IBM Tivoli Identity Manager Server: Installation and Configuration



Chapter 9. Verifying and troubleshooting the installation

This section describes how to correct problems with the Tivoli Identity Manager installation. It also explains how to verify that the Tivoli Identity Manager Server and its prerequisite processes are running correctly.

You can test whether the database, the directory server, and other programs that the Tivoli Identity Manager Server uses are correctly configured and are in full communication with each other.

Correcting problems with starting the installation

If you cannot start the Tivoli Identity Manager installation program, check these requirements:

• Is there enough real memory available to run the installation program? For more information, refer to the IBM Tivoli Identity Manager Information Center.

• Are the correct operating system levels, patches, and space requirements provided for the hardware and software prerequisites? For more information, refer to the IBM Tivoli Identity Manager Information Center.

• Does the installation program have the correct file permissions to run? Administrative privileges are required.

• Is your firewall preventing processes that are active during installation from accessing external resources? For example, if you have a firewall that prevents ldapsearch from connecting to the directory server, the Tivoli Identity Manager installation fails.

• If the installation is on a UNIX or Linux system, do you have the correct permissions and display variables set?

  A common mistake is to log in to the desktop, omit disabling access control, and then telnet or SSH to a remote host on which you intend to install the Tivoli Identity Manager Server. To correct this problem, complete these tasks:

  1. Run this command at the command shell of your desktop to disable access control for the X Server:

     xhost +

  2. After you telnet or SSH to the remote host, run this command to set the DISPLAY environment variable:

     export DISPLAY=hostname:0.0

     The value of hostname is the host name or IP address of your local desktop computer.
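A narrower variant of step 1, as an added example that is not part of the IBM guide: `xhost +` turns off X server access control for every host, so this wrapper admits only the installation host and removes it from the access list again when the remote session ends. The names with_x_access and XHOST_CMD and the host itimhost.example.com are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not from the IBM guide.
# XHOST_CMD is a hypothetical override so the wrapper can be exercised
# without an X server; by default the real xhost is used.
XHOST_CMD=${XHOST_CMD:-xhost}

# with_x_access HOST COMMAND [ARG...]
# Grant X server access to HOST only ("xhost +HOST"), run COMMAND (typically
# the telnet or SSH session used for the installation), then revoke the grant
# ("xhost -HOST") whether COMMAND succeeded or not.
# Returns 2 for an empty or malformed host name, 1 if the grant failed,
# otherwise the exit status of COMMAND.
with_x_access() {
    host=$1
    shift
    case "$host" in
        ''|*[!A-Za-z0-9.-]*)
            echo "with_x_access: invalid host name" >&2
            return 2 ;;
    esac
    "$XHOST_CMD" "+$host" || return 1
    rc=0
    "$@" || rc=$?
    "$XHOST_CMD" "-$host" || echo "with_x_access: could not revoke $host" >&2
    return "$rc"
}

# Usage on the local desktop (host name is a placeholder):
#   with_x_access itimhost.example.com ssh root@itimhost.example.com
```

Step 2 is unchanged: inside the remote session, DISPLAY still has to point back at the local desktop.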

Tivoli Identity Manager configuration errors

Check the Tivoli Identity Manager activity summary log file (itim_install_activity.log). If a non-fatal error is reported and it involves DBConfig, ldapConfig, or system configuration, you can use stand-alone Tivoli Identity Manager configuration utilities to recover. For more information about these utilities, see Chapter 7, “Configuring the Tivoli Identity Manager Server,” on page 75.

© Copyright IBM Corp. 2009


Verifying the installation

This section describes verifying whether the database, the directory server, and other programs that the Tivoli Identity Manager Server uses are correctly configured and are in full communication with the Tivoli Identity Manager Server.

Ensuring that the WebSphere Application Server is running

The WebSphere Application Server on which the Tivoli Identity Manager application is deployed needs to be running.

To determine whether the WebSphere Application Server is running, enter this command:

• Windows operating systems:

  WAS_PROFILE_HOME\bin\serverStatus.bat -all

• UNIX or Linux operating systems:

  WAS_PROFILE_HOME/bin/serverStatus.sh -all

If you do not find the process running, run this command to start the server:

• Windows operating systems:

  WAS_PROFILE_HOME\bin\startServer.bat server_name

• UNIX or Linux operating systems:

  WAS_PROFILE_HOME/bin/startServer.sh server_name

The value of server_name is the name of the WebSphere Application Server. For example, server1.

Additionally, examine the log files in the logs directory for entries that indicate the status of server1. For example, examine the log files in the WAS_PROFILE_HOME\logs\server1 directory.

Verifying that the Tivoli Identity Manager Server is running

To verify that the Tivoli Identity Manager Server and related processes are running, complete these steps:

1. Ensure that the WebSphere Application Server is running.

   Start the WebSphere administrative console. On a browser, enter this Web address:

   http://hostname:port/ibm/console

   The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.

2. On the WebSphere administrative console, click Applications > Enterprise Applications and verify that the Tivoli Identity Manager Server is running. If the Tivoli Identity Manager Server is not running, select the application, and then click Start.

   If the Tivoli Identity Manager Server does not start, examine the following log files:

   • WAS_PROFILE_HOME\logs\server_name\SystemOut.log

     The value of profile_name is the name of the WebSphere Application Server profile running Tivoli Identity Manager. The value of server_name is typically server1 for single-server environments.

   • TIVOLI_COMMON_DIRECTORY\CTGIM\logs\trace.log

     In this directory, also examine the msg.log file. Installing Tivoli Identity Manager Server defines the value of TIVOLI_COMMON_DIRECTORY.

3. Log on to the Tivoli Identity Manager Server using the WebSphere embedded HTTP transport. For example, at a browser window, enter this command:

   http://hostname:port/itim/console

   The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number of the WebSphere virtual host. The default port number is 9080. The port number can be removed if an HTTP server is used as the front-end proxy.

   The browser displays the Tivoli Identity Manager login window. To log in to Tivoli Identity Manager, enter the Tivoli Identity Manager Server administrator user ID (itim manager) and password (immediately after installation, the value is secret).

4. After a first, successful login, the login window immediately prompts you to change the administrator password. Ensure that your password change is successful.

   Note: It is recommended you create a backup administrator user ID with the same access rights as the "itim manager" user ID.

5. If continued attempts fail to log on to Tivoli Identity Manager, determine whether the SystemOut.log file contains errors about referencing Tivoli Identity Manager properties files.

   Ensure that the ITIM_HOME\data directory contains the properties files.

   Additionally, ensure that the WebSphere Application Server also references the ITIM_HOME\data directory. Complete these steps:

   a. On the WebSphere administrative console, click Servers > Application Servers.

   b. Select a server such as server1 and under Server Infrastructure > Java and Process Management, click Process Definition.

   c. In the Process Definition, click Java Virtual Machine.

   d. Ensure that the Classpath field specifies the {ITIM_HOME}\data directory.

6. If continued attempts fail, examine the status of the Tivoli Identity Manager middleware.

   • “Testing the database connection” on page 98

   • “Ensuring that the directory server is operational” on page 101

Checking the Tivoli Identity Manager bus and messaging engine

Before starting the Tivoli Identity Manager Server, use the WebSphere administrative console to check the status of the bus and messaging engine.

To check the bus and messaging engine, complete these steps:

1. Start the WebSphere administrative console.

   http://hostname:port/ibm/console

   The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.

2. Click Service Integration > Buses.

3. If the bus has been set, you see the itim_bus. Click itim_bus.

4. In the Topology section, click Messaging engines.

For a single-server installation, you see an engine named nodename.servername itim_bus and the status of the engine is started.

For a cluster installation, you see n+1 messaging engines, where n is the number of Tivoli Identity Manager cluster members. An additional messaging engine is used for the Tivoli Identity Manager messaging cluster. All these engines need to be started.

If a message engine is not started, click the messaging engine name, and under the Additional Properties section, click Message store to see the data source JNDI name. From this JNDI name, you can link the Tivoli Identity Manager data source defined under the Resources section and test the data source connection. If the data source connection test fails, see “Testing the database connection” for more information about how to resolve the issue. If the connection test succeeds, examine the WAS_PROFILE_HOME\logs\server_name\SystemOut.log file to determine the reason that the messaging engine cannot be started.

Verifying that the database is running correctly

Testing the database connection

Before starting the Tivoli Identity Manager Server, use the WebSphere administrative console to test the database connection. Complete these steps:

1. Start the WebSphere administrative console.

   http://hostname:port/ibm/console

   The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.

2. Click Resources > JDBC > Data Sources.

3. Select ITIM Data Source.

4. Click Test Connection. A message appears that indicates the test result.

Repeat these steps for the ITIM Bus DataSource, and for clusters, additionally test the ITIM BUS Shared DataSource.

If any connections do not work, complete these steps:

1. The CLASSPATH definition of the JDBC provider is set up during the Tivoli Identity Manager installation. Verify that the CLASSPATH value is correct. Complete these steps:

   a. Start the WebSphere administrative console.

      http://hostname:port/ibm/console

      The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.

   b. Click Resources > JDBC > JDBC Providers > ITIM XA DB2 JDBC Provider.

   c. Examine the properties to verify that the CLASSPATH value is correct. For example, its value is like these values for DB2:

      $ITIM_DB_JDBC_DRIVER_PATH\db2jcc.jar
      $ITIM_DB_JDBC_DRIVER_PATH\db2jcc_license_cisuz.jar
      $ITIM_DB_JDBC_DRIVER_PATH\db2jcc_license_cu.jar

      To determine the value of $ITIM_DB_JDBC_DRIVER_PATH, click Environment > WebSphere Variables. Scroll through the list to locate the variable and confirm it is correct.

2. Verify that the DB2 user ID and password are correct. Complete these steps:

   a. Start the WebSphere administrative console.

      http://hostname:port/ibm/console

      The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.

   b. Click Resources > JDBC > Data Sources > ITIM Data Source.

   c. Examine these fields to verify the correct values:

      • Component-managed Authentication Alias: The value is itim-init.

      • Container-managed Authentication Alias: The value is itim-init.

   d. Under the Related Items category, click JAAS - J2C authentication data. Examine the Alias list to ensure that an itim-init entry exists.

      1) Click itim-init.

      2) Verify that the value of the user ID field is identical to the Tivoli Identity Manager Database User specified in ITIM_HOME\data\enRole.properties file, for example, itimuser. Do not change this value.

      3) Note the password field. If you use this field to reset the password, ensure that the password value that you enter is identical to the value defined in the ITIM_HOME\data\enRoleDatabase.properties file.

3. Ensure that other database settings are correct by checking the status of the DB2 service listening port (typically 50000, 50002, or 60000) by using a utility such as netstat. The system etc directory contains a file called services which contains the actual port number being used. For more information, see “Determining the correct service listening port and service name” on page 17.

4. If DB2 is not listening on the port and you are using IPv6 and UNIX/Linux to connect to DB2, you might need to modify your /etc/hosts file. Complete these steps:

   a. On the machine running IPv6, append these two lines to your /etc/hosts file:

      IPv4_address hostname
      IPv6_address hostname

      For example, if the hostname is myhost, the IPv6_address is 0000:ffff:ffff:0000:20e:cff:fe50:39c8 and the IPv4_address is 192.168.4.4, then you need to append these two lines in the /etc/hosts file.

   b. Log in as the DB2 instance owner and restart the DB2 server by issuing the following commands:

      db2stop
      db2start

   c. Ensure that DB2 is running on the IPv6 address by issuing the following command:

      netstat -an | grep db2port

      For example, if the db2 is running on the port 50000, then you see the following line as the output:

      tcp 0 0 :::50000 :::* LISTEN
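The port checks from steps 3 and 4, scripted as an added example that is not part of the IBM guide: it reads the DB2 port from a services file and reports on which address family a listener exists, comparing the whole port number so that a search for 5000 does not match 50000. The function names, the service name db2c_db2inst1 and the sample data are assumptions constructed for the illustration.

```sh
#!/bin/sh
# Added example, not from the IBM guide. The sample data is constructed.

# service_port NAME [FILE]
# Print the TCP port registered for service NAME in a services file.
# FILE defaults to /etc/services; pass "-" to read the file from stdin.
service_port() {
    awk -v name="$1" '
        $1 == name && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }
    ' "${2:-/etc/services}"
}

# listen_families PORT
# Read `netstat -an` output on stdin and print which address families have a
# TCP socket in LISTEN state on exactly PORT: "ipv4", "ipv6", "ipv4 ipv6" or
# "none". Accepts local addresses written as "addr:port" or "addr.port".
listen_families() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF ~ /^LISTEN/ {
            addr = $4
            if (!match(addr, /[:.][0-9]+$/)) next          # no trailing port
            if (substr(addr, RSTART + 1) != port) next      # different port
            host = substr(addr, 1, RSTART - 1)
            if ($1 ~ /6$/ || index(host, ":") > 0) v6 = 1; else v4 = 1
        }
        END {
            out = v4 ? "ipv4" : ""
            if (v6) out = (out == "" ? "ipv6" : out " ipv6")
            print (out == "" ? "none" : out)
        }
    '
}

# Constructed sample inputs so the functions can be tried offline.
sample_services() {
    cat <<'EOF'
db2c_db2inst1   50000/tcp    # constructed entry
db2c_db2inst2   50002/tcp    # constructed entry
EOF
}

sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:5000          0.0.0.0:*             LISTEN
tcp        0      0 :::50000              :::*                  LISTEN
tcp        0      0 192.168.4.4:50002     192.168.4.9:41234     ESTABLISHED
EOF
}

# Live use on the DB2 host (the service name is site-specific):
#   port=$(service_port db2c_db2inst1) && netstat -an | listen_families "$port"
```

A result of "none" for the configured port corresponds to the case in step 4 where DB2 is not listening.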

Troubleshooting SQL Server 2005 issues

When the itim manager account logs in for the first time the user is typically prompted to change the password. This prompt might not work in case of SQL Server 2005. In order to resolve this issue, complete these steps:

1. After installing Tivoli Identity Manager, log in to the SQL Server 2005 host computer.

2. Launch the Microsoft SQL Server Management Studio.

3. Expand the SQL server in the object explorer.

4. Expand Databases and move to the master database.

5. Expand Security > Schemas.

6. Right click DBO and click Properties.

7. Click Permissions, click Add, and browse to add the required users.

8. Grant all permissions to these required users and click OK.

9. Restart the server, disconnect, and reconnect with user sa in mixed authentication mode.

Data Base Configuration is too restrictive for MS SQL Server

If Tivoli Identity Manager is configured with MSSQL Server 2005 as the Tivoli Identity Manager database, you might receive the following message in the trace.log file. The error might occur the first time you access the Tivoli Identity Manager server after you perform the DBConfig operation:

   javax.transaction.xa.XAException: java.sql.SQLException:
   Failed to create the XA control connection.
   Error: EXECUTE permission denied on object 'xp_sqljdbc_xa_init', database 'master', schema 'dbo'..

To resolve this issue, complete the following steps:

Note: In this task, itimuser is the database user configured for the ITIM database, and itimdb is the name of the database configured for Tivoli Identity Manager.

1. Stop the application server.

2. Launch the Microsoft SQL Server Management Studio.

3. Expand the SQL server in the object explorer.

4. Expand Databases and delete itimdb.

5. Delete the itimuser schema from the master database:

   a. Expand Databases > System Databases > master > Security > Schemas.

   b. Delete itimuser.

6. Delete the itimuser, ITIML000, ITIML001, and so forth logins from Security > Logins.

7. Create Database. See Chapter 2, “Installing and configuring a database,” on page 9.

8. Perform dbConfig.

9. Start the application server.

Note: If the name of the database or database user is changed, perform runConfig and restart the application server.


Verifying that the directory server is properly running

Ensuring that the directory server is operational

This section describes the steps to ensure that the installed directory server for Tivoli Identity Manager is running.

To determine whether the IBM Tivoli Directory Server is running, complete these steps:

• On Windows systems, click Start > Programs > Administrative Tools > Services. Locate the directory server entry, such as IBM Tivoli Directory Server Instance V6.2 - ldapdb2. Ensure that the directory server service is started. If the service has not started, select it, and then select Action > Start from the main menu of the Services window.

• On UNIX/Linux systems, ensure that the ibmslapd process is running. Enter this command:

  ps -ef | grep ibmslapd

  The ps (process) command searches for processes. The grep command selects the processes that contain a string. The parameters in this example include:

  -e   Select all processes.

  -f   Display a full listing.

  If the IBM Tivoli Directory Server is running, a process ID (PID) number is returned. If a PID number is not returned, the server must be restarted. First, stop the server:

  ibmslapd -I <instancename> -k

  Restart the server:

  ibmslapd -I <instancename>

• If the IBM Tivoli Directory Server is running, you must ensure that the IBM Tivoli Directory Server is not in configuration mode only. Enter this command:

  ldapsearch -s base -b " " objectclass=* ibm-slapdisconfigurationmode

  If the IBM Tivoli Directory Server is not in configuration mode, the value of the ibm-slapdisconfigurationmode parameter is FALSE. The ldapsearch command opens a connection to an LDAP server, binds, and performs a search. The -s parameter specifies the scope of the search to be base, one, or sub, which searches the base object, one level, or subtree. The -b parameter uses searchbase as the starting point for the search, instead of the default.

If problems continue, examine the ibmslapd.log file for messages that indicate whether the directory server is completely or partially started. The location of the log file depends on the IBM Tivoli Directory Server version:

Windows: ITDS_INSTANCE_HOME\logs\ibmslapd.log. For example, the file is in the C:\idsslapd-ldapdb2\logs directory.

UNIX/Linux: ITDS_INSTANCE_HOME/etc/ibmslapd.log. On Linux, for example, the file is in the /home/ldapdb2/idsslapd-ldapdb2/etc/logs directory.
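The UNIX/Linux checks in this section, scripted as an added example that is not part of the IBM guide: it parses the output of the ps and ldapsearch commands and reports whether the directory server is down, in configuration-only mode, or running. Because `ps -ef | grep ibmslapd` also lists the grep process itself, the parser matches on the executable name instead. The function names, the ibmslapd path and all sample output are assumptions constructed for the illustration.

```sh
#!/bin/sh
# Added example, not from the IBM guide. All sample output is constructed.

# slapd_pids: read `ps -ef` output on stdin and print the PID of every process
# whose executable is ibmslapd. Assumes the column layout
# UID PID PPID C STIME TTY TIME CMD, so the executable is field 8; a
# "grep ibmslapd" line has "grep" in that field and is therefore not counted.
slapd_pids() {
    awk '{ exe = $8; sub(/.*\//, "", exe); if (exe == "ibmslapd") print $2 }'
}

# config_mode: read ldapsearch output on stdin and print the value of
# ibm-slapdisconfigurationmode in upper case, or "unknown" when the attribute
# is absent. Accepts both "attr=value" and LDIF-style "attr: value" lines.
config_mode() {
    awk '
        index(tolower($0), "ibm-slapdisconfigurationmode") == 1 {
            val = substr($0, length("ibm-slapdisconfigurationmode") + 1)
            sub(/^[ \t]*[=:][ \t]*/, "", val)
            sub(/[ \t\r]+$/, "", val)
            print toupper(val); found = 1; exit
        }
        END { if (!found) print "unknown" }
    '
}

# directory_status PS_TEXT LDAPSEARCH_TEXT
# Prints and returns: running (0), down (1), config-only (2), unknown (3).
directory_status() {
    pids=$(printf '%s\n' "$1" | slapd_pids)
    [ -n "$pids" ] || { echo down; return 1; }
    case "$(printf '%s\n' "$2" | config_mode)" in
        FALSE) echo running ;;
        TRUE)  echo config-only; return 2 ;;
        *)     echo unknown; return 3 ;;
    esac
}

# Constructed samples: a running instance, and a listing that contains only
# the grep process (what the pipeline prints when ibmslapd is not running).
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
ldapdb2   4211     1  0 09:14 ?        00:00:03 /opt/ibm/ldap/V6.2/sbin/ibmslapd -I ldapdb2
root      5120  4987  0 09:20 pts/0    00:00:00 grep ibmslapd'

SAMPLE_PS_GREP_ONLY='UID        PID  PPID  C STIME TTY          TIME CMD
root      5120  4987  0 09:20 pts/0    00:00:00 grep ibmslapd'

# Live use on the directory server host, with the ldapsearch command above:
#   directory_status "$(ps -ef)" \
#       "$(ldapsearch -s base -b " " 'objectclass=*' ibm-slapdisconfigurationmode)"
```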

Checking the Web browser operation

This section describes potential problems associated with the Web browser.


Ensuring that the browser registers the Java plug-in

Tivoli Identity Manager uses applets that require the Java plug-in, which is provided by the Java 2 Runtime Environment, Standard Edition (JRE). The Java plug-in provides a connection between browsers and the Java platform, and enables applets to run within a browser. For more information about the version of the Java plug-in that Tivoli Identity Manager supports, refer to the Tivoli Identity Manager Information Center.

If the Java plug-in is not installed on your system, or is not at a supported level, the browser prompts you to install the plug-in. For more information about these steps, refer to the Tivoli Identity Manager Information Center.

Microsoft Internet Explorer: Enabling active scripting

For Microsoft Internet Explorer, ensure that the Active Scripting item is enabled in the Scripting section of the Internet Options. Complete these steps:

1. Click Tools > Internet Options on the main menu.

2. On the Security tab, click the Internet icon, and then click the Custom Level button.

3. In the Scripting, Active Scripting area, select Enable.

4. Click OK.

5. In the Internet Options window, click OK.

Using a supported browser

You might not be able to log on to Tivoli Identity Manager for various reasons. For example, you could be using an unsupported Web browser. For a list of supported browsers, refer to the Tivoli Identity Manager Information Center.

Avoiding two Web browser sessions on the same computer

Do not start two separate browser sessions from the same client computer. The two sessions are regarded as one session ID, which causes problems with data.

Troubleshooting Tivoli Identity Manager within WebSphere Application Server

The Tivoli Identity Manager application runs within the WebSphere Application Server as an enterprise application. The Tivoli Identity Manager installation program uses the WebSphere command-line interface (wsadmin) to deploy the Tivoli Identity Manager application onto the WebSphere Application Server. Deploying the Tivoli Identity Manager application also performs certain configuration steps on the WebSphere Application Server.

When the deployment completes, the Tivoli Identity Manager files are in these directories:

• WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear

• WAS_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear

If the deployment fails, check the installation log files under ITIM_HOME\install_logs\ starting with the itim_install_activity.log, and examine the setupEnrole.stdout log file.

Correcting connection scripting errors

If the log data indicates a failure to establish a SOAP connection to the WebSphere Application Server configuration manager, or some type of WebSphere Application Server scripting error, complete these steps:

1. Resolve the problem that prevents the connection to the WebSphere Application Server or the problem described as a scripting error. For more information, refer to the WebSphere documentation.

2. Run one of the following commands to deploy the Tivoli Identity Manager Server onto the WebSphere Application Server:

   • If WebSphere administrative security and application security is on, run this command (this command is one line):

     ITIM_HOME\bin\setupEnrole.exe install server:name user:user_id password:pwd ejbuser:ejb_user_id

     The value of server_name is the name of the WebSphere Application Server on which the Tivoli Identity Manager application is deployed. The value of user_id is the WebSphere administrator user ID, such as wasadmin. The value of pwd is the password for the WebSphere administrator user ID, such as wasadmin. The value of ejb_user_id is the Tivoli Identity Manager EJB user ID, which uses the WebSphere Application Server administrator user ID by default.

   • If WebSphere administrative security and application security is off, enter this command:

     ITIM_HOME\bin\setupEnrole.exe install server:name

Correcting timeout errors

If the log data indicates that the failure is due to a timeout error, continue the Tivoli Identity Manager installation process.

If the Tivoli Identity Manager installation program has completed, delete the following directories if they exist:

• WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear

• WAS_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear

Run one of the following commands to deploy the Tivoli Identity Manager Server onto the WebSphere Application Server:

• If WebSphere administrative security and application security is on, run this command:

  – Windows operating systems:

    ITIM_HOME\bin\setupEnrole.exe install server:name user:user_id password:pwd ejbuser:ejb_user_id

  – UNIX or Linux operating systems:

    ITIM_HOME/bin/setupEnrole.sh install server:name user:user_id password:pwd ejbuser:ejb_user_id

  The value of server_name is the name of the WebSphere Application Server on which the Tivoli Identity Manager application is deployed. The value of user_id is the WebSphere administrator user ID, such as wasadmin. The value of pwd is the password for the WebSphere administrator user ID, such as wasadmin. The value of ejb_user_id is the Tivoli Identity Manager EJB user ID, which uses the WebSphere Application Server administrator user ID by default.

• If WebSphere administrative security and application security is off, enter this command:

  – Windows operating systems:

    ITIM_HOME\bin\setupEnrole.exe install server:name

  – UNIX or Linux operating systems:

    ITIM_HOME/bin/setupEnrole.sh install server:name

Determining the port number of the default host

If you have multiple instances of WebSphere Application Server running on the same computer, the port number might be a different value. To determine the port number of the default host, complete these steps:

1. Log in to the WebSphere Application Server administrative interface.

2. Click Server > Application servers.

3. Click the server which hosts the Tivoli Identity Manager application cluster member.

4. Under the Communications section, click the Ports link.

5. Find the port number listed next to the WC_defaulthost port name. This port number is the one used to connect to Tivoli Identity Manager.

Log files

When the system configuration is complete, you can find the log files in Table 5 in the directories specified.

Table 5. Installation log file names and directories

File names
    Description and location

log.txt
    Installation log file for WebSphere Application Server. Located in the system temp directory.

itim_install.stdout, itim_install.stderr
    Standard out and error log files for Tivoli Identity Manager. Located in the system root directory.

dbConfig.stdout, ldapConfig.stdout, itim_installer_debug.txt, runConfigFirstTime.stdout, runConfig.stdout, setupEnrole.stdout, StartStopWas.stdout, itim_install_activity.log
    Located in the ITIM_HOME\install_logs directory.

trace.log, msg.log
    Located in the TIVOLI_COMMON_DIRECTORY\CTGIM\logs\ directory. The Tivoli Common Directory is the central location for all serviceability-related files, such as log files and first-failure capture data.

cfg_itim_mw.log
    The middleware configuration utility log file. Located in the System %TEMP% directory.
