Environment
Identity Manager Engine, Designer and RBPM 4.7
Identity Manager Engine, Designer and RBPM 4.8
Situation
Many IDM upgrade issues stem from steps being missed entirely or done in the wrong order. This often results in Designer having incorrect version information stored in the project while updates are being pushed to the IDM Engine. The UserApp and Role and Resource Service Driver updates are documented here. The Designer package upgrade steps are outlined in section 6.2.3 of this document. A full Live -> Deploy is required after the IDM Engine(s) is upgraded, so that the new driver packages and eDirectory schema are loaded into the Identity Vault. Do not perform a Compare -> Reconcile when upgrading; the custom attributes and schema mentioned here will not be installed properly if you do.
Resolution
This document can help correct failed upgrades, or be used to ensure the required Designer updates are not missed in the first place. The Identity Applications upgrade scripts (from 4.7 on) now allow you to point the configuration at the existing Identity Applications drivers, but you first need the upgraded IDM Engine (best practice is to upgrade, then patch eDirectory and the IDM Engine to the latest available SP for the major release) and the Designer updates that follow pushed out.
Often, the missed or out-of-order Designer steps are caused by using existing projects that do not get updated in the following sections. When using existing projects, MANUALLY confirm each of the following under Identity Vault Properties -> Server List -> Edit:
Vault Properties:
Server List:
Vault Versions:
User Application Driver - Version Info:
User Application Driver Packages tab:
Preferred Server (optional):
Additional Information
Error caused by UAD packages not being upgraded and/or not fully deployed to the Identity Vault:
com.sssw.fw.exception.EboDataException: User application driver (UAD) is not compatible with User Application version 4.8. Please upgrade your UAD using Designer for Identity Manager.
Incorrect values for nrfRoleLevels on cn=configuration object:
Errors encountered creating roles after upgrade to 4.7 or 4.8, due to the nrfRoleLevels attributes of the cn=configuration object either missing or incorrectly set to the User Application Driver DN rather than the correct role level container. With the UA driver DN entered, a "DAL Communication error" will be seen in catalina.out during creation of roles.
"cn=configuration,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=system"
cn=UserApplication,cn=DriverSet,o=system#10#
cn=UserApplication,cn=DriverSet,o=system#20#
cn=UserApplication,cn=DriverSet,o=system#30#
Should be:
cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=system#10#
cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=system#20#
cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=system#30#
Error encountered after upgrade due to the UA driver package not being updated, because the IDM Engine version was not updated in the existing project. This prevented Designer from detecting the correct version of the package after upgrade:
In browser:
“Identity authentication is not correctly configured or Identity Manager to eDirectory SAML is not functioning correctly.
Please contact an administrator to correct the problem”
catalina.out:
2019-07-25 21:30:56,397 [ERROR] AuthorizationManagerService [RBPM] [Create_Domain_Administrator_Failure] Initiated by com.novell.idm.security.authorization.service.AuthorizationManagerService; Domain Administrator DN: cn=userappadm,ou=Sa,o=system; Error Message: Role with DN = [cn=secAdmin,cn=System,cn=Level20,cn=UserApplication,cn=DriverSet,ou=IDM,ou=Services,o=system ] does not exist.
com.novell.idm.nrf.exception.NrfException: Role with DN = [cn=secAdmin,cn=System,cn=Level20,cn=UserApplication,cn=DriverSet,ou=IDM,ou=Services,o=system ] does not exist.
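The following script is an added post-upgrade check written for this article; it is not part of the original document and not a NetIQ or Micro Focus tool. It covers the two failure modes described above: it validates the nrfRoleLevels values on the cn=configuration object (assuming only the dn#level# value shape shown above, with the Level10/20/30 containers expected under the UAD's RoleDefs) and scans catalina.out lines for the error messages quoted above. The UAD DN, the sample attribute values and the sample log lines are constructed from the values on this page.

```python
import re
from typing import Dict, List, Tuple

# Role level containers the article shows as the correct nrfRoleLevels targets.
EXPECTED_LEVELS = (10, 20, 30)

# Log signatures quoted in the article, mapped to the upgrade problem each indicates.
LOG_SIGNATURES = {
    "uad_package_not_upgraded": re.compile(
        r"EboDataException: User application driver \(UAD\) is not compatible"),
    "role_levels_misconfigured": re.compile(r"DAL Communication error"),
    "role_missing_after_upgrade": re.compile(r"Role with DN = \[.*?\] does not exist"),
}


def normalize_dn(dn: str) -> str:
    """Lower-case and trim whitespace around RDN separators so DNs compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_role_level(value: str) -> Tuple[str, int]:
    """Split a value of the form '<dn>#<level>#' into (dn, level).

    Assumption: nrfRoleLevels values have the 'dn#NN#' shape shown in the article.
    """
    m = re.fullmatch(r"(.+?)#(\d+)#.*", value)
    if not m:
        raise ValueError(f"unexpected nrfRoleLevels value: {value!r}")
    return m.group(1), int(m.group(2))


def expected_level_dn(uad_dn: str, level: int) -> str:
    """DN of the Level<NN> container under the UAD's RoleDefs (per the article)."""
    return f"cn=Level{level},cn=RoleDefs,cn=RoleConfig,cn=AppConfig,{uad_dn}"


def check_role_levels(values: List[str], uad_dn: str) -> Dict[str, List[str]]:
    """Classify each nrfRoleLevels value as ok or wrong and report missing levels."""
    report: Dict[str, List[str]] = {"ok": [], "wrong": [], "missing": []}
    seen = set()
    for value in values:
        dn, level = parse_role_level(value)
        seen.add(level)
        if normalize_dn(dn) == normalize_dn(expected_level_dn(uad_dn, level)):
            report["ok"].append(value)
        elif normalize_dn(dn) == normalize_dn(uad_dn):
            # The failure mode in the article: the value names the driver itself.
            report["wrong"].append(f"{value}: points at the UAD, not Level{level}")
        else:
            report["wrong"].append(f"{value}: expected {expected_level_dn(uad_dn, level)}")
    report["missing"] = [f"Level{lv}" for lv in EXPECTED_LEVELS if lv not in seen]
    return report


def scan_catalina(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (problem, line) for every log line matching a known signature."""
    hits = []
    for line in lines:
        for problem, pattern in LOG_SIGNATURES.items():
            if pattern.search(line):
                hits.append((problem, line.strip()))
    return hits


UAD_DN = "cn=UserApplication,cn=DriverSet,o=system"

# Constructed samples: the wrong and the correct values quoted in the article.
BROKEN_VALUES = [f"{UAD_DN}#{lv}#" for lv in EXPECTED_LEVELS]
CORRECT_VALUES = [f"{expected_level_dn(UAD_DN, lv)}#{lv}#" for lv in EXPECTED_LEVELS]

# Constructed sample log lines built from the messages quoted in the article.
SAMPLE_LOG = [
    "2019-07-25 21:30:56,397 [ERROR] AuthorizationManagerService [RBPM] Error Message: "
    "Role with DN = [cn=secAdmin,cn=System,cn=Level20,cn=UserApplication,cn=DriverSet,"
    "ou=IDM,ou=Services,o=system ] does not exist.",
    "com.novell.idm.nrf.exception.NrfException: Role with DN = [cn=secAdmin,cn=System,"
    "cn=Level20,cn=UserApplication,cn=DriverSet,ou=IDM,ou=Services,o=system ] does not exist.",
    "com.sssw.fw.exception.EboDataException: User application driver (UAD) is not compatible "
    "with User Application version 4.8. Please upgrade your UAD using Designer for Identity Manager.",
    "2019-07-25 21:31:02,110 [INFO] unrelated line that should not match",
]

if __name__ == "__main__":
    print(check_role_levels(BROKEN_VALUES, UAD_DN))
    print(check_role_levels(CORRECT_VALUES, UAD_DN))
    for problem, line in scan_catalina(SAMPLE_LOG):
        print(problem, "<-", line[:80])
```

To run it against a real vault, read the attribute with a base-scope search on the cn=configuration object (for example ldapsearch -x -D <admin DN> -W -b "cn=configuration,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=system" -s base nrfRoleLevels) and pass the returned values to check_role_levels. A "wrong" or "missing" result confirms the Designer packages were not fully deployed; the remedy is the one the article gives, a full Live -> Deploy after the Designer updates, not a hand edit of the attribute.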