Troubleshooting Guide


Security Policy Manager Version 7.1 Troubleshooting Guide GC27-2711-00


Note: Before using this information and the product it supports, read the information in Notices on page 61.

This edition applies to version 7, release 1, modification 0 of IBM Tivoli Security Policy Manager (product number 5724-S24) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 2010. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

About this publication
  Intended audience
  Publications
  IBM Tivoli Security Policy Manager library
  Prerequisite publications
  Accessing terminology online
  Accessing publications online
  Ordering publications
  Accessibility
  Tivoli technical training
  Support information
  Conventions used in this book
  Typeface conventions
  Operating system differences

Chapter 1. Introduction to troubleshooting

Chapter 2. Learning about problem symptoms
  About troubleshooting
  About connectivity problems
  About Tivoli Security Policy Manager
  Installation from a mounted ISO image displays an error message
  Cannot reinstall after a failed installation
  Migration is disabled after migration is completed
  LDAP provisioning fails
  Configuration tool fails during security task
  Configuration tool fails during Services security task
  Console does not work
  Various timeout errors occur
  Tivoli Security Policy Manager server certificate must be replaced
  Components are unable to communicate
  Parent permission not selected when all child permissions are selected
  Anonymous workspaces are created in the wstemp directory
  Detailed information for file handler exception is missing
  Console session timeout occurs
  No policies distributed status
  User registry search using the wildcard symbol does not produce expected results
  User registry search causes console to hang
  One or more reports from the Tivoli Common Reporting component fail
  Cannot configure a policy
  Problems importing a service from a file
  Text and tables do not wrap in console window
  About runtime security services components
  Using a stand-alone user registry with runtime security services components
  WS-Security configuration issues
  Registration utility fails
  Registration fails and error CWWSS5508E occurs
  Registration fails with an "Untrusted Security Policy Manager Certificate Fingerprint"
  Certificate-related error messages are displayed during registration
  Exception error occurs during startup of the runtime security services client
  Expired certificates
  About fixes and updates
  About messages
  About performance problems and hangs
  About traps, crashes, and abends

Chapter 3. Troubleshooting checklist

Chapter 4. Searching knowledge bases

Chapter 5. Obtaining a fix

Chapter 6. Collecting data
  Installation logs
  Configuration tool logs
  Message and trace logs
  Message logs
  Trace logs
  Configuring log settings
  Configuring message logging
  Configuring the JVM log
  Configuring the IBM Service log
  Enabling trace logging for WebSphere Application Server
  Enabling trace at server startup
  Enabling trace on a running server
  Enabling trace logging for Tivoli Integrated Portal
  Enabling trace logging for the registration utilities
  Viewing logs

Chapter 7. Analyzing data

Chapter 8. Contacting IBM Support
  Using IBM Support Assistant
  Using the IBM Support Assistant in graphical mode
  Using the IBM Support Assistant in console mode
  IBM software maintenance contracts
  Determining the business impact
  Describing a problem
  Submitting data

Notices
  Trademarks

Index

About this publication

IBM Tivoli Security Policy Manager enables you to manage access to resources by defining and enforcing security policies. You can manage many types of resources, including Web services and applications. This guide describes how to troubleshoot problems in Tivoli Security Policy Manager.

Intended audience

This publication is designed for the system administrators and network administrators in an organization that uses IBM Tivoli Security Policy Manager to manage its security policies. Readers of this book should have working knowledge of the following topics:
- The implementation of IBM Tivoli Security Policy Manager in their environment
- Web services security concepts and practices
- The types of resources being protected by policies
- IBM WebSphere Application Server

Publications

Read the descriptions of the IBM Tivoli Security Policy Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

IBM Tivoli Security Policy Manager library

The following documents are available in the library:
- IBM Tivoli Security Policy Manager Quick Start Guide: Provides instructions for getting started with IBM Tivoli Security Policy Manager.
- IBM Tivoli Security Policy Manager Installation Guide: Provides instructions for installing IBM Tivoli Security Policy Manager.
- IBM Tivoli Security Policy Manager Configuration Guide: Provides instructions for configuring IBM Tivoli Security Policy Manager and its related components.
- IBM Tivoli Security Policy Manager Administration Guide: Provides instructions for administering IBM Tivoli Security Policy Manager.
- IBM Tivoli Security Policy Manager Error Message Reference: Provides explanations of the IBM Tivoli Security Policy Manager error messages.
- IBM Tivoli Security Policy Manager Troubleshooting Guide: Provides troubleshooting information and instructions for problem solving.

You can obtain the publications from the IBM Tivoli Security Policy Manager Information Center: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.tspm.doc_7.1/toc.xml

Prerequisite publications

To use the information in this book effectively, you should have some knowledge of related software products, which you can obtain from the following publications:
- IBM WebSphere Application Server Version 7.0 Information Center: http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-dist
- IBM WebSphere Application Server Version 6.1 Information Center: http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist

Accessing terminology online

The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at http://www.ibm.com/software/globalization/terminology.

Accessing publications online

The documentation CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. Refer to the readme file on the CD for instructions on how to access the documentation.

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli Documentation Central Web site at http://www.ibm.com/tivoli/documentation

Note: If you print PDF documents on other than letter-sized paper, set the option in the File > Print window that allows Adobe Reader to print letter-sized pages on your local paper.

Ordering publications

You can order many Tivoli publications online at http://www.ibm.com/ebusiness/linkweb/publications/servlet/pbi.wss.

You can also order by telephone by calling one of these numbers:
- In the United States: 800-879-2755
- In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.

For additional information, see the "Accessibility" topic in the Release Information section of the information center at http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.tspm.doc_7.1/toc.xml.

Tivoli technical training

For Tivoli software training information, refer to the IBM Tivoli Education Web site: http://www.ibm.com/software/tivoli/education

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:
- Online: Go to the IBM Software Support site at http://www.ibm.com/software/support/probsub.html and follow the instructions.
- IBM Support Assistant: The IBM Support Assistant (ISA) is a free local software serviceability tool that helps you resolve questions and problems with IBM software products. The ISA provides quick access to support-related information and serviceability tools for problem determination. For information about IBM Support Assistant, go to http://www.ibm.com/software/support/isa.
- Troubleshooting Guide: For more information about resolving problems, see the IBM Tivoli Security Policy Manager Troubleshooting Guide.

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this guide.

Bold
- Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold
- Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)

Italic
- Citations (examples: titles of publications, diskettes, and CDs)
- Words defined in text (example: a nonswitched line is called a point-to-point line)
- Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause."; letters as letters example: "The LUN address must start with the letter L.")
- New terms in text (except in a definition list): a view is a frame in a workspace that contains data.
- Variables and values you must provide:... where myname represents...

Monospace
- Examples and code examples
- File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
- Message text and prompts addressed to the user
- Text that the user must type
- Values for arguments or command options

Operating system differences

This publication uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in the Windows and UNIX environments. For example, %TEMP% in Windows environments is equivalent to $TMPDIR in UNIX environments.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Chapter 1. Introduction to troubleshooting

Troubleshooting, or problem determination, is a process of determining why a product is not functioning in the expected manner. This guide provides information to help you identify and resolve problems that you might encounter while using Tivoli Security Policy Manager and its prerequisite products.

You can often prevent certain problems by planning before the software is deployed. Before installing Tivoli Security Policy Manager, review the Product information topics in the Tivoli Security Policy Manager information center. These topics contain the following information:
- Supported operating system levels
- Prerequisite software requirements
- Required software patches
- Minimum and recommended memory requirements
- Disk space requirements
- Upgrade considerations

The troubleshooting process, in general, requires that you isolate and identify a problem, then seek a resolution. For help troubleshooting Tivoli Security Policy Manager, you can use the troubleshooting checklist in Chapter 3, Troubleshooting checklist, on page 33. If the checklist does not lead you to a resolution, collect additional diagnostic data that you can analyze yourself or that you can submit to IBM Software Support for analysis.

Troubleshooting topics for Tivoli Security Policy Manager are organized according to the sequence of these steps:
1. Learn more about a symptom or the feature that does not seem to be functioning as expected. Before you can successfully troubleshoot a symptom or a problem with a specific product feature, you must have a basic understanding of that symptom or feature.
2. Follow the troubleshooting checklist for the appropriate feature or symptom. The troubleshooting checklist offers a series of questions to guide you through the process of isolating and identifying a problem. If the problem is known to IBM, the checklist guides you to a published fix, solution, or workaround. If the troubleshooting checklist has not led you to a resolution, continue to the next step.
3. Collect diagnostic data. This information explains how to gather the necessary information that you, or IBM Software Support, must have in order to determine the source of a problem.
4. Analyze diagnostic data. This information explains how to analyze the diagnostic data that you collected.

Chapter 2. Learning about problem symptoms

The first step in the troubleshooting process is to learn more about the problem symptoms or about the affected product feature. The following topics can help you to acquire the information that you need to effectively troubleshoot problems with IBM Tivoli Security Policy Manager and its components:
- About troubleshooting
- About connectivity problems on page 5
- About Tivoli Security Policy Manager on page 5
- About runtime security services components on page 22
- About fixes and updates on page 29
- About messages on page 30
- About performance problems and hangs on page 31
- About traps, crashes, and abends on page 32

About troubleshooting

Troubleshooting is a systematic approach to solving a problem. The goal is to determine why something does not work as expected and how to resolve the problem.

The first step in the troubleshooting process is to describe the problem completely. Without a problem description, neither you nor IBM know where to start to find the cause of the problem. This step includes asking yourself basic questions, such as:
- What are the symptoms of the problem?
- Where does the problem occur?
- When does the problem occur?
- Under which conditions does the problem occur?
- Can the problem be reproduced?

The answers to these questions typically lead to a good description of the problem, and that is the best way to start down the path of problem resolution.

What are the symptoms of the problem?

When starting to describe a problem, the most obvious question is "What is the problem?" This might seem like a straightforward question; however, you can break it down into several more-focused questions that create a more descriptive picture of the problem. These questions can include:
- Who, or what, is reporting the problem?
- What are the error codes and messages?
- How does the system fail? For example, is it a loop, hang, crash, performance degradation, or incorrect result?
- What is the business impact of the problem?

Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of the most important steps in resolving a problem. Many layers of technology can exist between the reporting and failing components. Networks, disks, and drivers are only a few components to be considered when you are investigating problems.

The following questions can help you to focus on where the problem occurs in order to isolate the problem layer.
- Is the problem specific to one platform or operating system, or is it common across multiple platforms or operating systems?
- Is the current environment and configuration supported?

Remember that, even though one layer might report the problem, this does not mean that the problem originates in that layer. Part of identifying where a problem originates is understanding the environment in which it exists. Take some time to completely describe the problem environment, including the operating system, its version, all corresponding software and versions, and hardware information. Confirm that you are running within an environment that is a supported configuration; many problems can be traced back to incompatible levels of software that are not intended to run together or have not been fully tested together.

When does the problem occur?

Develop a detailed timeline of events leading up to a failure, especially for those cases that are one-time occurrences. You can most easily do this by working backward: Start at the time an error was reported (as precisely as possible, even down to the millisecond), and work backward through the available logs and information. Typically, you need to look only as far as the first suspicious event that you find in a diagnostic log; however, this is not always easy to do and takes practice. Knowing when to stop looking is especially difficult when multiple layers of technology are involved, and when each has its own diagnostic information.

To develop a detailed timeline of events, try to answer these questions:
- Does the problem happen only at a certain time of day or night?
- How often does the problem happen?
- What sequence of events leads up to the time that the problem is reported?
- Does the problem happen after an environment change, such as upgrading or installing software or hardware?

Responding to questions like this can help to provide you with a frame of reference in which to investigate the problem.

Under which conditions does the problem occur?

Knowing what other systems and applications are running at the time that a problem occurs is an important part of troubleshooting. These and other questions about your environment can help you to identify the root cause of the problem:
- Does the problem always occur when the same task is being performed?
- Does a certain sequence of events need to occur for the problem to surface?
- Do any other applications fail at the same time?

Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can be reproduced. Typically with problems that can be reproduced, you have a larger set of tools or procedures at your disposal to help you investigate. Consequently, problems that you can reproduce are often easier to debug and solve. However, problems that you can reproduce can have a disadvantage: If the problem is of significant business impact, you do not want it to recur! If possible, re-create the problem in a test or development environment, which typically offers you more flexibility and control during your investigation.
- Can the problem be re-created on a test machine?
- Are multiple users or applications encountering the same type of problem?
- Can the problem be re-created by running a single command, a set of commands, or a particular application, or a stand-alone application?

About connectivity problems

Connectivity problems typically involve multiple systems, including software, hardware, and communications. The best way to troubleshoot connectivity problems is through a process of elimination.

First, collect relevant data and determine what you know, what data you have not yet collected, and what paths you can eliminate. At a minimum, answer the following questions.
- Are the communication paths operational?
- Has the initial connection been successful?
- Is the problem intermittent or persistent?
- Have changes been made to the communication network that would invalidate the previous directory entries?
- Where is the communication breakdown encountered? For example, was the breakdown between the client and a server?
- Is the problem encountered only within a specific application?
- What can you determine by the content of the message and the tokens that are returned in the message?
- Are other systems able to perform similar tasks successfully?
- If this is a remote task, is it successful when performed locally?

Next, try to isolate the problem by answering the questions in the Chapter 3, Troubleshooting checklist, on page 33.

About Tivoli Security Policy Manager

Before you begin troubleshooting a problem with Tivoli Security Policy Manager, review its overview and a list of symptoms that might indicate a typical problem.

IBM Tivoli Security Policy Manager provides standards-based application security management to secure access to applications and Web services in heterogeneous IT and service-oriented architecture (SOA) environments.

Typical problems with Tivoli Security Policy Manager can reveal themselves in the following common symptoms:

During installation
- Installation from a mounted ISO image displays an error message
- Cannot reinstall after a failed installation on page 7

During migration
- Migration is disabled after migration is completed on page 9.

During configuration
- LDAP provisioning fails on page 10
- Configuration tool fails during security task on page 10
- Configuration tool fails during Services security task on page 11

During operation
- Console does not work on page 12
- Various timeout errors occur on page 12
- Tivoli Security Policy Manager server certificate must be replaced on page 13
- Components are unable to communicate on page 16
- Parent permission not selected when all child permissions are selected on page 16
- Anonymous workspaces are created in the wstemp directory on page 17
- Detailed information for file handler exception is missing on page 17
- Console session timeout occurs on page 17
- No policies distributed status on page 18
- User registry search using the wildcard symbol does not produce expected results on page 19
- User registry search causes console to hang on page 19
- One or more reports from the Tivoli Common Reporting component fail on page 19
- Cannot configure a policy on page 20
- Problems importing a service from a file on page 20
- Text and tables do not wrap in console window on page 21

Installation from a mounted ISO image displays an error message

When you install the Installation Manager using a mounted ISO image, an error message is displayed.

Symptoms

The following error message is displayed if you install the Installation Manager using a mounted ISO image:

    Concurrent access to HashMap attempted by Thread...

This error message is displayed at the end of the installation. You exit from the Installation Manager and Installation Manager restarts itself.

Resolving the problem

Ignore this message. Click OK and proceed to exit Installation Manager.

Cannot reinstall after a failed installation

A failed installation leaves files on the hard disk. If running the uninstall program does not remove the files, you must remove them manually before you can try to reinstall.

Symptoms

An attempt to reinstall fails after a failed installation and after uninstalling.

Causes

When the installation fails, it leaves many files on the hard disk. These files prevent the installation program from running again.

Resolving the problem

If the installation fails, try running the uninstall program using the Installation Manager. See the uninstallation tasks in the Tivoli Security Policy Manager Installation Guide.

If you cannot re-install after you have uninstalled, manually remove the files that remain on the disk.

1. Remove Tivoli Security Policy Manager server files:

   On AIX, Linux, or Solaris:

   a. On the server where Tivoli Security Policy Manager is installed, remove the installation directories. By default, these directories are named TSPM and TSPMShared. For example, open a command prompt and run the following commands:

        rm -rf /opt/ibm/tspm
        rm -rf /opt/ibm/tspmshared

   b. Uninstall the TSPM application from the WebSphere Application Server. Use the console or the command line.

      Using the console:
      See the topic for uninstalling enterprise applications in the WebSphere Application Server information center:
      WebSphere Application Server version 6.1: http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist
      WebSphere Application Server version 7.0: http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-dist

      Using the command line:
      1) Stop the WebSphere Application Server.
      2) Change to the config directory. For example, type

           cd /opt/ibm/websphere/appserver/profiles/appsrv01/config

      3) Remove "tspm". For example, type

           rm -rf tspm

      4) Start WebSphere Application Server.

   c. Continue with the steps to remove files on the Tivoli Security Policy Manager console server. See step 2.

Chapter 2. Learning about problem symptoms

   On Windows:

   a. On the server where Tivoli Security Policy Manager is installed, delete the installation directories. By default, these directories are named TSPM and TSPMShared. By default, these are located at C:\Program Files\IBM. For example, you can locate and delete the directories using Windows Explorer, or you can use the rmdir command on a command line.

   b. Uninstall the TSPM application from the WebSphere Application Server. Use the console or the command line.

      Using the console:
      See the topic for uninstalling enterprise applications in the WebSphere Application Server information center:
      WebSphere Application Server version 6.1: http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist
      WebSphere Application Server version 7.0: http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-dist

      Using the command line:
      1) Stop the WebSphere Application Server.
      2) Change to the config directory. For example, type

           cd C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv0\config

      3) Remove tspm using the delete command.
      4) Start WebSphere Application Server.

   c. Continue with the steps to remove files on the Tivoli Security Policy Manager console server. See step 2.

2. Remove files from the Tivoli Security Policy Manager console server:

   Note: This is the server where you installed the Tivoli Integrated Portal component.

   On AIX, Linux, or Solaris:

   a. On the server where the Tivoli Security Policy Manager console is installed, remove the installation directories. By default, these directories are named TSPM and TSPMShared. For example, open a command prompt and run the following commands:

        rm -rf /opt/ibm/tspm
        rm -rf /opt/ibm/tspmshared

   b. Remove the console installation directory and its associated directories and files. By default the console installation directory is /opt/tivoli. For example, delete the following directories:

        .tspm-tip
        acsitemp_administrator
        acsitemplogs_administrator

      Note: Your installation might have all or only one or two of these directories.

      Open a command prompt and run the following commands:

        rm -rf /opt/tivoli
        cd /var/ibm/common/acsi
        . ./setenv.sh
        cd /usr/ibm/common/acsi/bin
        ./si_inst.sh -r -f
        rm -rf /usr/ibm/common/acsi
        rm -rf /usr/ibm/tivoli/common
        cd /tmp
        rm -rf .tspm-tip
        rm -rf acsitemplogs_root
        rm -rf acsitemp_root

   c. Restart WebSphere Application Server and then try the installation again.

   On Windows:

   a. On the server where Tivoli Security Policy Manager is installed, delete the installation directories. By default, these directories are named TSPM and TSPMShared. By default, these are located at C:\Program Files\IBM. For example, you can locate and delete the directories using Windows Explorer, or you can use the rmdir command on a command line.

   b. Remove the console installation directory and its associated directories and files.
      1) Use Explorer to delete the installation directory. By default it is C:\Program Files\tivoli
      2) Open a command prompt and run the following commands:

           cd C:\Program Files\IBM\asci
           setenv.cmd
           cd C:\Program Files\IBM\Common\acsi\bin
           si_inst.bat -r -f

   c. Use Explorer to delete C:\Program Files\IBM\Common\acsi

   d. Use Explorer to delete C:\Program Files\IBM\tivoli\common

   e. Open a command prompt and run the set command to locate the 'temp' or 'tmp' directory. Change directory to that temp directory and delete the following directories, if they exist:

        .tspm-tip
        acsitemp_administrator
        acsitemplogs_administrator

   f. Restart WebSphere Application Server and then try the installation again.

Migration is disabled after migration is completed

If you migrated Tivoli Security Policy Manager version 7.0 data to the Tivoli Security Policy Manager version 7.1 database, the migration capability is disabled.

Symptoms

After you have migrated data, you cannot run migration again.

Causes

When a successful migration completes, the com.ibm.tspm.migration.enable parameter in the configuration file is set to false.

Resolving the problem

You can change the value from false to true if you must re-enable the migration capability. The configuration file is located in the following location:

AIX:
    /usr/ibm/websphere/appserver/profiles/profile_name/config/tspm/etc/com.ibm.tspm.conf.xmi

Linux or Solaris:

    /opt/ibm/websphere/appserver/profiles/profile_name/config/tspm/etc/com.ibm.tspm.conf.xmi

Windows:
    C:\Program Files\IBM\WebSphere\AppServer\profiles\profile_name\config\tspm\etc\com.ibm.tspm.conf.xmi

Complete the following steps to enable migration:

1. Open the com.ibm.tspm.conf.xmi file using a text editor.
2. Locate the com.ibm.tspm.migration.enable parameter.
3. Change the value to true.
4. Save and close the file.
5. Restart WebSphere Application Server.

LDAP provisioning fails

The configuration tool accesses the user registry to provision the groups that are required by Tivoli Security Policy Manager.

Symptoms

When you choose this option, the configuration tool must have direct write access to your user registry.

Causes

The configuration tool cannot access the user registry to create the users, or the selected user (bind dn) does not have write permissions.

Resolving the problem

If your user registry is not accessible or you want to prevent the tool from writing to your user registry, choose the Create a Lightweight Directory Interchange Format (LDIF) file option. This method creates an LDIF file that you can use to synchronize the group information to your user registry server.

After you use this method, examine the content of the file to ensure that it is correct for your user registry requirements. You must also use the instructions for your user registry to synchronize the content of the file with your user registry. See the tasks for configuring policy administration components in the Tivoli Security Policy Manager Configuration Guide.

Configuration tool fails during security task

The configuration tool might fail while running the security task.

Symptoms

The following message is displayed:

    CTGVU0027I - Could not find the group with cn=<groupname>. Verify that the group exists in your LDAP repository and that this LDAP repository is properly configured in both the Tivoli Security Policy Manager server and the Tivoli Security Policy Manager console.

Causes

This problem can occur when the console has not been configured to use the Tivoli Security Policy Manager user registry as a federated repository. The configuration tool tries to use the proper identities that have access to Tivoli Security Policy Manager resources. The same identities must be available to both the Tivoli Security Policy Manager server and the Tivoli Security Policy Manager console.

Resolving the problem

To resolve this problem:

1. Configure the console to use the same user registry as the Tivoli Security Policy Manager server. See the topics about configuring user registries in the Tivoli Security Policy Manager Configuration Guide.
2. Run the configuration tool again using the advanced mode, which preselects the tasks that have not completed. See the topics about running the configuration tool in the Tivoli Security Policy Manager Configuration Guide.

Configuration tool fails during Services security task

If you are using WebSphere Application Server 6.1 and the configuration tool fails, the most likely cause is that the Web Services Feature Pack was not augmented.

Symptoms

The configuration tool fails when the Services security task is running. Either of the following messages is recorded in the log files:

    SEVERE: ADMF0005E Command or Command Group listpolicysets not found.
    java.lang.exception: ADMF0005E Command or Command Group listpolicysets not found.

    SEVERE: CTGVU0007E An error occurred when attempting to execute the WebSphere administrative task importpolicyset.
    java.lang.exception: CTGVU0007E An error occurred when attempting to execute the WebSphere administrative task importpolicyset.

Causes

This problem occurs on WebSphere Application Server version 6.1 when the WebSphere Application Server profile has not been augmented with the Web Services Feature Pack. Unlike a fix pack, the feature packs are not applied to the profiles.

Resolving the problem

To resolve this problem:

1. Uninstall Tivoli Security Policy Manager. See the uninstalling topics in the Tivoli Security Policy Manager Installation Guide.
2. Delete the WebSphere Application Server profile.
3. Create a new profile that is enabled with the feature pack. See the profile topics in the WebSphere Application Server 6.1 information center: http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist
4. Install Tivoli Security Policy Manager. See the Tivoli Security Policy Manager Installation Guide.
5. Run the Tivoli Security Policy Manager configuration tool. See the Tivoli Security Policy Manager Configuration Guide.

Console does not work

You might experience problems with the console after you have run the configuration tool.

Symptoms

You ran the configuration tool, and it completed successfully. However, you cannot use the console to manage Tivoli Security Policy Manager.

Causes

This problem typically occurs if the Tivoli Security Policy Manager server and the Tivoli Security Policy Manager console have not been restarted after configuration. You must restart the WebSphere Application Server where each of these components is installed. The restart forces the configuration to be loaded.

Resolving the problem

To resolve this problem, restart the WebSphere Application Servers where each of these components is installed. Then, try to use the console.

Various timeout errors occur

Some Tivoli Security Policy Manager transactions might take longer to complete than the time that is specified by the configured server timeout values.

Symptoms

The following exception errors might be displayed if the transaction takes longer to complete than the time allocated:

Error: org.omg.corba.no_response
Server that displays the error: WebSphere Application Server where the Tivoli Integrated Portal is installed.

Error: com.ibm.wsspi.uow.uowexception: javax.transaction.rollbackexception: Global transaction timed out after 0 seconds
Server that displays the error: WebSphere Application Server where the Tivoli Security Policy Manager is installed.

Causes

The timeout values on the WebSphere Application Server where the Tivoli Integrated Portal, or Tivoli Security Policy Manager, or both are installed are not long enough for the transactions to complete.

Resolving the problem

A script file is included with Tivoli Security Policy Manager that you can use to increase the affected timeout values.

The file is located in the installation directory of Tivoli Security Policy Manager. For example:

AIX
    /usr/ibm/tspm/bin/increasetimeout.py
Linux or Solaris
    /opt/ibm/tspm/bin/increasetimeout.py
Windows
    C:\Program Files\IBM\TSPM\bin\increaseTimeout.py

Use the script with the wsadmin scripting client. For information about the wsadmin scripting client, see the WebSphere Application Server documentation:

WebSphere Application Server version 6.1: http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist
WebSphere Application Server version 7.0: http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-dist

The script file requires the following parameters:

--cell
    The cell name.
--node
    The node name.
--seconds
    The time in seconds in which the transaction must complete before a timeout occurs. For example, 90 seconds might be a reasonable value for most transactions.

Example

The following example shows the syntax for running the script on a Linux system. In this example, TIPCell and TIPNode are the names of the cell and node of the server where the Tivoli Integrated Portal is installed.

    ./wsadmin.sh -f /opt/ibm/tspm/bin/increasetimeout.py --cell TIPCell --node TIPNode --seconds 90

Tivoli Security Policy Manager server certificate must be replaced

If the default server certificate for the Tivoli Security Policy Manager server has expired or you experience certificate-related errors, replace the certificate.

Symptoms

You might receive errors about the certificate or you might know that the certificate has expired.

Causes

The server certificate has expired.

Resolving the problem

You can replace the certificate using the WebSphere Application Server console on the server where Tivoli Security Policy Manager is installed.

1. Delete the existing certificate:

   a. Log in to the WebSphere Application Server where Tivoli Security Policy Manager is installed.
   b. Click Security > SSL certificate and key management > Key stores and certificates.
   c. Click DefaultTSPMKeystore.
   d. Under Additional Properties, click Personal certificates.
   e. Select the tspm_default certificate and click Delete.

2. Create a new self-signed certificate:

   Note: The following steps use the Create a self-signed certificate function in the console to create the certificate. You can use a certificate tool, such as ikeyman or keytool instead. If you use a certificate tool, use the same certificate properties listed below and save the certificate to a file. Use the Import button in the console to import the personal certificate and specify tspm_default as the Imported certificate alias value.

   a. Log in to the WebSphere Application Server where Tivoli Security Policy Manager is installed.
   b. Click Security > SSL certificate and key management > Key stores and certificates.
   c. Click DefaultTSPMKeystore.
   d. Under Additional Properties, click Personal certificates.
   e. Click Create a self-signed certificate.
   f. Use the following values for the certificate properties:

        Alias                  tspm_default
        Common name            tspm_default
        Organization           ibm
        Organizational unit    tivoli
        Country or region      US

      Set other properties, such as validity period, to values appropriate to your environment.
   g. Click Apply.
   h. Click OK. A self-signed personal certificate and a signer certificate are created.
   i. Restart WebSphere Application Server.

3. Extract the new signer certificate:

   Note: Extract the new signer certificate to share with other keystores that used the old signer certificate. For example, if you are using runtime security services components in your environment, replace the certificate in their keystores with the new tspm_default certificate.

   a. Log in to the WebSphere Application Server where Tivoli Security Policy Manager is installed.
   b. Click Security > SSL certificate and key management > Key stores and certificates.
   c. Click DefaultTSPMKeystore.
   d. Under Additional Properties, click Personal certificates.
   e. Select the tspm_default certificate and click Extract.
   f. Specify a file name to extract the certificate into. Note the Data type value; you use the same data type when you import the certificate.
   g. Click OK.

4. Import the new signer certificate into other keystores:

   Note: Replace the tspm_default signer certificate in any keystore or truststore to which it has been distributed. Your environment might use keystores in addition to the ones in the following steps.

   a. Replace the certificate in the Tivoli Security Policy Manager truststore:
      1) Log in to the WebSphere Application Server where Tivoli Security Policy Manager is installed.
      2) Click Security > SSL certificate and key management > Key stores and certificates > DefaultTSPMKeystore > Signer certificates.
      3) Select the existing tspm_default certificate.
      4) Click Delete.
      5) Click Add.
      6) Type tspm_default as the alias name.
      7) Complete the File name and Data type fields. Use the same data type value that you used when you extracted the certificate.
      8) Click OK.

   b. Replace the certificate in the runtime security services keystore, if you use runtime security services components:
      1) Transfer the file that holds the extracted certificate to the system that is running your runtime security services component. If the runtime security services component is installed in a cluster, transfer the file to the deployment manager.
      2) Log in to the WebSphere Application Server where the runtime security services server or client is installed.
      3) Click Security > SSL certificate and key management > Key stores and certificates > DefaultTSPMKeystore > Signer certificates.
      4) Select the existing tspm_default certificate and click Delete.
      5) Click Add.
      6) Type tspm_default as the alias name.
      7) Complete the File name and Data type fields. Use the same data type value that you used when you extracted the certificate.
      8) Click OK.
      9) Click Save.
      10) Log out of the console and restart WebSphere Application Server. If the runtime security services component is installed in a cluster, restart the application servers, the cluster, the nodes, and the deployment manager, as applicable.
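The note in step 2 allows a certificate tool such as keytool in place of the console. The following is an added example, not part of the IBM guide: it creates the tspm_default key pair with the properties from step 2f in a PKCS12 file for the console Import button and extracts the signer certificate for step 4. The file names, the KS_PASS variable name, the RSA 2048 key and the validity value passed in are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not IBM-supplied.

TSPM_ALIAS="tspm_default"
# Common name, organizational unit, organization and country from step 2f.
TSPM_DN="CN=tspm_default, OU=tivoli, O=ibm, C=US"

# make_tspm_cert <p12-file> <signer-file> <validity-days>
# The keystore password is read from the exported KS_PASS environment
# variable (assumed name) through the keytool :env modifier, so it does not
# show up in the process list. A keytool build without :env needs
# -storepass <value> and -keypass <value> instead.
# Returns 2 on a precondition failure, 1 if keytool fails, 0 on success.
make_tspm_cert() {
    p12="$1"; signer="$2"; days="$3"
    [ "${#KS_PASS}" -ge 6 ] || { echo "KS_PASS must hold at least 6 characters" >&2; return 2; }
    # Never overwrite: an existing file may hold a key that is still in use.
    [ ! -e "$p12" ] && [ ! -e "$signer" ] || { echo "output file exists" >&2; return 2; }

    ( umask 077   # the file with the private key is readable by its owner only
      keytool -genkeypair -alias "$TSPM_ALIAS" -dname "$TSPM_DN" \
          -keyalg RSA -keysize 2048 -validity "$days" \
          -storetype PKCS12 -keystore "$p12" \
          -storepass:env KS_PASS -keypass:env KS_PASS ) || return 1

    # -rfc writes Base64 text; pick the matching Data type when importing.
    keytool -exportcert -alias "$TSPM_ALIAS" -rfc -file "$signer" \
        -storetype PKCS12 -keystore "$p12" -storepass:env KS_PASS || return 1
}

# cert_summary <signer-file>
# Prints owner, issuer, validity dates and fingerprints, so the same values
# can be confirmed on each system before the signer certificate is imported.
cert_summary() {
    keytool -printcert -file "$1"
}
```

Compare the fingerprint that cert_summary prints on the source system with the one shown after the import on each target keystore.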

Components are unable to communicate

Tivoli Security Policy Manager components and systems that communicate with those components must have static IP addresses and accurate name server entries.

Symptoms

Components in the environment cannot communicate.

Causes

Possible causes include:

  Use of dynamic IP addresses.
  Failure to register systems with a domain name service.

Resolving the problem

Tivoli Security Policy Manager is a distributed solution. All components must be able to communicate reliably with each other. These components include the Tivoli Security Policy Manager server, administration console, and runtime security services. They must also be able to communicate with other entities such as service and user registries, policy distribution targets, and so on.

Systems that use static IP addresses and accurate name server entries can be located more reliably than systems that use dynamic host configuration protocol (DHCP) to obtain IP addresses. Additionally, systems on which Tivoli Security Policy Manager is installed must be registered with a domain name service (DNS) server.

During installation, the fully qualified host name of the Tivoli Security Policy Manager server is written to the Tivoli Security Policy Manager properties file. If the system is not DNS registered, the current IP address is written to the properties file. If the system acquires a new IP address, Tivoli Security Policy Manager experiences communication errors because Tivoli Security Policy Manager does not update the IP address in the properties file after installation.

Parent permission not selected when all child permissions are selected

When a new administrator role is created, clearing and selecting child permissions again might not result in the expected permission set.

Symptoms

Permissions for administrator roles are listed in the console in a hierarchical check list. By default, all permission check boxes are selected when a new role is created. If you clear a child permission check box, each permission that is parent to that child is also cleared and those parent permissions are not assigned. When you re-select a child permission check box, the parents are not automatically re-selected, even when all child permissions are selected. Subsequent creation of this role results in each child permission being assigned to the role but not the parent permission that was left cleared.

Resolving the problem

The activities in the Symptoms section describe the correct function of role permissions. Use caution when you clear child permissions from a parent.
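The section "Components are unable to communicate" above explains that an IP address ends up in the properties file when the system was not DNS registered at installation time. The following is an added example, not part of the IBM guide: it scans a Java properties file for host values that are IPv4 literals so they can be replaced with a fully qualified host name. The property names in the sample are constructed, the file to scan is passed as an argument, and IPv6 literals are not covered.

```shell
#!/usr/bin/env bash
# Added example, not IBM-supplied.

# find_ip_hosts <properties-file>
# Prints "key=value" for each property whose host part is an IPv4 literal,
# whether the value is a bare host or a URL with scheme, port and path.
# Dotted numeric values that are not addresses (for example a four-part
# version string) match as well and need a manual look.
# Exit status: 0 if at least one match was found, 1 if none.
find_ip_hosts() {
    awk '
        /^[ \t]*[#!]/ || !/=/ { next }   # skip comments and lines without key=value
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            host = val
            gsub(/\\/, "", host)                            # properties files escape ":" as "\:"
            sub(/^[ \t]+/, "", host)
            sub(/^[A-Za-z][A-Za-z0-9+.-]*:\/\//, "", host)  # drop scheme://
            sub(/[:\/].*$/, "", host)                       # drop :port and /path
            if (host ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                print key "=" val
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# write_sample_props <file>
# Constructed sample input; the keys are hypothetical and the addresses come
# from the 192.0.2.0/24 documentation range.
write_sample_props() {
    cat > "$1" <<'EOF'
# constructed sample, not a real Tivoli Security Policy Manager file
example.server.host=tspm01.example.com
example.console.url=https\://192.0.2.15\:16311/ibm/console
example.rtss.host=192.0.2.20
example.timeout.seconds=90
EOF
}
```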

Anonymous workspaces are created in the wstemp directory

During the course of normal Tivoli Security Policy Manager operations, the WebSphere Application Server workspace management component creates and stores temporary session data in the <profile_name>/wstemp directory of the Tivoli Security Policy Manager application server profile. As the directory accumulates more and more temporary session data, the files and directories can take up a lot of space in the file system.

Symptoms

Temporary session data remains on the file system and takes up space.

Causes

Temporary session data is required as long as a user is logged in. WebSphere can create a large number of directories even when no user is logged in. By default, session directories are deleted after a user correctly logs out of the administrative console. However, if a user ends a session by closing the Web browser instead of logging out, the directories remain in the file system.

Resolving the problem

You can safely delete the temporary session data to free space on the file system. Shut down the server before deleting the content. The shutdown ensures that no user is logged in and that no open or active sessions become corrupted. For more information, see the WebSphere Process Server technote at http://www-01.ibm.com/support/docview.wss?uid=swg21315735.

Detailed information for file handler exception is missing

When certain failures occur during audit logging, such as the file system being full, audit events for either the Tivoli Security Policy Manager or runtime security services components can trigger an exception that is logged in the SystemOut.log file.

Symptoms

The following exception message is logged, but it is missing detailed information about the cause of the exception.

    CTGVM0014E The file handler used for writing audit records to log files threw an exception.

Resolving the problem

If the SystemOut.log file contains error CTGVM0014E, examine the SystemErr.log file for detailed information about the cause of the exception.

Console session timeout occurs

User activity that is read-only in the Tivoli Security Policy Manager console does not register as user activity with the WebSphere server.

Symptoms

If an administrator only performs view operations in the Tivoli Security Policy Manager console, a session timeout error occurs when the administrator clicks another part of the console. For example, the following message might result:

    Session timeout due to inactivity.

Causes

Activities in the console such as adding, modifying, and attaching policies or services generate server activity. Viewing service and policy information, however, generates only client-side activity that does not register on the server. If the user exceeds the WebSphere console inactivity timeout value without generating server-side activity, a session timeout error can occur.

Resolving the problem

To avoid this error, the user can either perform an action that generates server activity, such as adding, modifying, or attaching policies or services, or can move to another area of the console.

No policies distributed status

The status, No policies distributed, can be misleading.

Symptoms

You distribute or remove policies and No policies distributed is displayed as the status.

Causes

Depending on the type of policy distribution target, policy distribution and policy removal can be asynchronous processes. In asynchronous policy removal or distribution, Tivoli Security Policy Manager communicates with a WS-Notification broker, which, in turn, communicates with the policy distribution target. In this case, Tivoli Security Policy Manager is notified only whether the broker received the communication, not whether the broker actually succeeded in completing its communication flow.

Under typical circumstances, policy removal and distribution work correctly, and the status message is accurate. However, if the WS-Notification broker cannot reach the policy distribution target due to network difficulties or because the policy distribution target is down, the Tivoli Security Policy Manager policy distribution status can be inaccurate. For example, the Tivoli Security Policy Manager policy distribution status might indicate there are no policies distributed although the policy still exists on the target. In this case, the WS-Notification broker continues to perform the request until it is successful.

Resolving the problem

If you see a No policies distributed status after the policy is removed but you know that the policy still exists on the policy distribution target, you can perform the following actions to ensure policy removal or distribution: