Sun Role Manager (SRM)

This page contains the following information regarding Sun Role Manager (SRM):

  • Check List For Opening New Support Cases
  • Sample Support Case Entries
  • Self Help
  • Supported Installation Matrix

Check List For Opening New Support Cases

  • Check List

Please ensure that the following information is available when you submit your case to SUN support. Submitting this information when opening a support case will save time and potentially lead to a faster resolution to your problem.

    - Detailed description of issue
    - List the exact version of Sun Role Manager, application server, repository (database) and JVM

To find the version of SRM, log in as an Admin user; the version of SRM is shown
at the bottom of any screen. If SRM is down and the admin cannot log in, you
can check a file called VERSION.txt located at

/<absolute path of SRM directory>/WEB-INF/classes/VERSION.txt

    - Relevant J2EE Application server logs & Database logs during the above time frame of the SRM configuration.

log4j.properties and relevant Role Manager logs (rbacx.log) during the above time frame. The
location of "rbacx.log" is noted in the "log4j.properties" file within the "WEB-INF"
directory.

    - Screen shots showing the actual problem
    - Which environment is having the problem?(Production, Test or Development)?
    - What is the frequency of the issue?
    - When was the problem first noticed?
    - What has recently changed in your environment?
    - Copy and paste error messages from server log outputs
    - Steps to Reproduce Issue:
    - Are you running in a clustered environment?
    - Are you using an application server data source for the repository connection?
    - Is this a new installation/configuration or an existing setup?

  • Recommended Data Collection for Crashes in SRM Application

As with any J2EE application server based application, whenever the SRM application crashes (core dumps), here is what we need to collect:

    - Exact version of the SRM currently running
    - Exact time stamp of the crash
    - Relevant J2EE application server logs
    - Relevant SRM logs (rbacx.log)
    - A core file & JVM hot spot errors file with JVM heap dump (a file named hs_err_<pid>.log), these files are usually found in the directory where the application (SRM) is started from
    - If possible, collect "netstat -an" output from the SRM system to review the TCP/IP socket status.
    - kill -3 <java_process>   
    - Is CPU being consumed by the JVM or does CPU drop back to almost idle?
    - 2 pstack outputs
    - prstat -L -p PID output
    - truss -leaf -vall -wall -rall -p <java_process>

Sample Support Case Entries

Detailed description of issue

I get an error when I click on the Identity Certification Tab in SRM. I also get this error when I try to create a new certification. When I click on the Identity certification tab, I get a pop up which says error but no error is displayed. At this time, I see an error in rbacx.log.

Versions
SRM - 4.0.1
Application Server - Sun Application Server 9.1
Repository (database) - Oracle 10G
Java - 1.6_07

Relevant J2EE Application server logs & Database logs during the above time frame of the SRM configuration
See attached files

log4j.properties file and relevant Role Manager logs (rbacx.log) during the above time frame
See attached files

Screen shots showing the actual problem

See attached files

Which environment is having the problem?(Production, Test or Development)
Test

Frequency of the issue
Each time I click on the "Identity Certification Tab"

When was the problem first noticed

I was running a few queries on the SRM repository from sql developer tool.
select idc.manager, idr.name from idc_certs idc, id_certs idr where idc.id=idr.id and idr.state=4

What has recently changed in your environment?
nothing

Copy and paste error messages from server log outputs, if Any

The following below is the snippet of the error.log:-

--- Cause: java.sql.SQLException: ORA-00942: table or view does not exist

Steps to Reproduce Issue
Click on the Identity Certification Tab from SRM home page or Click on Submit button while creating a new certification

Are you running in a clustered environment?
No

Are you using an application server data source for the repository connection
No

Is it a new installation/configuration or an existing setup

Existing setup

All the data collected is uploaded to http://supportuploads.sun.com/upload. File name, cksum and the location of the file will be shared with the case/SR owner.

Self Help

  • Troubleshooting Common Errors

Role Manager Installer Cannot Connect To Database

The Role Manager installer cannot establish connectivity with the database if drivers supporting the JDBC™ API (JDBC drivers) are not set in the CLASSPATH variable.

Resolution

Set the CLASSPATH environment variable as described below and relaunch the installer.

For the Windows environment
(assuming connectivity is to be established with MS SQL Server, the JDBC driver is located in C:\RBACx_Drivers and
Role Manager Installer is located in C:\SRM_4.0)

set CLASSPATH=.;C:\RBACx_Drivers\jtds-1.2.jar
cd C:\SRM_4.1
install.bat

For the UNIX environment
(assuming connectivity is to be established with DB2 Server, the JDBC driver is located in /usr/local/RBACx_Drivers/ and
the Role Manager installer is located in /usr/local/SRM_4.1/)

export CLASSPATH=.:/usr/local/RBACx_Drivers/db2jcc.jar:/usr/local/RBACx_Drivers/db2jcc_license_cu.jar
cd /usr/local/SRM_4.1
./install.sh

Note - No line breaks should exist during CLASSPATH setup

JDBC Connection Error

The error is generated when Role Manager is unable to connect to the database and is logged in rbacx.log file. The error would consist of:

"Failed to obtain DB connection from data source 'springNonTxDataSource.QuartzScheduler': java.sql.SQLException:
 Connections could not be acquired from the underlying database! [See nested exception: java.sql.SQLException:
 Connections could not be acquired from the underlying database!]"

Resolution

- Check jdbc.properties configuration file in $RBACX_HOME/conf folder
- Check conf-context.xml file in /WEB-INF/ folder
- Ensure that the JDBC drivers corresponding to the database type are present in /WEB-INF/lib
- Verify the database server connectivity can be established from the application server

Error Loading Workflow

The following error is generated when 'workflows.xml' file is not properly configured in /WEB-INF/classes folder:

"Error loading workflow Role Membership Workflow com.opensymphony.workflow.FactoryException: Error in workflow
descriptor: file:/<WORKFLOWS_FILE_PATH>role-user-membership-workflow.xml: root cause:
<$RBACX_HOME>\conf\workflows\role-user-membership-workflow.xml (The device is not ready)"

Resolution

- Verify if $RBACX_HOME variable in 'workflows.xml' in /WEB-INF/classes is correctly setup

Role Mining Error

While executing the role mining process, a pop-up displays the following error:

"weka/filters/Filter"

This error is generated due to the unavailability of weka.jar in the Role Manager library.

Resolution

- Copy weka.jar into /WEB-INF/lib folder, and restart the application server

Provisioning Server Not Listed Under Administration > Configurations > Provisioning Servers Tab

The 'Provisioning Servers' tab displays 'file' and 'sun' as the available options. To display other supported provisioning servers, edit 'iam-context.xml' in /WEB-INF folder

Resolution

- To set up IBM Tivoli Identity Manager, uncomment the following lines in 'iam-context.xml'

<!--entry key="ibm">
<ref local="tim"/>
</entry-->
<!--bean id="tim" class="com.vaau.rbacx.iam.ibm.TIMIAMSolution" parent="abstractIAMSolution"/-->

- To set up CA eTrust Identity Access Management, uncomment the following lines in 'iam-context.xml'

<!--entry key="ca">
<ref local="eTrust"/>
</entry-->
<!--bean id="eTrust" class="com.vaau.rbacx.iam.ca.ETrustIAMSolution"
parent="abstractIAMSolution">
<property name="extensions">
<value>${com.ca.iam.extensions}</value>
</property>
<property name="userSearchFilter">
<value>*</value>
</property>
</bean-->

- To set up Oracle Identity Manager, uncomment the following lines in 'iam-context.xml'

<!--entry key="oracle">
<ref local="oim"/>
</entry-->
<!--bean id="oim" class="com.vaau.rbacx.iam.oracle.OIMIAMSolution" parent="abstractIAMSolution">
// Sample application to namespace mapping
<property name = "namespaceMap">
<map>
<entry key = "HealthMaster">
<value>RACF Account</value>
</entry>
<entry key = "HealthMaster1">
<value>RACF Account</value>
</entry>
</map>
</property>
//Sample namespace attribute mapping->
<property name = "nsAttributeMap">
<map>
<entry key = "HealthMaster">
<map>
<entry key = "transactions">
<value>UD_RACFTR_P_TRANSACTION</value>
</entry>
</map>
</entry>
<entry key = "HealthMaster1">
<map>
<entry key = "transactions">
<value>UD_RACFTR_P_TRANSACTION</value>
</entry>
</map>
</entry>
</map>
</property>
<property name="loginConfig">
<value>${com.vaau.rbacx.iam.oracle.loginConfig}</value>
</property>
<property name="oimHome">
<value>${com.vaau.rbacx.iam.oracle.oimHome}</value>
</property>
<property name = "provider">
<value>jnp://</value>
</property>
<property name = "namingContextFactory">
<value>org.jnp.interfaces.NamingContextFactory</value>
</property>
<property name = 'roleDao'>
<ref bean="roleDao"/>
</property>
<property name = "policyManager">
<ref bean = "policyManager"/>
</property>
<property name="userProperties">
<map>
<entry key = "userName">
<value>Users.User ID</value>
</entry>
<entry key = "firstName">
<value>Users.First Name</value>
</entry>
<entry key = "lastName">
<value>Users.Last Name</value>
</entry>
<entry key = "middleName">
<value>Users.Middle Name</value>
</entry>
<entry key = "manager">
<value>Users.Manager Login</value>
</entry>
<entry key = "primaryEmail">
<value>Users.Email</value>
</entry>
<entry key = "employeeType">
<value>Users.Role</value>
</entry>
<entry key = "startDate">
<value>Users.Start Date</value>
</entry>
<entry key = "endDate">
<value>Users.End Date</value>
</entry>
<entry key = "createDate">
<value>Users.Provisioned Date</value>
</entry>
</map>
</property>
<property name = "customProperties">
<list>
<value>Users.Email</value>
<value>Organizations.Organization Name</value>
<value>USR_UDF_LOCATION</value>
<value>Users.Deprovisioning Date</value>
<value>Users.Xellerate Type</value>
<value>Users.Identity</value>
<value>Users.Lock User</value>
<value>Users.Disable User</value>
<value>Users.Role</value>
</list>
</property>
</bean-->

Error Rendering Report

The following error is generated when Role Manager reports cannot be rendered by the system:

20:44:43,498 ERROR [JasperPrintRenderer] Error rendering report:
java.io.FileNotFoundException:<$FILE_PATH>\<$FILE_NAME>.jasper

Resolution

- Validate the file path listed in 'reporting-context.xml'
- Verify the report being rendered (<$FILE_NAME>.jasper) exists in 'reports' folder

Role Manager Configuration Error

Any inaccuracies in the Role Manager configuration would generate errors and cause Role Manager launch failure. 'conf-context.xml' and 'reporting-context.xml' are 2 common files where configuration errors can cause failure. Some of the common errors are listed below:

java.io.FileNotFoundException: C:\Vaau\rbacx-4.1\conf\jdbc.properties (The system cannot find the path specified)
java.io.FileNotFoundException: C:\Vaau\rbacx-4.1\conf\mail.properties (The system cannot find the path specified)
java.io.FileNotFoundException: C:\Vaau\rbacx-4.1\conf\ldap.properties (The system cannot find the path specified)
java.io.FileNotFoundException: C:\Vaau\rbacx-4.1\conf\iam.properties (The system cannot find the path specified)

Resolution

- Verify the $RBACX_HOME path outlined in 'conf-context.xml' and 'reporting-context.xml' is accurate

Java Heap Out of Memory Error

'java.lang.OutOfMemoryError' exception in the log is caused by Java heap fragmentation. This fragmentation occurs when no contiguous chunk of free Java heap space is available from which to allocate Java objects.

Resolution

- Increase the size of the JVM memory pool and clear out the Java cache to resolve the exception stated above.
The recommended setting for the min. / max. value is 512 MB / 1024 MB respectively.
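
An added example, not part of the original page or of Role Manager itself: a triage script that reads rbacx.log in the layout set by the log4j.properties file on this page (%d{ABSOLUTE} %-5p [%c{1}] %m%n), keeps stack-trace lines with the event they belong to, and maps the error signatures from this section to the first check in their Resolution lists. The sample log lines are constructed, and the logger names JobStoreTX, ContextLoader and IdcService are assumptions.

```python
import re

# Event header as produced by the file appender layout on this page:
# %d{ABSOLUTE} %-5p [%c{1}] %m%n -> "20:44:43,498 ERROR [JasperPrintRenderer] msg"
HEADER = re.compile(r"^(\d{2}:\d{2}:\d{2},\d{3}) (\w+)\s+\[([^\]]+)\] ?(.*)$")

# (section title on this page, signature, first check from its Resolution list)
SIGNATURES = [
    ("JDBC Connection Error",
     re.compile(r"Failed to obtain DB connection|Connections could not be acquired"),
     "check jdbc.properties in $RBACX_HOME/conf and the JDBC driver in /WEB-INF/lib"),
    ("Error Loading Workflow",
     re.compile(r"Error loading workflow"),
     "verify $RBACX_HOME in workflows.xml under /WEB-INF/classes"),
    ("Error Rendering Report",
     re.compile(r"Error rendering report"),
     "validate the file path in reporting-context.xml and the reports folder"),
    ("Role Manager Configuration Error",
     re.compile(r"FileNotFoundException: .*[\\/]conf[\\/](?:jdbc|mail|ldap|iam)\.properties"),
     "verify $RBACX_HOME in conf-context.xml and reporting-context.xml"),
    ("Java Heap Out of Memory Error",
     re.compile(r"java\.lang\.OutOfMemoryError"),
     "increase the JVM memory pool (page recommends min/max 512 MB / 1024 MB)"),
]

# Constructed sample input (not taken from a real system).
SAMPLE = r"""20:44:41,120 INFO  [ContextLifecycleListener] Starting context
20:44:43,498 ERROR [JasperPrintRenderer] Error rendering report:
java.io.FileNotFoundException: C:\reports\sample.jasper
20:45:02,007 ERROR [JobStoreTX] Failed to obtain DB connection from data source 'springNonTxDataSource.QuartzScheduler': java.sql.SQLException: Connections could not be acquired from the underlying database!
20:45:10,300 ERROR [ContextLoader] Context initialization failed
java.io.FileNotFoundException: C:\Vaau\rbacx-4.1\conf\jdbc.properties (The system cannot find the path specified)
20:46:00,000 ERROR [IdcService] unexpected failure""".splitlines()


def parse_events(lines):
    """Group raw lines into events; lines without a header (stack traces,
    nested exceptions) are appended to the event that precedes them."""
    events = []
    for line in lines:
        m = HEADER.match(line)
        if m:
            events.append({"time": m.group(1), "level": m.group(2),
                           "logger": m.group(3), "text": m.group(4)})
        elif events:
            events[-1]["text"] += "\n" + line
    return events


def triage(lines):
    """Return (findings, unmatched): known signatures, then other ERROR/FATAL events."""
    findings, unmatched = [], []
    for ev in parse_events(lines):
        for label, pattern, hint in SIGNATURES:
            if pattern.search(ev["text"]):
                findings.append((ev["time"], label, hint))
                break
        else:
            if ev["level"] in ("ERROR", "FATAL"):
                first_line = ev["text"].split("\n", 1)[0]
                unmatched.append((ev["time"], ev["logger"], first_line))
    return findings, unmatched


if __name__ == "__main__":
    found, rest = triage(SAMPLE)
    for time, label, hint in found:
        print(f"{time}  {label}: {hint}")
    for time, logger, first in rest:
        print(f"{time}  unclassified [{logger}] {first}")
```

Events left in the unclassified list are the ones to paste into a support case together with the surrounding log lines.
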
  • Role Manager Logs

Role Manager has various logs that the user can use during troubleshooting. The two major types of logs are:

  • Role Manager Audit/Import Logs
  • Role Manager System Logs

Role Manager Audit/Import Logs

Every operation done on the Role Manager user is recorded and reported in the Audit Event view in Role Manager. The current audit events include -

  • Role Manager User Password Update
  • Addition of Role Manager User
  • Modification of Role Manager User
  • Deletion of Role Manager User

The details captured by the Audit Events are:

Function: Description

    - Timestamp: Denotes the time when the audit event was captured
    - UserID: Denotes the userid of the account which initiates the change
    - UserName: Denotes the name of the user account which initiates the change
    - Action: One of the following actions is shown in this column: ADD, MODIFY, DELETE, LOGIN, LOGOUT
    - Description: The description of the audit event is provided here
    - Remote IP Address: IP Address of the machine which initiates the change
    - Remote Hostname: Host Name of the machine which initiates the change
    - Imported By: This outlines the method used to import the feed files. In this case this will be represented as BATCH.
    - Source: Denotes the source of import. For this version all imports will be FILE_IMPORT
    - Import Type: Denoted as Accounts, Glossary, Users depending on type
    - Total number of records: Total number of records in the feed file
    - Records Imported: Total number of records imported by Role Manager
    - Number of Errors: Denotes the number of errors encountered during the Feed import
    - Start time: Start Time of Import
    - End time: End Time of Import
    - Read time: NA
    - Description: The file name is specified in the description

Review Role Manager Audit Logs

Follow the steps below to analyze events in the Role Manager audit logs:

1. Log in to Role Manager
2. Click the System tab
3. Select the required Action. Content can be filtered using Username / Fullname
4. Select the time period from To and From calendars as required
5. Click Filter
6. The filtered event logs would be displayed
7. Click the Close icon to return to the filtered Audit Event Logs list

Review Role Manager Import Logs

Role Manager import logs can be accessed and analyzed by following steps outlined below:

1. Log in to Role Manager
2. Click the System tab
3. Click on Import Logs under the System tab
4. Select the type of Import Logs (Accounts, User, Roles, Policies, Glossary) as needed
5. Review details of the log
6. Click the Close icon to return to Import Logs page

Role Manager System Logs

Role Manager utilizes the log4j framework, which is one of several Java logging frameworks. The log file is named and created as per the definition in the log4j.properties file located in the $RBACX_HOME/WEB-INF folder. log4j.properties is the logging configuration file and can be used to alter the logging levels of Role Manager. The log captures various details such as the import/export information, ETL processing and also any exceptions which arise while running the application.
The contents of log4j.properties with the ideal logging levels are specified below -

log4j.rootLogger=INFO, file

# Console Appender
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.console.layout.ConversionPattern=%d{ABSOLUTE} %-5p [%c{1}] %m%n

# File Appender
log4j.appender.file=org.apache.log4j.DailyRollingFileAppender
log4j.appender.file.file=logs/rbacx.log
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.file.layout.ConversionPattern=%d{ABSOLUTE} %-5p [%c{1}] %m%n
log4j.appender.file.ImmediateFlush=true
log4j.appender.file.DatePattern='.'yyyy-MM-dd

#Tomcat logging
log4j.logger.org.apache.catalina=WARN
# DON'T EDIT FOLLOWING
log4j.logger.com.vaau.commons.springframework.context.ContextLifecycleListener=INFO

#VAAU commons logging
log4j.logger.com.vaau.commons=WARN

#RBACx Core logging
log4j.logger.com.vaau.rbacx= WARN
log4j.logger.com.vaau.rbacx.core= WARN
log4j.logger.com.vaau.rbacx.service= WARN
log4j.logger.com.vaau.rbacx.manager= WARN

#RBACx Security logging
log4j.logger.com.vaau.rbacx.security=WARN

#RBACx Scheduling logging
log4j.logger.com.vaau.rbacx.scheduling=DEBUG

#RBACx ETL
log4j.logger.com.vaau.rbacx.etl.manager=WARN

#RBACx IAM logging
log4j.logger.com.vaau.rbacx.iam= DEBUG

#RBACx Reporting logging
log4j.logger.com.vaau.rbacx.reporting=WARN

#RBACx Audit logging
log4j.logger.com.vaau.rbacx.audit=WARN

#RBACx Role-Mining logging
log4j.logger.com.vaau.rbacx.rolemining=WARN
log4j.logger.com.vaau.commons.datamining=WARN
log4j.logger.com.vaau.commons.ml=WARN
log4j.logger.com.vaau.odm=WARN

#RBACx IDC logging
log4j.logger.com.vaau.rbacx.idc=WARN

#SYSTEM
log4j.logger.com.vaau.rbacx.system=DEBUG

#Sandbox
log4j.logger.com.vaau.rbacx.sandbox.ida=WARN
log4j.logger.com.vaau.rbacx.sandbox.rme=WARN

#Workflow
log4j.logger.com.vaau.rbacx.workflow=WARN
log4j.logger.com.opensymphony.workflow.AbstractWorkflow=ERROR

#SqlMap logging configuration. Change WARN to DEBUG if want to see all sql statements
log4j.logger.com.ibatis=WARN
log4j.logger.com.ibatis.common.jdbc.SimpleDataSource=WARN
log4j.logger.com.ibatis.common.jdbc.ScriptRunner=WARN
log4j.logger.com.ibatis.sqlmap.engine.impl.SqlMapClientDelegate=WARN
log4j.logger.org.springframework.jdbc.datasource.DataSourceTransactionManager=WARN
log4j.logger.java.sql.Connection=WARN
log4j.logger.java.sql.Statement=WARN
log4j.logger.java.sql.PreparedStatement=WARN

#Spring Framework
log4j.logger.org.springframework=WARN
log4j.logger.org.springframework.rules.values=WARN
log4j.logger.org.springframework.context.support=WARN
log4j.logger.org.springframework.transaction=WARN
log4j.logger.org.springframework.aop.interceptor=WARN
log4j.logger.org.springframework.security=WARN
log4j.logger.org.springframework.security.event.authentication.LoggerListener=FATAL

#For Trace Logging change them to TRACE
log4j.logger.org.springframework.aop.interceptor.PerformanceMonitorInterceptor=WARN
log4j.logger.org.springframework.aop.interceptor.CustomizableTraceInterceptor=WARN

##JIAM log
log4j.category.com.ca=WARN
#log4j.category.com.ca.commons.jndi=DEBUG

#Quartz scheduler
log4j.logger.org.quartz=WARN

#DWR
log4j.logger.uk.ltd.getahead.dwr=FATAL
log4j.logger.org.directwebremoting=FATAL

#ehcache
log4j.logger.net.sf.ehcache=ERROR

#CloverETL
log4j.logger.org.jetel=ERROR

#C3p0
log4j.logger.com.mchange=ERROR

#JasperReports
log4j.logger.net.sf.jasperreports=ERROR
log4j.logger.com.vaau.rbacx.search=WARN
log4j.logger.com.vaau.commons.search=WARN


A few more parameters to keep in mind are the Security and the IAM logging.
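
An added example (not part of the original page or of Role Manager): log4j 1.x takes each logger's level from its nearest configured ancestor in the dotted name hierarchy, so the script below resolves the effective level for a logger name from an excerpt of the file above and tells whether an event at a given level passes that threshold. The logger names ending in LoginAudit, Review, Conn and Unlisted are hypothetical.

```python
LEVELS = ["ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"]

# Excerpt of the log4j.properties shown above (lines copied from the page).
EXCERPT = """\
log4j.rootLogger=INFO, file
log4j.logger.com.vaau.rbacx= WARN
log4j.logger.com.vaau.rbacx.security=WARN
log4j.logger.com.vaau.rbacx.iam= DEBUG
log4j.logger.org.springframework.security=WARN
log4j.logger.org.springframework.security.event.authentication.LoggerListener=FATAL
log4j.category.com.ca=WARN
#log4j.category.com.ca.commons.jndi=DEBUG
"""


def parse_levels(text):
    """Return (root_level, {logger: level}) for '=' separated log4j 1.x properties."""
    root, loggers = "DEBUG", {}          # log4j 1.x root logger defaults to DEBUG
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue                     # blank line, comment, or not key=value
        key, value = (part.strip() for part in line.split("=", 1))
        level = value.split(",")[0].strip().upper()   # "INFO, file" -> "INFO"
        if level not in LEVELS:
            continue                     # no explicit level: the logger inherits
        if key in ("log4j.rootLogger", "log4j.rootCategory"):
            root = level
        for prefix in ("log4j.logger.", "log4j.category."):  # category = older alias
            if key.startswith(prefix):
                loggers[key[len(prefix):]] = level
    return root, loggers


def effective_level(name, root, loggers):
    """Walk up the dotted hierarchy until a configured ancestor is found."""
    while name:
        if name in loggers:
            return loggers[name]
        name = name.rpartition(".")[0]
    return root


def is_written(name, event_level, root, loggers):
    """True if an event at event_level from logger `name` passes the threshold."""
    threshold = effective_level(name, root, loggers)
    return LEVELS.index(event_level) >= LEVELS.index(threshold)


if __name__ == "__main__":
    root, loggers = parse_levels(EXCERPT)
    probes = [
        "com.vaau.rbacx.security.LoginAudit",        # hypothetical class name
        "com.vaau.rbacx.iam.oracle.OIMIAMSolution",  # class named on this page
        "org.springframework.security.event.authentication.LoggerListener",
        "net.example.Unlisted",                      # hypothetical, falls to root
    ]
    for name in probes:
        print(f"{effective_level(name, root, loggers):5}  {name}")
```

With the levels on this page, WARN and ERROR events from the authentication LoggerListener are below its FATAL threshold, while the IAM packages log at DEBUG.
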

Supported Installation Matrix

Role Manager is J2EE-based, utilizing a 3-tiered model. Requirements of the 3-tier architecture are a web server, an application server, and a database server. The Role Manager application comes bundled with Apache Tomcat 5.5.16, which serves as both a web server and an application server. Other Java based application servers such as Sun Java System Application Server, WebSphere, JBoss, WebLogic etc. are also supported by Role Manager. Supported database servers include MySQL, Microsoft SQL Server, Oracle®, IBM DB2. Role Manager can be easily integrated on Windows, UNIX or UNIX-like platforms. See below for information on supported applications.

Operating Systems:

  • Microsoft Windows Server 2000(SP3)
  • Microsoft Windows Server 2003
  • Solaris 8, 9, 10
  • Red Hat Linux 4, 5
  • Novell SuSE Linux Enterprise 9, 10

Application Servers:

  • Apache Tomcat 5.5.15+
  • IBM WebSphere 6.1
  • Weblogic 10
  • Sun Java Application Server

Database Servers:

  • Microsoft SQL Server 2000(SP4)/2005
  • IBM DB2 8.2, 9.x
  • Oracle 9i, 10g, 11.x
  • MySQL 5

Provisioning Servers:

  • File
  • Identity Manager
  • Oracle Identity Manager
  • CA eTrust Identity Access Management
  • IBM Tivoli Identity Manager

  1. Sep 24

    meh4474 says:

    Can someone point me to how to connect Sun Role Manager with LDAP directory (any LDAP directory)? I seem to be not finding any documents or anything on this integration

    Another question is for cvs file connector to import users. I have users and schema defined in <SRM_HOME>\import\in and \schema location. Once I schedule the job, I get no errors, no processed file in the \success folder. rbacx.log shows no error. Any one can point me what I am doing wrong?

    I am using SRM Build 4.1.0.20080903_406_3061

    1. Oct 21

      K-2 says:

      I'm not sure about 4.1, but maybe the 5.0 docs can help? http://wikis.sun.com...

Copyright 1994-2009 Sun Microsystems, Inc.