IBM Tivoli Identity Manager
Problem Determination Guide
Version 4.5.1
SC32-1494-00

Note: Before using this information and the product it supports, read the information in "Notices," on page 67.

First Edition (February 2004)

This edition applies to version 4, release 5, modification 1 of IBM Tivoli Identity Manager (product number 5724–C34) and to all subsequent releases and modifications until otherwise indicated in new editions.

This edition replaces SC32–1151–01.

© Copyright International Business Machines Corporation 2004. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface
  Who Should Read This Book
  Publications
  Tivoli Identity Manager Library
  Prerequisite Product Publications
  Related Publications
  Accessing Publications Online
  Accessibility
  Contacting Software Support
  Conventions Used in this Book
  Typeface Conventions
  Operating System Differences
  Revision Bars used in the Version 4.5.1 Library
  Definitions for HOME Directory Variables
Chapter 1. Message Logging
  Using Event Log File Information
  Installation Log
  Audit Log for Completed Requests
  Tivoli Identity Manager Server Log
  Application Server Log
  Web Server Access Log
  Directory and Database Server Logs
  Error Notification Alerts
  Sample Appender
  Sample Appender Usage
Chapter 2. Solutions to Common Problems
  Installation and Start-up Problems
  Cannot Start the Server Installer
  Configuration Programs Appear to Hang
  Missing E-fix PQ76707 (WebSphere only)
  Installation Fails to Install enrole.ear File
  Cannot Start the Tivoli Identity Manager Server
  Cluster Installation: Cannot Log In To Server
  Datasource Connection Error
  Logon Problems (WebSphere environment)
  Required Processes Are Not Running
  Initial Logon and Change Password Fails
  GUI Problems
  Field Labels do not Wrap
  Web Browser Problems
  Web Browser Cannot See Any Web Pages
  Error - Current Workflow Design is Used by Others
  IBM Directory Server (IDS) Problems
  Connection Pool Exceeded: Directory Server Not Available
  Internal Server Problems
  Internal Server Error Message
  All Requests are Locked in Running State
  WebLogic-specific Problems
  WebLogic fails to start; no information in server log
  Tivoli Identity Manager Windows 2000 Service Fails to Start
  Data Input Problems
  Remote Communication Problems
  Tivoli Identity Manager Server Cannot Connect to IBM DB2
  Cannot Communicate with an Agent
  Agent Cannot Communicate with the Tivoli Identity Manager Server
  UnsatisfiedLinkError Exception when Server-agent Communication is Tested
  Missing CA Certificate
  Problems
  Cannot Send to Users
  Cannot Send to External Addresses
  Miscellaneous Problems
  New Attributes Do Not Display on Form
  Restoring the System Administration Account
  Cannot Delete an Organizational Unit (OU)
  Processes Hang in a Workflow
  Workflow Designer Classes Not Loading Correctly
  Add Account Request Fails with a NullPointerException
  NotLockedException thrown
  Uncommited Messages Count Error
  No Local Copy of JVM on WebSphere Application Server Network Deployment System
Chapter 3. Directory Server Schema and Class Reference
  Tivoli Identity Manager Directory Tree
  General Tivoli Identity Manager Classes
  erBPPersonItem
  erBPOrg
  erBPOrgItem
  erDictionary
  erDictionaryItem
  erFormTemplate
  erIdentityExclusion
  erLocationItem
  erManagedItem
  erOrganizationItem
  erOrgUnitItem
  erPersonItem
  erRole
  erSecurityDomainItem
  SecurityDomain
  erTenant
  erWorkflowDefinition
  Service Classes
  erAccountItem
  erAttributeConstraint
  erChallenges
  erDSMLInfoService
  erDSML2Service
  erDynamicRole
  erHostedAccountItem
  erHostedService
  erHostSelectionPolicy
  erITIMService
  erJoinDirective
  erObjectCategory
  erObjectProfile
  erRemoteServiceItem
  erServiceItem
  erServiceProfile
  erSystemItem
  erSystemRole
  erSystemUser
  Policy Classes
  erIdentityPolicy
  erPasswordPolicy
  erPolicyBase
  erPolicyItemBase
  erProvisioningPolicy
Chapter 4. Database Tables
  Workflow Tables
  PROCESS Table
  PROCESSLOG Table
  PROCESSDATA Table
  ACTIVITY Table
  WORKITEM Table
  PASSWORD_TRANSACTION Table
  NEXTVALUE Table
  PENDING Table
  Services Tables
  RESOURCE_PROVIDERS Table
  REMOTE_SERVICES_REQUESTS Table
  REMOTE_RESOURCES_RECONS Table
  REMOTE_RESOURCES_RECON_QUERIES Table
  SCHEDULED_MESSAGE Table
  LISTDATA Table
  AUTH_KEY Table
Appendix. Notices
  Trademarks
Glossary
Index

Preface

Welcome to the IBM® Tivoli® Identity Manager Problem Determination Guide.

Problem determination is a process of determining why a certain product is not functioning in the expected manner. This guide provides information about resources and techniques to aid in the identification and resolution of problems related to IBM Tivoli Identity Manager. This guide also enables administrators to quickly look up Tivoli Identity Manager directory server schema and IBM DB2® database table information related to the Tivoli Identity Manager server.

Who Should Read This Book

This manual is intended for system and security administrators who install, maintain, or administer software on their site's computer systems. Readers are expected to understand system and security administration concepts. Additionally, the reader should understand administration concepts for the following:
- Directory server
- Database server
- WebSphere® embedded messaging support
- WebSphere Application Server or WebLogic
- IBM HTTP Servers

Publications

Read the descriptions of the Tivoli Identity Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Tivoli Identity Manager Library

The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories:
- Release Information
- Online User Assistance
- Server Installation
- Administration and Configuration
- Technical Supplements
- Agent Installation

Release Information:
- IBM Tivoli Identity Manager Release Notes
  Provides software and hardware requirements for Tivoli Identity Manager, and additional fix, patch, and other support information.
- Tivoli Identity Manager Read This First Card

Online User Assistance:
- Online user assistance for Tivoli Identity Manager
  Provides integrated online help topics for all Tivoli Identity Manager administrative tasks.

Server Installation:
- IBM Tivoli Identity Manager Server Installation Guide on UNIX and Linux using WebSphere
  Provides installation information for Tivoli Identity Manager.
- IBM Tivoli Identity Manager Server Installation Guide on Windows using WebSphere
  Provides installation information for Tivoli Identity Manager.
- IBM Tivoli Identity Manager Server Installation Guide on UNIX using WebLogic
  Provides installation information for Tivoli Identity Manager.
- IBM Tivoli Identity Manager Server Installation Guide on Windows 2000 using WebLogic
  Provides installation information for Tivoli Identity Manager.

Administration and Configuration:
- IBM Tivoli Identity Manager Policy and Organization Administration Guide
  Provides topics for Tivoli Identity Manager administrative tasks.
- IBM Tivoli Identity Manager End User Guide
  Provides beginning user information for Tivoli Identity Manager.
- IBM Tivoli Identity Manager Configuration Guide
  Provides configuration information for single-server and cluster Tivoli Identity Manager configurations.

Technical Supplements:
- IBM Tivoli Identity Manager Problem Determination Guide
  Provides additional problem solving information for the Tivoli Identity Manager product.

Agent Installation:
- The Tivoli Identity Manager technical documentation library also includes an evolving set of platform-specific installation documents for the Agent component of a Tivoli Identity Manager implementation.

Prerequisite Product Publications

To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager. Publications are available from the following locations:
- WebSphere Application Server
  http://www.ibm.com/software/webservers/appserv/support.html
  Note: The following brief list of Redbooks describes installing and configuring WebSphere Application Server and providing additional security. Although the list was current when this publication went to production, publications may become obsolete. Contact your customer representative for a recommended list of resource information.
  – IBM WebSphere Application Server V5.0 System Management and Configuration, an IBM Redbook
  – IBM WebSphere Application Server V5.0 Security, an IBM Redbook
- WebLogic Server
  http://e-docs.bea.com/
- Database servers
  – IBM DB2
    http://www.ibm.com/software/data/db2/udb/support.html
    http://www.ibm.com/software/data/db2
  – Oracle
    http://otn.oracle.com/tech/index.html
  – Microsoft SQL Server 2000 (SP3)
    http://msdn.microsoft.com/library/
- Directory server applications
  – IBM Directory Server
    http://www.ibm.com/software/network/directory
  – Sun ONE Directory Server
    http://wwws.sun.com/software/products/directory_srvr/5.1/index.html
- WebSphere embedded messaging support (or IBM MQSeries)
  http://www.ibm.com/software/ts/mqseries
- Web Proxy Server
  – IBM HTTP Server
    http://www.ibm.com/software/webservers/httpservers/library.html
  – Microsoft IIS HTTP Server
    http://www.microsoft.com/technet/prodtechnol/iis/default.asp
  – Apache HTTP Server
    http://httpd.apache.org/docs-project

Related Publications

Information related to Tivoli Identity Manager Server is available in the following publications:
- The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/library/
- The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page at:
  http://www.ibm.com/software/tivoli/library/

Accessing Publications Online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both in the Tivoli software library:
http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the library page. Then, locate and click the name of the product on the Tivoli software information center page.

Product publications include release notes, installation guides, user's guides, administrator's guides, and developer's references.

Note: To ensure proper printing of publications, select the Fit to page check box in the Adobe Acrobat window (which is available when you click File → Print).

Accessibility

The product documentation includes the following features to aid accessibility:
- Documentation is available in both HTML and convertible formats to give the maximum opportunity for users to apply screen-reader software.
- All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Contacting Software Support

Before contacting IBM Tivoli Software Support with a problem, refer to the IBM Tivoli Software Support site by clicking the Tivoli support link at the following Web site:
http://www.ibm.com/software/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site:
http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:
- Registration and eligibility requirements for receiving support
- Telephone numbers, depending on the country in which you are located
- A list of information you should gather before contacting customer support

Conventions Used in this Book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface Conventions

The following typeface conventions are used in this reference:

Bold
    Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.
Italic
    Variables, titles of publications, and special words or phrases that are emphasized are in italic.
Monospace
    Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

Operating System Differences

This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Revision Bars used in the Version 4.5.1 Library

The Tivoli Identity Manager version 4.5.1 technical documentation library makes use of revision bar characters to indicate where technical changes have occurred to the information previously found in the version 4.5 library. Revision bars are indicated by a vertical line (|) in the page margin to the left of the change.

Definitions for HOME Directory Variables

The following table contains the default definitions used in this document to represent the "HOME" directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.

Path Variable    Default Definition
ITIM_HOME        Windows: c:\itim45\
                 UNIX: /itim45/
WAS_HOME         Windows: C:\Program Files\WebSphere\AppServer\
                 UNIX: /opt/WebSphere/AppServer/
WAS_NDM_HOME     Windows: C:\Program Files\WebSphere\DeploymentManager\
                 UNIX: /opt/WebSphere/DeploymentManager/
BEA_HOME         Windows: c:\bea\
                 UNIX: /usr/local/bea/

Chapter 1. Message Logging

Tivoli Identity Manager allows you to use event log files to help identify where failures occur within the system.

Section topics:
- "Using Event Log File Information"
- "Installation Log"
- "Audit Log for Completed Requests"
- "Tivoli Identity Manager Server Log"
- "Application Server Log"
- "Web Server Access Log"
- "Directory and Database Server Logs"
- "Error Notification Alerts"

Using Event Log File Information

Tivoli Identity Manager has logging features that log system events during specific transactions. You can refer to the information contained in log files to facilitate isolating and debugging system problems. There are several types of event logging available:
- Installation log
- Audit log for completed requests
- Tivoli Identity Manager Server log
- Application server log
- Web server access log
- Directory and database server logs

Tivoli Identity Manager uses the log4j libraries and has expanded logging capabilities. For more information about the features using the log4j libraries, refer to http://jakarta.apache.org/log4j and follow the link to the Log4J project.

Standard Tivoli Identity Manager logging properties are located in the enRoleLogging.properties file. For more information about the Tivoli Identity Manager logging properties, refer to the IBM Tivoli Identity Manager Configuration Guide.

Installation Log

Verbose logging to the console can be enabled for the installer and configuration programs (DBConfig, LdapConfig, and RunConfig) during installation. To enable logging during installation, type the following at the prompt:

UNIX (AIX and Solaris):
    # LAX_DEBUG=true
    # export LAX_DEBUG

Windows:
    MSDOS> set LAX_DEBUG=true

Note: These commands should be run using the administrator account. The administrator account should use a Bourne shell or Windows command prompt.

Installation log files are stored in the ITIM_HOME/install_logs directory.

Audit Log for Completed Requests

The audit log for completed requests performed by the Tivoli Identity Manager GUI can be helpful in tracking down problems with agent communication, policy enforcement, and request approval. Audit logs are accessible from the Tivoli Identity Manager GUI.

For example, if you request a new account for a service where a Tivoli Identity Manager Agent is currently not running, a message is displayed and logged by the Tivoli Identity Manager GUI indicating that the connection was refused.

Audit records can be found by using the Tivoli Identity Manager GUI.
1. Select the Home tab on the Navigation bar.
2. Select View Completed Requests from the Task Bar.
3. Click the Request Details icon found on the left of each audit record row. The Request header page appears for that record.
4. Click the Audit Log tab.
5. Click the Request Details icon found on the left of the audit record row.

A user belonging to the "Administrator" ITIM group has the correct access rights to view all available audit records on the system.

Refer to the IBM Tivoli Identity Manager Policy and Organization Administration Guide for more information on setting the audit log option.

Tivoli Identity Manager Server Log

The Tivoli Identity Manager server logs all enterprise application activities in this log file. It contains Tivoli Identity Manager application WARNING and ERROR messages by default and can be set to more verbose message logging for debugging purposes.

The Tivoli Identity Manager server log file is located at:

WebSphere:
    WAS_HOME/logs/itim.log
WebLogic:
    BEA_HOME/user_projects/itim/logs

Refer to the IBM Tivoli Identity Manager Configuration Guide for more information on configuring the Tivoli Identity Manager server log using the system configuration tool (runConfig).

Application Server Log

The log files of the application server used by Tivoli Identity Manager (WebSphere Application Server or WebLogic Application Server) can provide useful troubleshooting information. The application server log files are located at:

WebSphere:
    WAS_HOME/logs
WebLogic:
    BEA_HOME/user_projects/itim/logs

Web Server Access Log

The HTTP proxy (Web) server tracks all HTTP and HTTPS requests made from clients.
- For the IBM HTTP Server, refer to the IBM HTTP Server documentation for more information. Go to the following Web site:
  http://www.ibm.com/software/webservers/httpservers/library.html
- For the Microsoft Internet Information Services (IIS) HTTP Server, refer to the Microsoft IIS documentation for more information. Go to the following Web site:
  http://www.microsoft.com/technet/prodtechnol/iis
- For the Apache HTTP Server, refer to the Apache HTTP Server documentation for more information. Go to the following Web site:
  http://httpd.apache.org/docs-project

Directory and Database Server Logs

The directory server (IBM Directory Server or Sun ONE Directory Server) logs directory requests into separate log files. The location of these files is specified when you install the directory server.

The database server (IBM DB2 UDB, Oracle 8i Database, or Microsoft SQLServer) logs database requests into its own log files. The location of these files is specified when you install the database server.

Error Notification Alerts

By default, the Tivoli Identity Manager server sends all logging events and error messages to the WebSphere Application Server for tracking. However, since the Tivoli Identity Manager server uses log4j to log events, the system can be modified to send notifications to system administrators by adding or modifying the appender component of log4j. log4j provides a number of appender classes; each class uses JavaBean style getter and setter methods to configure its properties.

Refer to the following log4j Web site for more information about log4j and its components:
http://jakarta.apache.org/log4j

Note: The log4j documentation is in JavaDoc format. You must be familiar with JavaDoc format to be able to navigate through the log4j documentation.

The logging properties are defined in the enRoleLogging.properties file. The following example describes how to configure the logging features in the Tivoli Identity Manager server to send notifications when a fatal error is detected.

Sample Appender

Log4j uses an SMTP Appender to send error messages to addresses. Therefore, an SMTP Appender must be defined before log4j can be configured to send notifications. The following is an example SMTP appender:

    #SMTP Appender used to send errors to addresses.
    log4j.appender.EMAIL=org.apache.log4j.net.SMTPAppender
    log4j.appender.EMAIL.SMTPHost=enablemailserv
    log4j.appender.EMAIL.BufferSize=50
    log4j.appender.EMAIL.layout=org.apache.log4j.PatternLayout
    log4j.appender.EMAIL.layout.ConversionPattern=<%d> [%t] <%c> %m \n

This example includes the following:

    Name of the new appender and the appender is defined as type SMTPAppender.
SMTPHost
    Name of server to use when sending the message.
To
    Address that receives the error messages.
BufferSize
    Number of events from an event log that is sent in the message. If the BufferSize is not defined, the default value is 512.
layout, layout.ConversionPattern
    Required classes. These two classes define what is displayed in the message. The sample above displays the date, the name of the thread that generated the logging event, the logging event's category, the message associated with the logging event that the Tivoli Identity Manager server generated, and a line feed.

Sample
Appender
Usage
The
sample
appender
is
called
by
defining
the
category
setup
to
use
the
appender.
The
following
is
an
example
of
how
the
previous
sample
appender
can
be
used:
log4j.rootCategory=FATAL,
log4j.category.com.ibm.enrole=INFO
log4j.additivity.com.ibm.enrole=false

Each of these lines specifies where an error message is sent. The basic format for each of these lines is:

category=priority, appender

where:

category
    Name of the category

priority
    Level or priority of errors to log

    The priority is an optional setting. The priority can be left blank, set to INHERIT, or explicitly defined. If no priority is defined, the default priority setting is DEBUG. If the priority is set to INHERIT, the priority level is set to the same level as the parent category’s priority. The priority can also be explicitly defined using one of the following terms:

    INFO
        Designates informational messages that highlight the progress of the application at a coarse-grained level.
    WARN
        Designates potentially harmful situations.
    ERROR
        Designates error events that still allow the application to continue running but fail the process.
    FATAL
        Designates severe error events that lead to failure of the application.

appender
    Name of the appender to use for the specified errors. More than one appender can be used by listing the appenders and separating each appender by a comma (,).

Refer to the log4j Web site for additional information on the priority levels.

The example lines include the following:

- log4j.rootCategory=FATAL,
  This line specifies that all error messages of priority FATAL will use the appender to log errors. Because the appender specifies that errors using it must be e-mailed to a specific address, all FATAL error messages are e-mailed to the designated address. If this line is the only line defined for the category, all other error messages would also be logged using the appender since this is the root category.
- log4j.category.com.ibm.enrole=INFO
  This line specifies that all error messages of priority INFO will use the WebSphere appender to log errors. The WebSphere appender is predefined in the software and is the default appender used for all error messages. This line further defines the granularity of the logging. However, this line also inherits the rootCategory properties unless the additivity is false.
- log4j.additivity.com.ibm.enrole=false
  This line allows specific granularity of logging by letting priority INFO messages be sent to WebSphere appender without being sent to appender. The additivity defines whether or not one class inherits the properties of its parent class. If the additivity was set to "true" or not defined, INFO errors would inherit the properties of the rootCategory.

Additional granularity of logging can be defined by defining additional appenders and specifying additional category usages. Additional categories are available in the enRoleLogging.properties file. These categories are currently commented out.
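
The category, priority and additivity rules described above can be checked with a small resolver that reports which appenders receive a given event. This is an added example, not code from this guide or from log4j; the appender names after each comma in the sample (EMAIL, WebSphere) and the child category com.ibm.enrole.sample are assumptions, and per-appender thresholds are not modelled.

```python
# Added example: resolve where an event goes under the category=priority,appender
# rules described above. Not part of the guide or of log4j itself.

LEVELS = {"DEBUG": 10, "INFO": 20, "WARN": 30, "ERROR": 40, "FATAL": 50}

# Constructed sample. The appender names after each comma are assumptions.
SAMPLE = """\
log4j.rootCategory=FATAL, EMAIL
log4j.category.com.ibm.enrole=INFO, WebSphere
log4j.additivity.com.ibm.enrole=false
"""


def parse(text):
    """Return {category: {"level", "appenders", "additive"}}; "" is the root."""
    cats = {}

    def cat(name):
        return cats.setdefault(
            name, {"level": None, "appenders": [], "additive": True})

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "log4j.rootCategory":
            name = ""
        elif key.startswith("log4j.category."):
            name = key[len("log4j.category."):]
        elif key.startswith("log4j.additivity."):
            name = key[len("log4j.additivity."):]
            cat(name)["additive"] = value.lower() != "false"
            continue
        else:
            continue  # appender definitions are not needed for routing
        fields = [f.strip() for f in value.split(",")]
        level = fields[0].upper()
        entry = cat(name)
        # A blank or INHERIT priority means "use the parent's priority".
        entry["level"] = level if level in LEVELS else None
        entry["appenders"] = [f for f in fields[1:] if f]
    cat("")  # the root category always exists
    return cats


def ancestors(name):
    """Yield the category, then each dotted parent, ending with the root."""
    while name:
        yield name
        name = name.rpartition(".")[0]
    yield ""


def effective_level(cats, name):
    """Priority of the nearest category (self or parent) that defines one."""
    for n in ancestors(name):
        level = cats.get(n, {}).get("level")
        if level:
            return level
    return "DEBUG"  # default stated above when no priority is defined


def destinations(cats, name, event_level):
    """Appenders that receive an event of event_level logged by category name."""
    if LEVELS[event_level] < LEVELS[effective_level(cats, name)]:
        return []  # below the category's priority: the event is dropped
    out = []
    for n in ancestors(name):
        entry = cats.get(n)
        if entry is None:
            continue
        out.extend(a for a in entry["appenders"] if a not in out)
        if not entry["additive"]:
            break  # additivity=false: the parent's appenders are not used
    return out


if __name__ == "__main__":
    cats = parse(SAMPLE)
    print(destinations(cats, "com.ibm.enrole.sample", "INFO"))
    # Same file with additivity left at its default of true:
    print(destinations(parse(SAMPLE.replace("=false", "=true")),
                       "com.ibm.enrole.sample", "INFO"))
```

With additivity left at true, the second call shows INFO events from com.ibm.enrole also reaching the root category's appender, which is the inheritance the additivity=false line switches off.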

Chapter 2. Solutions to Common Problems

Before listing some of the common Tivoli Identity Manager problems, it is worthwhile to mention that most common problems are the result of installation and configuration problems such as:

- Failure to install all of the software required by the Tivoli Identity Manager product. This required software can include:
  – Operating system software
  – Operating system patches
  – Prerequisite software products
  – Prerequisite software product patches
- Failure to install the correct level of any of the software above
- Failure to install all of the required software components for any given type of Tivoli Identity Manager system
- Failure to install or configure any of the above items properly
- Failure to adhere to all hardware prerequisites

The information contained within the Tivoli Identity Manager technical documentation, including the latest version of the IBM Tivoli Identity Manager Release Notes, is your best defense against the occurrence of any problems.

Section topics:

- “Installation and Start-up Problems”
- “Logon Problems (WebSphere environment)”
- “GUI Problems”
- “Web Browser Problems”
- “IBM Directory Server (IDS) Problems”
- “Internal Server Problems”
- “WebLogic-specific Problems”
- “Data Input Problems”
- “Remote Communication Problems”
- “Problems”
- “Miscellaneous Problems”

Installation and Start-up Problems

This section describes commonly encountered installation and start-up problems. The following is a list of common installation and start-up problems:

- “Cannot Start the Server Installer”
- “Configuration Programs Appear to Hang”
- “Missing E-fix PQ76707 (WebSphere only)”
- “Installation Fails to Install enrole.ear File”
- “Cannot Start the Tivoli Identity Manager Server”
- “Cluster Installation: Cannot Log In To Server”
- “Datasource Connection Error”

Cannot Start the Server Installer

If you cannot install the Tivoli Identity Manager server, enable installation logging and check the log. Refer to “Installation Log” on page 1. Check the following:

- $DISPLAY variables
- Authorization to the X server
- File permissions
- Disk capacity

A common mistake is to log into the desktop, switch to another user, and try to install the Tivoli Identity Manager Server without enabling X server permission and setting the $DISPLAY variable.

The JAVA_HOME directory could be incorrectly set or be using the wrong version of the JDK. Verify that the JAVA_HOME directory is correct and that the JDK is version 1.3.1.

Configuration Programs Appear to Hang

If the database or directory server configuration program appears to stop, minimize the configuration user interface windows and other windows. A secondary window may be hiding behind other windows, waiting for response for the next step.

Missing E-fix PQ76707 (WebSphere only)

During installation, an installation dialog reports that the system does not have WebSphere Application Server e-fix PQ76707 installed. The dialog incorrectly lists e-fix PQ76707. The correct e-fix to apply is PQ77263.

Installation Fails to Install enrole.ear File

Configuration: Tivoli Identity Manager with WebSphere Application Server base

If the enrole.ear file fails to install during installation, a popup window will appear informing you of the failure and the installation will continue. However, the application will not start and you will not be able to log on to Tivoli Identity Manager because the application failed to install properly. To correct the problem, complete the following procedures:

1. Open a command prompt window on the system that failed to install the enrole.ear file.
2. Change to the ITIM_HOME/bin directory.
3. Execute the SetupEnrole application with the install parameter. The following line is an example of the command to execute:
       ITIM_HOME/bin> SetupEnrole install
   This will install the enrole.ear file in the proper directory.
4. Log on to the WebSphere Application Server Network Deployment Manager and open the administration console.
5. Verify that the changes are seen by the Network Deployment Manager by selecting Environment->Update Web Server Plugin.
6. Save and synchronize the changes with all nodes.
7. Start the Tivoli Identity Manager Server by selecting Enrole under Enterprise Applications in the administration console and click Start.

Cannot Start the Tivoli Identity Manager Server

If you cannot start the Tivoli Identity Manager server, enable logging to the console. Use the following command to check whether any of the processes started:

    ps -ef | grep java

If none of the processes have started, check the environment variables, including the JAVA_HOME directory and the ITIM_HOME directory, in the startserver file. Also, verify that the log is owned by the Tivoli Identity Manager user account and not the root account. If the log is owned by the root account, the system will not be able to start from the Tivoli Identity Manager user account.

If the Tivoli Identity Manager Server did start, check the server log for errors and check file permissions. If the server does not have permission to read library files, the server will fail. If the server is started with a user other than root, it will not be able to listen for connection requests on ports 80 and 443.

Cluster Installation: Cannot Log In To Server

If you receive the following error message when starting a Tivoli Identity Manager Server, you may not have the correct system configuration or you may have a corrupt file.

    ...ConfigurationWarning: No server target found for application, enRole...

To resolve this exception, complete the following procedures. Be sure to stop and start the Tivoli Identity Manager Server after each procedure to test whether the problem has been fixed.

1. Source the db2profile file. If the node agents in the cluster are started before the db2profile is sourced, the WebSphere-based applications cannot connect to the data source and throw an Unsatisfied Link exception. To source the db2profile, complete the following procedures:
   a. Log on to the machine with Network Deployment Manager (which has a copy of the DB2 client installed).
   b. Type the following command in a command prompt window:
          # . /db2InstanceHome/sqllib/db2profile
   c. Verify that the profile was sourced by typing the following command in the command prompt window:
          # set | grep -i db2
      If the db2profile file was sourced successfully, you will see a display similar to the following:
          CLASSPATH=/home/db2inst1...
          DB2DIR=/usr/lpp/db2_07_01
          DB2INSTANCE=db2inst1
2. Update the httpd.conf file to pick up the plugin-cfg.xml file from the Network Deployment Manager. To update the httpd.conf file, complete the following procedures:
   a. Back up the httpd.conf file. The httpd.conf file is located in the http_server/conf directory.
   b. Open the httpd.conf file in a text editor.
   c. Add the following lines to the end of the file:
          #WebSphere plugin settings
          LoadModule ibm_app_server_http_module WAS_HOME/bin/mod_ibm_app_server_http.so
          WebSpherePluginConfig WAS_NDM_HOME/config/cells/plugin-cfg.xml
   d. Save and close the file.
3. Uninstall and re-install the enrole.ear file on the WebSphere Administration Console. Refer to the WebSphere documentation for detailed information on using the WebSphere Administration Console.
4. Edit the server.xml file in the WAS_HOME/DeploymentManager/config/cells/<Network_Name>/nodes directory to correctly refer to the cluster names. The server.xml file may be corrupt and incorrectly refer to the cluster names. To correct this issue, complete the following procedures:
   a. Back up the server.xml file.
   b. Open the server.xml file in a text editor.
   c. Find the line that begins with xmi:id="Server_1" in the process:server tag. For example:
          xmi:id="Server_1" name="server1" clusterName="MyCluster"
   d. Modify the clusterName value to match the name of your cluster. If clusterName is not an existing attribute, add the clusterName attribute and its corresponding value to the end of the line.
   e. Save and close the file.

Datasource Connection Error

Configuration: Tivoli Identity Manager using WebSphere Application Server

After installing Tivoli Identity Manager, it is recommended that you test the Java Database Connectivity (JDBC) driver connections using the WebSphere Administration Console. While checking the datasource connections, if the connection fails, you will see the following error if the variables.xml file is missing:

    java.io.FileNotFoundException:WAS_HOME/config/cells/ITIMMIX45CELL/nodes/<serverName>/servers/<serverName>/variables.xml

If you encounter this error, you will need to create a variables.xml file for the node that returns the error. Complete the following procedures to create this file:

1. Log on to the WebSphere Application Server Network Deployment Manager and open the administration console, if it is not already open.
2. Go to the Environment -> Manage WebSphere Variables menu.
3. Select the node and server scope for the server with the connection problem.
4. Create a new dummy variable. Creating a dummy variable creates a variables.xml file for the selected server.

Logon Problems (WebSphere environment)

You may not be able to log on to Tivoli Identity Manager for a variety of reasons. For example, you may be using a non-supported Web browser. For a list of supported browsers, refer to the IBM Tivoli Identity Manager Release Notes. A number of other processes may also impact your access to Tivoli Identity Manager.

The following is a list of commonly encountered problems that can cause logging on to Tivoli Identity Manager (in a WebSphere environment) to fail:

- “Required Processes Are Not Running”
- “Initial Logon and Change Password Fails”

Required Processes Are Not Running

To determine if the required WebSphere-related processes are running, check the following:

- “Is the HTTP Server Running?”
- “Is WebSphere Application Server (server1) Running?”
- “Is WebSphere Embedded Messaging Support Running?”
- “Is the Directory Server Running?”

Is the HTTP Server Running?

Is the HTTP server running? Type the following:

    # ps -ef | grep httpd

You should observe that approximately a half dozen HTTP processes are running. If the HTTP server process is not running, start the server by referring to the server start and stop procedures in the technical documentation for the appropriate version of the IBM HTTP Server:

http://www.ibm.com/software/webservers/httpservers/library.html

Is WebSphere Application Server (server1) Running?

Is the server1 WebSphere Application Server running? Type the following:

    <WAS_INSTALLDIR>/serverStatus.sh -all

You should observe a server1 java process running. If not found, start the process by typing:

    <WAS_INSTALLDIR>/bin/startServer.sh server1

Additionally, examine the <WAS_INSTALLDIR>/logs/server1 and <WAS_INSTALLDIR>/logs/itim.log files for entries that indicate the startup status of server1.

Is WebSphere Embedded Messaging Support Running?

WebSphere embedded messaging support must be running. The following WebSphere MQ commands are useful to determine problems with the WebSphere embedded messaging support used in cluster configurations. For additional information, refer to the WebSphere MQ administration information provided by the WebSphere Application Server.

dspmq
    Displays the queue manager for WebSphere Application Server. For example:
        QMNAME(WAS_hostname_server1) STATUS(Running)

runmqsc qmgrname
    Starts the IBM MQSeries script tool. Within this environment, you can issue subcommands such as DISPLAY QMGR. Use DISPLAY QUEUE(*) for queue details. Use CURDEPTH to display the number of messages in the queue. Compare the value of CURDEPTH and MAXDEPTH to determine if the queue is full, which indicates the messages in the queue are not being processed.

Is the Directory Server Running?

This section describes how to determine whether or not the installed directory server for Tivoli Identity Manager is running.

- “IBM Directory Server”
- “Sun ONE Directory Server”

IBM Directory Server:

Determine if an IBM Directory Server process is running by typing the following on the computer on which the directory server is installed:

    # ps -ef | grep slapd

If IBM Directory Server is running, a process ID (PID) number is returned. If a PID number is not returned, refer to the server start and stop procedures in the technical documentation for the appropriate version of the IBM Directory Server:

http://www.ibm.com/software/network/directory

You should now observe a process ID for IBM Directory Server.

Sun ONE Directory Server:

Determine if a Sun ONE Directory Server process is running by typing the following on the computer on which the directory server is installed:

    # ps -ef | grep slapd

If Sun ONE Directory Server is running, a process ID (PID) number is returned. If a PID number is not returned, refer to the server start and stop procedures in the technical documentation for the appropriate version of the Sun ONE Directory Server:

http://www.ibm.com/software/network/directory

You should now observe a process ID for Sun ONE Directory Server.

Initial Logon and Change Password Fails

Configuration: Tivoli Identity Manager with WebSphere Application Server base in a functional cluster

In some cases, you can log on to Tivoli Identity Manager and the system appears to work correctly. However, when you attempt to change the password, you receive a CORBA Exception on the screen. In addition, when you check the logs on the various nodes in the cluster, there are numerous IBM MQSeries errors. The first error listed is:

    <FATAL:com.ibm.itim.messaging.MessageManagerListener>JMSException on queue queue:///WQ_itim_wf?persistence=2
    javax.jms.InvalidDestinationException: MQJMS2008: failed to open MQ queue ...

Note: Not all nodes in the cluster will have this error. You must identify the node or nodes that have this error listed in the log files.

If you encounter this problem, complete the following procedures on the node with the error message to verify that the Tivoli Identity Manager queues are installed in IBM MQSeries properly:

1. Log on to the IBM MQSeries queue manager.
2. Execute the following command:
       dspmq
   This command should be run from a command line prompt and displays the status of the jmsserver queue manager. The status for the queue manager should be "Running".
   Note: Make note of the jmsserver queue manager name. Typically, the name is in the following format: WAS_<nodename>jmsserver.
3. Execute the following command:
       runmqsc queue_manager
   queue_manager should match the name of the jmsserver queue manager found in the previous procedures. This command starts the queue manager’s command line processor.
4. Execute the following command:
       display ql(*)
   This command displays all of the local queues created on the queue manager. If the Tivoli Identity Manager queues are missing, there is a problem with the setup. Continue with the following procedures if the Tivoli Identity Manager queues are not listed.
5. Log on to the WebSphere Application Server Network Deployment Manager and open the administration console.
6. Click Resources > WebSphere JMS Provider in the administration console.
7. Select the node and server scope and click Apply.
8. Click WebSphere Queue Connection Factories.
9. Delete the queue connection factory named "ITIM Queue Connection Factory" and save the configuration.
10. Select Synchronize with nodes.
11. Click WebSphere Queue Destinations under the WebSphere JMS Provider node.
12. Delete all of the Tivoli Identity Manager queue destinations and save the configuration.
13. Click Servers > JMS Servers.
14. Click JMS Server for the node that has the problem and delete the queue names defined on that JMS Server.
15. Save the configuration.
16. Log on to the Tivoli Identity Manager node with the problem.
17. Run the system configuration tool with the install option by executing the following command in a command line window:
        runConfig install
    The system configuration tool opens.
18. Verify that the information on all tabs is correct. The values listed should match the values initially input during the installation process.
19. Save the configuration by clicking OK.
20. Restart the Tivoli Identity Manager Server.

If you have additional questions regarding this problem, please contact IBM Tivoli Software Support.
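
The two queue checks described above, comparing CURDEPTH with MAXDEPTH under “Is WebSphere Embedded Messaging Support Running?” and confirming in step 4 that the expected queues are listed, can be run over captured runmqsc output. This is an added example, not code from the guide; the sample output is constructed, and only the queue name WQ_itim_wf is taken from the error message quoted above.

```python
# Added example: analyse saved runmqsc DISPLAY output for full or missing
# queues. Not part of the guide; sample data below is constructed.
import re

# Constructed sample of DISPLAY QUEUE(*) CURDEPTH MAXDEPTH output.
# WQ_itim_wf comes from the guide; the EXAMPLE.* names are made up.
SAMPLE_OUTPUT = """\
     1 : DISPLAY QUEUE(*) CURDEPTH MAXDEPTH
AMQ8409: Display Queue details.
   QUEUE(WQ_itim_wf)                       TYPE(QLOCAL)
   CURDEPTH(5000)                          MAXDEPTH(5000)
AMQ8409: Display Queue details.
   QUEUE(EXAMPLE.PENDING)                  TYPE(QLOCAL)
   CURDEPTH(12)                            MAXDEPTH(5000)
AMQ8409: Display Queue details.
   QUEUE(EXAMPLE.ALIAS)                    TYPE(QALIAS)
One MQSC command read.
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")   # KEYWORD(value) pairs
ECHO = re.compile(r"^\s*\d+ : ")            # runmqsc echoes each command typed


def parse_queues(text):
    """Return {queue_name: {attribute: value}} from runmqsc DISPLAY output."""
    queues, current = {}, None
    for line in text.splitlines():
        # A message line or an echoed command ends the current record. The
        # echo must be skipped or its QUEUE(*) would be read as a queue name.
        if line.startswith("AMQ") or ECHO.match(line):
            current = None
            continue
        for key, value in ATTR.findall(line):
            if key == "QUEUE":
                current = queues.setdefault(value.strip(), {})
            elif current is not None:
                current[key] = value.strip()
    return queues


def full_queues(queues, threshold=1.0):
    """Queues whose CURDEPTH has reached threshold * MAXDEPTH, sorted by name."""
    full = []
    for name, attrs in sorted(queues.items()):
        try:
            depth, maximum = int(attrs["CURDEPTH"]), int(attrs["MAXDEPTH"])
        except (KeyError, ValueError):
            continue  # alias and remote queues report no depth attributes
        if maximum > 0 and depth >= threshold * maximum:
            full.append(name)
    return full


def missing_queues(queues, expected):
    """Expected queue names that the listing does not contain."""
    return [name for name in expected if name not in queues]


if __name__ == "__main__":
    listing = parse_queues(SAMPLE_OUTPUT)
    print("full:", full_queues(listing))
    print("missing:", missing_queues(listing, ["WQ_itim_wf"]))
```

Pass a threshold below 1.0 to flag queues that are filling up before they reach MAXDEPTH.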

GUI Problems

This section describes commonly encountered problems involving the Tivoli Identity Manager GUI. The following is a list of common GUI problems:

- “Field Labels do not Wrap”

Field Labels do not Wrap

This problem pertains to customized panels of the Tivoli Identity Manager GUI. Panels affected can include the Modify Accounts, Create Accounts, and New Provisioning Policy. If custom labels, used to describe the input field areas, are created with lengthy text, the text does not wrap close to the left-hand border of the panel. Instead the label text stretches across the panel in a single line and pushes the input field areas to the right, and sometimes off the screen view.

If lengthy labels for input fields are required, you can enable text wrapping by modifying the enrole.xsl stylesheet file. This file is located in:

WebSphere:
    WAS_HOME\installedApps\MACHINE_NAME\enRole.ear\app_web.war\xsl\
WebLogic:
    BEA_HOME\user_projects\itim\applications\enrole\xsl\

Edit line 1393 of the enrole.xsl to comment out the nowrap="true" statement. For example:

    <!-- Check the formElement label attribute for a "$hidden" flag. The flag
         indicates that the formElement contains a hidden field, so we place it
         outside of the table rows -->
    <xsl:choose>
      <xsl:when test="boolean(@label='$hidden')">
        <xsl:apply-templates select="input"/>
      </xsl:when>
      <xsl:otherwise>
        <tr class="{$class}">
    line 1393 -> <td width="10%"> <!-- nowrap="true" -->
            <b class="formlabel">
              <xsl:value-of select="@label"/>
            </b>
          </td>

Save the file and reboot the Tivoli Identity Manager server.

Web Browser Problems

This section describes commonly encountered problems involving the Web browser. The following is a list of common Web browser problems:

- “Web Browser Cannot See Any Web Pages”
- “Error - Current Workflow Design is Used by Others”

Web Browser Cannot See Any Web Pages

If the Web browser cannot see any of the Tivoli Identity Manager Server Web pages, check the Web server access log. All the requests made to the WebSphere Application Server are logged in the access log. If the request is not listed in the access log, check the port number used to log into the WebSphere Application Server. If the port number is correct, there may be a problem with the network address translation.

Error - Current Workflow Design is Used by Others

If the following error appears when trying to access a workflow and no other users are modifying the workflow, the Jar Cache may still have a copy of the workflow.

    Current workflow design is used by others. Please try again later

Clear the Jar Cache by going into the Java Plugin Control panel, selecting the Cache tab, and clicking Clear Jar Cache. Close the browser window and open a new window. Use the new window to access the Tivoli Identity Manager system and modify the workflow, as desired.

IBM Directory Server (IDS) Problems

This section describes commonly encountered problems involving the IBM Directory Server (IDS). The following is a list of common IBM Directory Server (IDS) problems:

- “Connection Pool Exceeded: Directory Server Not Available”

Connection Pool Exceeded: Directory Server Not Available

Configuration: Tivoli Identity Manager with IBM Directory Server (IDS) 5.2 running on Windows.

By default, the IBM Directory Server (IDS) running on Windows only supports 64 concurrent connections. However, Tivoli Identity Manager data services uses LDAP connection pooling to establish up to 100 (default) simultaneous connections with the IDS. Because of the connection limitation on Windows, any connection attempts beyond 64 connections result in failed logons to Tivoli Identity Manager and a "Directory Server not available" error message. Additionally, when 64 connections are reached, you cannot use the IDS Web administration to manage the Tivoli Identity Manager server.

Workaround 1:

Reduce the default LDAP connection pooling property value to less than 64. The connection pool property is located in the enRole.properties configuration file:

    enrole.connectionpool.maxpoolsize

Additionally, you might need to adjust the enrole.connectionpool.initialpoolsize value. Refer to system properties file reference in the IBM Tivoli Identity Manager Configuration Guide for information on modifying these properties.

Workaround 2:

Set the following new environment variable in the Windows system environment:

    SLAPD_OCHANDLERS = number-of-threads

where one thread supports 64 connections.

Alternatively, you can edit the ibmslapd.conf file. Find the stanza:

    dn: cn=Front End, cn=Configuration

Add the following line to this stanza:

    ibm-slapdsetenv: SLAPD_OCHANDLERS=number-of-threads

Restart IDS.

Example:

The following example illustrates the appropriate connection pool settings for a Tivoli Identity Manager cluster with 2 members. To maintain the default connection pool parameters of 100 max connections and 50 initial connections, set the SLAPD_OCHANDLERS value to at least 4 threads to allow both cluster members to establish connections to IDS.
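
The sizing rule in the example above can be checked against the two configuration files before restarting IDS. This is an added example, not code from the guide; the file contents are constructed samples, it reads only the ibmslapd.conf form of the setting (not the Windows environment variable), and it assumes that an unset SLAPD_OCHANDLERS equals one thread, which follows from the 64-connection default stated above.

```python
# Added example: compare pool demand from enRole.properties with the
# connection capacity implied by SLAPD_OCHANDLERS in ibmslapd.conf.
import math
import re

CONNECTIONS_PER_THREAD = 64  # from the guide: one thread supports 64 connections
FRONT_END_DN = "cn=Front End, cn=Configuration"

# Constructed samples. Property keys and the Front End stanza name are the
# guide's; the values and the second stanza are made up for the example.
SAMPLE_PROPERTIES = """\
# LDAP connection pool
enrole.connectionpool.maxpoolsize=100
enrole.connectionpool.initialpoolsize=50
"""

SAMPLE_SLAPD_CONF = """\
dn: cn=Front End, cn=Configuration
cn: Front End
ibm-slapdsetenv: SLAPD_OCHANDLERS=3

dn: cn=Example Other Stanza, cn=Configuration
ibm-slapdsetenv: SLAPD_OCHANDLERS=9
"""

SETENV = re.compile(r"ibm-slapdsetenv:\s*SLAPD_OCHANDLERS\s*=\s*(\d+)\s*$", re.I)


def read_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def _norm_dn(dn):
    """Compare DNs without regard to case or spacing around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def ochandlers(conf_text, stanza_dn=FRONT_END_DN):
    """SLAPD_OCHANDLERS set in the named stanza, or 1 if it is not set there."""
    in_stanza = False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped:
            in_stanza = False          # a blank line ends the stanza
        elif stripped.lower().startswith("dn:"):
            in_stanza = _norm_dn(stripped[3:]) == _norm_dn(stanza_dn)
        elif in_stanza:
            match = SETENV.match(stripped)
            if match:
                return int(match.group(1))
    return 1  # assumption: unset means the default of 64 connections


def check_pool(props_text, conf_text, members):
    """Report whether all cluster members can open their full pools at once."""
    props = read_properties(props_text)
    # Defaults are the ones the guide gives: 100 max and 50 initial connections.
    max_pool = int(props.get("enrole.connectionpool.maxpoolsize", 100))
    initial = int(props.get("enrole.connectionpool.initialpoolsize", 50))
    capacity = ochandlers(conf_text) * CONNECTIONS_PER_THREAD
    demand = members * max_pool
    return {
        "demand": demand,
        "capacity": capacity,
        "threads_needed": math.ceil(demand / CONNECTIONS_PER_THREAD),
        "initial_ok": members * initial <= capacity,
        "ok": demand <= capacity,
    }


if __name__ == "__main__":
    print(check_pool(SAMPLE_PROPERTIES, SAMPLE_SLAPD_CONF, members=2))
```

For the two-member cluster in the guide's example the report gives threads_needed as 4, so the sample's value of 3 is flagged as too small.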

Internal Server Problems

This section describes commonly encountered internal server problems. The following is a list of commonly encountered internal server problems:

- “Internal Server Error Message”
- “All Requests are Locked in Running State”

Internal Server Error Message

If you encounter an internal server error, check the WebSphere server log and the WebSphere Application Server console. Verify that the servlets and Enterprise Java Beans have deployed using the WebSphere Application Server console.

The WebSphere Application Server console can be used to check the status of the Enterprise Java Beans deployment, database connection pool, and message queues. The WebSphere Application Server console can also be used to check additional configuration properties and queues. Access the WebSphere Application Server console at the following address:

http://<IPAddress>:9090/admin

All Requests are Locked in Running State

If all requests in the system seem to be stuck in the running state, the connection between the Tivoli Identity Manager Server and the directory server may have been lost or become corrupt. Check the server logs and look for any errors. In particular, look for the SERVER_NOT_AVAILABLE error. Restart the directory server and then restart the Tivoli Identity Manager server.

WebLogic-specific Problems

This section describes commonly encountered problems related to WebLogic. The following is a list of these problems:

- “WebLogic fails to start; no information in server log”
- “Tivoli Identity Manager Windows 2000 Service Fails to Start”

WebLogic fails to start; no information in server log

The information may have been sent to the console. Perform the following steps to display the output to the console:

UNIX:

1. Locate the startup script:
       ITIM_HOME/itim.sh
2. There are two lines in itim.sh that contain nohup and > /dev/null &. Edit the first line to remove these commands if your installation is a single server. Edit the second line to remove these commands if your installation is a cluster.
3. Start the Tivoli Identity Manager server again:
       # sh itim.sh start

Windows 2000:

1. Stop the Tivoli Identity Manager service.
2. Start the server interactively:
       ITIM_HOME/bin/itim.cmd

Tivoli Identity Manager Windows 2000 Service Fails to Start

If the Tivoli Identity Manager Windows 2000 service fails to start or does not start properly, try to uninstall and reinstall the service:

1. Uninstall the service:
       ITIM_HOME/bin/uninstallItimService.cmd
2. Reinstall the service:
       ITIM_HOME/bin/installItimService.cmd

Data Input Problems

Data input problems typically occur when users define custom data structures in the directory structure or when users recently installed new Tivoli Identity Manager Agents. If you cannot input data for a custom class, check the Tivoli Identity Manager server log and the directory log. LDAP messages such as object error 32 are typical and indicate missing data for required fields or schema problems.

Remote Communication Problems

This section describes commonly encountered problems involving remote communication. The following is a list of these problems:

- “Tivoli Identity Manager Server Cannot Connect to IBM DB2”
- “Cannot Communicate with an Agent”
- “Agent Cannot Communicate with the Tivoli Identity Manager Server”
- “UnsatisfiedLinkError Exception when Server-agent Communication is Tested”
- “Missing CA Certificate”

Tivoli Identity Manager Server Cannot Connect to IBM DB2

Configuration: Tivoli Identity Manager with WebSphere Application Server base with IBM DB2 on AIX

While running various processes and requests in Tivoli Identity Manager, it is possible that the Tivoli Identity Manager will not be able to connect with IBM DB2. This problem occurs when IBM DB2 runs out of shared memory segments available for connections. By default, AIX does not permit 32-bit applications to attach more than 11 shared memory segments per process, of which a maximum of 10 memory segments can be used for local DB2 connections.

If this problem occurs, the following error is seen in the Tivoli Identity Manager log file:

    [IBM][CLI Driver]SQL1224N A database agent could not be started to service a request, or was terminated as a result of a database system shutdown or a force command. SQLSTATE=55032

To resolve this issue, the environment variable EXTSHM should be set to ON to increase the number of shared memory segments to which a single process can be attached. After EXTSHM is set to ON, it must be exported in the shell where the client application is started and the db2start is run.

Setting the EXTSHM Environment Variable

The following procedures describe how to set the EXTSHM environment variable.

Client-side procedures:

On the AIX system with the client application (Tivoli Identity Manager on WebSphere) installed, open the following script file in a text editor:

    WAS_HOME/bin/startServer.sh

Modify startServer.sh to include the following line, which sets the environment variable, before the Java command line, and save the file:

    EXTSHM=ON; export EXTSHM

Now run this modified startServer command to restart the server.

DB2 server-side procedures:

On the AIX system where the IBM DB2 server is installed, type the following commands:

    # export EXTSHM=ON
    # db2set DB2ENVLIST=EXTSHM
    # db2set -all

Add the following lines to the db2profile file on the system where the IBM DB2 server is installed and source the file:

    EXTSHM=ON
    export EXTSHM

The db2profile file is located in:

    DB2instance_DIR/sqllib/db2profile

If you have IBM DB2 in a clustered configuration, db2profile must be modified on each member of the cluster.

Cannot Communicate with an Agent

If you encounter communication problems between the Tivoli Identity Manager server and a Tivoli Identity Manager agent, verify that the Tivoli Identity Manager server has the correct agent information by navigating to the agent’s detailed information page under Service Management (Tivoli Identity Manager GUI) and clicking the Test button. A message is displayed indicating successful communication with the agent or failed communication with an explanation of the failure. Common problems are mistyped CA certificate store, incorrect user IDs or passwords, or incorrect URLs.

Agent Cannot Communicate with the Tivoli Identity Manager Server

This problem is only encountered during asynchronous notification and asynchronous response. If a Tivoli Identity Manager agent cannot communicate with the Tivoli Identity Manager server, check the agent log file.

Error Message                            Possible Causes
404 response containing notification     Agent is connecting to server but looking for an incorrect URL.
500 response (internal server error)     Agent is using an incorrect URL that does not connect to server or is connecting to the server using the wrong port.

UnsatisfiedLinkError Exception when Server-agent Communication is Tested

It is possible in a WebSphere environment to get an UnsatisfiedLinkError exception when you test (by clicking the Test button on the Service form) the server-agent communication for an FTP protocol based agent, such as RACF. The problem is caused by not adding the Tivoli Identity Manager native library files to the library path of the server. Refer to the IBM Tivoli Identity Manager Release Notes for details.

Missing CA Certificate

If the CA certificate store path is incorrectly specified on a service form, the following error will occur when testing the connection to a service:

    Communications error: no valid CA certificates found in /.../.../...

Correct the path in the service’s form. The CA certificate store path is typically:

    ITIM_HOME/cert

Problems

This section describes commonly encountered problems involving e-mail. The following is a list of these types of problems:
- “Cannot Send to Users”
- “Cannot Send to External Addresses”

Cannot Send to Users

If you encounter problems sending from the Tivoli Identity Manager server to a user, check the server properties (enRoleMail.properties). Refer to the IBM Tivoli Identity Manager Configuration Guide for detailed information about properties.
- Verify that the mailing protocol and host are correct. SMTP is the most commonly used protocol.
- Check the server log for related messages.
- Check the host using nslookup:

      # nslookup
      > set type=MX
      > domain-name

  where domain-name is the Internet domain name of your organization’s addresses. This command lists the server for the domain name that you typed.

Cannot Send to External Addresses

In some cases, you may be able to send to internal addresses but not to external Internet addresses. This problem may be caused by the relay permission on your server. Your server must be set up to allow relaying from the machine that runs the Tivoli Identity Manager server.

Miscellaneous Problems

This section describes various problems that may be encountered when administering the Tivoli Identity Manager Server. The following is a list of these problems:
- “New Attributes Do Not Display on Form”
- “Restoring the System Administration Account”
- “Cannot Delete an Organizational Unit (OU)”
- “Processes Hang in a Workflow”
- “Workflow Designer Classes Not Loading Correctly”
- “Add Account Request Fails with a NullPointerException”
- “NotLockedException thrown”
- “Uncommitted Messages Count Error”

New Attributes Do Not Display on Form

If new attributes are added to a form and the attributes are not displayed on the form, these attributes may be listed in the enRoleHiddenAttributes.properties file. Attributes listed in this file are not displayed on the forms. To display these attributes on the form, the lines for these attributes must be commented out in the enRoleHiddenAttributes.properties file. This file is located in the following directory:

    ITIM_HOME/data

If the attributes are not marked as hidden in the enRoleHiddenAttributes.properties file, the problem may be a cache issue. This is usually the case if a new attribute was just added to an objectclass. To solve this issue, restart the Tivoli Identity Manager server.

Restoring the System Administration Account

If all Tivoli Identity Manager accounts are suspended or de-provisioned, including the system administrator account, the system administrator account can be restored through the directory server. All accounts, except the built-in system administrator account, can be deprovisioned by incorrectly modifying a provisioning policy.

To re-activate the system administrator account, access the directory server administration console and navigate through to the following location:

    ou=SystemUsers,ou=Tivoli Identity Manager,o=<orgname>,dc=com

where orgname is the name of the parent organization.

Modify the Tivoli Identity Manager manager account by changing the eraccountstatus value from 1 to 0. This restores the Tivoli Identity Manager manager account. Other accounts can now be restored using the Tivoli Identity Manager manager account.

Cannot Delete an Organizational Unit (OU)

When deleting an Organizational Unit (OU – any unit within the organization), all dependent units must be deleted before the OU can be deleted. Sometimes, however, dependent units may still exist even though they do not appear in the organizational tree. If this occurs, an error message will appear in a window with the following message:

    Dependent Unit(s) exists. Remove all dependent Unit(s) first, then Delete.

Check the directory server for possible dependencies to the selected OU by performing a search in the directory server. The search is performed on the following:

    erparent=OU-DN

where OU-DN is the distinguished name (DN) of the OU.

If any dependencies are found, remove the dependency and delete the OU using the Tivoli Identity Manager user interface.
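
The erparent search described above, as an added Python example that is not part of the original guide: it builds the search filter with RFC 4515 escaping (an OU DN containing parentheses, an asterisk or a backslash would otherwise break or widen the filter) and matches dependents in a set of exported entries. The DNs and entries are constructed for illustration, reporting erIsDeleted alongside each hit is a choice made for this example, and the DN comparison is a simplification (case-insensitive, whitespace-trimmed).

```python
import re

# Bytes that must be escaped in an LDAP filter assertion value (RFC 4515).
_FILTER_SPECIALS = {0x00, 0x28, 0x29, 0x2A, 0x5C}   # NUL ( ) * \


def escape_filter_value(value):
    """Escape a string for use as the value in an LDAP search filter."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in _FILTER_SPECIALS or byte >= 0x80:
            out.append("\\%02x" % byte)      # for example "(" becomes \28
        else:
            out.append(chr(byte))
    return "".join(out)


def erparent_filter(ou_dn):
    """Return the filter that finds entries whose erparent is the given OU DN."""
    return "(erparent=%s)" % escape_filter_value(ou_dn)


def normalize_dn(dn):
    """Simplified DN comparison form: lower case, no spaces around ',' or '='."""
    rdns = re.split(r"(?<!\\),", dn)         # split on commas that are not escaped
    parts = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        parts.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return ",".join(parts)


def find_dependents(entries, ou_dn):
    """Return (dn, is_deleted) for every entry whose erparent is ou_dn.

    entries: iterable of dicts with 'dn', 'erparent' and optionally 'erisdeleted',
    for example built from a directory export.
    """
    target = normalize_dn(ou_dn)
    hits = []
    for entry in entries:
        parent = entry.get("erparent")
        if parent and normalize_dn(parent) == target:
            deleted = str(entry.get("erisdeleted", "")).strip().lower() == "true"
            hits.append((entry["dn"], deleted))
    return hits


# Constructed sample data (not from a real directory).
OU_DN = "ou=Sales (EMEA),o=ExampleCo,dc=com"
ENTRIES = [
    # Same parent, written with different case and spacing.
    {"dn": "erglobalid=2001,ou=orgChart,o=ExampleCo,dc=com",
     "erparent": "OU=Sales (EMEA), o=ExampleCo, dc=com"},
    # Dependent that is flagged as deleted.
    {"dn": "erglobalid=2002,ou=recycleBin,o=ExampleCo,dc=com",
     "erparent": OU_DN, "erisdeleted": "true"},
    # Different parent: must not match.
    {"dn": "erglobalid=2003,ou=orgChart,o=ExampleCo,dc=com",
     "erparent": "ou=Sales,o=ExampleCo,dc=com"},
]

if __name__ == "__main__":
    print("search filter:", erparent_filter(OU_DN))
    for dn, deleted in find_dependents(ENTRIES, OU_DN):
        print("dependent:", dn, "(erIsDeleted is true)" if deleted else "")
```
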

Processes Hang in a Workflow

In a cluster environment, if processes appear to hang in a workflow and, for example, are marked as Not Started in the pending requests, the reason could be that the JMS queue manager was not running before Tivoli Identity Manager was started. Log on to the WebSphere administration console and navigate to the JMS server to check if the JMS servers are started.

Workflow Designer Classes Not Loading Correctly

If you encounter errors with the loading of Workflow Designer classes, the reason could be that required WebSphere Application Server fix packs were not installed correctly. WebSphere Application Server fix packs should be loaded only after the HTTP server service is stopped. In addition, in a cluster environment, ensure that you have applied the fix packs to the WebSphere Application Server Network Deployment system.

Add Account Request Fails with a NullPointerException

Configuration: Tivoli Identity Manager with WebSphere Application Server base cluster using IBM DB2

If a request to add an account to a user fails with a NullPointerException, the queues in IBM MQSeries may need to be cleared and the database tables on the Network Deployment Manager may need to be re-created before the account can be added.

First, attempt to clear the queues for the cluster by deleting the following four files on each member node machine:
- XAresource1
- XAresource2
- tranlog1
- tranlog2

The files are located in the following directory:

    WAS_HOME/tranlog/Node_Name

If deleting the previously stated files does not resolve the problem, complete the following procedures to completely clear the queues on the member nodes.

1. Stop the Tivoli Identity Manager cluster. This can be accomplished by stopping the enrole application in the Network Deployment Manager administration console.
2. Log on to one of the member nodes and determine the queue names. This can be accomplished by using the dspmq command from the command prompt window.
3. Issue the following commands for each queue with jmsserver in the queue name:

       runmqsc <queue_name>
       clear qlocal ('WQ_itim_ms')
       runmqsc <queue_name>
       clear qlocal ('WQ_itim_rs')
       runmqsc <queue_name>
       clear qlocal ('WQ_itim_wf')
       runmqsc <queue_name>
       clear qlocal ('WQ_itim_wf_pending')

4. Repeat the previous two procedures for each member node.
5. Restart the cluster and re-run the request.

If clearing the queues does not resolve the issue, drop the IBM DB2 tables on the Network Deployment Manager machine. To accomplish this task, complete the following procedures:

Note: Warning: This action will erase existing data. Before performing this procedure, you may want to back up existing data using the DB2 Control Center.

1. Stop the Tivoli Identity Manager cluster.
2. Drop the database tables by executing the database configuration tool program. Issue the following command on the Tivoli Identity Manager server from a command prompt window:

       UNIX: ITIM_HOME/bin/dbconfig
       Windows: ITIM_HOME\bin\dbconfig

3. Stop and start the IBM DB2 server. This clears out any work items.
4. Restart the cluster and re-run the request.

NotLockedException thrown

A NotLockedException can be thrown when a transaction has been rolled back by the application container. A rollback can be initiated by database access failure. In some cases, this is triggered by the database running out of tablespace. This situation causes afterCompletion() to be invoked and unlock entities in the LockManager. When the workflow thread proceeds to process the newly unlocked entities, it encounters an UnLockedException. This exception causes the message to roll back, thereby maintaining system integrity until more tablespace can be added to the database. Workflow has a retry mechanism to reprocess the original message, ensuring the rollback will not cause any data integrity issues.

Uncommitted Messages Count Error

During a policy change that generates a large load, MQ might run out of its uncommitted messages count, resulting in an exception being thrown. To correct this problem, the MAXUMSGS attribute of the Queue Manager should be increased to a value that will support the load. For example, a policy change affecting 20,000 users would dictate that this attribute be set to a value greater than 20000. The attribute can be changed using the runmqsc utility.

No Local Copy of JVM on WebSphere Application Server Network Deployment System

You may encounter exceptions, a hang when executing runConfig/dbConfig/ldapConfig, or a hang when you run the Tivoli Identity Manager uninstall program if you have a Network Deployment Manager system that does not have a local copy of JVM 1.3 or a local installation of WebSphere Application Server base resident on the system. This situation can be resolved by either loading a copy of JVM 1.3 on the system, or by updating the JVM definition for the following LAX files in order to run the corresponding Tivoli Identity Manager commands successfully:

Windows:
- ITIM_HOME\bin\runConfig.lax
- ITIM_HOME\bin\dbConfig.lax
- ITIM_HOME\bin\ldapConfig.lax
- ITIM_HOME\itimUninstallerData\Uninstall ITIM.lax

UNIX:
- ITIM_HOME/bin/runConfig.lax
- ITIM_HOME/bin/dbConfig.lax
- ITIM_HOME/bin/ldapConfig.lax
- ITIM_HOME/itimUninstallerData/Uninstall_ITIM.lax

Within these files, change the following line:

Windows:

    lax.nl.current.vm = \java\bin\javaw.exe

to

    lax.nl.current.vm = WAS_NDM_HOME\java\bin\javaw.exe

UNIX:

    lax.nl.current.vm = /java/bin/java

to

    lax.nl.current.vm = WAS_NDM_HOME/java/bin/java

Chapter 3. Directory Server Schema and Class Reference

This chapter describes the Tivoli Identity Manager directory information tree and the classes used by Tivoli Identity Manager in the directory server.

Section topics:
- “Tivoli Identity Manager Directory Tree”
- “General Tivoli Identity Manager Classes”
- “Service Classes”
- “Policy Classes”

Tivoli Identity Manager Directory Tree

Tivoli Identity Manager creates its own directory tree to store information. The following is a diagram of a basic Tivoli Identity Manager directory tree:

[Figure 1. Basic directory tree. Nodes shown in the diagram: IBM Tivoli Identity Manager Root Node; ou=itim (application information); ou=excludeAccounts; o=OrganizationName (organization information); ou=itim (service information); ou=constraints; erdictionaryname=password; ou=orgChart; ou=workflow; ou=services; ou=people; ou=0; ou=n; ou=accounts; ou=0; ou=n; ou=policies; ou=sysRoles; ou=orphans; ou=roles; ou=systemUser; ou=formTemplates; ou=objectProfile; ou=recycleBin; ou=serviceProfile; cn=challenges; ou=joinDirectives; ou=CompanyName; ou=category; ou=operations.]

The following table includes brief descriptions of each container.

| Container | Description |
| --- | --- |
| Root Node | Root node where the Tivoli Identity Manager Server is installed. |
| ou=itim | This container stores all pertinent information for the Tivoli Identity Manager application. |
| ou=constraints | This container stores membership restrictions for various roles and services. |
| erdictionaryname=password | This container stores invalid password entries for use with password policies. |
| ou=CompanyName | Name of the company. This container is the parent container for all information pertaining to the company within the Tivoli Identity Manager system. |
| o=OrganizationName | Name of the organization as it appears in the Organization Tree. |
| ou=orgChart | This container stores the definition of the organizations and organizational units within Tivoli Identity Manager. |
| ou=workflow | This container stores all the workflows designed for use within the Tivoli Identity Manager system for the company. |
| ou=services | This container stores information pertaining to the services installed for use with the Tivoli Identity Manager system. |
| ou=accounts | This container stores all accounts in the Tivoli Identity Manager system. |
| ou=policies | This container stores all the defined policies. |
| ou=sysRoles | This container stores all information pertaining to the Tivoli Identity Manager Groups defined within Tivoli Identity Manager. |
| ou=orphans | This container stores all orphan accounts retrieved during a reconciliation. |
| ou=roles | This container stores all information for all organizational roles defined within Tivoli Identity Manager. |
| ou=people | This container stores all information about Persons within Tivoli Identity Manager. |
| ou=itim | This container is the parent container for system specific information. |
| ou=formTemplates | This container stores information about the various forms and the form templates used within the system. |
| ou=objectProfile | This container stores the object profiles required for the system to recognize a managed resource as an entity (person, organizational unit, location, and so forth). |
| ou=recycleBin | This container stores entities deleted from the system using the graphical user interface. |
| ou=serviceProfile | This container stores the service profiles required for the system to recognize a managed resource as a service. |
| ou=systemUser | This container stores information about system users. |
| ou=joinDirectives | This container stores all the information about the Provisioning Policy Join Directives. |
| cn=challenges | This container stores all information pertaining to the Password Challenge/Response feature. |
| ou=operations | This container stores information on workflow operations (such as add, modify, delete, suspend, and transfer) with Tivoli Identity Manager. |
| ou=category | This container stores life cycle management operations for an entity type. Only Person and Account are supported. Global represents the system’s operation. |

General Tivoli Identity Manager Classes

The Tivoli Identity Manager system uses the Directory Server’s default schema as well as a Tivoli Identity Manager specific schema. The Tivoli Identity Manager specific schema consists of a collection of auxiliary classes that provide the interface necessary to execute the Tivoli Identity Manager system’s business logic. These auxiliary classes can be used with custom defined classes to complete the schema used by the Tivoli Identity Manager system. The classes listed below are default structural classes.

An additional term to note is:

domain entry
    An entry in the directory that corresponds to a business entity managed by the Tivoli Identity Manager system.

erBPPersonItem

The erBPPersonItem class is an auxiliary class that identifies attributes for a business partner person. This is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
|  | address. | directory string |
| cn | Common Name for person. | directory string |
| erPersonStatus | Status of person. | integer |
| erSponsor | DN of this person’s sponsor. | distinguished name |
| erRoles | DN of roles for person. | distinguished name |
| erAliases | Aliases for person. | directory string |
| erSharedSecret | Value used by the user for password pickup. | directory string |
| erCustomDisplay | User selected attribute to display in BP Person list. | directory string |
| erLocale | User’s locale preference. Default is the system’s locale. | directory string |

erBPOrg

The erBPOrg class is a structural class that stores business partner organization information. This is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| ou | Organizational unit. Required | directory string |
| description | Description of the business partner organization. | directory string |

erBPOrgItem

The erBPOrgItem class is an auxiliary class that stores business partner (BP) organization information. This is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| ou | Organizational unit name. | directory string |
| erBPOrgStatus | Status of the BP organization. | integer |
| erSponsor | DN of organizational unit’s supervisor. | distinguished name |

erDictionary

The erDictionary class stores words that are not allowed to be used as passwords. This is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erDictionaryName | The name of the dictionary. Required | directory string |
| description | Description of the dictionary. | directory string |

erDictionaryItem

The erDictionaryItem class stores an individual word that is not allowed to be used as a password. These classes are then linked together with the erDictionary class. This is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erWord | The word that is excluded from being used as a password. Required | directory string |
| description | Description of the word and why it is not allowed to be used as a password. | directory string |

erFormTemplate

The erFormTemplate class stores form template information. This is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erFormName | The name of the form. Required | directory string |
| erCustomClass | Name of the entity’s class. | directory string |
| erXML | The actual XML code for the form. | binary |

erIdentityExclusion

The erIdentityExclusion class stores the names of the accounts that are not retrieved during a reconciliation. This is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| cn | Common name. Required | directory string |
| erObjectProfileName | Service profile name. | directory string |
| erAccountID | Account ID to exclude from the reconciliation. | directory string |

erLocationItem

The erLocationItem class is an auxiliary class that stores attributes of a location within the system. The location name attribute must be defined. The erLocationItem class is a domain entry and includes the erManagedItem class. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| l | Location name. Required | directory string |
| erSupervisor | DN of location’s supervisor. | distinguished name |

erManagedItem

The erManagedItem class is an auxiliary class that is added to all domain entries (organizations, organizational units, people, and roles) that require access control. The erManagedItem class defines a unique ID, a parent entry (if present), and an access control list. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erGlobalId | Unique, random ID assigned to all entries in a directory. Used as the regional DN for each entry. | numeric string |
| erLastModifiedTime | Entry’s removal date and time (GMT format). | directory string |
| erAcl | Access Control List. | binary |
| erAuthorizationOwner | Owner of Access Control. | distinguished name |
| erParent | Entry’s organizational unit DN. | distinguished name |
| erIsDeleted | True if in recycle bin. | directory string |

erOrganizationItem

The erOrganizationItem class is an auxiliary class that is added to organizations. The erOrganizationItem class is a domain entry and includes the erManagedItem class. It defines the organization’s name and status. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| o | Organization name. | directory string |
| erOrgStatus | Organization status. | integer |

erOrgUnitItem

The erOrgUnitItem class is an auxiliary class that stores information about an organizational unit. It contains information on the ou name and, optionally, the supervisor (erSupervisor) for an organizational unit. The erOrgUnitItem is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| ou | Organizational unit. | directory string |
| erSupervisor | DN of organizational unit’s supervisor. | distinguished name |

erPersonItem

The erPersonItem class is an auxiliary class that identifies attributes for a person. The erPersonItem is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
|  | address. | directory string |
| cn | Common name for person. | directory string |
| erPersonStatus | Status of person. | integer |
| erRoles | DN of person’s roles. | distinguished name |
| erAliases | Aliases for person. | directory string |
| erSupervisor | DN of the person’s supervisor. | distinguished name |
| erSharedSecret | Value used by the user for password pickup. | directory string |
| erCustomDisplay | User selected attribute to display in Person lists. | directory string |
| erLocale | User’s locale preference. Default is the system’s locale. | directory string |

erRole

The erRole class stores the name and description for an organizational role. However, it does not store membership information. Role membership is stored in erPersonItem.erRoles. This is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erRoleName | Name of the organizational role. Required | directory string |
| description | Description of the role. | directory string |

erSecurityDomainItem

The erSecurityDomainItem class is an auxiliary class for an admin domain. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| ou | Organizational unit. | directory string |
| erAdministrator | DN of the administrator of an Admin Domain. | distinguished name |

SecurityDomain

The SecurityDomain class stores admin domain information. This is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| ou | Organizational unit. Required | directory string |
| description | Description of the admin domain. | directory string |

erTenant

The erTenant class defines properties based on a tenant, such as the ou, whether password edits are allowed, or whether mailing of lost passwords is allowed. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| ou | Organization unit that contains this tenant. Required | directory string |
| erIsActive | Indicates if this tenant is active. Required | Boolean |
| description | Description of tenant. | directory string |
| erPswdEditAllowed | Indicates if passwords may be set (true) or generated (false). Required | Boolean |
| erLostPswdByMail | Indicates if passwords can be mailed to a user for this tenant. Required | Boolean |
| erBucketCount | Hash bucket number. Required | integer |
| erLastModifiedTime | Time the tenant was last modified (attributes). | directory string |
| erPswdExpirationPeriod | Number of days after which the ITIM password expires. When the user tries to log in to the system after the password expires, the user is forced to change the password. If this value is set to 0, the password will never expire. | integer |
| erPswdTransactionExpPeriod | Number of hours after which the transaction to retrieve an account password expires. The password is typically retrieved using the URL link provided in an e-mail from the system. If this value is set to 0, the URL link will never expire. | integer |
| erLogonCount | Number of invalid login attempts the user can have before the user’s account is suspended. If this value is set to 0, the user can try to access the system as many times as the user likes and the system will not suspend the account. | integer |
| erResponseEnable | Attribute for enabling or disabling the Password Challenge/Response feature. If this attribute is set to TRUE, the user can use the Forgot Your Password link to enter the system by providing correct answers to the Password Challenge/Response questions. | Boolean |
| erResponseDescription | Message displayed on the login page if the user’s account is suspended after the user tries to log into the system too many times and fails to respond correctly to the Password Challenge/Response questions. | directory string |
| erResponseEmail | Message e-mailed to the administrator responsible for user accounts suspended when the user fails to access the system in the defined number of tries. | directory string |
| erChallengeMode | Password Challenge Response mode. There are three different modes available. PRE-DEFINED: If this mode is selected, the user must correctly answer all of the challenge questions pre-defined by the system administrator to access the system. USER-SELECTED: If this mode is selected, the user must correctly answer the challenge questions previously selected when configuring the challenge/response feature for the account. The challenge questions are selected from a pre-defined list. RANDOM-SELECTED: If this mode is selected, the user must correctly answer the challenge questions selected by the system. The challenge questions are selected from a pre-defined list. | directory string |
| erRequiredChallenges | Number of challenges the user must respond to correctly to access the system if the user forgot his password. | integer |
| erRandomChallenges | Number of challenges available for the system to select from when presenting Password Challenge/Response questions to users who forgot their passwords. | integer |
| erHashedEnabled | Not used. | Boolean |
| erRespLastChange | Timestamp of when the administrator last changed the Password Challenge/Response configuration. | generalized time |
| erChallengeDefMode | Definition mode for lost password challenge response. Possible values are Admin Defined (0) and User Defined (1). | integer |
| erPswdSyncAllowed | Attribute for enabling and disabling password synchronization for user accounts. | Boolean |
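
An audit of the erTenant settings in the table above, as an added Python example that is not part of the original guide: it reads an LDIF export and reports the values the table documents as switching a control off (0 for erPswdExpirationPeriod, erPswdTransactionExpPeriod and erLogonCount), plus mailed passwords and a low challenge count. The sample entry, its DN and the min_challenges threshold are assumptions made for the example.

```python
import base64

# Constructed sample: LDIF export of one erTenant entry. The DN and the values are
# invented; only the attribute names and their meanings come from the erTenant table.
SAMPLE_LDIF = """\
# constructed tenant entry
dn: ou=ExampleCo,dc=example,dc=com
objectclass: top
objectclass: erTenant
ou: ExampleCo
erIsActive: TRUE
erPswdEditAllowed: TRUE
erLostPswdByMail: TRUE
erBucketCount: 1
erPswdExpirationPeriod: 0
erPswdTransactionExpPeriod: 0
erLogonCount: 0
erResponseEnable: TRUE
erChallengeMode: PRE-DEFINED
erRequiredChallenges:: MQ==
"""

# Attributes for which the table says a value of 0 turns the control off.
ZERO_DISABLES = {
    "erPswdExpirationPeriod": "password never expires",
    "erPswdTransactionExpPeriod": "password retrieval URL link never expires",
    "erLogonCount": "unlimited invalid logins, account is never suspended",
}


def parse_ldif(text):
    """Return a list of entries mapping lower-cased attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]            # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # the extra "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def _int(entry, attr):
    values = entry.get(attr.lower())
    try:
        return int(values[0]) if values else None
    except ValueError:
        return None


def _true(entry, attr):
    values = entry.get(attr.lower())
    return bool(values) and values[0].strip().lower() == "true"


def audit_tenant(entry, min_challenges=2):
    """Return (attribute, finding) pairs for one erTenant entry.

    min_challenges is a local policy threshold assumed for this example.
    """
    findings = [(attr, text) for attr, text in ZERO_DISABLES.items()
                if _int(entry, attr) == 0]
    if _true(entry, "erLostPswdByMail"):
        findings.append(("erLostPswdByMail", "passwords can be mailed to users"))
    if _true(entry, "erResponseEnable"):
        required = _int(entry, "erRequiredChallenges")
        if required is not None and required < min_challenges:
            findings.append(("erRequiredChallenges",
                             "forgotten-password access needs only %d answer(s)" % required))
    return findings


def audit_ldif(text, min_challenges=2):
    """Audit every erTenant entry in an LDIF export; returns {dn: findings}."""
    report = {}
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "ertenant" in classes:
            report[entry.get("dn", ["?"])[0]] = audit_tenant(entry, min_challenges)
    return report


if __name__ == "__main__":
    for dn, findings in audit_ldif(SAMPLE_LDIF).items():
        print(dn)
        for attr, text in findings:
            print("  %s: %s" % (attr, text))
```
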

erWorkflowDefinition

The erWorkflowDefinition class stores workflow information. This is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erProcessName | The name of the workflow. Required | directory string |
| erObjectProfileName | Service profile name. | directory string |
| erXML | Definition of workflow. | binary |
| erCategory | Type of entity to manage, such as Person, BPPerson, or Account. | directory string |

Service Classes

Services may be hosted or owned. A hosted service is a service that is shared by multiple organizations (such as in an ASP environment). An owned service is not shared. Each type of service has its own, different representation within the system.

erAccountItem

The erAccountItem class is an auxiliary class that defines required attributes for a user account. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erUid | Account login ID. | directory string |
| owner | DN of the account owner. | distinguished name |
| erAccountStatus | Account status. | integer |
| erAccountCompliance | Compliancy of the account. Possible values are Uncheck account (0), Compliant account (1), Unauthorized account (2), Constraints violated account (3). | integer |
| erPassword | Account login password. | binary |
| erHistoricalPassword | Previous account login password. | binary |
| erService | DN of the account service. | distinguished name |
| erLastAccessDate | Last login date. | generalized time |

erAttributeConstraint

The erAttributeConstraint class provides the Tivoli Identity Manager structure for an attribute constraint. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erOid | Attribute’s Object Identification Number (Oid). Required | directory string |
| cn | Name of the constraint on the attribute. | directory string |
| erType | Attribute type. | directory string |
| erIsReadOnly | True if this is a read-only attribute. | Boolean |
| erDefaultValue | Attribute’s default values. | directory string |
| erCustomConstraint | Attribute’s definition constraints. | directory string |

erChallenges

The erChallenges class provides the structure for questions of password challenge and response. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| cn | Name of challenge and response entry. Required | directory string |
| erLastModifiedTime | Last time the user’s challenge/response list was updated. | directory string |
| erLostPasswordQuestion | User’s password challenge question/response list. | binary |

erDSMLInfoService

| Attribute name | Description | Type |
| --- | --- | --- |
| erServiceName | The display name for service instances. Required | directory string |
| erDSMLFileName | The name of a DSML file stored on disk. | directory string |
| erUseWorkflow | A Boolean flag used on a DSMLInfoService to indicate that people should be processed using the workflow engine. | Boolean |
| erUid | An identifier used to uniquely identify a user of a service. | directory string |
| erPassword | A password used to authenticate a user. | binary |
| erPlacementRule | A script fragment defining the location of the user within the organization chart. | binary |
| erproperties | Defines protocol and behavior properties for service profiles. | directory string |
| erprotocolmappings | Specifies the service attributes that should be used in messages sent to managed resources. | directory string |
| erserviceproviderfactory | Defines the name of the Java class for creating the ServiceProvider used to communicate with the managed resource. | directory string |
| erxforms | Defines transforms for Tivoli Identity Manager agents. | binary |

erDSML2Service

The erDSML2Service class provides the Directory Service Markup Language Version 2 (DSMLv2) class to import data into Tivoli Identity Manager. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erCategory | Type of entity to manage. Required | directory string |
| erServiceName | Name to display on the user interface. Required | directory string |
| erURL | URL of the data source. Supported protocols include: file, http, and https. Required | directory string |
| erPassword | Key to authenticate DSMLv2 clients when using the JNDI client. | binary |
| erPlacementRule | Placement rule defining a script to place entries within the organization chart. | binary |
| erUid | Name of the principal to authenticate DSMLv2 clients when using the JNDI client. | directory string |
| erUseWorkflow | Boolean flag to indicate whether to use workflow when managing data. A value of true will evaluate provisioning policies and place an entry in the audit trail. | Boolean |
| ernamingattribute | The naming attribute on a service used to define the distinguished names of entries in event notification. | directory string |
| namingcontexts | Identifies the service. Required when Tivoli Identity Manager is acting as a DSMLv2 service. | distinguished name |

erDynamicRole

The erDynamicRole class provides the structure for a dynamic role. The parent class is erRole.

| Attribute name | Description | Type |
| --- | --- | --- |
| erJavaScript | Role’s evaluation definition. This definition is used to evaluate members of a role. | binary |
| erScope | Scope of role evaluation: single or subtree scope. | integer |

erHostedAccountItem

The erHostedAccountItem class is an auxiliary class that is added to account entries for hosted services (that is, represented by erHostedService entries). The erHost attribute holds a reference to the owned service entry and provides a more efficient search when trying to identify the owned service. The parent is erAccountItem.

| Attribute name | Description | Type |
| --- | --- | --- |
| erHost | DN of owned service entry. | distinguished name |

erHostedService

The erHostedService class describes a hosted service. The erHostedService class is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erServiceName | Name of the service. Required | directory string |
| erService | DN of the target service to be managed. Required | distinguished name |
| erObjectProfileName | Service profile name for target service. Required | directory string |

erHostSelectionPolicy

The erHostSelectionPolicy class provides the structure for a host selection policy. The parent class is erPolicyItemBase.

| Attribute name | Description | Type |
| --- | --- | --- |
| erJavaScript | Contains a scriptlet used at runtime to return a service instance. Required | binary |
| erObjectProfileName | Name corresponding to the service type. Required | directory string |
| erUserClass | Name of a user class, such as Person or BPPerson. Required | directory string |

erITIMService

The erITIMService class provides the Tivoli Identity Manager structure for Tivoli Identity Manager service. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erServiceName | Tivoli Identity Manager service name. Required | directory string |
| owner | Service’s owner (person). | distinguished name |

erJoinDirective

The erJoinDirective class provides the structure for a join directive used in merging provisioning parameters. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erAttributeName | Name of service attribute. Required | directory string |
| erDirectiveType | Type of join directive to be used. Required | directory string |
| description | Description of how the directive is used. | directory string |
| erCustomData | Contains any parameters to be passed to the class implementing the JoinDirective interface. | directory string |
| erPrecedenceSequence | Sequence of allowed values for a single valued attribute with the most preferable values listed first. | directory string |

erObjectCategory

The erObjectCategory class provides the structure for an entity type. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erType | Name of the entity’s category. Required | directory string |
| erXML | Object Operation definition for life cycle management. | binary |

erObjectProfile

The erObjectProfile class provides the Tivoli Identity Manager structure for an object profile. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erObjectProfileName | Profile name. Required | directory string |
| erCategory | Entity category such as Person, Role, SystemUser, or other category. | directory string |
| erCustomClass | Name of the class used to create an entity. | directory string |
| erRdnAttr | Name attribute. | directory string |
| erSearchAttr | Search attribute. | directory string |
| erAttrMap | Map of the logical attribute name and physical attribute name. Key: logical attribute name. | directory string |
| erXML | ObjectOperation data structure — life cycle management. | binary |

erRemoteServiceItem

The erRemoteServiceItem class is an auxiliary class that describes an erServiceItem. The parent class is erServiceItem.

| Attribute name | Description | Type |
| --- | --- | --- |
| erUid | User’s log in ID for the service. | directory string |
| erPassword | User’s password | binary |
| erCheckPolicy | Flag to determine whether or not to check the user against the defined policies. | Boolean |
| erDisallowedAction | The action to be taken during reconciliation if an account is not permitted by a provisioning policy. Possible values are: Log Only, Suspend, Delete. | directory string |
| erConstraintViolationAction | The action to be taken during reconciliation if an account is permitted by a provisioning policy but the account values are not compliant. Possible values are Log Only, Overwrite Local Values, and Overwrite Remote Values. | directory string |
| erIdentityLookupMethod | The method used during reconciliation to look up the identity of the account owner. The only possible value is Alias. | directory string |

erServiceItem

The erServiceItem class is an auxiliary class that describes an owned service. This is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erServiceName | Name of the service. | directory string |
| owner | DN of the service owner. | distinguished name |
| erPrerequisite | Required prerequisite for the account. | distinguished name |
| erNonComplianceAction | Compliant action for accounts of the service. Possible values are Mark NonCompliant (0), Suspend NonCompliant (1), Correct NonCompliant (2). | integer |

erServiceProfile

The erServiceProfile class provides the Tivoli Identity Manager structure for a service profile. The parent class is erObjectProfile.

| Attribute name | Description | Type |
| --- | --- | --- |
| erAccountClass | Name of a custom class used to create an account. | directory string |
| erAccountName | Name of profile associated with the account. | directory string |
| erproperties | Service attributes used in messages sent to managed resources. Required | directory string |
| erprotocolmappings | Service attributes used in messages sent to managed resources. | directory string |
| erserviceproviderfactory | Name of the Java class to create the ServiceProvider used to communicate with the managed resource. Required | directory string |
| erxforms | Defines transforms for Tivoli Identity Manager agents. | binary |

erSystemItem

The erSystemItem class provides the Tivoli Identity Manager auxiliary class for the Tivoli Identity Manager system. The parent class is top.

erSystemRole

The erSystemRole class represents a system role; however, it does not include membership information. Members are defined in erSystemUser.erRoles. This is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erRoleName | The system role name. Required | directory string |
| description | Description of the role. | directory string |
| erSystemRoleCategory | Level of access - End User, Supervisor, System Administrator. | integer |

erSystemUser

The erSystemUser class stores Tivoli Identity Manager system accounts such as the pre-defined Tivoli Identity Manager system account. The erAccountItem is also added to each erSystemUser entry since it is an account managed by the system. This is a domain entry. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erUid | Account login ID. Required | directory string |
| erLostPasswordQuestion | Account’s lost password question. | directory string |
| erLostPasswordAnswer | Account’s lost password answer. | binary |
| erIsDelegated | Flag determining if the account’s workflow can be sent to delegates. | Boolean |
| erDelegate | User’s delegate. | directory string |
| erWorkflow | Filter for viewing pending requests and completed requests. | directory string |
| erRoles | Roles associated with the account. | distinguished name |
| erHomePage | Login home page. | directory string |
| erPswdLastChanged | Date and time password was last changed. | generalized time |
| erNumLogonAttempt | Number of times user attempted to log on. | integer |
| erChangePswdRequired | Flag indicating whether or not the user is required to change the password the next time the user logs into the system. | Boolean |
| erRespLastChange | Date and time challenge response was last changed. | generalized time |

Policy Classes

There are three types of policies: password, identity and provisioning. These all share some general attributes. These attributes are represented within the erPolicyBase and erPolicyItemBase classes. The erPolicyBase class inherits from the erPolicyItemBase class. All policies are domain entries.

erIdentityPolicy

The erIdentityPolicy class stores identity policy-specific attributes. The parent class is erPolicyBase.

| Attribute name | Description | Type |
| --- | --- | --- |
| erJavaScript | Script that is evaluated to create the user ID. | binary |
| erUserClass | User’s class home. | directory string |

erPasswordPolicy

The erPasswordPolicy class stores password policy-specific attributes. The parent class is erPolicyBase.

| Attribute name | Description | Type |
| --- | --- | --- |
| erXML | XML document containing password rules. Required | binary |

erPolicyBase

The erPolicyBase class stores commonly used functional attributes such as state information and the target of the policy. The parent class is erPolicyItemBase.

| Attribute name | Description | Type |
| --- | --- | --- |
| erPolicyTarget | Service(s) or service instances targeted by the policy. If a service instance is targeted, the value is the string representing the service instance’s DN. Format: `1;<value>`. If a service profile is targeted, the value is the name of the service profile. Format: `0;<value>`. If all services are targeted, the value is `*`. Format: `2;<*>`. If a service selection policy is targeted, the value is the name of the service profile affected by the service selection policy. Format: `3;<value>`. | directory string |
| erReqPolicyTarget | Lists required policy targets (service instance or service profile). | directory string |
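
The erPolicyTarget value format described above can be parsed and reviewed as follows. This is an added example, not code from the guide or from Tivoli Identity Manager; the policy names, DNs and profile names are constructed, and the all-services target is assumed to be stored as the literal string `2;*`.

```python
from dataclasses import dataclass

# Type codes and meanings as documented for erPolicyTarget.
TARGET_KINDS = {
    "0": "service profile",
    "1": "service instance",
    "2": "all services",
    "3": "service selection policy",
}


@dataclass(frozen=True)
class PolicyTarget:
    code: str
    kind: str
    value: str


def parse_policy_target(raw: str) -> PolicyTarget:
    """Parse one erPolicyTarget value of the form '<code>;<value>'."""
    # Split on the first ';' only: a DN value may itself contain ';'.
    code, sep, value = raw.strip().partition(";")
    if not sep:
        raise ValueError(f"missing ';' separator: {raw!r}")
    if code not in TARGET_KINDS:
        raise ValueError(f"unknown target type code {code!r}: {raw!r}")
    if code == "2":
        # Assumption: the documented format 2;<*> is stored as "2;*".
        if value != "*":
            raise ValueError(f"all-services target must carry '*': {raw!r}")
    elif not value:
        raise ValueError(f"empty target value: {raw!r}")
    elif code == "1" and "=" not in value:
        # A service instance is referenced by DN, so expect attr=value RDNs.
        raise ValueError(f"service instance target is not a DN: {raw!r}")
    return PolicyTarget(code, TARGET_KINDS[code], value)


def review_policy_targets(policies: dict) -> dict:
    """Classify every target per policy; collect malformed values and
    the names of policies whose target is every service."""
    report = {
        "by_kind": {kind: [] for kind in TARGET_KINDS.values()},
        "malformed": [],
        "targets_all_services": [],
    }
    for name, values in policies.items():
        for raw in values:
            try:
                target = parse_policy_target(raw)
            except ValueError as exc:
                report["malformed"].append((name, str(exc)))
                continue
            report["by_kind"][target.kind].append((name, target.value))
            if target.code == "2":
                report["targets_all_services"].append(name)
    return report


# Constructed sample data: policy names, DNs and profile names are placeholders.
SAMPLE_POLICIES = {
    "hr-ldap-access": ["1;erservicename=HR LDAP,ou=services,o=example;dc=com"],
    "unix-defaults": ["0;PosixLinuxProfile"],
    "everyone-everything": ["2;*"],
    "pick-nearest-host": ["3;ADProfile"],
    "broken-entry": ["7;whatever", "1;not-a-dn"],
}

if __name__ == "__main__":
    result = review_policy_targets(SAMPLE_POLICIES)
    print("targets all services:", result["targets_all_services"])
    for policy, problem in result["malformed"]:
        print("malformed:", policy, "-", problem)
```
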

erPolicyItemBase

The erPolicyItemBase class stores general bookkeeping attributes for policies, such as name and description. The parent class is top.

| Attribute name | Description | Type |
| --- | --- | --- |
| erPolicyItemName | The policy name. Required | directory string |
| erLabel | The label name for the policy. | directory string |
| erKeywords | A list of key words. | directory string |
| description | A description of the policy. | directory string |
| erEnabled | Flag indicating whether or not the policy participates in the provisioning process. If the flag is enabled, the policy participates in the provisioning process. If the flag is disabled, the policy does not participate in the provisioning process. | Boolean |
| erScope | Determines which service instances are governed by this policy. Single level scope limits the policy to affect only those service instances at the same level as the policy. Subtree scope allows a policy to affect service instances at the same level as the policy and service instances in levels below that of the policy. | integer |

erProvisioningPolicy

The erProvisioningPolicy class stores provisioning policy-specific attributes. The parent class is erPolicyBase.

| Attribute name | Description | Type |
| --- | --- | --- |
| erEntitlements | Policy access definitions. Required | binary |
| erPriority | The priority level for this policy. Required | integer |
| erPolicyMembership | Policy principals. Identifies users who are governed by this policy. Required | directory string |

Chapter 4. Database Tables

Tivoli Identity Manager loads tables into the selected database during installation.

Section topics:

- “Workflow Tables”
- “Services Tables”
- “SCHEDULED_MESSAGE Table”
- “LISTDATA Table”
- “AUTH_KEY Table”

Workflow Tables

Tivoli Identity Manager stores workflow specific information in the following database tables:

- “PROCESS Table”
- “PROCESSLOG Table”
- “PROCESSDATA Table”
- “ACTIVITY Table”
- “WORKITEM Table”
- “PASSWORD_TRANSACTION Table”
- “NEXTVALUE Table”
- “PENDING Table”

The workflow engine accesses these tables to retrieve information that is used during the workflow process.

PROCESS Table

The PROCESS table stores all the pending, running, and historical requests submitted to the Tivoli Identity Manager workflow. Each request is represented as a process. The following table includes descriptions of each column name:

| Column Name | Description | Data Type |
| --- | --- | --- |
| ID | Process ID number. | numeric |
| PARENT_ID | Parent process ID number, if any. | numeric |
| PARENT_ACTIVITY_ID | Parent activity ID number. | numeric |
| NAME | Process name. | character |
| TYPE | Process type code. Values include: User Data Change (UC), User BU Change (UO), Suspend User (US), Restore User (UR), Delete User (UD), New User (UA), Suspend multiple Users (MS), Restore multiple Users (MR), Delete multiple Users (MD), Account Add (AA), Account Change (AC), Account Password Change (AP), Suspend Multiple Accounts (LS), Restore Multiple Accounts (LR), Delete Multiple Accounts (LD), Change Password for Multiple Accounts (LP), Suspend Account (AS), Restore Account (AR), Delete Account (AD), Reconciliation (RC), Add Provisioning Policy (PA), Modify Provisioning Policy (PC), Delete Provisioning Policy (PD), Add Service Selection Policy (SA), Modify Service Selection Policy (SC), Delete Service Selection Policy (SD), Add Dynamic Role (DA), Modify Dynamic Role (DC), Remove Dynamic Role (DD). | character |
| DEFINITION_ID | Process definition Identifier. | character |
| REQUESTER_TYPE | Requester type. Values include: End User (U), Workflow System (S), Tenant Administrator (T), IBM Tivoli Identity Manager System (P). | character |
| REQUESTER | DN of the requester. | character |
| REQUESTER_NAME | Requester’s name. | character |
| DESCRIPTION | Description of the process. | character |
| PRIORITY | Priority of the process. | numeric |
| SCHEDULED | Scheduled start time for the process. | character |
| STARTED | Time the process is started. | character |
| COMPLETED | Time the process is completed. | character |
| LASTMODIFIED | Time the process was last modified. | character |
| SUBMITTED | Time the process was submitted. | character |
| STATE | Current state of the process. Values include: Running (R), Not Started (I), Terminated (T), Aborted (A), Suspended (S), Completed (C), Bypassed (B). | character |
| NOTIFY | Specifies who is notified when a process is completed. There are four possible choices: NOTIFY_NONE (0), NOTIFY_REQUESTOR (1), NOTIFY_REQUESTEDFOR (2), NOTIFY_BOTH (3). | numeric |
| REQUESTEE | DN of the requestee. | character |
| SUBJECT | Process’s subject. | character |
| COMMENTS | Comments for the process. | character |
| RESULT_SUMMARY | Process’s result summary code. Values include: Approved (AA), Rejected (AR), Submitted (RS), Success (SS), Timeout (ST), Failed (SF), Warning (SW), Pending (PE), Participant Resolution Failed (PF), Escalated (ES), Skipped (SK). | character |
| RESULT_DETAIL | Detailed information on the process’s result. | long character |
| TENANT | DN of the requester’s tenant. | character |
| REQUESTEE_NAME | Requestee’s name. | character |

PROCESSLOG Table

The PROCESSLOG table maintains a record of audit events associated with a process. The following table includes descriptions of each column name:

| Column Name | Description | Data Type |
| --- | --- | --- |
| ID | Log ID number. | numeric |
| PROCESS_ID | ID of the process associated with the log. | numeric |
| ACTIVITY_ID | ID of the activity associated with the log. | numeric |
| CREATED | Time the log was created. | character |
| EVENTTYPE | Log’s event type code. Values include: Activity Created (AC), Process State Changed (PS), Process Initial Data (PI), Process User Changed Data (PC), Process Timeout (PT), Process Escalation Participant Resolution Failed (PP), Activity Timeout (AT), Activity Escalation Timeout (AE), Activity State Changed (AS), Activity Data (AD), Activity Assignment Changed (AA), Manual Activity Performed By (CM), Activity Participant Resolution Failed (AP), Activity Escalation Participant Resolution Failed (AX). | character |
| OLD_PARTICIPANT_TYPE | Old participant type for the assignment change event. Values include: User (U), Person (P), Role (R), System Administrator (SA), Supervisor (SU), Sponsor (SP), Service Owner (SO), System (WS), Requestor (RR), Requestee (RE), Domain Administrator (DA), Custom Defined Participant (CM). | character |
| OLD_PARTICIPANT_ID | Old participant ID for the assignment change event. | character |
| NEW_PARTICIPANT_TYPE | New participant type for the assignment change event. Values include: User (U), Person (P), Role (R), System Administrator (SA), Supervisor (SU), Sponsor (SP), Service Owner (SO), System (WS), Requestor (RR), Requestee (RE), Domain Administrator (DA), Custom Defined Participant (CM). | character |
| NEW_PARTICIPANT_ID | New participant ID for the assignment change event. | character |
| REQUESTOR_TYPE | Requester type for any user related event. Values include: End User (U), Workflow System (S), Tenant Administrator (T), IBM Tivoli Identity Manager System (P). | character |
| REQUESTOR | Requester DN for any user related event. | character |
| OLD_STATE | Old state for a state change event. | character |
| NEW_STATE | New state for a state change event. | character |
| DATA_ID | Data ID for a data change event. | character |
| NEW_DATA | Data value for a data change event. | long character |
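
The PROCESS and PROCESSLOG columns above can be joined to review who a workflow activity was reassigned to. This is an added example, not IBM's code: it uses an in-memory SQLite database holding only the columns it needs, every row is constructed, and it assumes that REQUESTER and NEW_PARTICIPANT_ID both hold DNs that can be compared.

```python
import sqlite3

# Code maps copied from the column descriptions. The same two letters mean
# different things per column (AA is "Account Add" in PROCESS.TYPE but
# "Activity Assignment Changed" in PROCESSLOG.EVENTTYPE), so decode per column.
PROCESS_TYPE = {"AA": "Account Add", "AC": "Account Change",
                "AP": "Account Password Change", "UA": "New User"}  # subset
PARTICIPANT_TYPE = {
    "U": "User", "P": "Person", "R": "Role", "SA": "System Administrator",
    "SU": "Supervisor", "SP": "Sponsor", "SO": "Service Owner", "WS": "System",
    "RR": "Requestor", "RE": "Requestee", "DA": "Domain Administrator",
    "CM": "Custom Defined Participant",
}


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data; timestamp format and DNs are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE PROCESS (ID INTEGER PRIMARY KEY, TYPE TEXT,
            REQUESTER TEXT, REQUESTER_NAME TEXT, STATE TEXT);
        CREATE TABLE PROCESSLOG (ID INTEGER PRIMARY KEY, PROCESS_ID INTEGER,
            ACTIVITY_ID INTEGER, CREATED TEXT, EVENTTYPE TEXT,
            OLD_PARTICIPANT_TYPE TEXT, OLD_PARTICIPANT_ID TEXT,
            NEW_PARTICIPANT_TYPE TEXT, NEW_PARTICIPANT_ID TEXT);
    """)
    conn.executemany("INSERT INTO PROCESS VALUES (?,?,?,?,?)", [
        (101, "AA", "uid=jdoe,ou=people,o=example", "J Doe", "R"),
        (102, "AP", "uid=asmith,ou=people,o=example", "A Smith", "C"),
    ])
    conn.executemany("INSERT INTO PROCESSLOG VALUES (?,?,?,?,?,?,?,?,?)", [
        (1, 101, 5001, "2004-02-10 09:15:00", "AC", None, None, None, None),
        (2, 101, 5001, "2004-02-10 09:20:00", "AA",
         "SU", "uid=mgr1,ou=people,o=example",
         "U", "UID=jdoe,ou=people,o=example"),
        (3, 102, 5002, "2004-02-10 10:00:00", "AA",
         "SO", "uid=owner1,ou=people,o=example",
         "SA", "uid=admin1,ou=people,o=example"),
        (4, 102, 5002, "2004-02-10 10:05:00", "AS", None, None, None, None),
    ])
    return conn


def _same_dn(a, b) -> bool:
    # Simple case-insensitive comparison; real DN matching is stricter.
    return bool(a and b) and a.strip().lower() == b.strip().lower()


def assignment_changes(conn: sqlite3.Connection) -> list:
    """Return decoded 'Activity Assignment Changed' (AA) events and mark the
    ones where the activity was reassigned to the process requester."""
    rows = conn.execute("""
        SELECT l.ID AS LOG_ID, l.CREATED AS CREATED, l.ACTIVITY_ID AS ACTIVITY_ID,
               p.ID AS PROCESS_ID, p.TYPE AS PROCESS_TYPE, p.REQUESTER AS REQUESTER,
               l.OLD_PARTICIPANT_TYPE AS OLD_TYPE, l.OLD_PARTICIPANT_ID AS OLD_ID,
               l.NEW_PARTICIPANT_TYPE AS NEW_TYPE, l.NEW_PARTICIPANT_ID AS NEW_ID
        FROM PROCESSLOG l JOIN PROCESS p ON p.ID = l.PROCESS_ID
        WHERE l.EVENTTYPE = 'AA'
        ORDER BY l.ID
    """).fetchall()
    report = []
    for r in rows:
        report.append({
            "log_id": r["LOG_ID"],
            "created": r["CREATED"],
            "process_id": r["PROCESS_ID"],
            "process_type": PROCESS_TYPE.get(r["PROCESS_TYPE"], r["PROCESS_TYPE"]),
            "activity_id": r["ACTIVITY_ID"],
            "old_type": PARTICIPANT_TYPE.get(r["OLD_TYPE"], r["OLD_TYPE"]),
            "old_id": r["OLD_ID"],
            "new_type": PARTICIPANT_TYPE.get(r["NEW_TYPE"], r["NEW_TYPE"]),
            "new_id": r["NEW_ID"],
            "to_requester": _same_dn(r["REQUESTER"], r["NEW_ID"]),
        })
    return report


if __name__ == "__main__":
    for event in assignment_changes(build_sample_db()):
        flag = "REVIEW" if event["to_requester"] else "ok"
        print(flag, event["created"], event["process_type"],
              event["old_type"], "->", event["new_type"], event["new_id"])
```
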

PROCESSDATA Table

The PROCESSDATA table stores the runtime process data of a process. After the process is completed, the record is removed. The following table includes descriptions of each column name:

| Column Name | Description | Data Type |
| --- | --- | --- |
| PROCESS_ID | Process ID associated with the data. | numeric |
| DEF_ID | Definition ID for the corresponding relevant data in the process definition. | character |
| NAME | Data name. | character |
| CONTEXT | Context of data. The following are possible values: REQUESTEE, SUBJECT, BOTH. | character |
| DESCRIPTION | Data description. | character |
| TYPE | Data type. | character |
| COLLECTION_TYPE | Element data type for sets of data. | character |
| VALUE | Data value. | long character |
| SMALL_VALUE | Small data value. | character |

ACTIVITY Table

The ACTIVITY table contains records of each workflow process’s execution flow. The following table includes descriptions of each column name:

| Column Name | Description | Data Type |
| --- | --- | --- |
| ID | Activity ID number. | numeric |
| PROCESS_ID | Activity’s process ID number. | numeric |
| DEFINITION_ID | Activity’s definition Identifier. | character |
| ACTIVITY_INDEX | Activity index (only if the activity is inside of a loop). | numeric |
| LOOP_COUNT | Specific to loop activity. Number of iterations that have occurred in the loop. | numeric |
| LOOP_RUNCOUNT | Specific to asynchronous loop activity. Number of remaining iterations left in the loop. | numeric |
| RETRY_COUNT | Number of attempts to complete the activity. | numeric |
| LOCK_COUNT | Number of tasks pending on the activity. | numeric |
| SUBPROCESS_ID | ID of the subprocess associated with the activity. | numeric |
| NAME | Activity’s name. | character |
| DESCRIPTION | Description of the activity. | character |
| TYPE | Activity type. Values include: Application (A), Subprocess (S), Loop (L), Route (R), Manual (M), Operation (O). | character |
| SUBTYPE | Activity subtype. Values for manual activity type include: Approval/Reject (AP), Provide Information (RI), Work Order (WO). Other activity types do not have subtype values. | character |
| PRIORITY | Priority of the activity (NOT SUPPORTED). | numeric |
| STARTED | Time the activity is started. | character |
| COMPLETED | Time the activity is completed. | character |
| LASTMODIFIED | Time the activity was last modified. | character |
| STATE | Current state of the activity. Values include: Running (R), Not Started (I), Terminated (T), Aborted (A), Suspended (S), Completed (C), Bypassed (B). | character |
| RESULT_SUMMARY | Activity’s result summary code. Values include: Approved (AA), Rejected (AR), Submitted (RS), Success (SS), Timeout (ST), Failed (SF), Warning (SW), Pending (PE), Participant Resolution Failed (PF), Escalated (ES), Skipped (SK). | character |
| RESULT_DETAIL | Detailed results information for the activity. | long character |

WORKITEM Table

The WORKITEM table maintains a record of workitems associated with manual workflow activities for running processes. The records associated with the process are removed after the process is completed. The following table includes descriptions of each column name:

| Column Name | Description | Data Type |
| --- | --- | --- |
| ID | Process data ID. | numeric |
| PROCESS_ID | Process ID associated with the data. | numeric |
| ACTIVITY_ID | Activity ID associated with the data, if any. | numeric |
| PARTICIPANT_TYPE | Work item participant type. Values include: User (U), Person (P), Role (R), System Administrator (SA), Supervisor (SU), Sponsor (SP), Service Owner (SO), System (WS), Requestor (RR), Requestee (RE), Domain Administrator (DA), Custom Defined Participant (CM). | character |
| PARTICIPANT | Work item participant identity. | character |
| CREATED | Time the work item was created. | character |
| INPUT_PARAMETERS | Work item specific parameters. | long character |

PASSWORD_TRANSACTION Table

The PASSWORD_TRANSACTION table is used during secure password delivery to store information. After the password is retrieved, the record is deleted from the table. If the password is never picked up, this record is deleted upon password pickup expiration. The following table includes descriptions of each column.

| Column Name | Description | Data Type |
| --- | --- | --- |
| TRANSACTION_ID | Transaction ID used to retrieve the password. | numeric |
| ACCOUNT_DN | Account DN for the password. | character |
| CREATION_DATE | Password creation date. | character |
| PROCESS_ID | ID of the workflow that started the password transaction process. | numeric |
| ACTIVITY_ID | ID of the activity that started the password transaction process. | numeric |
| PASSWORD | Encrypted password value. | character |

NEXTVALUE Table

Note: This table is not in use after release 4.4.

The NEXTVALUE table is used to create unique IDs for workflow tables. The NEXTVALUE table is not directly used in a workflow. The following table includes descriptions of each column name:

| Column Name | Description | Data Type |
| --- | --- | --- |
| ID | Process data ID. | numeric |
| NEXT_ID | Primary key ID to be used in a process. | numeric |

PENDING Table

The PENDING table stores all the provisioning requests that are being processed, but not completed yet. The following table includes descriptions of each column name:

| Column Name | Description | Data Type |
| --- | --- | --- |
| PROCESS_ID | Process ID number. | numeric |
| PERSON_DN | DN of the person for which the request was submitted. | character |
| SERVICE_DN | DN of the resource to which to add the account. | character |

Services Tables

Tivoli Identity Manager creates and uses the following database tables to store information related to managed resources:

- “RESOURCE_PROVIDERS Table”
- “REMOTE_SERVICES_REQUESTS Table”
- “REMOTE_RESOURCES_RECONS Table”
- “REMOTE_RESOURCES_RECON_QUERIES Table”

RESOURCE_PROVIDERS Table

The RESOURCE_PROVIDERS table stores cross references between resource provider IDs and stores reconciliation data for each resource provider. The following table includes descriptions of each column name:

| Column Name | Description | Data Type |
| --- | --- | --- |
| PROVIDER_ID | Unique ID for each resource provider. There is a one-to-one relationship between a provider_id and a resource_dn. | character |
| RESOURCE_DN | DN for the managed resource the provider is responsible for. | character |
| RECON_STATUS | Indicates whether a reconciliation is currently running. 0 - no reconciliation is running for this service. 1 - reconciliation is currently running on this service. If the server is shut down abruptly during a reconciliation, this flag may need to be reset to 0 before other reconciliation requests can be processed for the specified service. | numeric |
| LAST_RECON_TIME | The time of the last reconciliation. | date |
| MAX_RECON_DURATION | Timeout value, in minutes, for reconciliations. If a reconciliation request runs beyond the amount of time specified in this field, the request is terminated. | numeric |
| LOCK_SERVICE | Indicates whether or not to lock the service during a reconciliation: 1 - lock the service during a reconciliation. 0 - do not lock the service during a reconciliation. | numeric |
| REQUEST_ID | Tracks the process locking the service. | character |

REMOTE_SERVICES_REQUESTS Table

The REMOTE_SERVICES_REQUESTS table stores asynchronous requests or requests that are made while a reconciliation is in progress. The following table includes descriptions of each column name:

| Column Name | Description | Data Type |
| --- | --- | --- |
| PROVIDER_ID | Unique ID for each resource provider. | character |
| REQUEST_ID | ID of the request made. | character |
| TYPE | Request type: 0 - generic requests; 1 - asynchronous requests; 2 - intra-reconciliation requests. | numeric |
| OPERATION | Type of operation being performed: 0 - no operation; 1 - Add request; 2 - Modify request; 3 - Delete request; 4 - Suspend request; 5 - Restore request; 6 - Change password request. | numeric |
| REQUEST_TIME | Time the request was made. | date |
| EXPIRATION_TIME | Time the request expires. If null, the request never expires. | date |
| TARGET | The owner of the account for an add request or the account dc for other types of operations. | character |
| SERVICE_DN | The distinguished name of the service instance in the directory. | character |
| DATA | The data for the request (attribute values for Add and Modify requests). This information is a serialized Java Collection. | long character |
| CONNECTION_POINT | The callback to complete the workflow process. This information is a serialized Java object. | long binary |

REMOTE_RESOURCES_RECONS Table

The REMOTE_RESOURCES_RECONS table stores the reconciliation units associated with a given resource provider. The following table includes descriptions of each column name:

| Column Name | Description | Data Type |
| --- | --- | --- |
| PROVIDER_ID | Unique ID for each resource provider. | character |
| RECON_ID | Unique ID for each reconciliation unit. | numeric |
| DAY_OF_MONTH | Day of month the reconciliation is scheduled to run. | numeric |
| MONTH_NUM | Month the reconciliation is scheduled to run. | numeric |
| DAY_OF_WEEK | Day of week the reconciliation is scheduled to run. | numeric |
| HOUR_NUM | Hour of day the reconciliation is scheduled to run. | numeric |
| MINUTE_NUM | Minute of hour the reconciliation is scheduled to run. | numeric |
| MAX_DURATION | This value overrides the MAX_RECON_DURATION value in the RESOURCE_PROVIDERS table. | numeric |
| LOCK_SERVICE | Indicates whether or not to lock the service during a reconciliation. 1 - lock the service during a reconciliation. 0 - do not lock the service during a reconciliation. | numeric |

REMOTE_RESOURCES_RECON_QUERIES Table

The REMOTE_RESOURCES_RECON_QUERIES table stores reconciliation queries associated with a given reconciliation unit. The following table includes descriptions of each column name:

| Column Name | Description | Data Type |
| --- | --- | --- |
| PROVIDER_ID | Unique ID for each resource provider. | character |
| RECON_ID | Unique ID for each reconciliation unit. | numeric |
| QUERY_ID | Unique ID for each reconciliation query. | numeric |
| RECON_FILTER | Filter associated with the reconciliation query. | character |
| RECON_BASE | Search base associated with the reconciliation query. | character |
| MAX_DURATION | Not used. | numeric |
| MAX_ENTRIES | Not used. | numeric |
| ATTRIBUTES | Attributes returned during a reconciliation request. | character |

SCHEDULED_MESSAGE Table

The SCHEDULED_MESSAGE table stores information associated with a scheduled event that is provided by the scheduler. The scheduler is a component of Tivoli Identity Manager that stores one-time or regularly scheduled events. These events are typically user requests (via the workflow engine) or recurring reconciliation events. The following table includes descriptions of each column name:

| Column Name | Description | Data Type |
| --- | --- | --- |
| SCHEDULED_TIME | A value that represents the time of the scheduled event, which is the number of milliseconds since January 1, 1970, 00:00:00 GMT. | numeric |
| SCHEDULED_MESSAGE_ID | Unique ID for each scheduled event. | numeric |
| MESSAGE | A serialized object that represents the detail information of the scheduled event. | long character |
| SERVER | The server that picks up the scheduled event most recently. | character |
| CHECKPOINT_TIME | A value that represents the last pick up time of the scheduled event, which is the number of milliseconds since January 1, 1970, 00:00:00 GMT. | numeric |
| REFERENCE_ID | Used only for scheduled workflow events. It is the workflow process ID that the scheduled event is coming from. | numeric |

LISTDATA Table

The LISTDATA table is used to optimize memory utilization and improve performance for Tivoli Identity Manager. This table is used to store large data lists. Instead of loading all data into memory, data will be stored in this table and referenced by index in memory. The following table includes descriptions of each column name:

| Column Name | Description | Data Type |
| --- | --- | --- |
| DATA_ID | Unique identifier for the data. | numeric |
| INDEX_ID | List element’s index. | numeric |
| VALUE | The serialized list element. | long character |

AUTH_KEY Table

The AUTH_KEY table is used to store the keys for signing and verifying authentication requests. The following table includes descriptions of each column name:

| Column Name | Description | Data Type |
| --- | --- | --- |
| Y | The public key in the DSA algorithm. | character |
| P | The prime number in the DSA algorithm. | character |
| Q | The sub-prime number in the DSA algorithm. | character |
| G | The modulus in the DSA algorithm. | character |
| X | The private key in the DSA algorithm. | character |

Appendix. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Trademarks
The
following
terms
are
trademarks
or
registered
trademarks
of
International
Business
Machines
Corporation
in
the
United
States,
other
countries,
or
both:
AIX
DB2
IBM
IBM
logo
SecureWay
Tivoli
Tivoli
logo
Universal
Database
WebSphere
Lotus
is
a
registered
trademark
of
Lotus
Development
Corporation
and/or
IBM
Corporation.
Domino
is
a
trademark
of
International
Business
Machines
Corporation
and
Lotus
Development
Corporation
in
the
United
States,
other
countries,
or
both.
Microsoft,
Windows,
Windows
NT,
and
the
Windows
logo
are
trademarks
of
Microsoft
Corporation
in
the
United
States,
other
countries,
or
both.
UNIX is a registered trademark of The Open Group in the United States and other countries.

Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.
Glossary

A

access. The privilege to use information or data stored on computer systems.

account. The set of parameters that define the login information and access control information for a user.

account report. A report that lists people and their associated accounts and whether or not the account is in compliance with current policies.

access control information (ACI). Data that identifies the access rights of a group or principal. See also access control.

ACI origin. The branch in the organization tree where the ACI is created.

ACI target. The set of entities that are controlled by the ACI.

active account. An account that exists and that is in use by the owner to access a resource.

admin domain. A business unit that is used to logically separate organizational responsibilities and manage access rights.

alias. An identity for a user, usually referred to as the user ID. A person can have several aliases, for example: GSmith and GWSmith.

attribute enforcement. The process in which system administrators define the attributes that are required for an account and the values that are valid for those attributes.

audit trail. The record of transactions for a computer system during a given time period.

authentication. The process of identifying an individual, usually based on a user name and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.

authorization. In computer security, the right granted to a user to communicate with or make use of a computer system. The process of granting a user either complete or restricted access to an object, resource, or function. Most computer security systems are based on a two-step process. The first stage is authentication, which ensures that a user is who he or she claims to be. The second stage is authorization, which allows the user access to various resources based on the user’s identity.

authorization owner. A group of users who can define access control information (ACI) within the context of the organizational unit to which they belong.
B

branch. Each level within the organization tree is called a branch. Each type of branch in the tree is indicated by a different icon. The contents of a branch with sub-units can be viewed by clicking the plus (+) sign next to it.

business partner organization. A class of person that is not a direct employee of the company or organization, but that might need access to the company’s resources.

business partner person. A person in a business partner organization.

business unit. A subsidiary entity of an organization.
C

central data repository. The database used to record and store user and access privilege data for all registered users, including transaction and maintenance records.

Certificate Authority (CA). An organization that issues certificates. The certificate authority authenticates the certificate owner’s identity and the services that the owner is authorized to use, issues new certificates, renews existing certificates, and revokes certificates belonging to users who are no longer authorized to use them.

challenge response. An authentication method that requires users to respond to a prompt by providing private information to verify their identity when logging in to the network.

completed requests. Requests that were submitted to the system and that are completed.

constraint. A limitation on a parameter or policy.

control type. An instance of the Java Type class that represents the type of field on a user interface.
credential. The User ID and password information for a user, which allows access to an account.
D

delegate. An individual who is designated as the responsible party to approve requests or provide information for requests for another user.

de-provision. To remove a service or component. For example, to de-provision an account means to delete an account from a resource.

digital certificate. An attachment to an electronic message used for security purposes.

Directory Services Markup Language (DSML). An XML implementation that provides a common format for describing and sharing directory services information among different directory systems.

disallowed action. A parameter set for reconciliations that defines the action to take if the Tivoli Identity Manager Server finds accounts for persons who are not allowed to have an account for the selected service. This parameter is only valid if the Check Policy check box is selected.

domain administrator. An administrator that can define and manage provisioning entities, policies, services, workflow definitions, roles, and users within their admin domain, but only in his or her own admin domain.

DSML identity feed. One of Tivoli Identity Manager’s three default service types. A DSML identity feed service imports user data from a human resources database or file and feeds the information into the Tivoli Identity Manager directory. The service can receive the information in one of two ways: a reconciliation or an unsolicited notification.
E

electronic forms. An electronic form serves as a template to define the parameters of the access being requested.

entitlement. In security management, a data structure, service, or list of attributes that represents policy information.

entity. 1) A person or object for which information is stored. 2) One of the following classes, as referred to by the Tivoli Identity Manager system:
- Person
- BPPerson
- Organization
- BPOrganization

escalation participant. In identity management, a person that has the authority to respond to requests that participants do not respond to within a specified escalation time. An escalation participant can be identified as an individual, as a role, or by using a custom JavaScript script.

escalation limit. The amount of time, in days, hours, minutes or seconds, that a participant has to respond to a request, before an escalation occurs.
H

HR feed. An automated process in which the Tivoli Identity Manager system imports user data from a human resources database or file. Refer to DSML identity feed.

I

identity policy. The rules by which the Tivoli Identity Manager system defines how a user’s ID is created.

inactive account. An account that exists in the system, but that is not in use by the account owner.

ITIM group. A user group within the Tivoli Identity Manager Server. System access and administration can be structured around ITIM groups. However, before a person can be assigned to an ITIM group, the user must be provisioned with an ITIM account. Once the person is provisioned with an ITIM account, the person is an ITIM user and can be added to an ITIM group.

J

join directive. The set of rules that define how to handle attributes when two or more provisioning policies conflict.

K

keyword. An index entry that identifies the policy in a search.

L

location. One of the types of subsidiary entities that can be added to an organization. Typically, locations are used to logically separate geographic locations for organizational management purposes.
O

operation report. A report that lists Tivoli Identity Manager operation requests by type of operation, date, who requested the operation, and who the operation is requested for.

organization. In identity management, a body of users and resources which is fairly independent. Although the sharing of resources between organizations is possible, the level of integration between the organizations is relatively low. Generally, an organization represents a company.

organization tree. A hierarchical structure of the organization that provides a logical place to create, access, and store organizational information.

organizational role. In identity management, an attribute that is used to determine membership to policies that grant access to various managed resources.

organizational unit. A body of users and resources within an organization defined to sub-divide an organization into more manageable groups. Users are assigned to only one organizational unit. Resources are also assigned to only one organizational unit unless they are defined as global to an organization.

orphan (orphan accounts). Accounts on a remote resource whose owner in the Tivoli Identity Manager system cannot be determined.

owner. A person in the Tivoli Identity Manager system that owns an account or a service.
P

participant. In identity management, a person that has the authority to respond to a request that is submitted through the workflow engine. A participant can be identified as an individual, as a role, or by using a custom JavaScript script.

password. In computer and network security, a specific string of characters entered by a user and authenticated by the system, which allows the user to gain access to the system and to the information stored within it.

password expiration period. The amount of time a password can be used before the user is forced to change it.

password policy. The rules that define the set parameters that all passwords must meet, such as length, and the type of characters allowed and disallowed.

pending requests. Requests that have been submitted to the system but that have not yet been completed.

personal information. A user’s personal information. This information can include last name, first name, home address, phone number, address, office number, supervisor, etc.

policy. In Tivoli, a set of rules that are applied to managed resources. For example, a policy can apply to passwords or to resources that a user attempts to access.

policy enforcement. The manner in which the Tivoli Identity Manager system allows or disallows accounts that violate provisioning policies.

provision. To set up and maintain a user’s access to a system in the organization.

provisioning policy. A policy that defines the access to various types of managed services, such as Tivoli Identity Manager or operating systems. Access is granted to all persons or based on a person’s organizational role. Access can also be granted specifically to persons who are not members of any organizational role.
Q

query. A way in which to limit a reconciliation to return smaller packets.

R

reconciliation. In identity management, the process of synchronizing the accounts and supporting data on the central data repository with the accounts and supporting data on the managed resource.

reconciliation report. A report that lists the orphan accounts found since the last reconciliation was performed.

rejected report. A report that lists requests denied by date, who requested the operation, and who the operation is requested for.

request. An action item in the Tivoli Identity Manager system asking for approval or information.

requestee. The person for whom a request is submitted.

requestor. A person who submits a request.

resource. A hardware, software, or data entity that is managed by Tivoli software. See also managed resource.

resource provisioning management (rpm). The management principle that combines three key elements - business logic, workflow management, and distribution agents - which together centrally manage the provisioning of users with access to information and business resources.

restore. To reactivate an account that was suspended.

request for information (RFI). In identity management, an action item that requests additional information from the specified participant and that is a required step in the workflow.
S

scope. The range that a policy can affect. Typically, the scope is defined as single or subtree. When the scope is defined as single, the policy only affects entities in the same branch in which the policy is defined. When the scope is defined as sub-tree, the policy affects the branch in which it is defined and all other branches that are subordinate to the policy’s branch of origin.

service. A program that performs a primary function within a server or related software.

service selection policy. A JavaScript filter that determines which service to use in a provisioning policy.

shared secret. An encrypted value used to retrieve a user’s initial password to access the Tivoli Identity Manager system. This value is defined when the user’s personal information is initially loaded into the system.

signature authority. The right to approve or deny a request that is submitted to the workflow engine. A user or group of users is granted signature authority when they are designated as the participant or escalation participant in a workflow design.

secure socket layer (SSL). A protocol for transmitting private documents through the Internet. SSL works by using a private key to encrypt data that is transferred over the SSL connection.

static organizational role. An organizational role that can only be assigned manually.

subprocess. A workflow design that is started as part of another workflow design.

supervisor. A person in the Tivoli Identity Manager system that is designated as the owner of a business unit.

suspend. The act of deactivating an account so the account owner cannot log into the resource.

system administrator. Individuals with access to all areas in the system. A pre-configured ITIM Group is provided in the Tivoli Identity Manager system. This ITIM Group is designed to grant members maximum access to the system. Users who are members of the administrator ITIM Group have access to all system functions and data.
T

Tivoli Identity Manager Agent. An intelligent interface between the targeted managed system and the Tivoli Identity Manager Server. It acts as a trusted virtual administrator and is a critical component that translates user requests and provides secure configurations access to various targeted systems.

Tivoli Identity Manager Server. A software and services package designed to deploy policy-based provisioning solutions.

to do list. The list of action items assigned to a user for completion.

U

user. Any person who interacts with the system.

user class. An LDAP class such as inetorgperson or BPPerson.

user interface (UI). The display used by the user to interact with the system.

user name. The ID used by the user to access the system. This ID also identifies the user to the system and allows the system to determine the user’s access rights based on the user’s membership in various organizational roles and ITIM groups.

user report. A report that lists all Tivoli Identity Manager operations by date, who requested the operation, and who the operation is requested for.

W

workflow. The sequence of activities performed in accordance with the business processes of an enterprise.
Program Number: 5724–C34

Printed in USA

SC32-1494-00