Problems with DirX Identity Manager

This section describes DirX Identity Manager problems that can occur and the steps to solve them.

General Issues

This section discusses general problems that can occur with the DirX Identity Manager.

Abbreviation Field Change Not Recognized

Indication:

Capitalization changes in the abbreviation field of a topic in the attribute configuration are not recognized in the generated mapping.

Reason:

When you add a new attribute in the attribute configuration file with an incorrect capitalization in the abbreviation field, then add this field to the selected attribute list and use it in the mapping, the mapping will use the wrong capitalized abbreviation in the generated mapping script. When you correct the capitalization, the mapping does not recognize the correction.

Solution:

When you detect an incorrect capitalization in the mapping, you should change to another attribute, change to the original one and save the mapping. The generated script should now contain the correct capitalization.

Copied Report does not Work

Indication:

A copied report does not work.

Reason:

All report templates contain relative reference links in the Format tab to common templates, for example "_Shared Report Routines". If you copy a report to the Customer Extensions folder, you must copy the _Shared Report Routines, too.

Solution:

Copy the common template, for example _Shared Report Routines, too. If necessary, adapt the links accordingly.

Instantiation Exception

Indication:

Objects or folders in the Identity Manager are shown in red together with the error message java.lang.InstantiationException:

Error: EXR191 (java.lang.InstantiationException)

In the Identity Manager log, you will find parsing error messages like:

DBG(STG100): parsing file 'storage://DirXmetaRole/cn=TSAccount.xml,cn=Object
   Descriptions,cn=default,cn=TargetSystems,cn=Configuration,cn=ZFMD?content=dxrObjDesc':
DBG(STG100): local var TSdefaultDN=cn=Default,cn=TargetSystems,cn=Configuration,cn=ZFMD
DBG(STG100): local var TSdefaultDN=cn=Default,cn=TargetSystems,cn=Configuration,cn=ZFMD
DBG(STG100): Configured SvcTSAccount
DBG(STG100): [Fatal Error] :6:1: Content is not allowed in prolog.
ERR(STG800): **** Parsing error: org.xml.sax.SAXParseException: Content is not allowed in prolog.
DBG(STG100): null at line 6 column 1

Reason:

The related object description is erroneous.

Solution:

Correct the object description (mostly incorrect XML formatting). In the log file, you will find the object description that causes the error.

java.lang.NullPointerException

Indication:

This message can occur in many situations. Consequently, there is no well-defined solution that can be described here.

Reason:

The LDAP server might be configured to a specific size limit (maximum number of records to be retrieved during a search operation). In this case, DirX Identity Manager can obtain messages that indicate severe errors (the database might become inconsistent!). For DirX Extranet, the size limit is set to 2048, which might be too low.

Solution:

We recommend setting the size limit to 10000 or higher.

java.lang.OutOfMemoryError

Indication:

This message can occur in many situations.

Reason:

The Java engine memory limit has been exceeded.

Solution:

Perform the following steps to increase the memory size for the Java engine:

  • Stop DirX Identity Manager.

  • Open the file run.bat in the directory install_path\GUI\bin with a text editor.

  • Set the memory limit in the line that starts with 'start javaw' to a higher value, for example:

start javaw -Xmx256m …​

  • Save the file.

  • Restart DirX Identity Manager.

Here is an excerpt from the Java documentation that describes -Xmx usage:

-Xmxn

Specify the maximum size, in bytes, of the memory allocation pool. This value must a multiple of 1024 greater than 2MB. Append the letter k or K to indicate kilobytes, or m or M to indicate megabytes. The default value is 64MB. Examples:

-Xmx83886080
-Xmx81920k
-Xmx80m

Reset in Sub-Dialogs of Wizards

Indication:

If you open a sub dialog in a wizard that was shown as wizard step as well and you changed values during this wizard step, pressing Reset will reset your changes.

Reason:

Malfunction of software.

Solution:

Press OK instead and it will work fine.

Target System Report does not Work

Indication:

A target system report does not work.

Reason:

You can call target system specific reports only from the node Target Systems or from sub nodes.

Solution:

Call the report from a correct location.

UTF-8 as Default Character Set

Indication:

After import of LDIF files, some special characters are not correctly displayed.

Reason:

With DirX Identity V7.0 the default character set for all import and export operation of LDIF files has been adapted to the standard definition. Instead of Latin1 we use now UTF-8.

Solution:

Convert your file from Latin1 format to UTF-8 before performing the import operation.

Inconsistent Mapping in Tcl-based Workflows

Indication:

Arguments are displayed as inconsistent.attributename in pink color.

Reason:

Often the corresponding mapping items refer to a non-existent channel. This may occur after you have linked the job with another channel. All mapping items created before are referencing the old channel. All mapping items created afterward refer to the new one. When the old channel is now deleted the old mapping items are now inconsistent. Also, if you export your workflow and import it on another machine the old channel may not exist there.

Solution:

You must edit your mapping (on the source side if you intend to copy it to another machine) and select all arguments again. Here all attributes of the actual channels are offered. So it could happen that attributes from the old channel don’t appear here.

Wrong Order in Tree after Changing dxmDisplayName in Data View

Indication:

After changing the dxmDisplayName in the Data View and then returning to the Connectivity View, the tree resorted.

Reason:

Unknown.

Solution:

Perform a Reload Object Descriptors operation. The tree elements will then appear in the correct order.

In general, changes made using the Data View are not automatically displayed in the Connectivity or Provisioning View without any action.

Displaying the LDAP Attribute Displayname

Indication:

Identity Manager handles the attribute "displayname" in a special way. When requesting displayname the value of the attribute defined by "displayattribute" is displayed. In the following TSAccount.xml snippet cn is defined as display attribute and therefore the cn value will be displayed.

<definition
     cluster="$(./../../..)"
     targetsystem="$(./../../..)"
     class="siemens.dxr.service.nodes.SvcTSAccount"
     namingattribute="cn"
     displayattribute="cn"
     label="TSAccount"
     icon="icons/tsaccount.gif"
     candelete="true"
     canrename="true"
     cancopy="true"
     haschildren="false"
     helpcontext="tsaccount"
     displayname="Account"
     filterobjectclass="dxrTargetSystemAccount"
     accesscontrol="true" />

Solution:

If you want to display the real LDAP displayname define a pseudo property ($myDisplay) which returns the value of the LDAP attribute; for example the snippet TSAccount.xml:

<propertysheet>
   <propertypage name="displayname" insertafter="AccountGeneral"
                 class="siemens.dxr.manager.nodes.customizer.GenericPropertyPage"
                 title="test"
                 layout="displayname, $myDisplay"
                 helpcontext="mr_ts_account_tsspecific"/>

</propertysheet>

<!-- JDBC specific properties -->
   <properties>
        <property name="displayName" type="java.lang.String" label="Displayname" multivalue="false" mandatory="false"/>

        <property name="$myDisplayName"
                label="Display"
                                           >
                <script name="getProperty" return="value">
                            <![CDATA[
                                 importPackage(java.lang);
                                 importClass(Packages.java.util.regex.Pattern);
                                 importClass(Packages.siemens.dxm.util.GeneralizedTime);

                                 var obj = scriptContext.getObject();
                                 var value = obj.getProperty("displayname");

                                ]]>
                </script>
        </property>

In the sample displayname displays the value of the attribute cn (ab099999) and myDisplayName displays the value of the LDAP attribute displayname (test):

myDisplayName

Monitor View

This section describes problems and issues that relate to using the DirX Identity Manager monitor view.

Duplicate Status Entries

Indication:

You start a workflow once interactively in the DirX Identity Manager.Afterwards you detect two status entries from this workflow with a slight delay (a few seconds).

Reason:

First you installed a DirX Identity Server on a configuration database. Then you installed a second DirX Identity Server on another machine but with the same configuration database.

This results in two main servers, which confuses the system.

Solution:

In this case, you must set up the system again from scratch:

  • Save any work you did in this database (for example scenarios, workflows, jobs…​) by exporting this information.

  • Uninstall both, main Server installations and all Agent Installations.

  • Install all servers again. Be sure that you set up only one main server (you select Server from the installation options). Do not select the Server option for the agent servers.

National Characters Are Not Displayed

Indication:

National characters are not displayed correctly when viewing trace or report files from the meta controller (metacp).

Reason:

The meta controller always uses UTF-8 code to write trace and report files.

Solution:

Configure an editor that can display UTF-8 characters for viewing files. For example, you can use the freely available lister program.

No HTML Viewer

Indication:

HTML files (suffix .htm) cannot be viewed in a status entry.

Reason:

  • Reason 1: No viewer is defined.

  • Reason 2: The defined viewer cannot be found during execution because the operating system’s path variable does not contain the location of the viewer.

Solution:

  • Solution 1: Define a viewer in the dxi.cfg file. By default, the Internet Explorer is defined (should work on Windows platforms). Choose another one.

  • Solution 2: Define either an absolute path to your viewer in the dxi.cfg file or extend the operating system path variable with the correct path.

No File Viewer for UNIX

Indication:

Files cannot be viewed in a status entry.

Reason:

The defined viewer cannot be found during execution because because it does not exist.

Solution:

Define the properties file.editor and clipboard.viewer in the dxi.cfg file so that the properties are of the form sh -c "*editor *'$file'" where editor is an absolute path to your viewer. The default editor is /usr/bin/gedit (Linux). Choose another one.

No Statistics When Compression Mode is On

Indication:

Statistics are missing for a workflow status entry.

Reason:

If the compression mode setting for a workflow is different from "Detailed" in the workflow entry or "None" in the central configuration object (which is the default) the statistics info for the workflow status object is not available.It is only available for the activity status objects.

Solution:

Choose another compression mode.

Connectivity View

This section describes problems that relate to DirX Identity Manager’s Connectivity view and how to solve them.

Cannot Set Notify on Modify

Indication:

In the Import Tab of a Realtime Workflow Channel inside the Notify boarder you cannot set the On Modify flag.After save it stays empty as before.

Reason:

The notifyOnModify attribute in the dxmImport LDAP attribute is missing. You can check this in the Data view. For example, the content of dxmImport looks like:

<import createDespiteOfMultipleMatch="false"
            idInAddRequest="true" notifyOnAdd="false" notifyOnDelete="false"/>

Solution:

In Data View extend the value with notifyOnModify attribute.For example:

<import createDespiteOfMultipleMatch="false"
            idInAddRequest="true" notifyOnAdd="false" notifyOnDelete="false" notifyOnModify="false"/>

Provisioning View

This section describes problems that relate to DirX Identity Manager’s Provisioning view and how to solve them.

Target System Creation Fails

Indication:

Target system creation with the target system creation wizard fails.

Reason:

You tried to create a target system that requires a custom schema extension.

Solution:

  • Delete the partially created target system (both within Connectivity and Provisioning views).

  • Perform the schema extension.

  • Create the target system again.

Workflow Runtime Window

This section describes problems related to the workflow runtime window and how to solve them.

SHM9550

Indication:

Workflow executions fail.ProcessInfo and/or trace files show error message SHM9550: timeout to get semaphore (in dxmGetShm).

Reason:

DirX Identity Server is in operation with an encryption mode that is different from NONE, and heavy system load causes some workflows to fail with this error message.

Solution:

Increment the KeyGet timeout of the related DirX Identity server using DirX Identity Manager (Expert View: Configuration/DirX Identity Servers/C++-based Servers/Server object).

Refresh Takes Too Much Time

Indication:

Automatic Refresh in the Monitor View takes too much time.

Reason:

When DirX Identity has produced a lot of status entries, the automatic refresh needs some time. Changing from the Monitor View to other views and back to it refreshes the view even if nothing has changed.

Solution:

Turn off the automatic refresh:

  1. Open the file install_path\Gui\bin\dxi.cfg

  2. Change the value monitorview.refresh to off.

  3. Save the file and restart DirX Identity Manager.

Wait for ACK of Create Instance Error

Indication:

Workflow runtime window hangs at 'Wait for ACK of create instance'.

Reason:

The DirX Identity 7.0 service is not started.

Solution:

  • Check the log files and/or the event log.

  • Start the DirX Identity service and try again.