioning entities, policies, services, workflow definitions, roles, and users within their admin domain, but only in his or her own admin domain.

DSML identity feed. One of Tivoli Identity Manager’s three default service types. A DSML identity feed service imports user data from a human resources database or file and feeds the information into the Tivoli Identity Manager directory. The service can receive the information in one of two ways: a reconciliation or an unsolicited notification.

E

electronic forms. An electronic form serves as a template to define the parameters of the access being requested.

entitlement. In security management, a data structure, service, or list of attributes that represents policy information.

entity. 1) A person or object for which information is stored. 2) One of the following classes, as referred to by the Tivoli Identity Manager system:
- Person
- BPPerson
- Organization
- BPOrganization

escalation participant. In identity management, a person that has the authority to respond to requests that participants do not respond to within a specified escalation time. An escalation participant can be identified as an individual, as a role, or by using a custom JavaScript script.

escalation limit. The amount of time, in days, hours, minutes or seconds, that a participant has to respond to a request, before an escalation occurs.

H

HR feed. An automated process in which the Tivoli Identity Manager system imports user data from a human resources database or file. Refer to DSML identity feed.

I

identity policy. The rules by which the Tivoli Identity Manager system defines how a user’s ID is created.

inactive account. An account that exists in the system, but that is not in use by the account owner.

ITIM group. A user group within the Tivoli Identity Manager Server. System access and administration can be structured around ITIM groups. However, before a person can be assigned to an ITIM group, the user must be provisioned with an ITIM account. Once the person is provisioned with an ITIM account, the person is an ITIM user and can be added to an ITIM group.

J

join directive. The set of rules that define how to handle attributes when two or more provisioning policies conflict.

K

keyword. An index entry that identifies the policy in a search.

L

location. One of the types of subsidiary entities that can be added to an organization. Typically, locations are used to logically separate geographic locations for organizational management purposes.
O

operation report. A report that lists Tivoli Identity Manager operation requests by type of operation, date, who requested the operation, and who the operation is requested for.

organization. In identity management, a body of users and resources which is fairly independent. Although the sharing of resources between organizations is possible, the level of integration between the organizations is relatively low. Generally, an organization represents a company.

organization tree. A hierarchical structure of the organization that provides a logical place to create, access, and store organizational information.

organizational role. In identity management, an attribute that is used to determine membership to policies that grant access to various managed resources.

organizational unit. A body of users and resources within an organization defined to sub-divide an organization into more manageable groups. Users are assigned to only one organizational unit. Resources are also assigned to only one organizational unit unless they are defined as global to an organization.

orphan (orphan accounts). Accounts on a remote resource whose owner in the Tivoli Identity Manager system cannot be determined.

owner. A person in the Tivoli Identity Manager system that owns an account or a service.

P

participant. In identity management, a person that has the authority to respond to a request that is submitted through the workflow engine. A participant can be identified as an individual, as a role, or by using a custom JavaScript script.

password. In computer and network security, a specific string of characters entered by a user and authenticated by the system, which allows the user to gain access to the system and to the information stored within it.

password expiration period. The amount of time a password can be used before the user is forced to change it.

password policy. The rules that define the set of parameters that all passwords must meet, such as length, and the type of characters allowed and disallowed.

pending requests. Requests that have been submitted to the system but that have not yet been completed.

personal information. A user’s personal information. This information can include last name, first name, home address, phone number, address, office number, supervisor, etc.

policy. In Tivoli, a set of rules that are applied to managed resources. For example, a policy can apply to passwords or to resources that a user attempts to access.

policy enforcement. The manner in which the Tivoli Identity Manager system allows or disallows accounts that violate provisioning policies.

provision. To set up and maintain a user’s access to a system in the organization.

provisioning policy. A policy that defines the access to various types of managed services, such as Tivoli Identity Manager or operating systems. Access is granted to all persons or based on a person’s organizational role. Access can also be granted specifically to persons who are not members of any organizational role.

Q

query. A way in which to limit a reconciliation to return smaller packets.

R

reconciliation. The process of comparing the information in the central data repository to the managed agent system and identifying the discrepancies between the two.

reconciliation report. A report that lists the orphan accounts found since the last reconciliation was performed.

rejected report. A report that lists requests denied by date, who requested the operation, and who the operation is requested for.

request. An action item in the Tivoli Identity Manager system asking for approval or information.

requestee. The person for whom a request is submitted.

requestor. A person who submits a request.

resource. A hardware, software, or data entity that is managed by Tivoli software. See also managed resource.

resource provisioning management (rpm). The management principle that combines three key elements - business logic, workflow management, and distribution agents - which together centrally manage the provisioning of users with access to information and business resources.
restore. To reactivate an account that was suspended.

request for information (RFI). In identity management, an action item that requests additional information from the specified participant and that is a required step in the workflow.

S

scope. The range that a policy can affect. Typically, the scope is defined as single or subtree. When the scope is defined as single, the policy only affects entities in the same branch in which the policy is defined. When the scope is defined as sub-tree, the policy affects the branch in which it is defined and all other branches that are subordinate to the policy’s branch of origin.

service. A program that performs a primary function within a server or related software.

service selection policy. A JavaScript filter that determines which service to use in a provisioning policy.

shared secret. An encrypted value used to retrieve a user’s initial password to access the Tivoli Identity Manager system. This value is defined when the user’s personal information is initially loaded into the system.

signature authority. The right to approve or deny a request that is submitted to the workflow engine. A user or group of users is granted signature authority when they are designated as the participant or escalation participant in a workflow design.

secure socket layer (SSL). A protocol for transmitting private documents through the Internet. SSL works by using a private key to encrypt data that is transferred over the SSL connection.

static organizational role. An organizational role that can only be assigned manually.

subprocess. A workflow design that is started as part of another workflow design.

supervisor. A person in the Tivoli Identity Manager system that is designated as the owner of a business unit.

suspend. The act of deactivating an account so the account owner cannot log into the resource.

system administrator. Individuals with access to all areas in the system. A pre-configured ITIM Group is provided in the Tivoli Identity Manager system. This ITIM Group is designed to grant members maximum access to the system. Users who are members of the administrator ITIM Group have access to all system functions and data.

T

Tivoli Identity Manager Agent. An intelligent interface between the targeted managed system and the Tivoli Identity Manager Server. It acts as a trusted virtual administrator and is a critical component that translates user requests and provides secure configurations access to various targeted systems.

Tivoli Identity Manager Server. A software and services package designed to deploy policy-based provisioning solutions.

to do list. The list of action items assigned to a user for completion.

U

user. Any person who interacts with the system.

user class. An LDAP class such as inetorgperson or BPPerson.

user interface (UI). The display used by the user to interact with the system.

user name. The ID used by the user to access the system. This ID also identifies the user to the system and allows the system to determine the user’s access rights based on the user’s membership in various organizational roles and ITIM groups.

user report. A report that lists all Tivoli Identity Manager operations by date, who requested the operation, and who the operation is requested for.

W

workflow. The sequence of activities performed in accordance with the business processes of an enterprise.
Index

A
accessibility, documentation vii
ACTIVITY table 48
audience v

B
bold text viii

C
classes
  general
    description 27
    erBPOrg 27
    erBPOrgItem 27
    erBPPersonItem 27
    erDictionary 28
    erDictionaryItem 28
    erFormTemplate 28
    erIdentityExclusion 28
    erLocationItem 29
    erManagedItem 29
    erOrganizationItem 29
    erOrgUnitItem 30
    erPersonItem 30
    erRole 30
    erSecurityDomainItem 30
    erTenant 31
    erWorkflowDefinition 33
    SecurityDomain 31
  policy
    description 43
    erIdentityPolicy 43
    erPasswordPolicy 43
    erPolicyBase 43
    erPolicyItemBase 44
    erProvisioningPolicy 44
  service
    description 35
    erAccountItem 35
    erAttributeConstraint 35
    erChallenges 35
    erDSML2Service 36
    erDSMLInfoService 36
    erDynamicRole 37
    erHostedAccountItem 38
    erHostedService 38
    erHostSelectionPolicy 38
    erITIMService 38
    erJoinDirective 39
    erObjectCategory 39
    erObjectProfile 39
    erRemoteServiceItem 40
    erServiceItem 40
    erServiceProfile 41
    erSystemItem 41
    erSystemRole 41
    erSystemUser 42
contacting support vii
conventions, in publications viii

D
directory
  schema 24
  server log 3
documents
  accessibility vii
  accessing online vii
  IBM DB2 vi
  IBM Directory Server vi
  IBM HTTP Server vi
  Oracle vi
  related v, vi
  SQL Server 2000 vi
  Sun ONE Directory Server vi
  Web proxy server vi
  WebLogic Application Server vi
  WebSphere Application Server vi
  WebSphere embedded messaging support vi
domain entry 27

E
ensuring running processes
  HTTP server 8
  IBM Directory Server 9
  Sun ONE Directory Server 9
  WebSphere Application Server 8
  WebSphere embedded messaging support 8
erAccountItem class
  attributes 35
  description 35
erAttributeConstraint class
  attributes 35
  description 35
erBPOrg class
  attributes 27
  description 27
erBPOrgItem class
  attributes 27
  description 27
erBPPersonItem class
  attributes 27
  description 27
erChallenges class
  attributes 35
  description 35
erDictionary class
  attributes 28
  description 28
erDictionaryItem class
  attributes 28
  description 28
erDSML2Service class
  attributes 36
  description 36
erDSMLInfoService class
  attributes 36
  description 36
erDynamicRole class
  attributes 37
  description 37
erFormTemplate class
  attributes 28
  description 28
erHostedAccountItem class
  attributes 38
  description 38
erHostedService class
  attributes 38
  description 38
erHostSelectionPolicy class
  attributes 38
  description 38
erIdentityExclusion class
  attributes 28
  description 28
erIdentityPolicy class
  attributes 43
  description 43
erITIMService class
  attributes 38
  description 38
erJoinDirective class
  attributes 39
  description 39
erLocationItem class
  attributes 29
  description 29
erManagedItem class
  attributes 29
  description 29
erObjectCategory class
  attributes 39
  description 39
erObjectProfile class
  attributes 39
  description 39
erOrganizationItem class
  attributes 29
  description 29
erOrgUnitItem class
  attributes 30
  description 30
erPasswordPolicy class
  attributes 43
  description 43
erPersonItem class
  attributes 30
  description 30
erPolicyBase class
  attributes 43
  description 43
erPolicyItemBase class
  attributes 44
  description 44
erProvisioningPolicy class
  attributes 44
  description 44
erRemoteServiceItem class
  attributes 40
  description 40
erRole class
  attributes 30
  description 30
erSecurityDomainItem class
  attributes 30
  description 30
erServiceItem class
  attributes 40
  description 40
erServiceProfile class
  attributes 41
  description 41
erSystemItem class
  attributes 41
  description 41
erSystemRole class
  attributes 41
  description 41
erSystemUser class
  attributes 42
  description 42
erTenant class
  attributes 31
  description 31
erWorkflowDefinition class
  attributes 33
  description 33

H
HTTP server
  ensuring up and running 8

I
IBM DB2 documents vi
IBM Directory Server
  documents vi
  ensuring up and running 9
IBM HTTP Server documents vi
italic text viii

L
LISTDATA table 55
log
  audit trail 2
  description 1
  directory server 3
  installation 1
  properties 1
  Tivoli Identity Manager Server 2
  web server access 2

M
monospace text viii

N
NEXTVALUE table 49

O
Oracle documents vi

P
PASSWORD_TRANSACTION table 49
PENDING table 50
performance optimization table 55
prerequisite documents v
PROCESS table 46
PROCESSDATA table 47
PROCESSLOG table 47
publications
  accessibility vii
  accessing online vii
  conventions used in viii
  IBM DB2 vi
  IBM Directory Server vi
  IBM HTTP Server vi
  Oracle vi
  prerequisite v
  related vi
  SQL Server 2000 vi
  Sun ONE Directory Server vi
  Tivoli Identity Manager v
  Web proxy server vi
  WebLogic Application Server vi
  WebSphere Application Server vi
  WebSphere embedded messaging support vi

R
related documents v, vi
REMOTE_RESOURCES_RECON_QUERIES table 53
REMOTE_RESOURCES_RECONS table 52
REMOTE_SERVICES_REQUESTS table 52
RESOURCE_PROVIDERS table 51

S
SCHEDULED_MESSAGE table 54
scheduler
  definition 54
  SCHEDULED_MESSAGE table 54
SecurityDomain class
  attributes 31
  description 31
services
  database tables 51
  REMOTE_RESOURCES_RECON_QUERIES table 53
  REMOTE_RESOURCES_RECONS table 52
  REMOTE_SERVICES_REQUESTS table 52
  RESOURCE_PROVIDERS table 51
SQL Server 2000 documents vi
Sun ONE Directory Server
  documents vi
  ensuring up and running 9
support, contacting vii

T
troubleshooting
  data input 15
  18
  installation 5
  internal server errors 13
  remote communication 16
  start-up 5
  web browser 12

W
Web proxy server documents vi
web server access log 2
WebLogic Application Server documents vi
WebSphere Application Server
  ensuring up and running 8
  documents vi
WebSphere embedded messaging support
  documents vi
  ensuring up and running 8
workflow
  ACTIVITY table 48
  database tables 46
  NEXTVALUE table 49
  PASSWORD_TRANSACTION table 49
  PENDING table 50
  PROCESS table 46
  PROCESSDATA table 47
  PROCESSLOG table 47
  WORKITEM table 49
WORKITEM table 49
Program Number: 5724–C34
Printed in USA
SC32-1151-01
Recommended