May 3, 2010

1/13/10 – when running ITIM 5.1 upgrade from 5.0, get this on dbUpgrade
sqlcode=-552, sqlstate=42502
– was because used root to configure the db.  Needed to use db inst owner

1/13/10 30906 379 – when installing 5.1 fp1 using update installer, fp1 shows as not applicable
– also could not create a person
– problem: WAS was installed with cluster
– uninstalled WAS, installed as single-server, applied fp5, installed updinstlr
– still got jms errors
– itim_bus was unavailable
– followed step 5 and on in http://www.ibm.com/support/docview.wss?uid=swg21380384
– restarted WAS
– was able to create a person
– attempted itim upgrade to 5.1 fp1 – could not recognize fixpack
– was pointing to was for upgrade, pointed to /opt/IBM/itim, saw fixpack, retried
– got error CWUPI0013E: A configuration action failed. The failing configuration action is: UpdateITIMEar.
– found error 105 in ant script in /opt/IBM/itim/logs/update/
– in soap.client.props file, was_profile\properties changed com.ibm.SOAP.requestTimeout=1200
– retried upgrade, worked
– doc APARs/APAR needed

1/27/10 32903 379 – CTGIMA416E The following process cannot be found in the database.
Process ID: 7835357467799461128

1/29/10  when installing WAS 7.0 cluster member, got error:
wrn, Config action failed: 97SInstallInvokeWSProfile – /usr/IBM/WebSphere/AppServer/properties/version/nif/config/install/97S
– manually tried federating the node
./addNode.sh hostname 8879
– time was not sync’d between servers, sync’d time
– federated node, worked
– until ITIM wouldn’t install on the node – had to reinstall WAS

– this was running on 02:
root 512014 626844   2 10:46:44  pts/1  1:10 /usr/IBM/WebSphere/AppServer/java/bin/java -Xbootclasspath/p: -Dws.output.encoding=console -Dosgi.install.area=/usr/IBM/WebSphere/AppServer -Dosgi.configuration.area=/usr/IBM/WebSphere/AppServer/profiles/Custom01/configuration -Dcom.ibm.CORBA.ConfigURL=file:/usr/IBM/WebSphere/AppServer/profiles/Custom01/properties/sas.client.props -Dcom.ibm.SSL.ConfigURL=file:/usr/IBM/WebSphere/AppServer/profiles/Custom01/properties/ssl.client.props -Dcom.ibm.SOAP.ConfigURL=file:/usr/IBM/WebSphere/AppServer/profiles/Custom01/properties/soap.client.props -Djava.security.auth.login.config=/usr/IBM/WebSphere/AppServer/profiles/Custom01/properties/wsjaas_client.conf -Dcom.ibm.ws.scripting.wsadminprops=/usr/IBM/WebSphere/AppServer/profiles/Custom01/properties/wsadmin.properties -Dconfig_consistency_check= -Dwas.install.root=/usr/IBM/WebSphere/AppServer -Duser.install.root=/usr/IBM/WebSphere/AppServer/profiles/Custom01 -Dwas.repository.root=/usr/IBM/WebSphere/AppServer/profiles/Custom01/config -Dlocal.cell=hdgisscwctmq2Node01Cell -Dlocal.node=hdgisscwctmq2Node01 -Dcom.ibm.ws.management.standalone=true -Dcom.ibm.itp.location=/usr/IBM/WebSphere/AppServer/bin -Dws.ext.dirs=/usr/IBM/WebSphere/AppServer/java/lib:/usr/IBM/WebSphere/AppServer/classes:/usr/IBM/WebSphere/AppServer/lib:/usr/IBM/WebSphere/AppServer/installedChannels:/usr/IBM/WebSphere/AppServer/lib/ext:/usr/IBM/WebSphere/AppServer/web/help:/usr/IBM/WebSphere/AppServer/deploytool/itp/plugins/com.ibm.etools.ejbdeploy/runtime -Xms256m -Xmx256m -Xquickstart -Djava.util.logging.manager=com.ibm.ws.bootstrap.WsLogManager -Djava.util.logging.configureByServer=true -classpath 
/usr/IBM/WebSphere/AppServer/profiles/Custom01/properties:/usr/IBM/WebSphere/AppServer/properties:/usr/IBM/WebSphere/AppServer/lib/startup.jar:/usr/IBM/WebSphere/AppServer/lib/bootstrap.jar:/usr/IBM/WebSphere/AppServer/lib/lmproxy.jar:/usr/IBM/WebSphere/AppServer/lib/urlprotocols.jar:/usr/IBM/WebSphere/AppServer/java/lib/tools.jar:/usr/IBM/WebSphere/AppServer/deploytool/itp/batchboot.jar:/usr/IBM/WebSphere/AppServer/deploytool/itp/batch2.jar com.ibm.wsspi.bootstrap.WSPreLauncher -nosplash -application com.ibm.ws.bootstrap.WSLauncher com.ibm.ws.runtime.WsProfileAdminListener /usr/IBM/WebSphere/AppServer/profiles/Custom01/temp/wsadmin /usr/IBM/WebSphere/AppServer/logs/manageprofiles/Custom01/wsadminListener.log ISO8859-1

2/1/10 – 33658 379  ITIM 5.1 upgrade does not work on a cluster if you use a cluster name other than the default name listed as the example in the install doc (ITIM_Application_Cluster)  Used itim_app_cluster and itim_msg_cluster.  Install does not prompt for cluster names.  Got WasClusterConfigUtil.updateJvmPath failed and other errors
– had to change cluster name in runConfig.lax, worked on DM
– then was problem on cluster member – could not find WAS profile
– was APP_SERVER_HOME=/usr/IBM/WebSphere/AppServer/profiles/AppSrv01
– which didn’t exist.  changed to:
– APP_SERVER_HOME=/usr/IBM/WebSphere/AppServer/profiles/Custom01
– same error
– previous error installing on invoking the profile is issue
– uninstalled, reinstalled, same error in install log.txt
– tried deleting profile, could not find profile
– deleted profile dir, tried creating profile, hung on importWasprofile
– uninstalled WAS, ran ./installRegistryUtils.sh -cleanAll
– installed WAS 7.0, ITIM upgrade worked, closed

2/4/10 – messaging engines were unavailable on cluster upgrade to 5.1
– DBconfig had not been run successfully
– on runConfig install, was getting itim_bus already exists
– Once getting DB comm to work, DBA had dropped enrole tables but not sib tables
– had to remove ITIM from WAS manually, including itim_bus, drop enrole and sib tables, run ITIM install on both nodes, started WAS, worked

2/4/10 – 34355 379 – Logging on with bad user id/pwd gives 500 null pointer exception
Gary – 714-327-5916
– nothing in trace.log or access.log
Can you please perform a diff of the contents of the ITIM.ear file in the installedApps directory on your working vs. non-working system?  Can you also provide a copy of the ui.properties file from the working and non-working system as well as a copy of the enRole.properties file from both systems.
– sent
– asked to send msg, trace, sysout syserr, ffdc logs at MIN setting
– also noticed that server is not stop/startable from WAS console
– Installed fixpack 7, resolved issue, closed

2/4/10 – 34372 379 – IDI Feed fails to Create Person in ITIM5.1
changes filter to (|(namingcontexts=dc=FromIL))(ernamingcontexts=dc=FromIL)))
– format of $dn was incorrect – don’t use parens – just uid=…
– worked, closed

2/10/10 – 45214 379 – Err upgrading 5.1 to fp1 – DBUpgrade fails
JPanelRdbmsConfig.JPanelRdbmsConfig: For upgrade, change button text from ‘Test’ to ‘Continue’, then
reset the action command back to ‘Test’.
– Chris Weber
– Tried running DBConfig, dropping tables, fails on enrole.menu, manually dropped enrole and sib tables
– Reran DBConfig, created/configed tables
– Retried fp1 upgrade, same error
– created <itim home>/properties/version/nif/config/install/backdoors_user.properties file, having the following entry:  skip.dbupgrade=true
– reran install, worked
– removed backdoor, tried upgrading with UpdInst 7005, worked fine
– Manqing Li/Ottawa   developer

2/25/10 – 47431 379 – haven’t sync’d password yet, user gets locked out, call help desk
first try to reset the password,
itim account is “inactive”, it doesn’t reset password for inactive account
TAM/iSeries works; ITIM/SAP doesn’t
– if hd does a restore, then pwd change, then works
– Charles S

3/11/10 – 77896 344 – after migrating from 4.6-5.1, cannot view adoption policies

3/11/10 – 77900 344 – Unable to View/Edit Password Policies in 5.1
CTGIMU116E  An error occurred while retrieving the services covered by the password policy
CTGIMG012E  An error occurred while retrieving detailed information of the service

3/12/10 – 77016 344 – workflows
– inconsistent case in dc=sem/dc=SEM
– Mike C supplied perl script to fix case
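
Added example (not Mike C's perl script, which is not on this page): a Python script that reports how many spellings of a directory suffix occur in an LDIF export and rewrites them to one spelling, handling folded lines and base64 values. The sample entries and the names suffix_variants / normalize_suffix are constructed for illustration.

```python
import base64
import re
from collections import Counter

# attribute name, ":" or "::" (base64), then the value
LINE_RE = re.compile(r"^([A-Za-z0-9;.-]+)(::?)\s*(.*)$")


def unfold(text):
    """Join LDIF continuation lines (leading single space) to the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_line(line):
    """Return (attr, value, was_base64), or None for blanks, comments, binary values."""
    m = LINE_RE.match(line)
    if not m:
        return None
    attr, sep, value = m.groups()
    if sep == "::":
        try:
            value = base64.b64decode(value).decode("utf-8")
        except ValueError:  # not text (e.g. a photo): leave the line alone
            return None
    return attr, value, sep == "::"


def suffix_pattern(suffix):
    """Match the suffix at the end of a DN value, in any letter case."""
    return re.compile(r"(?:(?<=,)|^)\s*(" + re.escape(suffix) + r")\s*$",
                      re.IGNORECASE)


def suffix_variants(ldif_text, suffix):
    """Count each spelling of the suffix found at the end of any attribute value."""
    pat = suffix_pattern(suffix)
    seen = Counter()
    for line in unfold(ldif_text):
        parsed = split_line(line)
        m = pat.search(parsed[1]) if parsed else None
        if m:
            seen[m.group(1)] += 1
    return seen


def normalize_suffix(ldif_text, suffix):
    """Rewrite every spelling of the suffix to `suffix`; return (new_text, changed)."""
    pat = suffix_pattern(suffix)
    out, changed = [], 0
    for line in unfold(ldif_text):
        parsed = split_line(line)
        m = pat.search(parsed[1]) if parsed else None
        if m and m.group(1) != suffix:
            attr, value, was_b64 = parsed
            value = value[:m.start(1)] + suffix + value[m.end(1):]
            if was_b64:  # keep base64 values base64-encoded
                encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
                line = attr + ":: " + encoded
            else:
                line = attr + ": " + value
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


# Constructed sample data: three spellings of the suffix, one folded value,
# one base64-encoded DN value.
_PEOPLE = "ou=0,ou=people,erglobalid=00000000000000000000,ou=sem"
_MANAGER = base64.b64encode(
    ("erglobalid=1002," + _PEOPLE + ",dc=Sem").encode("utf-8")).decode("ascii")
SAMPLE_LDIF = "\n".join([
    "dn: erglobalid=1001," + _PEOPLE + ",dc=sem",
    "objectclass: inetOrgPerson",
    "cn: Test User One",
    "manager:: " + _MANAGER,
    "",
    "dn: erglobalid=2001,ou=0,ou=accounts,erglobalid=00000000000000000000,ou=sem,dc=SEM",
    "eruid: tuser1",
    "owner: erglobalid=1001," + _PEOPLE + ",",  # value is folded onto the next line
    " dc=SEM",
]) + "\n"

if __name__ == "__main__":
    print("before:", dict(suffix_variants(SAMPLE_LDIF, "dc=sem")))
    fixed, changed = normalize_suffix(SAMPLE_LDIF, "dc=sem")
    print("lines rewritten:", changed)
    print("after:", dict(suffix_variants(fixed, "dc=sem")))
```

The output is written unfolded (one logical line per attribute), and a suffix written with spaces around "=" is not matched.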

3/16/10 – when installing IDS 6.2, get glpins253e – no features available for installation
– uninstall didn’t uninstall

3/16/10 – 78138 344 cannot remove IDS instance.  dropped database, and database instance, deleted home
– lists of instances are in __cfg

3/17/10 – 78241 344 getting “no Memory” on bulkload
– issue was corrupted ldif

3/18/10 – delete pending transactions from database – clear database

3/19/10 – 78320 344 – when trying to logon to itim, got “an error has occurred”
getting NameNotFoundException: dnqualifier, in trace.log
– cause was recert policy
was getting in ibmslapd.log – GLPSRV204W The server has temporarily suspended reading client requests from the network 10 times. There are 0 of 15 worker threads attempting to write results
– tried to run ldapsearch on ou=people, and got out of memory error
– had set entry cache to 500000, set it back to 25000, same problem
– set ulimits for root and ldap owner to unlimited for mem and data, 2097151 for stack, worked

4/9/10 – When calling dll from ITDI getting: CTGDIS628E Error in COMProxy.dll: IDispatch not initialized

4/14/10 – 79130 7TD – help with itdi script

var oh;
var ohi;
var nh;
oh = conn.getAttribute("handle");
nh = oh + 0;
ret.value = nh;

4/15/10 – 79321 7TD – getting schema violation importing custom adapter profile
– when moving connector to flow, where it needs to be to work and not give null value for query

4/16/10 – 79361 7TD – attrib not avail in output map when using branch or loop

4/19/10 – 26323 499 – sev1 – During Feed, getting Transaction rollback
– WAS won’t start clean w/o XA exceptions
– stopped WAS, ran removeTransactions.sh, cleaned tranlogs, restarted WAS
– still got XA Exceptions, and had 600 in Pending
– Deleted all Pending trans
– found /db2itim_ind1 was 98% used (indexes)
– ran removeTransactions.sh, cleaned tranlogs, restarted WAS
– still got XA Exceptions
979-942-8178 Clyde cell
– committed indoubt transactions (pmr 26534), repeated above, no XA exceptions!
– XA exceptions returned when transaction logs filled up
– added more trans logs, cleared sib and partner logs, still had indoubt trans
– chose forget on all 5 indoubt trans,
– db2 tranlogs were read in and archived properly, relieving space
– closed

4/20/10 – 26534 499 – sev1 – cannot release lock on scheduled_message table -> DB2
db2 list indoubt transactions with prompting
– all were status “i” – were 5 transactions – committed all 5, quit
– db2 restart db
– after purging SIB was able to start WAS clean
– indoubt trans still existed
– forget transactions was the resolution, closed

4/28/10 – 26206 499 – Cannot make salesman number searchable – search fields have to be text not numeric
– working as designed
– Brian will work with Fernando

4/28/10 – 27212 499 – Recons running 8-18 hours after scheduled
– Can check these tables to see if it’s hitting the limit for recons or a resource is marked down:



December 2, 2009

1/27/09   80075 379 – getting “CTGDIK450E Unable to interface with the TAM server. The following unknown message type was retrieved by TAM while processing an exception thrown by TAM: The server could not locate the session for the client” when enabling autoprov for TAM Combo.  see pmrs 65458.379, 36116.379, and 15034,379

Requesting APAR to implement pooling contexts as TAM documentation dictates as shown in this article http://www-01.ibm.com/support/docview.wss?uid=swg1IZ00350

– TDI group – Hemric  /Lak Sri

– opened the tamAdd.xml in IDI, created a new connector called TAMpool, enabled pooling with the default settings and max size of 5, changed the AL to inherit from TAMpool, and enabled Use connector from pool.

– Brian’s example worked (tam_context-example.xml) when removed all but description from connector attributes

– closed b/c ssltimeout=1200 worked

2/10/09  82353 379 – CTGDIS181E Error while evaluating single attribute map tamUserIter.initialize_fail.


– tried itamprofile.jar from 11/11/08, same

– tried TAMComboUtils.jar v4.6.5, TamLdapReconFactory’ not found

– reverted TAMComboUtils.jar, tried itamprofile-orig.jar from 11/7/08, worked

– tried 4.6.5 profile, worked, closed

4/16/09 16861 379 – Trying to create an LDAP account with custom adapter profile,

sn and cn are not getting passed to work object

– they are in trace.log, not ibmdi.log

– Charles Schultz

At first when we deleted the provisioning policy, service, accounts, object classes to prepare to re-import the profile, the import errored out.  I found that the provisioning policy delete had hung, aborted it, restarted WAS, and retried the import.  We then got Null Pointer Exceptions and IIOP errors.  There were some old object classes (erLdapUserAccount, erSunLdapUserAccount) so I deleted those, and then when I imported the profile the errors went away, but we don’t have object classes and ALs.

– rebuilt profile from scratch

– service name object class was misspelled, corrected

– object class viols when creating an account, noticed objectclass did not contain erCompanyIntLdapUser

– added objectclass to the account attribs in ADT, re-exported jar, imported into ITIM, same error

– changed object class in Output map to “companyInternalPerson”

– or you can add this to the service.def


<default>inetorgperson organizationalperson person top</default>

Objectclass to be used for user entries


– closed

5/5/09 19501 379 – IndexOutOfBoundsException when disabling/enabling/Creating any provisioning policies.

– It runs for about a half hour and then throws that error

– any prov policy causes the error not just the custom LDAP profile (erCompanyIntLdapUser)

– problem was strange foreign characters in the CN of 220 person records

– fixed in IF66 (FP 79)

– deleted people, worked, closed

5/29/09 78488 7TD –  – Failures in ITIM console but changes actually succeed

– CTGIMO014E Communication Failure. The directory server is not available.

Error: [LDAP: error code 2 – Protocol Error])

– Juan Acosta/Austin/IBM: the minimum requirement is 6.1 fp2 – you should install FP2 or newer http://www.ibm.com/support/docview.wss?uid=swg27010306#ver50

also, I found that TDS introduced an attribute to configure the time out on SSL

here is the tech note for extending the SSL time out http://www.ibm.com/support/docview.wss?uid=swg21233758

I suggest you first install the TDS fixpack, since the base TDS image has known problems. then, if you don’t see any resolution with the fixpack, set the SSL attribute to a higher value

– installed fp2

– changed ibmslapd.conf to add ssl_timeout:5000 and oc_handlers:15

– worked, closed

6/3/09 79236 7TD  – Account ACI’s stopped working after accounts and service deleted

– Create Service Group ACI with filter

– APAR IZ52841

– was already in ITIM 5.0 FP5/IF26 (APAR #IZ43723)

– upgraded, followed Grey’s word doc (filed under ), worked, closed

6/3/09 79237 7TD – CTGIMO036E An error occurred while processing an ecryption request. Given final block not properly padded

– ldap encryption problem, not SSL

– ran runConfig, turned off encryption in Security tab

– checked these settings for the correct passwords







– no errors in trace.log, so re-enabled encrypted passwords with runConfig

– no errors, restarted, got errors again

6/4/09 79356 7TD – Cannot create mailboxes – error IID_IMailRecipient failed Error 0x80004002

– had 32bit version of adapter installed

– installed 64 bit v5.0.6

– Changed service account to use dev\iam_dev, worked, closed

6/8/09 79799 7TD – Upgrading AD adapter from win2003 64-bit 5.0.4 to 5.0.6 creates dup service

– was trying to upgrade from 32 bit adapter

– got object class violations when importing jar w/ custom attributes

– you have to use “ADprofile” exactly as the directory you jar up – was using “ADprofile2”

– jar can be named anything

– Dan Barto making doc apar

– APAR IZ56415

6/9/09 – custom person object attributes not showing up in report schema available

– inetorgperson was not superior object class

– changed v3.modifiedschema, restarted ids, was, ran data sync, upgraded to 5.0 fp5 + if27, worked

6/22/09 86806 7TD – In * Test *, IDI HR feed hangs, LDAP server connection problem

upped the WAS JVM to 1024 Mb Initial, 2048 Max, and set the Min and Max connections in enrole.properties to 5 and 10

Then found that transactions were stuck in WAS and would just retry each time I started WAS without restarting the bulkload.

hung transactions in WAS when doing bulkload (ldap server unavailable)

– I deleted all people entry except ITIM Manager

– Stopped WAS

– Deleted log1 & log2 from <WAS_Home>\profiles\AppSrv01\tranlog\dix-t-iamwas-01Node01Cell\dix-t-iamwap-01Node01\server1\transaction\partnerlog

and ….tranlog

– Started WAS

— Transactions were still there

– Stopped WAS

– Ran DBConfig, dropping tables

– Deleted tranlogs again as above

– Started WAS, came up clean

– Bulkload still causes ldap server unavailable

6/23/09 – Last name/Full name gone from Manage Users and cannot search on them

– possible affecting change was changing Person to use inetOrgPerson as superior object class

– also affecting ACIs – options are Person and inetOrgPerson for Person ACIs

– was result of changing Person to subordinate of inetOrgPerson

– need to delete dup attribs from Person

6/24/09  87056 7TD – Lifecycle rule not attempting to run when scheduled

– was running even though no entries were in view requests, closed

6/30/09  87798 7TD – Passport Advantage doesn’t have 5.0 AIX and AS/400 adapters

– Mike C. uploaded to ftp, closed

7/1/09 88022 7TD – AD adapter page size – recons take over 6 hours,

– adapter reads in all 16,000 objects before passing to ITIM

9/10/09   COMPANY:  Got error when accessing ITIM console page:

CTGIMU509E  An error occurred while determining if support is enabled for forgotten passwords. CTGIMO018E The following directory server error occurred. Error: usqaitim02:389; socket closed

– restarted WAS, could logon

9/15/09  –  In SystemOut:

J2CA0056I: The Connection Manager received a fatal connection error from the Resource Adapter for resource itimBusDataSource. A communication error has been detected. Communication protocol being used: TCP/IP.

Communication API being used: SOCKETS.  Location where the error was detected: Reply.fill().

Communication function detecting the error: InputStream.read().  Protocol specific error codes Insufficient data, * , 0.

In trace.log when trying to logon:

CTGIMU509E An error occurred while determining if support is enabled for forgotten passwords.  CTGIMO018E The following directory server error occurred.

Error: usqaitim02:389; socket closed

– IDS was down.  The password expired, set to never expire, worked

9/15/09 – When searching for jago3129

com.ibm.itim.apps.ApplicationException: CTGIMF007E The specified object cannot be found in the directory server. The object might have been moved or deleted before your request completed. The following information was returned from the directory server: The erglobalid=2223415282824235364,ou=0,ou=people,erglobalid=00000000000000000000,ou=COMPANY,dc=company object cannot be found. The following error occurred. Error: [LDAP: error code 32 – No Such Object].


– deleted orphans, worked

9/17/09 – AD service crashing

5.0.1018 version installed on uspritim03 – 32bit

– installed 5.0.7, no crashes as of 9/28

9/22/09 13124 7TD – When trying to create an AD account for a user

CTGIMU556E An error has occurred. If the problem persists, contact your system administrator

com.ibm.ejs.container.UnknownLocalException:  Caused by: java.lang.NullPointerException

– because prov pol populated groups that do not exist

9/24/09 13375 7TD – Trace.log growing too large

– known issue with restarting itim from was console


– The issue is similar to PMR 51850,550,000

– FITS # MR0930093933

10/2/09 – getting errors when creating AD Exch 2007 mailbox

BSE:09/10/02 10:06:39 Attribute erademailboxstore Condition code 5 (Unable to move mailbox.  Not a mailbox enabled user.)

BSE:09/10/02 10:06:39 Attribute eradealias Condition code 5 (Error from Exchange command invoker: 0x80070002)

11/12/09 03459 379 – When searching for ACIs

CTGIMU208E  A communication error occurred while searching on access control items.

CNTR0020E: EJB threw an unexpected (non-declared) exception during invocation of method “getCategory” on bean “BeanId(ITIM#api_ejb.jar#enroleejb.ACIManagerHome, null)”. Exception data: java.lang.NullPointerException

11/13/09 03754 379 – Getting error when restoring TAM account:

CTGIMU007E  An error occurred while trying to restore an account.

CTGIME012E  The password does not meet the requirements of the password rule. The

following error occurred. Error: CTGIMH020E The new password cannot be the same as any previously used passwords.

11/30/09 10547 379 – Report sync failing


– told to run:

db2 list tables schema enrole

drop tables not in <itim_home>/config/rdbms/db2/enrole.ddl

update <owner>.ENTITY_COLUMN set AVAILABLE_FOR_REPORTING = 'table_dropped'


– reran data sync



– found all tables were not dropped

– issue was “>” in table name – error on drop script

– dropped all tables

– reran data sync




– tablespace was full

– db2 "alter tablespace enrole_data extend (all 40000)"

– sync completed with 7 non-fatal exceptions

– still had same errors in logs

– will have dba’s check config, closed


December 2, 2009

1/2/08  15705,499 – getting error starting JMS server on cluster member: MSGS0058E: Unable to start the

JMS Server as WebSphere Embedded Messaging has not been installed

– Emb msging is installed according to install program and install logs

– checked under server, app svrs, timsrvqa02, srv components, and JMS server is not there, contr to:


– Ondrej Bizub (WAS) – run dspmq and mqver, file not found (mq was uninstalled by someone)

– removenode.sh, uninstalled WAS, reinstalled plus fp’s,

– addnode.sh timsrvqa01 8879 -includeapps, added server back to cluster, worked

1/9/08  In IDI log when running identity feed:

CTGIMD011E The Person profile cannot be found for the [EmpPerson] object class

– solution: check object classes in Config, Entities – make sure object class name matches

– changed to “Employee”, worked

1/11/08  16461 499 – In ibmditk, Adding new connector attrib to output map getting error

Exception in thread “AWT-EventQueue-0”

java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 1

– tried dragging attrib over from work attribs, and adding directly

1/14/08 16634,499 – Getting the following error when provisioning accounts:

CTGIMO019E The following JNDI error occurred.Error: [LDAP: error code 1 – Operations Error].

– they tried to do an export/import using itim gui – problem

– exported ldap from dev using db2ldif

1/16/08 16922,499 – Installation of ITDI 6.1.1 hangs at 50% during

“Performing System Checks – Checking system status”

installs fine on 2 other servers.  Not working on production boxes

– had to install new version of SI to allow product to install to a network mounted drive


– APAR # IO08028 already exists to fix this on the SI side

– asked for an IDI readme note

3/20/08  – getting error on WAS 6.1 fp9 install says prerequisite checking has failed…

A general exception has occurred during prerequisite checking

install_log.txt says “CWuPI0026E ”

– problem was actually update installer version

3/20/08 – 48099,180 – passport adv down, esr website down

3/24/08 – 69471 999 – After installing ITIM 5.0, When starting the app, get

EJB container caught com.ibm.ejs.container.DuplicateHomeNameException:


– fix was to stop the node, run syncnode.sh, and restart the node

– the app started ok.  For some reason sync’ing from the WAS console, even

full sync was not working earlier.  Is this a bug with ”

3/25/08 – 69580 999 – When trying to connect to the itim db, getting

SQL30081N: A Communication ERror has been detected…Location “”

function “connect” Protocol specific error code “79, “*”, “*” SQLSTATE=08001

– when stopping and starting db2, then running ls, pwd, get

ksh: 0403-030 The fork function failed. Too many processes already exist

many db2sync processes exist

– changed maxuproc to 4096 in smitty, tried to connect to db, got

sql1224N – database manager is not able accept new requests, has terminated all requests in

progress, or has terminated your particular request due to a problem with your request.


– tried setting num_poolagents to 100

– running “db2pd -agent|grep Current” showed up to 420 running when connecting to db,

then back to 100

– then after installing fixpack 4a, we’re getting this when running db2start

exec(): 0509-036 Cannot load program db2star2 because of the following errors:

0509-130 Symbol resolution failed for db2star2 because:

0509-136   Symbol sqloSetThreadScopeForDB2EDUs (number 115) is not exported from

dependent module /opt/IBM/db2/V9.1/lib64/libdb2e.a[shr_64.o].

0509-192 Examine .loader section symbols with the

‘dump -Tv’ command.

03/26/2008 16:20:53     0   0   SQL1042C  An unexpected system error occurred.

SQL1032N  No start database manager command was issued.  SQLSTATE=57019

– fix was to run db2iupdt ldapdb2 and postfix steps from:

http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp?topic=/com.ibm.db2.udb.uprun.doc/doc/t0006352.htm

3/26/08 48769 180 – using a password with an exclamation point for itim db user,

makes cfg_itim_mw_aix fail 2 cmds

– Lance Clinton – making APAR – # IZ18696

fixed 6/11/08  IF0006

3/26/08 – When running db2 9.1 fp 4a install..

Req’d minimum level of xlC runtime is

Actual version

– download IBM C++ Runtime Environment Component for AIX (Feb 2008)

– worked

4/1/08 49505 180 – when test connection using TAM adapter, getting ctgimM107W and ctgimT407E

– tried default adapter profile, getting CTGIMT401E – NoClassDefFoundError:


java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd <pwd> -appsvr_id sm5ts05 -policysvr sm5ts02:7135:1 -port 7135 -authzsvr sm5ts02:7136:1 -mode remote -cfg_file /usr/java14/jre/PDPerm.properties -key_file /usr/java14/jre/PdPerm.ks -cfg_action create

– cd /opt/IBM/TDI/V6.1.1/jre/java/lib/ext

– cp /usr/java14/jre/lib/ext/PD.jar .

– Stop and start Adapter

– Test Connection

– OK

— Worked, closed

4/3 – When creating a person w/ a valid ID policy, getting error

“CTGIMU150E An error occurred while trying to locate the identity policy for Tiv Id Mgr user ID’s”

From trace.log: “Governing Policy couldn’t be found”

– on method “validatePassword”

7/22/08  21549,999 – What versions of ITDS are supported with WAS 5.1, 6.0?

8/22/08  18170,033

18179,033 – After federating node to the DM, creating a cluster, and adding an app

to the cluster, home page for app hangs and will not display.  App

(IDSWebApp.war) works fine with standalone server

9/3/08   18567 033 – WAS console not accessible, Getting authentication error when trying to restart the deployment mgr.  Don’t know that anyone enabled security


On the second line of the file you will see enabled="true". Change this to enabled="false".

– someone did enable security, got password and above instr, closed

9/8/08 – insert disk 3 comes up during itds 6.1 install by default – customers don’t have disk 3

9/8/08 – migrate doc doesn’t address upgrading WebSphere or in-place upgrades for middleware

9/9/08 – errors creating db and connecting to db in middleware config util when using a password with @ # and $

9/9/08  51686,227 – Queue: L2LDAP Center: 165 – Running idscfgdb get error GLPCTL036E Failed to update the database: ‘ldapdb2’

db2cli.log said

db2 9fp5, ids6.1 fp2

– mike cotociu

uninstalled v6.1, v6.0, reinstalled v6.1, config’d db

– got GLPCTL028E: Failed to create db ldapdb2. The failure might have occurred because the system was not set up correctly before using the tool

– created instance and db using db2admin instead of ldapdb2, worked

– db2 service was running with company\db2admin (domain acct) as the account, which was locked out

– probable cause

9/10/08 51809,227 – Queue WBETIM Center: 12H – getting ldap error code 52: serviceunavailableexception when trying to run ldapUpgrade.exe during upgrade to ITIM 5.0

DB2 v9.1 fp5 not recommended w/ itds 6.1


The imported LDIF had a different server id than that in the ibmslapd.conf, changed, fixed

9/10/08 – IDIL2, 12H – when running itdi install for fixpack 3, get error when selecting location

9/16/08 29022,082 – When running ITDI data feed, recon hangs, and getting mult errors in trace.log:

com.ibm.ejs.container.SessionBeanTimeoutException: Stateful bean CMStatefulBeanO(BeanId(ITIM#mdb_ejb.jar#enroleejb.CompletionListenerRegistryHome, 10F1DD26-011C-4000-E000-F4820A521FB3), state = METHOD_READY) timed out

saw error in the SystemOut.log: DSRA7019W: Oracle10gDataStoreHelper or a subclass of it must

be used when configuring WebSphere DataSources to run using Oracle10g jdbc driver

– changed Oracle helper class in WAS console:resources, JDBC, Data Sources, (each one), picked 10g helper for each one

– restarted server, ran through 5000, trace.log showed success, but itim console hung

– changed max jdbc connections to 100, min 50 from 5/50

– changed entry cache to 30000, filter cache 100, acl cache 100

– ibmdefaultbp 98304, ldapbp 4096

– changed timeouts back in ap servers, itim01, container settings, transaction service


– changed input file to original one (known good data)

– set timeouts to 120 sec

– changed entry cache to 100000, ldapbp 36864

– stopped WAS, deleted tranlogs, reran, no errors, success in trace.log, but hung as pending request

– sent logs with workflow and workflowextensions debug_max

– was working 6 out of 7 times

– found NullPointerException at com.ibm.itim.ui.impl.customform.SubFormLegacyFilter.doFilter

– deleted all persons and accounts, ran initial feed – 2hrs, 15 hung processes

– removed trace logging in WAS

– changed under was console app servers, srvnm, thread pools, web contn’r= 100min 200max

– ran full initial load got nullptrs in trace.log

– 2761 activity, 7009 process, then 3114 act, 7262 proc, went up then down

– Upped all 3 jdbc connectors to 300min 500max

– Upped LDAP conn pool to 120min 150max from 50/100

– turned up wkflow & rmt resrcs logging, ran 1000 entries, worked fine

– turned off debug logging, ran 5000 entries, had 3 pending in activity, 5 in process

– upped entry cache to 600000, doubled bp’s

– turned up logging, ran 5000 entries

– error seen by L3 – IndexOutOfBoundsException in the trace log

– fixed by APAR: IZ24874

9/24/08 – PMR 47206,082,000 – Confusing display of status of running reconciliation request in TIM UI

– APAR IZ33245 has been created

9/24/08 – PMR 47311,082,000 – Opening workflow designer results in nullpointer exception in trace.log file

– APAR IZ33246 has been created

9/26/08 – When trying to create a person or an ITIM account, get this in completed requests:

CTGIME203E The following script interpreter error occurred. Error: Runtime error Java Array index 0 is out of range 0 detected at line 3 of function ‘createIdentity’ in string starting with: ‘function createIdentity()’… called at line 5 in string starting with: ‘function createIdentity()’…

– ITIM account is set to auto provision

– was because userID was blank

9/29/08 08403 7TD – When configuring TAM rvrs pwd sync, get this in pdweb msg log:

DPWCA0917E   Could not find ITIM  message header.

HPDIA0310W The password for user testuser2 was rejected due to policy violation.

– fixed in tam adapter 4.6.7, but using TAM combo adapter – latest appears to be 4.6.3


10/3/08 15034 379 – When enabling auto provisioning policy for tam, got database connection errors in SystemOut.log

WSVR0605W: Thread “MessageListenerThreadPool : 238” (36d249ae) has been active for 602,812 milliseconds and may be hung.  There are 11 threads in total in the server that may be hung.

E J2CA0045E: Connection not available while invoking method queueRequest for resource enroleDataSource.

[10/3/08 14:35:56:945 EDT] 25f949ae ConnectionMan E J2CA0020E: The Connection Pool Manager could not allocate a Managed Connection: com.ibm.websphere.ce.j2c.ConnectionWaitTimeoutException: Connection not available, Timed out waiting for 180000

Also, out of memory errors in ibmdi.log

– set -Xms512m -Xmx1536m in ibmdisrv

– then when resubmitting the prov pol, got this in ibmdi.log

2008-10-06 19:11:19,

CTGDIK404E Could not log on to TAM

CTGDIK450E Unable to interface with the TAM server. The following unknown message type was retrieved by TAM while processing an exception thrown by TAM: The server could not locate the session for the client

– in msg__amj_error1.log, get

PROGRAM ERROR null null $com.tivoli.pd.jutil.AuthResponse <AuthResponse constructor> RMI TCP Connection(374)- [The server could not locate the session for the client.]

– David Hooks/Austin, Charles Schultz

– upgrade profile, dispatcher

– set -Xms1024m -Xmx2048m in ibmdisrv, 1536/2048 in WAS, resubmitted

– session error occurred at 15:37:12,903

– got error starting AL tam_add early on – this is normal and by design

– got out of memory error on WAS when checking completed failed request

MEM_ERROR in inflateInit2

– increased all ulimits for wasadmin, including hard fsize, core, data, rss

– got past that situation, but then got out of mem when aborting prov pol, still session errors

– changed session timeouts for TAM to 10sec, 30 sslv3, 30 inactv, maxThreads on ITDI to 50

– got session errors right away on first account

– changed session timeouts to 30sec, 90 inactv

– got OoM on ITDI

– changed max heap ITDI 1536m

– upgraded dispatcher to 5.0.11, fixed UID to be an array in prov policy script for DN

– changed AL cache to 0 in <idi_home>/itim_listener.properties

– changed Servers -> Application Servers -> server1 -> ORB Service -> Thread Pool = 20

– Servers -> Application Servers -> server1 -> Web Container -> Thread Pool = 20

– Servers -> Application Servers -> server1 -> Message Listener Service -> Thread Pool =20

– still same errors, few days later got hung threads (pmr 24707)

– set orb and web cont back to 50, mls to 25

– FITS  MR1022083847

10/3/08 – when starting WAS, getting in SystemOut.log

QueueManagerM E MSGS0153E: The Queue Manager process strmqm could not be started – error: com.ibm.ws.process.exception.InvalidExecutableException: PROC0004E: Executable: [strmqm] does not appear to be a valid executable.  Process could not be created.

JMSService    E MSGS0001E: Starting the JMS Server failed with exception: com.ibm.ws.process.exception.InvalidExecutableException: PROC0004E: Executable: [strmqm] does not appear to be a valid executable.  Process could not be created.

– solution was to start was as “wasadmin” user (owner of was app)

10/8/08 15044 379 – When submitting password change, getting in ibmdi.log:

java.lang.NoClassDefFoundError: com.tivoli.pd.jutil.bn (initialization failure)

– Brian Hemric, Charles Schultz

– upgrade profile, dispatcher to 4.6.4 of combo adapter

(had just copied in tamcomboutils.jar from 4.6.4)

if fails, log4j – root category=debug

– upgraded, made changes, change password hung, changed prov pol to manual, aborted process,

upped logging on remt svcs, stopped was, got err in sysout:

CNTR0019E: Non-application exception occurred while processing method “dummyTest”. Exception data: com.ibm.websphere.csi.CSIException: Begin global tx failed; nested exception is:

org.omg.CORBA.NO_PERMISSION: Transaction service is unavailable

– was starting WAS with root, started with wasadmin, worked, closed (fix was upgrade rest of aptr)

10/14/08 – java.lang.ClassCastException: java.lang.Object when creating a person

id policy seemed ok

10/14/08 24455 379 – LDAP Error code 32: No Such Object when creating person, and tries to create TAM acct

– OU and given name were null

– tamUpdate AL runs for some reason

10/14/08 24525 379 – after upgrading TDI to 6.1.1 and installing the TAM Combo adapter? Error when running LDAP recon after reading several records:

[status:fail, connectorname:conLDAPUser, operation:get, exception:javax.naming.CommunicationException: connection closed [Root exception is java.io.IOException: connection closed],

Can you use an existing LDAP profile/service after upgrading?

4.6.5 min – introduced supt for tdi 6.1.1, 4.6.7 latest

– imported 4.6.7 profile, same error

– turned AL caching off (com.ibm.di.dispatcher.disableConnectorCache=true)

– got out of mem err too – sent logs

– tried with ITDI on other machine (256/1024 mem), same error

– reinstalled TDI 6.1.1, fp3, dispatcher, same error

– checked /<tdi_home>/solutions/etc/reconnect.rules for com.ibm.di.connector.LDAPConnector::javax.naming.CommunicationException:reconnect

– checked “Auto Reconnect on Connection Loss” checkbox option on the Connection Errors tab of the connector setup in the TDI assy line

– Fern – 3 issues: upgrade, assy line err, reconnect in ldap

– tried filtered recon – on sunone, got

com.ibm.itim.remoteservices.ejb.mediation.AccountEntryHandler.FAILURE_THRESHOLD_EXCEEDED; 516; 530; 15

– set enrole.reconciliation.failurethreshold=100% in enRole.props, filtered worked

– full Sun recon now gets “error unmarshalling return; nested exception is: java.io.EOFException”

– for IDS, added this to service.def under LDAPSearch operation

<parameter name="ldapPageSize"><default>100</default></parameter>

– recon ran, but no accounts returned

– was using companyDlrLdap2 as ADT project name, changed back to companyDlrLdap, reran recon

– accounts were added, but under LDAPAccount object class

– deleted all accounts, prov pol, svc, profile pieces, obj cls for dealer ldap

– reimported profile and recreated svc, prov pol, reran recon, still erLDAPUserAccount oc

– custom still errors, but solution is probably upgrade profile and add paging

– still get EOF errors with default profile

– I changed the connectorpooltimeout, restarted the adapter, had not gotten to run a recon yet, changed it back, restarted the adapter again, and restarted TDS before running the recon.  It’s now working.

FITS #  MR0210094525

10/15/08 – getting error in sysout when multiple person modify requests are sent

CNTR0020E: Non-application exception occurred while processing method “handleMessage” on bean “BeanId(enRole#mdb_ejb.jar#enroleejb.ContainerManagedMessageHandlerHome, null)”. Exception data: Process ID: 0

Activity ID: 0

com.ibm.itim.workflow.engine.RemoteServiceFailure: CTGIMO006E The following SQL error occurred.

Error: 1

SQL State: 23000

Caused by: com.ibm.websphere.ce.cm.DuplicateKeyException: ORA-00001: unique constraint (ENROLE.ACTIVITY_PK) violated

10/15/08 – 24707 379 – getting hung threads in WAS when submitting auto prov pol on tam combo adapter.  processing just stops entirely after itim processing of changes is done (~20 min) and nothing gets to IDI

– set orb and web cont back to 50, mls to 25, worked, closed

10/23/08 35942 379 – after setting up TAM adapter on 2nd box (PMR 15034,379), get

CTGDIK403E Invalid TAM configuration file: /opt/PolicyDirector/etc/tamsslcfg.conf

– changed conf file in itim service form to /opt/IBM/IBMDirectoryIntegrator/solutions/PDCfgFile.conf

got HPDIA0200W Authentication failed. You have used an invalid user name, password or client certificate..

deleted conf & ks files, reran svrsslcfg, re-entered password in service form, worked.

10/24/08 36054 379 – from 24525 379, cannot install tdi 6.1.1, getting error

The following requirements have not been met: – Nothing selected to install, or the product is already installed at this location. Target (default) dir is empty.  Uninstall was successful.

– when choose cancel, get

Error in copying /tmp/ismp011/7050297/data/faddba0181b51d9316ef30cc8eb4700d/  there may not be enough space on device

java.io.IOException: File does not exist: /tmp/istemp131786298120653/_bundledJRE_/jre/lib/ext/svcdump.jar

– 600 mb free on tmp, 8 gb free on target dir

– deleted /usr/ibm/common/acsi, /var/common, AD data from /etc/inittab, etc/services

– freed up 2.5 mb free on /tmp

– install worked, closed

10/24/08  36116,379 – when turning on autoprov or manual for tam, getting

java.lang.ClassCastException: java.lang.Object

Chris Weber

– changed line in id policy to return currUID[0];

got error in TDI:  CTGDIK415E Unable to interface with the TAM server.

java.lang.IndexOutOfBoundsException: Index: 0, Size: 0

– followed by out of memory

– changed /etc/security/limits – stack_hard = -1

– creating a user gave this for dn: uid=[object JavaArray],ou=dealerstaff,o=company.com

– changed dn script to subjUID = subject.getProperty("UID")[0];

– getting IndexOutOfBoundsException when running svrsslcfg

– you have to run svrsslcfg to interface with TAM on another box

– tried truss

– copied in different PD.jar

– tried running command w/o -cp option, specifying -cp /opt/PolicyDirector

– tried running java w/o fully qualifying, and setting JAVA_HOME to same dir before running svrsslcfg

– deleted PDCfgFile.conf and retried it without the -cfg_action replace, and it worked

– got error during recon “Reference Error : ‘TamLdapReconFactory’ not found”

– copied in correct TAMComboUtils.jar (4.6.4), worked

– getting object class violation from companyActive during Add – should not be an attrib

– Chris sent me a jar with some more hooks and logging

–      did?

– set GloabalRunnALCount to 10 in itim_listener.properties

— closed b/c ssltimeout=1200 worked
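
Added example, not the ITIM identity policy or DN script from this log: the uid=[object JavaArray] DN in this entry and the blank-userID "Array index 0 is out of range" error in the 9/26/08 entry both come from treating a multi-valued UID as a scalar. The stand-alone JavaScript below (runs in Node; javaArrayStandIn, naiveDn, firstValue, escapeRdnValue and buildAccountDn are hypothetical names, and the stand-in object is constructed) takes the first value, refuses a blank one, and escapes it per RFC 4514 before building the DN.

```javascript
// Added example: stand-alone JavaScript, not code from ITIM or from this log.

// Constructed stand-in for the Java array the ITIM interpreter hands to a
// script: indexable, has a length, and stringifies as "[object JavaArray]".
function javaArrayStandIn(values) {
  const a = { length: values.length, toString: () => '[object JavaArray]' };
  values.forEach((v, i) => { a[i] = v; });
  return a;
}

// What the log shows going wrong: concatenating the whole attribute.
function naiveDn(uidAttr, baseDn) {
  return 'uid=' + uidAttr + ',' + baseDn;
}

// First non-blank value of an attribute that may arrive as a string,
// an array or array-like of values, an empty array, or null.
function firstValue(attr) {
  if (attr === null || attr === undefined) return null;
  const values = (typeof attr === 'string') ? [attr] : Array.from(attr);
  for (const v of values) {
    if (v !== null && v !== undefined && String(v).trim() !== '') {
      return String(v);
    }
  }
  return null;
}

// Escape one attribute value for use inside an RDN (RFC 4514, section 2.4):
// the characters \ " , + ; < >, a leading space or '#', a trailing space,
// and NUL.
function escapeRdnValue(value) {
  const special = '\\",+;<>';
  let out = '';
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    const edgeSpace = c === ' ' && (i === 0 || i === value.length - 1);
    const leadingHash = c === '#' && i === 0;
    if (c === '\u0000') {
      out += '\\00';
    } else if (special.includes(c) || edgeSpace || leadingHash) {
      out += '\\' + c;
    } else {
      out += c;
    }
  }
  return out;
}

// Build the account DN from a possibly multi-valued UID attribute.
// A blank UID is rejected here instead of surfacing later as an
// index-out-of-range error or an LDAP "No Such Object".
function buildAccountDn(uidAttr, baseDn) {
  const uid = firstValue(uidAttr);
  if (uid === null) {
    throw new Error('UID is blank: refusing to build an account DN');
  }
  return 'uid=' + escapeRdnValue(uid) + ',' + baseDn;
}

// Constructed sample input; the base DN is the one quoted in the log entry.
const BASE_DN = 'ou=dealerstaff,o=company.com';
const sampleUid = javaArrayStandIn(['jdoe']);
console.log(naiveDn(sampleUid, BASE_DN));
console.log(buildAccountDn(sampleUid, BASE_DN));
console.log(buildAccountDn('smith, j', BASE_DN));
```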

12/29/08 65458 379 – getting “CTGDIK450E Unable to interface with the TAM server. The following unknown message type was retrieved by TAM while processing an exception thrown by TAM: The server could not locate the session for the client” when enabling autoprov for TAM Combo

Tried the latest 5.012 (rel 12/30/08), with GlobalRunALCount set to 5.

– still failed

– tried to upgrade to itdi 611 fp4, got errors

I get this when I first run it:

Error in copying /tmp/ismp001/1216208/data/a7390f9ecf6457bf3713f951c90b1bdb/  there may not be enough space on device

(Jan 2, 2009 11:46:48 AM), Install, com.ibm.wizard.platform.aix.AixRegistryServiceImpl, wrn, AixRegistryServiceImpl: Unable to initialize AIX  registry.

and this when I select Next, Install:

Exception in thread “Thread-19” java.lang.NullPointerException

at com.ibm.ci.gmi.issi.wizard.actions.OfferingQueryAction$OfferingQueryOperation.performOfferingQuery(OfferingQueryAction.java:168)

at com.ibm.ci.gmi.issi.wizard.actions.OfferingQueryAction$OfferingQueryOperation.execute(OfferingQueryAction.java:243)

at com.installshield.wizard.service.AsynchronousOperation.run(Unknown Source)

at java.lang.Thread.run(Thread.java:801)

and then it hangs at “Performing offering query, please wait…”

– make sure acsi process is running: /usr/ibm/common/acsi/bin/acsisrv.sh -start

– killed acsi, restarted

– tried GlobalRunALCnt = 5 (diff spelling), same error, uploaded logs

– TDI fp4 problem was conflict w/ 6.1 (article swg21255761)

– ran /usr/ibm/common/acsi/bin/de_instmaint -mfile TDI_MAIN_IU.jar

– back to main problem


– Edit the /opt/PolicyDirectory/etc/pdmgrd_routing and /opt/PolicyDirector/etc/pdacld_routing files.  The edit is uncommenting the last line in each file. Send /var/PolicyDirector/log/trace__pdacld_utf8.log /var/PolicyDirector/log/trace__pdmgrd_utf8.log

– Set ssl-v3-timeout = 1200 in /opt/PolicyDirector/etc/ivmgrd.conf

– hung for 3 days

– Set GlobalRunALCount to 30

– worked, closed – solution was ssl-v3-timeout = 1200 and GlobalRunALCount to 30


December 2, 2009

1/23/07   60115,49r – WAS 5.1 not installing MQ on 64 bit Linux

– Sal Salaimani/Austin – 64 bit not supported in 5.1

1/24/07   60277,49r – ITIM 4.6 fp33 uninstaller deletes all of /tmp

1/24/07   60316,49r – JMSserver not starting – Queue Manager Listener failed rc: 20

– Dave Brune

– Dave Kenner – wl1cet,30w queue

– Dave Tiler

– runmqlsr process was still running

– kill that, recreate the qmgr for jmsserver, start jmsserver, worked

1/24/07              60359,49r – createQueueConnection failed

J2CA0020E: The Connection Pool Manager could not allocate a Managed Connection:

createQueueConnection failed

MQException occurred: Completion Code 2, Reason 2195

MQJE018: Protocol error – unexpected segment type received

– Chenna Korvi

– Toan Nguyen/Raleigh

– Angel Rivera – MQ L2 –

export LD_ASSUME_KERNEL=2.4.19 is required for MQ 5.3 on 2.6 kernel

– after this the dspmq, etc cmds worked

– Clyde Zoch – Oracle 64 bit db & RHEL 4 support

– William (Al) Gilchrist – WASCET

– clearing tranlogs, killing vs. shutting down WAS

– William J. (Bill) Moss – MQ – is WAS using right ports to connect to MQ?

– Diane Shallo – MQ manager

– W. David Walker – L2 MQ 2nd shift


– Root cause turned out to be 755 perms on /tmp caused by PMR 60277,49r

(ITIM 4.6 fp33 uninstaller deleting /tmp).  MQ needs 777

– Changed perms, killed mq listener, ipcrm on all mqm resources, started jmsserver,

started cluster/app, worked, closed – Devtrack # S16345 (ITIM uninstaller 60277,49R)

– APAR IZ13924

1/30/07   60916,49R – error in setupEnrole.stdout – sev1

IWAE0002E Could not reflect methods for com.ibm.tenant.TenantEntityHome

Charles – that’s no problem, expected error

– tried setting perms on Oracle db per release notes to resolve MQ issue

– closed with 60359

2/6/07    61748,49R – LDAP replication not working

– cannot use cn=root – undocumented?

– used cn=any, worked

Lance Clinton

– to clean up cn=ibmpolicies, needed to use cmd line:


– closed, asked for doc apar

2/7/07   61928,49R – getting XAException error –

WTRN0037W: The transaction service encountered an error on an xa_recover operation

2/12/07 62480,49R – after installing LDAP 4.6.3 adapter, cannot logon to ITIM

java.rmi.RemoteException: java.lang.NullPointerException

Chris Weber (714)438-5194

2/15/07  62926,49R – When submitting provisioning policy:

CTGIMO014E The following JNDI communication error occurred. Error:


A communication failure occurred while attempting to obtain an initial context with the provider URL: “iiop://its-itimapp2-test:2809/cell/clusters/itim_cluster_test”. Make sure that any bootstrap address information in the URL is correct and that the target name server is running. A bootstrap address with no port specification defaults to port 2809. Possible causes other than an incorrect bootstrap address or unavailable name server include the network environment and workstation network configuration.

NMSV0602E: Naming Service unavailable. A communications error occurred

– started node agent, could logon

com.ibm.mqservices.MQInternalException: MQJE001: An MQException occurred: Completion Code 2, Reason 2059

MQJE011: Socket connection attempt refused

MQJMS2005: failed to create MQQueueManager for ‘its-itimapp2-test:WAS_its_itimapp2_test_jmsserver’

2/20 – server restarted when running a full HR load

– got “exception is java.net.SocketException: Too many open files” in trace.log

tried setting   ibm-slapdAllReapingThreshold: 1000

ibm-slapdAnonReapingThreshold: 1000

ibm-slapdBoundReapingThreshold: 1000

ibm-slapdIdleTimeOut: 60

tried             setting root and mqm nofiles=1024000 in /etc/security/limits.conf, rebooted

Lance Clinton

Found that IF 34 fixed the problem (IY93514), closed

2/22/07            63938 49R – Ran LDAP svc recon, got this in IDI log:

executeALSearchNext():2273 status=1, reason=100

ERROR [/opt/ITDI60/ITIM_RMI.xml] – [Iterator Error] Search Entry Unsuccessful [status:fail, connectorname:conLDAPUser, operation:get, exception:javax.naming.CommunicationException: connection closed [Root exception is java.io.IOException: connection closed], message:connection closed, class:javax.naming.CommunicationException]

– changed IDI setting of SearchResultSetSize=20000 in itim_listener.properties

– then got object class violations

– manager field was not using DN syntax

– excluded manager field, recon finished

– working on parsing manager field into DN syntax

2/25/07                        SRVE0120E: IO Error java.net.SocketException: Connection reset

2/28/07            64337 49R – Getting Remote exception Null Pointer when logging on – after LDAP recon, and after deleting LDAP profile object classes

– restarting enRole resolves for the moment

– had to restart IDS after deleting object classes to re-import LDAP profile

– APAR IY96120

4/25 – fixed in 4.6.0-TIV-TIM-IF0041

3/6/07  80116 49R      – Error when stopping WAS:

ExceptionUtil E CNTR0019E: Non-application exception occurred while processing method “dummyTest”. Exception data: com.ibm.websphere.csi.CSIException: Begin global tx failed; nested exception is:

org.omg.CORBA.NO_PERMISSION: Transaction service is unavailable  vmcid: 0x0  minor code: 0  completed: No

Helpers       W NMSV0610I: A NamingException is being thrown from a javax.naming.Context implementation. Details follow:

Context implementation: com.ibm.ws.naming.jndicos.CNContextImpl

Context method: lookupExt

Context name: its-itimapp2-testNetwork/nodes/its-itimapp2-test/servers/nodeagent/cell/clusters/itim_cluster_test

Target name: enroleejb.HomeHome

Other data:

Exception stack trace: javax.naming.NamingException: Error during resolve.  Root exception is org.omg.CORBA.NO_IMPLEMENT:

Trace from server: 298002686 at host its-itimapp1-test >>

– suggested applying a jdk to fix, closed b/c low priority

3/12/07            80989,49R      ACI not working – when submit new one:

[LDAP: error code 34 – Invalid DN Syntax]; remaining name                         ‘erglobalid=00000000000000000000,ou=cdns,dc=com’

3/14/07 81259 49R  – bogus error 1000 entries

3/14/07 81260 49R  – segmentation violation and ACE adapter crashes

– when creating acct thru auto prov policy

5/21/07             When adding an LDAP service “You are not authorized to perform this function”

– because removed object class in v3.modifiedschema

– added it back, allowed adding a service

5/22/07                        got RemoteException NullPointer when logging on

– after deleting LDAP profile from v3.modified schema

– CTGIMF007E The {0} object cannot be found in the directory server

– LDAP: error code 32 – No Such Object; remaining name


– restarted enRole, allowed logons

– was to be fixed in IF41

5/23/07             getting error in IDI log when adding an LDAP account

Java method “addValue” cannot be assigned to.,

– problem was this was the advanced mapping for object class:

var oc = system.newAttribute("objectclass");

oc.addValue = ("posixAccount");

oc.addValue = ("shadowAccount");

oc.addValue = ("companyUnixAccount");

ret.value = oc;

– should have been this


5/23/07                        getting error in IDI log when adding LDAP account

AttributeInUseException: [LDAP: error code 20 – Attribute Or Value Exists]

– problem was should not pass top, person, inetOrgPerson, and

organizationalPerson as object classes

– took them out, worked
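
Added example covering the two 5/23/07 entries above, not the adapter's own mapping: addValue is a method, so it has to be called rather than assigned, and object classes the target entry already carries are left out so the add does not fail with error code 20. It runs in Node against a constructed stand-in for the TDI objects; AttributeStandIn, brokenMapping and objectClassMapping are hypothetical names.

```javascript
// Added example: stand-alone JavaScript, not code from the adapter profile.

// Constructed stand-in for the Attribute that system.newAttribute() returns
// in TDI: addValue is a method, and assigning to it fails the way the IDI
// log reported.
class AttributeStandIn {
  constructor(name) {
    this.name = name;
    this.values = [];
    const add = (v) => { this.values.push(v); };
    Object.defineProperty(this, 'addValue', {
      get: () => add,
      set: () => {
        throw new TypeError('Java method "addValue" cannot be assigned to.');
      },
    });
  }
}
const system = { newAttribute: (name) => new AttributeStandIn(name) };

// The mapping as logged: "=" turns each line into an assignment to the method.
function brokenMapping() {
  const oc = system.newAttribute('objectclass');
  oc.addValue = ('posixAccount');
  return oc;
}

// Call addValue once per class. Classes already on the target entry and
// repeats are skipped; LDAP object class names compare case-insensitively.
function objectClassMapping(wanted, alreadyOnEntry) {
  const seen = new Set(alreadyOnEntry.map((c) => c.toLowerCase()));
  const oc = system.newAttribute('objectclass');
  for (const cls of wanted) {
    const key = cls.toLowerCase();
    if (seen.has(key)) continue;
    seen.add(key);
    oc.addValue(cls);
  }
  return oc;
}

// Constructed sample: the classes named in the two log entries.
const onEntry = ['top', 'person', 'organizationalPerson', 'inetOrgPerson'];
const wanted = ['top', 'person', 'inetOrgPerson', 'organizationalPerson',
  'posixAccount', 'shadowAccount', 'companyUnixAccount'];
console.log(objectClassMapping(wanted, onEntry).values);
```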

5/31/07 03970,49R – getting “add_failed_no_req_attributes” statuscode: ‘2’ reasoncode: ‘100

when adding an ldap account w/ ldap rmi adapter

– problem was duplicated attributes in the schema for erLDAPUserAccount object class

and posixAccount.  They need to be in one or the other, not both

– removed from erLDAPUserAccount obj class

– then still got error (with error code 65 (?) in itim log)

– cannot convert null to an object

– redid the adapter using adt, worked

6/1/07             “cannot convert null to an object” in idi.log

– when trying to change an attrib in ldap service

6/6/07            04409,49R  getting “un-named object” entries in service list, cannot delete

Sam Kamela

– removed

6/7/07             LDAP error code 34 – Invalid DN when running recon on LDAP adapter

6/11/07                        NMSV0011E: Unable to start bootstrap server using port 2809

– stopped http srv, killed all java, restarted, worked

6/11/07            04789,49R – Group data not being brought back on LDAP recon, nothing in idi log

base dn was ou=group,dc=company,dc=com

should be   ou=group, dc=company,dc=com

– then object class searched was “groupofnames” should be “posixgroup”

– changed in service.def x4, rejarred, reimported profile, didn’t change

– deleted assembly line ou, reimported, didn’t import

– deleted all parts of profile except

error code 80 on deleting erldaprmiservice obj class

– rejarred profile properly, imported, ran recon, worked (pulled groups!)

6/12/07 04908,49R – Websphere being killed when terminal services time limit is reached

– dhanson owned the websphere java process

– started as a service, worked, websphere start icon should start as ‘system’

Ram Arika (ramarika@us) – will check w/ L3 on how it should work

– 6.0 works well, runs as system, no more coding on 5.1, closed

6/13/07 15075,49R – sev1 – manual all svcs prov policy hangs when submitted,

– nullpointerexception errors in trace.log

– mult errors in systemout.log PLGN0021E: Virtual Host/WebGroup Not Found

– appears to be referring to some password policy or workflow

– deleted extra provisioning policies, no more errors, closed

6/20/07 15636,49R – LDAP account add request hangs for 5+ min before sending to IDI

– sent logs, floyd sent to L3

– enrole.properties, remotesevices.remotepending.interval set to 10 min

– set to 1 min, and can monitor enrole.resources_providers table in itim db

– closed

6/20/07 15658,49R – – Error when stopping WAS:

ExceptionUtil E CNTR0019E: Non-application exception occurred while processing method “dummyTest”. Exception data: com.ibm.websphere.csi.CSIException: Begin global tx failed; nested exception is:

org.omg.CORBA.NO_PERMISSION: Transaction service is unavailable  vmcid: 0x0  minor code: 0  completed: No

– Charles Schultz – happens when the naming service stops before the enrole application, would not happen if stop enrole before stopping WAS

– will update documentation and pass to WAS queue for proper stopping order

– bad design of WAS – transaction service is unavailable when app is shutting down

– bad design of ITIM – dummyTest is an ITIM method of pinging the trans svc

6/26/07                        When running recon on LDAP adapter,

getting “LDAP: error code 21 – Invalid Attribute Syntax” in trace.log on 2 group adds

– groups and netgroups are added

– real problem is no users get added to LDAP as accounts or orphans

– getting “CTGIMS001E At least one required attribute is missing” on all users

– found that the LDAPSearch.xml AL did not have gecos, gidNumber, homeDirectory,

uidNumber, or vUID in the input map, input schema, or ldapReturn parameter

– added those to the ADT project, imported jar, worked

6/26/07  16213,49R Getting nullpointerexception when adding new account w/ ldap adptr

– error occurs after account is created and added to group successfully

– was not using sufficient error reporting – use structure from basic adapter

– worked, closed

7/2/07  16686,49R debug logging not displayed in ibmdi.log

– set etc/log4j.properties to debug, no joy

– set log4j.properties in install root to debug, recycled, worked

7/3/07  16726,49R – ADT 2.1 giving error plug-in com.ibm.itim.tools.adapterfactory was

unable to load class com.ibm.itim.tools.adapterfactory.Application

7/3/07  16751,49R – IDI not connecting via SSL to 2nd server

Clyde Zoch –  c

– connect to https://<servername>:636, display the cert

– download the .cer file from tools, internet options, certs, export

– open ikeyman, create new jks db, import it into the jks, repoint IDI global.props

– restarted IDI, worked

7/24/07  67767,499 – getting error when starting ITIM

XARecoveryDat E WTRN0040W: Object cannot be deserialized

– loaded cf 15 for 5.1.1 beforehand

– Dan Barto –  – stop was, delete tranlogs,

may be stuck if was stopped abnormally

– deleted, started w/ no errors

also cannot logon to itim after turning on global security

7/24/07  67829,499 – getting error when starting cluster

DSRA8200W: DataSource Configuration: DSRA8020E: Warning: The property ‘connRetriesDuringDBFailover’ does not exist on the DataSource class COM.ibm.db2.jdbc.DB2XADataSource.

– also errors on ‘connRetriesDuringDBFailover’ & ‘connRetryIntervalDuringDBFailover’

– nodes were at, upgraded to, worked, closed

– properties were available as of

7/24/07  67830,499 – getting error when starting cluster

TraceNLS      u No message text associated with key Unable.to.get.SSL.context:. in bundle com.ibm.ejs.resources.seriousMessages

SSLConfig     E Unable to get SSL context: @

TraceNLS      u No message text associated with key Unable.to.get.SSL.context:. in bundle com.ibm.ejs.resources.seriousMessages

SSLConfig     E Unable to get SSL context:

TraceNLS      u No message text associated with key Unable.to.create.server.socket in bundle com.ibm.ejs.resources.seriousMessages

SSLServerSock E Unable to create server socket

WebContainer  E SRVE0146E: Failed to Start Transport on host *, port 9443

– Ram Arika: change app servers, 02, web container, http transports,

9443 – change to 9453

– add new virtual host * for 9453

– system admin, nodes, select both nodes, full resync

– Application, msrvqa02 > Web Container > HTTP Transport >

uncheck enable ssl

– server started ok

** Application Servers > timsrvqa02 > Administration Services >

JMX Connectors > SOAPConnector, change to timsrvqa02/DefaultSSLSettings

** Application Servers > timsrvqa02 > Web Container > HTTP Transport >

ensure check enable ssl, and **change SSL settings to 02**, save

** system admin, nodes, select both nodes, full resync

– started server, worked great, changed back to 9443

– still getting validation failed – ram opening other pmr

7/25/07            67968,499 – getting “validation failed for was admin”

Vikram Thommandru – set logging, send collector jar

Ram – try cn=wasadmin,ou=WasSecurity,dc=com for serverid

Fred Fouche  – try editing security.xml for user params

– now node2 jms server and server won’t start

– Removed, and readded the node, readded to cluster, ran runConfig install

– started cluster, get error on 02 with port 9444

** Application Servers > timsrvqa02 > Administration Services >

JMX Connectors > SOAPConnector, change to timsrvqa02/DefaultSSLSettings

** Application Servers > timsrvqa02 > Web Container > HTTP Transport >

ensure check enable ssl, and **change SSL settings to 02**, save

– Ajit – remove the wstemp contents and config/temp

– started cluster fine

– for GS, changed User registry to cn= for filter and user ID map, enabled GS

– set SSL rep’s back to ${USER_INSTALL_ROOT}/etc/DummyServerKeyFile.jks

– changed Application Servers > timsrvqa02 > Web Container > HTTP Transport >

9080 and **change SSL settings to 02**, save

– needed to manually sync with syncNode.sh

– brought up node ok, jms and cluster, closed

– was still getting mq errors, needed to set wasadmin ID in j2c auth section

– server started w/ no errors

– tried to logon, got “CTGIMM091E Unsuccessful login to WebSphere application server”

– ran runConfig install and set wasadmin ID in security tab

– restarted cluster, logged on fine

8/1/07            68648,499 – Cannot configure ITIM to connect to LDAP via SSL

followed http://www-1.ibm.com/support/docview.wss?uid=swg21218521

– had to do it opposite of doc – create the self-signed cert in the kdb,

export it to der, then import it in the jks

12/12/07 19940,499 – adding roles adds groups to posix aix adapter, but deleting roles does not delete groups

– chuser <all the groups> is being sent from the assembly line

– solution – changed provisioning policy to handle groups in an array


December 2, 2009

Joined Tivoli Services.  Experience at several different companies. ITIM v4.51-4.6.

1/30/06 PMR 37367,122 – IDS starts in config-only mode after installing and error connecting to db
– Debra asked for debug info, sent it
– Set environment variable “db2instance” to “db2admin”, restarted itds, worked

1/31/06 PMR 10711,379 – NDS connect error 601

1/31/06 PMR 10803,379 – Websphere and http server do not start from services applet (http svc started and then stopped) after installation of novell client 4.91 sp2
– Kathy Reichard
– Vikram Thommandru  – wasservice -help
– Removed and added was, http srvr, http admin, now they start

1/31/06 PMR ,379 – AD reconciliation only returns 11 out of 8000 accounts
– set base point to root, reran recon, worked
– Fon

1/31/06 PMR 10947,379 – AS400 adapter getting erma error 0, erm_status_no_error
-Jim Kovarik

2/3/06 PMR 11737,379 – Java.exe ordinal 318 not found in libeay32.dll
– Chris thinks a new dll will fix

2/3/06 PMR 11735,379 – Searching for AD groups under AD user: com.ibm.itim.dataservices.model.Size_limit_exceeded
– updated ui.properties in itim_home\data with max records=3000

2/3/06 PMR 11734,379 – Person records don’t show up under ou’s
– added placement rule to each OU (return “ou=” + entry.ou[0];)

**  pr 2 to update record

2/6/06 PMR 11948,379 – ITIM not reachable after installing AD pwd sync module, enrole app is started
– uninstalled pwd sync, problem still exists
– sent Fernando logs
– problem was that apache wasn’t running – (PMR 10803)

2/6/06 PMR 12096,379 – Self care app does not pull up using url documented
– built itim_expi.war as documented (selfcare.ear was from Sysco)

2/6/06 PMR 12100,379 – AD pwd sync module not pulling changes from AD
– Jim Kovaric

2/6/06 PMR 12203,379 – Self care app gives error: You cannot use the “Change Challenge/Response Answers” feature at this time. The sample code only supports configuring challenge/response answers when the challenges are defined by an Administrator, however, there are no Administrator defined challenges at this time.
2/10 – APAR/devtrack # IY81564 – dt# s17191
3/21 – had problem with self-care custom app – notified Ramya of APAR #

2/23/06 PMR 20883,379 – Is there support for sync’ing passwords on AS/400 or planned for future?
– yes, it is in v6.3 (6.x) of agent

2/23/06 PMR 20948 379 – DBConfig does not open Xwindow

2/24/06 PMR 21064,379 – Blank white screen on ITIM console, no msgs in WAS or http logs
– was only problem on acinstaller laptop

3/1/06 PMR 22238,379 – “CTGIMO039E A database connection error occurred.” when trying to login as itim manager for first time
– Charles

3/6/06 PMR 23028,379 – ERMA error on AS/400 service
java.lang.NoClassDefFoundError: com/ibm/erma/ERMAWrapper

3/7/06 PMR 23259,379 – Adapter error: ERM_STATUS_PROTOCOL_SPECIFIC_ERROR

3/7/06 PMR 23229,379 – Need help with IDI if/then code for ou placement

3/8/06 PMR 23355,379 – “Reconciliation is already in progress for this service instance” when running IDI recon, no recons in progress
– Clyde – go to the DB2 table ENROLE.RESOURCE_PROVIDERS and change the RECON_STATUS column to a 0, telling ITIM that there is no recon running.  The update command would be something like “update enrole.resource_providers set recon_status = 0 where resource_dn = ???”, where ??? is the DN of the service that is having the issue. do a “select resource_dn, recon_status from enrole.resource_providers” to get the particulars
– FITS # MR0331063210

3/8/06 PMR 23363,379 – WAS won’t stop – error
– Clyde –  – kill -9 all was processes, restart – sent him logs, will send to IDS queue for APAR
– upped JVM to 512mb, tested good for 5 days running

3/8/06 PMR 23447,379 – TPM can’t handle colons in prompts – feature request
– Rob Mitchell/Austin – creating FITS/APAR

3/9/06 PMR 23828,379 – IDSWebApp won’t allow choosing Attributes tab when editing object class
– Roy G. Spencer – talking to dev
– 3/23 – we have been unable to duplicate so far, have WAS lab testing now

3/14/06 PMR 24528,379  IDI ADchangelogv2 – Error on access to the System Store: SQL Exception: Another instance of Cloudscape may have already booted the database D:\Apps\IBM\IBMDirectoryIntegrator\CloudScape.
Brian Hemric
ibmdiservice.exe -i to install as a service
Lak Sri/Raleigh
– service starts, but AL and EH’s don’t run
** remove the -d in ibmdiservice.props file — worked!!
– APAR opened for cloudscape error – IO04037 – expected in fp3, 4/15

3/14/06 PMR 30213,379 Error running IDI as a service: Reporting queued error: faulting application ITDIAsService.exe, version, faulting module ITDIAsService.exe, version, fault address 0x0000225d.
– should not use itdiasService – use ibmdiservice.exe

3/20/06 PMR 30617,379 IDI – ldif to csv assembly line – getting infinite loop when AL reaches “sun.io.MalformedInputException”
– Lak Sri – change Character Encoding in LDIF parser to “Cp1252” — worked

3/31/06 PMR 33190,379 – Warning changing prov pol – ‘syntax error in line 44 after “;” ‘

4/11/06 PMR 40373,379 – How to trigger ITIM person & acct suspend action in IDI
fp14 should fix problem creating accounts and not modifying

4/27/06 PMR – ACS –

5/10/06 PMR – 55925,379 – TPM/TIO problem – Please send to TPM queue – created dcm, run wkf, failed, reboot, start ids, started tio, deployment mgr did not start
– have to reinit (recreate DCM), start tio, then works
Dale Ullrich/Austin/IBM – run thinkcontrol\tools\packagelogs.cmd %TIO_LOGS%
– run-deploymentengine.cmd

5/3/06  PMR 58546,122 – Cannot stop DB2 – Brent Simpson, Max Petrenko
5/4 – figured out why he could not stop db2, but getting diff err, wants to uninstall
5/10 – root,itimdb in etc/group – when install fails only root exists
– did uninstall work?

5/16/06 PMR 60028,122 – Cannot install fp1 for WASND
Getting error “The fix pack can not be aplied to the currently selected product because of missing prerequisites” when trying to install WAS ND 5.1 fp1 on Linux RHEL 3 Update 6
– needed to download fp1 for WASND instead of for WAS base

5/17/06 PMR 60105,122 – Getting error “Invalid db2 instance home” when installing ITIM 4.5.1 on RHEL 3 Update 6 and DB2 8.2 fp11  – Error goes on to say “either DB2INSTANCE is not defined, or cannot locate the JDBC driver db2java.zip based on the current DB2INSTANCE.”  DB2INSTANCE is defined properly, however, because the DB2 env was sourced.  See attached file for error
– Charles
– fix was run “. /home/db2inst1/sqllib/db2profile” then

5/18/06 PMR 60242,122 – Failed to connect to the DataSource.  Encountered : java.lang.UnsatisfiedLinkError: xaConnect
– add “. /home/db2inst1/sqllib/db2profile” or similar to startServer.sh
– Customer needs help upgrading LDAP to ITIM 4.6.  Getting invalid password after installing 4.5.1 fp58, pointing to existing LDAP

5/24/06 PMR 58416,379 – 2nd WAS cluster server showing unavailable – conn refused port 9900
– Node agent on 2nd server wasn’t started – started node agent, worked

5/30/06 PMR 59101,379 – Setting up IDI Web Services connector
– Lak sent custom example 6/1
– have working AL as of 6/7

6/1/06  PMR 59634,379 – ITIM logon page will not display on 2nd node in cluster
Grey Thrasher

6/6/06  ctgimo002E – nullpointer when trying to restore an inactive iSeries account

6/6/06  PMR 70349,379 – IDI problem javaw.exe hanging on web svcs connector error
Lak Sri – was to be fixed in fixpack 2 – apar IO02483

6/7/06  PMR 70728,379 – Need ITIM 4.6 SAP adaptor for AIX
ftp:  ftp.emea.ibm.com/fromibm/tivoli

6/9/06  PMR 62351,122 – running DBConfig getting error – Can’t find library db2jdbc (libdb2jdbc.so in sun.boot.library.path=/usr/WebSphere/AppServer/java/jre/bin
tried copying file in, then got error – CLI0647E Error allocating DB2 environment handle
– Rick Schlosser – make sure you have db2 env sourced & add the path of db2java.zip (i.e. /usr/opt/db2_08_01/java/db2java.zip) into the DBConfig.lax file, save the file, and run DBConfig again.

6/9/06 PMR 62506,122 – SQL 30081N – communication error occurred – TCPIP
– recataloged db, worked

6/14/06 PMR ,122 – get warning message about not having enough disk space (1 Gb) when had plenty

6/14/06 PMR 62908,122 – sev1 – got error sql0601n when upgrading 4.5.1 fp58 to 4.6 fp14 during DBUpgrade
– expected behavior after if51
– apar iy84863  – 45to46.ddl & upgrade.properties

6/15/06 PMR 62997,122 – after upgrading to 4.6, when modifying a person object, all associated accounts are deleted.
– changed back to upgraded 46 schema file, worked

6/15/06 PMR 63019,122 – combine schema files together
– tried 46 schema file, worked

6/15/06 63068,122 – get encryption error ctgimo037e – could not perform unpadding: invalid pad byte
DCF: 1214083 – need to re-enter agent password in service form, worked

6/15/06 63181,122 – null pointer exception on EUA custom app

8/10/06 23905,004 – error installing db2 – using gui – could not create db instance
doug kroll –   x3696
– permissions problem with home dir
– out of disk space
– worked when fixed above 2 issues, reran gui, ran “mkuser db2fenc1” and db2icrt

– send output of db2setup -l log_file -t trace_file

8/16/06 24660,004 – error dropping and creating instances – Could not load program     /usr/opt/db2_08_01/bin/db2langdir:
Dependent module /home/db2inst1/sqllib/lib/libdb2locale.a(shr.o) could not be loaded.
Member shr.o is not found in archive
– comment out lines with LD_LIBRARY_PATH in db2profile, unset this and export
– worked

8/21/06 30235,004 – changed permissions on db2home to non-root user and getting
“SQL1032N  No start database manager command was issued.  SQLSTATE=57019”
Basem – run db2iupdt on each instance to reset permissions
(ie, “db2iupdt ldapdb”)
(Needed to set 775 perms on <inst>/sqllib/backup first, then worked)

8/22/06 30403,004 – getting error when trying to start ldap as non-root
GLPCOM027E Attempt to bind failed with errno 13 (Permission denied)
Thao Vo – create user and new instance on port > 1024
– tried, got error GLPRDB001E Error code -1 from function:” SQLExecDirect ”
– idsucfgdb then idscfgdb worked

8/23/06 30445,004 – starting was as non-root
j. ernie seymour – told dana set perm on all was_home
– MQ not working
– starting WAS quit on starting the broker
– Vishavpal S Shergill/Atlanta
– recreated mq queues, deleted shared memory segments, rebooted, worked
– opened doc APAR PK30674 to update the infocenter w/ mem segm technote

8/30/06 31329,004 – getting “MSGS0255E: Broker Manager unable to attach to Queue Manager – unknown Queue” after running hacrtmqm
send to wascet,103
David Tiler
-ran createmq.sh in followup to hacrtmqm, got past broker
-now gevid Roland L1 – sending sev1 over to L2 queue
– tried setting auth to non for server and cell conn factories
– HA mqm cmds not supported w/ embedded msging

8/31/06 31563,004 – Getting CTGIMM091E Unsuccessful login to WebSphere application server.
..after renaming node and cell and recreating queues
Diep Le – send screenshot, trace, msg, sysout, syserr
– changed node name in enrole.properties, restart itim, worked

9/7/06 32126,004 – Need help setting up remote http server to a websphere server
added 2 lines to httpd.conf, worked
LoadModule ibm_app_server_http_module

9/11/06 32413,004 – Need documentation or help setting up http server as proxy
Robert Boretti – need v2.0.47
– installed 2.0.47, configured per Rob
– waiting for network to test, closed PMR

9/14/06 32913,004 – Getting “SchemaEntryNotFoundException: eraddamlservice” when trying to add AD service
– getting pwd expired when trying to reimport the profile
– problem was enrole’s pwd expired,
– changed, updated in enroledatabase.props & jdbc prov in was, worked

9/20/06 33655,004 – Getting GLPRDB001E Error code -1 from function:” SQLConnect ” ldapdb2b .
SQL1026N  The database manager is already active
after stopping and starting db2 to fix db2 client connect problem
– Lance reassigned a drive, lost all data on reboot

9/27/06 34407,004 – Customer needs way to communicate from ITIM to RACF & AS/400 thru agent srvr
– gave as400 idi connector, opened fits for racf – MR0928066059

9/27/06 34484,004 – DB2 v8.2 installation doesn’t install full bin or instance directory
– Had previous copy in system library, deleted from smit, re-installed, worked

9/28/06 34531,004 – “Memory fault – core dumped” on dascrt and db2icrt
– AIX 5.3 TL4 – Lance said it’s trying to execute in the stack – not allowed now
– Shawn Mullen/Austin – security contact
– Andy – core is in tcbck command – audits security of system
– 11/30 Rec’d fix IY91160 from Faraz Ahmad

9/28/06 34618,004 – When setting up WebSphere to run as non-root user, starting the server quits with no error in SystemOut.log on starting the Broker
– rebooted server, worked

10/12/06 46165,004 – How can you support multiple languages on the same ITIM server?
Challenge Response questions, self-care app
– Installed language packs, could not see any other language avail

10/16/06 46575,004 – Connection refused when testing RACF agent
– use_ssl was set to true, set to false, tested good
– now getting “Unable to create APPC transaction” on a recon

10/19/06 46933,004 – When editing wkf, getting “please take care of all the invalid (yellow) nodes and links first”
Workflow – OK button doesn’t remove window
– Exit doesn’t exit
– checking the java 1.42 or 1.50 button in internet options fixed it

10/30/06 48175,004 – When starting ldap, GLPRDB001E Error code -1 from function:” SQLConnect ” ldapdb2b .  SQL1026N  The database manager is already active.
– ldapdb password expired, changed password and ran idscfgdb -I xx -w xx, wrkd
– got same thing after running idsucfgdb and idscfgdb
– had 2 db aliases, uncataloged both, cataloged one,
– changed ibmslapd.conf, worked

11/2/06 48513,004 – AD agent, unable to bind to base point
– entered password for itimadm (RM had not), removed base point, worked

11/2/06 48603,004 – ran AD recon, ldap died with
GLPRDB001E Error code -2 from function:”SQLBindParameter ”
– restarted ldap, reran recon
– “tenant cannot be found.”  ldap was up, but could not browse to anything under dc=com
– increased entry cache size, worked

11/6/06 48910,004 – ran AD recon, ldap died with:
– “tenant cannot be found.”  ldap was up, but could not browse to anything under dc=com
– ITIM console hung on logon after running AD recon
– Could not stop enRole in WAS console for 7+ min
– transactions timed out in SystemOut
– “Threads “Servlet.Engine.Transports : 20″ (19, etc) may be hung”
– WAS was not using enough memory, ids/db2 were tuned too big for the box (40,000 users)
– stopped WAS, stopped itimdb, killed ids, retuned for 10,000 users (40000 entry cache)
– restarted, reran recon
– set entry cache to 10000, recon ran
– found ulimit -d was = 240000, set to 2000000, retried 40000 entry cache

11/9/06 49330,004 – upgrade to fp25 doesn’t change fp # on logon screen
– changed Messages_en.props (& other langs) in itimhome/data, worked, closed

11/13/06 49716,004 – fp25 upgrade broke placement rule
– installed if29, script produced error, but installed manually thru was console
– worked – populated right ou
– sent new script, closed?

11/28/06 61095,004 – After applying cf 12 to WAS 5.1.1, getting error
J2CA0007W: An exception occurred while invoking method setsetMcfPassword
on com.ibm.ejs.jms.JMSManagedQueueSessionFactory used by resource JMS$ITIM Queue Connection Factory$JMSManagedConnection@539129660 : com.ibm.ws.security.util.InvalidPasswordDecodingException
– ITIM is running fine
Chenna Korvi – WAS
Jason Dourity – told of PK32670 – installed, worked, closed

12/12/06 62522,004 – When connecting to Oracle CBS – Error code 800a0e7a, Code meaning = U, Source ADODB.Connection, Provider cannot be found. It may not be properly installed.
– needed Oracle client installed
– Dan Barto
– 1/12/06 – Getting error on recon:
Failed   Parse XML file failed: The system cannot locate the object specified. :

12/13/06 <NOPMR>   – Starting HTTP server 2.0 – error in event log – loadlibrary (“c:\mod_ibm_app_server_http.dll”) failed – the specified module could not be found
– changed line in httpd.conf from
LoadModule ibm_app_server_http_module c:\WebSphere\AppServer\bin\mod_app_server_http.dll
to
LoadModule was_ap20_module <drive>:\WebSphere\AppServer\bin\mod_was_ap20_http.dll
– got error: can’t locate API module structure ‘ibm_app_server_http_module’ in file c:/program files/websphere/appserver/bin/mod_was_ap20_http.dll: No error
– forgot the “was_ap20_module” part of the line, changed that
– got error in system event log: “The IBM HTTP Server service terminated with service-specific error 1″  nothing in the app log, or ibm http logs, even when logging turned to debug
– set loglevel in plugin-cfg.xml : <Log LogLevel=”Error” Name=”C:\Program
– found that WAS hostname was not defined.  Set in hosts file, then service started

12/14/06  62909,004 – Getting: “Unable to obtain mutex in GetDefaultDomain” when trying to run an AD recon – adapter server in a different domain than target domain
– need server in the same forest as target domain

12/15/06  63037,004 – Form customization field names not text as expected – mgr role
– problem really was LDAP error 34 when running IDI feed

1/23/07   60115,49r – WAS 5.1 not installing MQ on 64 bit Linux
– Sal Salaimani/Austin – 64 bit not supported in 5.1

1/24/07   60277,49r – ITIM 4.6 fp33 uninstaller deletes all of /tmp

1/24/07   60316,49r – JMSserver not starting – Queue Manager Listener failed rc: 20
– Dave Brune
– Dave Kenner – wl1cet,30w queue
– Dave Tiler
– runmqlsr process was still running
– kill that, recreate the qmgr for jmsserver, start jmsserver, worked


December 2, 2009

Attempts to install ITIM 4.5.1, and configuration issues at a major Utility.

12/18/04 PMR 06615-122 – Error dll in use while upgrading to Websphere 5.0 fp2

12/19/04 PMR 06745-122 – Cannot find jar file (fix) when installing fix using Update Installer

12/19 PMR 06786-122 – No installable fixpacks that can be applied to the currently selected product

12/19/04 PMR 06813-122 – Please input an existing DN – Fon Kwok – set up ref integ per doc
– 12/22 set up ref integ, and doc is junk – forward slashes???
– 12/30 yes, forward slashes on both of those paths.  now getting rolledbackException, sent logs
– 1/2 tried reinstalling 3x, same error, now getting failed to create MQ queue manager
– 1/5 check on amq6119 (pmr 08801)
– 1/7     -check systemout.log for queue mgr
* during fixpack2 – check embedded msging box to upgrade that too
* check queue mgr & broker start successfully
* Dave Titzler
– closed when reinstall started mqm ok
– reopen to yell about service installed w/ no exe

12/30 PMR 08100-122 – (WAS queue) CSITransactionRolledBackException when trying to reset the ITIM mgr password
– In log, NoClassDefFoundError: com/ibm/ws/spi/txhelper/TransactionHelperFactory
– ITIM probably got confused between WAS and WAS express and installed pointers to Express – uninstall and reinstall WAS and ITIM

01/02/05 PMR 08370-122 – Port 8880 conflict on Websphere
Anita, Sherry – reinstall (worked)

01/05 PMR 08680-122 – ITDS install error – fatal DB2

01/05 PMR 08801-122 – Trying to create MQ queue manager, and getting amq6119, etc
– Lev 1: run collector and transferred to lev 2
– Lev 2: called after 2 hours and needed to research – 3 more hours later, try setting 2 log settings
– 1/6 waited for callback 10:30-2:10 (3:40)
– 1/6 – need to be at mq 5.30 w/ csd 4
– 1/7 – Matt Davis
– 1/7 – Dave closed – dup

01/07 PMR 09133-122 – bipservice.exe – Dave closed – dup

01/08 PMR 09462-122 – Tim DeCoursey – noclassDefFound

01/30 PMR 18631-122 – Websphere service did not install
– Nasar – reinstall, he will call back

02/02 PMR 18923-122 – ITDS user ID or password is invalid
Tom – AD domain, moved to res & worked

02/12 PMR 26148-122 – java.io.NotSerializableException: com.sun.jndi.ldap.LdapCtx is not serializable
– also, Agent Profile installations give errors: LDAP: error code 16 – No Such Attribute]; remaining name ‘erobjectprofilename=NT40Profile,ou=serviceProfile,ou=itim,ou=Tivoli, dc=com’
– Rick Schlosser – try deleting databases and recreate create in db and separate ldap db
– make sure that you run ldapcfg on suffix.ldif to add the suffix object to the ldap db

02/19 PMR 27531-122 – How do you get to 50 canned challenge response questions.
– Gary Larson – there are none

02/23 PMR 27961-122 – Error 2 when trying to remove evt notif context – unable to remove it
Error 1810 when trying to generate private key pair and cert request: Error gen PKCS10 request
Error “java.lang.NullPointerException” when testing Novell agent service
Error “Connection refused: connect” when testing NT agent service
Noel – Grey Thrasher in Irvine has latest doc for AD pwd sync, Fernando – NovAgnt
Fernando: ** Don’t set up evt notif until test user add, modify, suspend, delete, recon **
erservicename=novellservice,o=Test,o=test,dc=com
reg hklm/software/agent360/novellagent
1. load new profile from 4.5
2. remove old profile (will tell you in slapd.err what object is problem – remove it)

03/03 PMR 29922-122 – Can you expire the ITIM password after 90 days
– yes, config, properties
– How do you get a certificate for the NT and Netware agents?
– ** How do you change the console timeout?
– Charles will send files to change.
– ** How do you change the default username format?
– Charles will send sample
– Testing RACF: ERMA connection Create operation failed: Protocol specific error: 20, ‘INTERNET_OPEN_ERROR’.
– ftp doesn’t work, daml version coming out 3/4, new erma libraries coming out in a week
– Charles will send when available
– NT: Connection reset by peer:  socket closed
– httpS: required

03/?  PMR 31625,122 CORBA BAD_PARAM JNDILDAP.LdapCtx is not serializable
Recommended to reinstall ITIM, Websphere.

03/15 PMR -122 – Tenant not found – Marie: ldap config thing

03/16 PMR 32249-122 – Access denied when creating an NT account
Fix:  change the service to logon as the Domain Admin account

03/16 PMR 32258,122 – When trying to reset pwd as a user, NT service is not listed as an option.
Valentina Sessa, Italy – add Account ACI under My Org and grant password attribute perm
Fon Kwok – NT pwd should reset when pwd sync is enabled
Bruce Larson 3/23

03/17 PMR 32457,122 – Cannot create Novell account
FB- prov policy, entitle, advanced, add container name
– upgrade to 1013 – how?
– 1013 version produced “unable to save 219 bytes to server” on recon

03/18 PMR 32575,122 – bring up racfssl – BPXP005I A FORK OR SPAWN ERROR WAS  ENCOUNTERED. RETURN CODE 00000070 REASON CODE 0BFC0434
– Gary – use racf ssl agent 4.5.2

03/23 PMR 33471,122 – Attempting a recon w/ RACF SSL – “racfSearch: Unable to create APPC transaction”
– Bill Palmer, John Young

03/?  PMR 33523,122 Warning during DSML feed.
Recommended to review ITIM trace.

03/?  PMR 34115,122 How to link NT Account to LDAP User
Recommendation was to add alias attributes to dsml feed.

03/31 PMR 40005,122 – 2 NT IDs didn’t show up in orphan accounts
– Charles
03/31 PMR 40041,122 – Hanging when deleting mq queue manager
– fp2 does not update csd if install fails once, have to uninstall was completely

4/1   PMR 40212,122 – RACF – password max 8 char on racf
– FR? – how to unlock accounts – need to restore acct- Gary Larson
– what rights it needs – pg 26, step 5.5 of RACF SSL install guide

4/1   PMR 40232,122    – feature request: ability to reset racf w/ lan or w/o

4/2   PMR 40397,122 – With RACF linked account, Passwords are not sync’d (Russ’ and dhanson1 accts)
Rick Schloss

4/5   PMR 40776,122 – Password requirements/conform error is always the same (Password does not contain required minimum digit characters)
Noel Lewis – message is unique to that case, but I said it should be more clear
– became enhancement request MR0414044252

4/5   PMR 34697,122 – Request product developer to resolve design defect issues: In the latest LDIF export there are 870 “erisdeleted: Y” records. We ran the command e:\itim45\bin\win\ldapclean.cmd to clean up these records, but zero entries are deleted for this tenant. The response message to the ldapclean.cmd points to Recycle Bin DN: ou=recycleBin,ou=tim,ou=test. This is not critical day one, but over time the LDIF will be filled with garbage. The LDIF shows there are approximately 23000 orphans and 18000 accounts. Field “erAliases” has been added to the dsml records. Service recons are hanging. There have been some associations between services and people records, but far fewer than expected. Recons are hanging and this may be the cause of the large number of orphans. Recons should continue to run when an error is not fatal, or the program should abort when the error is fatal.
RACF Accounts    4,000
RACF Orphans    18,000
NT Accounts      7,814
NT Orphans       2,273
NV Accounts      6,708
NV Orphans       2,105
Service recons can modify data on the server. Is this true? We are not sure if this is true, and need to be certain that the end-user data on the server is not changed by doing a recon. It is essential that the ITIM product not modify data on the NT, NV, and RACF server when doing a recon. Recons are running in excess of 12 hours. This is slow and sequential. Twelve minutes would be more acceptable using some hashing algorithms.

By design adoptions can only take place when service recons are done.  Adoptions should take place
with the DSML recon as well by having the existing orphan record population examined.

Filtered recons to test a single adoption take almost as long as a full recon because all the server
service entries are loaded into ITIM each time a recon is done.  (You mentioned this will be redesigned
with ITIM 4.6) .

4/5   PMR 40832,122 – Cannot unlock NT accounts – Gary – change the registry hklm/sft/acc360/nt/unlockOnChgPwd=TRUE

4/5   PMR 40953,122 – Cannot add console servers to manage under ITDS console

4/7   PMR 41353,122 – Netware 1013 agent giving obj class viol’s on NetwHomeDirServer during recon
****  Performance:  agentcfg & itim45/data/enrolelogging.prop & ibmslapd.conf (syslog) – log file location
edit plus – charles’ editor
– In itim.log getting “Corba.no_memory:unable to write value” error
– FIX: WAS console – servers, app servers, server1, process def, max heap size: 512 or increase, apply, save to master config (at the top), save, restart was
** ADD to BUILD **

4/13  PMR 42494,122 – NullPointerException – ITIM not working but shows started in WAS console
– http server was stopped for some reason, started, worked

4/?   PMR 42996,122 Is there a best way to do a mass delete of people records.
Recommended to delete from MI. ldap browser
and  then run a small import load from Dan’s prior work

4/22  PMR 44180,122 Schema Violation Exception during Netware RECON
Gary Larson
4/26 opened crit-sit, Jane Harris is contact
4/27 India tried to repro w/ 48 char group name and no problems
4/28 sent full logs
4/30 Irvine posted the logs to devtrack
5/03 Shashank is dev that is working this, GL will set up conf call w/ me and India for tomorrow
– closed when APAR was closed that resolved 100 object class viols
– still have viols but only 12 so they want a new PMR opened
– APAR/devtrack# IY56076/dt# s12843

4/24  PMR 44649,122 – If a completed req shows warning or failed, no more detail on # of warnings is available

4/27  PMR 55141,122 – When submitting prov policies, received blank screen and when refresh, multiple errors
– Fon Kwok: e-mailed recommendations on 4/28 – increase appl_heap_size and possible script errors in our workflow

4/28  PMR 55425,122 – While tuning ccc2kitim1, I found the LDAP db and the ITIM db are both named ITIMDB.  Now what?  Must we
rebuild, or can we survive as is?  — Charles says we should keep itimdb & ldapdb separate.  Can retrofit.
Got instructions to do so.

4/29  PMR 55593,122 Gail Gladney – IDS tables in ITIMDB instead of LDAPDB – what are table names, how can we separate?
update — why do we have 2 db systems, one in caps, one in lower?  There are db instances called itim,
itimdb, and db2admin; databases named itim, itimdb, and test1 — where did these come from?
*- Kevin Gehrlein-* on callback; sent note w/DB2, IDS, & ITIM interplay questions; he will take to his DB2 resource
4:30 — escalated ticket
Fix: set db2instance=db2admin then connect to ldapdb

4/28  PMR 55737,122 Gary Larson – Novell RECON hangs with a PDU 3000 limit message
“PDU has reached released entry limit of 3001, limit is current set to 3000”
Gary indicated it would continue after a period of time

4/29  PMR 55924,122 Rick Schlosser –  Clarification of RACF attribute erracupassdate
Recommended to filter out disabled accounts (erAccountStatus=0)
to remove disabled account records.
Received 5/5 closing 55924,122
…    I’m afraid I gave you some bum information – I told you to do a filtered recon thinking that since the RACF agent is now DAML instead of ftp that filtering would work just like the other DAML-based agents – unfortunately, I noticed in the release.txt file for the agent that filtered recons are not supported – yet.

5/3   PMR 56399,122 – RACF agent cert install gives error (dat file missing)
– GL get exact error & make sure that he’s running certtool w/ switches & make sure rwe perms are on the file

5/3   PMR 56405,122 – Refreshing with an existing pending request returns zero pending, then 1, then 0, etc
– Gary Larson: set webclient to debug in enrolelogging.properties, recreate, and send itim.log(S)
– 5/11 have not been able to recreate, asked Gary to close – dh

5/4   PMR 56529,122 – Dup Accounts on RACF East (use Nancy Jones Racf East Inactive as example)
– Fon Kwok – send him logs

5/4   PMR 56673,122 – How to set up security in DB2 for multiple domain user IDs
David Guliano –    x3606
db2 set db2_grp_lookup=domain
db2 get dbm cfg
db2 update dbm cfg sysadm_group <group>
change account that services is using
– did not work, asked for callback 5/10 – did not receive
– 5/11 escalated and raised severity
– 5/12 did a trace – IDs with IBM in the name do not work

5/5   PMR 56882,122 – How to set up ACI to browse all accounts & people
Add ACIs for all these Object types: All classes of accounts, Identity Manager User, Location, Organizational Unit, Person

5/5   PMR 56920,122 – corba errors on login – bad param 0x4f4d0006 java.io.NotSerializableException: com.sun.jndi.ldap.LdapCtx is not serializable
– Charles:  disable check policy to speed up recons
Check db2cli.log in ldap/var –> buffer pool too small
FIX:  set bufferpools to 4096 and 48000 -dh

5/7   PMR 57180,122 – sev1 RACF recons are failing – started task is crashing – <Message Id=”The element type “SearchResponse” must be terminated by the matching end-tag “</SearchResponse>”.: null”></Message>
Cynthia  what os agent is on and what
Noel Lewis – send racf agent log, itim log & screenshot of error
Last (& last successful) recon on 4/21
-5/14 set up 2 server config, 5/15 still failing
-5/21 try allocating 1Gb to RACF – 5/23 still failing
-5/24 asked for callback
– Casey Peel & Scott Pierce – ITIM tuning experts
-6/4 tried Fernando’s suggestions to try scoped recon and get surrogate error
-6/9 Fern found a problem with brackets on one account, ZIO57 – changed that and got warning instead of failures, # signs in group names causing warning -> they will make it an APAR
– 6/17 APAR/devtrack# IY57993/dt# s13035 – “racf translation code pages not translating correctly”
– scheduled for next release of RACF agent – due in mid August

5/10  PMR 57579,122 – NT recons are dropping accounts.
Steve Runyon  –  email to
– 5/11 – ftp’d logs to service2.boulder.ibm.com and e-mailed Steve, idmgr, and Brian M. -dh
– 6/3 – Steve checking with Fernando
– 6/15 – John Pontius  called to help troubleshoot
– spent weeks at Kmart w/ ITIM 1.2 in 2001 – with – Daniel Crum, Andy Rucker – other dev
– has worked a lot with tuning
– we only need 5-10 OChandlers for LDAP
– 6/17 sent them new logs for user & harped on the lack of retransmit wait states in the code. – DH
– I did some more checking and ran network traces and found that itim2 was having trouble talking to itim1.  Changed the agent to run on itim2 for user and got 954 more NT accounts – fixed!
– asked for APAR – need to handle transmits
– 2nd APAR – should report “failed” if recon stops at “S” or “T” rather than finish
– Rick Schlosser
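
Added example (not from these notes and not IBM or ITIM code): one way to stage a recon result and hold deletions when the agent appears to have returned only part of the accounts, as in the entry above where the recon stopped partway through the alphabet. The function names, thresholds and account names are constructed for illustration.

```python
"""Two-phase recon guard: download first, then decide whether deletes are safe."""
from dataclasses import dataclass, field


@dataclass
class ReconPlan:
    apply_deletes: bool                              # False = hold deletions for review
    reasons: list = field(default_factory=list)      # why deletions were held
    to_add: set = field(default_factory=set)         # accounts seen for the first time
    to_delete: set = field(default_factory=set)      # empty whenever deletions are held


def plan_recon(known, returned, agent_errors=0, max_drop=0.10, min_tail=2):
    """Compare the staged agent result with the accounts already held.

    known        -- account ids currently stored for the service
    returned     -- account ids the agent returned in this recon
    agent_errors -- error count taken from the agent log for this run
    max_drop     -- largest fraction of known accounts allowed to disappear
    min_tail     -- how many missing accounts make a truncation check meaningful
    """
    known, returned = set(known), set(returned)
    missing = known - returned
    reasons = []

    # 1. Any agent-side error means the result may be incomplete.
    if agent_errors:
        reasons.append(f"agent log shows {agent_errors} error(s)")

    # 2. A large share of known accounts vanishing at once is suspicious.
    if known and len(missing) / len(known) > max_drop:
        reasons.append(f"{len(missing)} of {len(known)} known accounts not returned")

    # 3. Truncation: every missing account sorts after the last returned one,
    #    which is what an enumeration that stopped partway looks like.
    if returned and len(missing) >= min_tail:
        last = max(name.lower() for name in returned)
        if all(name.lower() > last for name in missing):
            reasons.append(f"enumeration appears to stop after {last!r}")

    to_add = returned - known          # additions are safe either way
    if reasons:
        return ReconPlan(False, reasons, to_add, set())
    return ReconPlan(True, [], to_add, missing)


# Constructed sample data: 24 accounts already held for a service.
KNOWN = frozenset({
    "adams", "baker", "clark", "davis", "evans", "frank", "ghosh", "hill",
    "irwin", "jones", "kumar", "lopez", "moore", "nolan", "ortiz", "patel",
    "quinn", "reyes", "smith", "tran", "usman", "vega", "wong", "young",
})
# Constructed truncated result: the agent stopped after the "S" accounts.
TRUNCATED = frozenset(name for name in KNOWN if name <= "smith")
# Constructed normal result: one account removed on the platform, one created.
NORMAL = frozenset((KNOWN - {"hill"}) | {"zhang"})


if __name__ == "__main__":
    for label, result, errors in (("truncated", TRUNCATED, 3), ("normal", NORMAL, 0)):
        plan = plan_recon(KNOWN, result, agent_errors=errors)
        print(label, "apply_deletes =", plan.apply_deletes)
        for reason in plan.reasons:
            print("   held:", reason)
        print("   delete:", sorted(plan.to_delete), "add:", sorted(plan.to_add))
```
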

5/11  PMR 57870,122 – bufferpool error in logs (IDS), within TIM — “no pages currently available in bufferpool ‘2’” -rjb
Thomas – sent error log, tuning doc, db2diag.log
5/12 3:30 – status update – rjb
5/12 4:20 – Thomas Aaron/Austin (IDS team) sees no prob with IDS – re-routes ticket to ITIM queue

5/25  PMR 65644,122 – WAS crashing – Dr. Watsons
Fon – set APP_CTL_HEAP_SZ value on the itim db (default 128) to 1024
** incorporate this into build **

5/26  PMR 67027,122 – RACF recons don’t abort
– Changed to FITS MR0608041221

5/31  PMR 67028,122 – Stopping WAS service – get error service is not responding to control function even though java.exe stops

6/01  PMR 66831,122 – Netware accounts missing after running recons – not orphans or accounts
– Fon Kwok – Fern said try new ldap and new profile, but got original obj class violations
–  # signs in the groups causing problems – APAR IY58402

6/8   PMR 67924,122 – HTTPS setup – getting port 443 thru, but not https
– 6/16, escalated to sev 1: can’t get http://password/enrole to respond
– 6/16, based on redbooks research, I found the solution and closed ticket before callback – rjb

6/09  PMR 68263,122 – Invalid Http Request Target when selecting Administrators under Configuration
Charles –
– Caused by an itim account that is an administrator where the people record (owner) did not exist
– deleted systemuser record (itim account) from ldap, and tested good

6/16  PMR 69482,122 – 1300 RACF East accounts missing
Charles – sent logs
6/18 – ran recon with just 7 of the missing accounts in a dataset that Russ created, and all 7 came into LDAP.  ran another full recon and all but 2 or 3 accounts are in there now

6/22  PMR 70552,122 – send to Jane – sev1 – RACF accounts do not unlock when password is reset
Fon – not supported, can make FITS – became FITS # MR0722046856

6/25  PMR 71122,122 – When pwds are reset, they are sent in clear text over e-mail.
– combine e-mails into one for multiple resets and inhibit pwd in e-mail
– Rick Schlosser – set notifyPassword=false in enrole.properties

6/25- PMR 71177,122 Ran recon on Novell RECON, the account dropped from 13K to 1K records.   12K have been lost.

Interim Fix 14 – released May 14

….    Hi Phil – got your PMR 71177,122,000  – from the description it sounds like there was some sort of failure in the agent recon that caused only a portion of the total number of accounts to be returned – ITIM, of course, thinks those accounts were deleted from the managed platform and in turn deletes them from ITIM – check the agent log for any errors
…    Is there an apar for this/
…    ?
…    No – various conditions that seem legit to the agent can cause this sort of thing – for example, someone changing the security authority of the agent account such that it now can no longer access all the users – only a subset – not apar-able
…    I didn’t know recons removed accounts
…    Do recons remove accounts?
…    hold on
…    the purpose of a recon is to have itim mirror the managed platform – if attributes change on the managed platform the attributes will change in itim (and policies will be optionally checked and enforced).  If an account exists on ITIM today and tomorrow a recon is run and that account no longer exists, itim will reflect the reality of the managed platform and delete the account from itim.
…    We had 13K accounts, and now have only 1K.
…    and?
…    12K accounts should not have been deleted.
…    unless 12k accounts were not returned in the recon
…    that’s why you need to look at the agent log
…    Why would the recon end with a warning?  I was told this was OK?
…    Why would the recon make any change if the download was not successful?
…    I don’t know Phil – if we knew what was going on in the agent log we might be able to piece it together
…    If I tar up the NetwareAgent.logs, can you look at them with me.
…    sure
…    It is 218 MB, where do I send it?
…    218mb tar’d?
…    yes, I’ll try a compress
…    try feathering too
…    got it
…    It is down to 25 MB
…    Where do I send it?
…    hold on
…    ftp testcase.boulder.ibm.com
User (testcase.boulder.ibm.com:(none)): anonymous
Password: your email address
ftp> cd software
ftp> cd toibm
ftp> cd tivoli_support
ftp> bin
ftp> put yourfilename
…    it has been sent
…    I’ve found 22,000+  NDS Error 34841  Attribute value retrieval failure in SearchConnection
…    Check with your NDS admin or systems person on what that error means …
…    or Google it
…    It is not acceptable that 12k account records were removed from ITIM.
…    that’s fine – and I agree – but first line of defense will need to be fixing your 22000+ errors
…    How?
…    what does error 34841 mean?  Whatever it’s saying needs to be fixed …. that’s why you should talk to your NDS admin or systems person
…    OK, but I need an APAR opened.  If I am in production this becomes a fatal flaw.   If a download is unsuccessful, or some error occurs the product should make no changes.   The recon must be broken into multiple steps, first download, and then build…  This must be known by the ITIM by now.
…    agreed
…    you may not get the rapid response you want, though, once it gets to apar-land – unless someone takes a strong advocacy role with the powers that be
…    OK, I really want an APAR.  This has happened to us at  before.   I’m sure it will happen again.  It only affects me this weekend, but it will affect the entire IBM  account once it moves into production.   I am a very bad negotiator, but I feel very strongly that this part of the product is broke.  Can I have an apar number?
….    I don’t assign apar numbers – I write up the bug information in the pmr and requeue it for someone to actually assign the apar – so use the PMR number for now
…    I want an APAR, please pass me to someone who writes APARS
…    you’re 4.5.1 with what level of fix?
…    os for server?
…    was/db2?
…    I’m 4.5.1 on Win2000
…    fix level?
…    sp 4
…    on itim, not w2k
…    Build 5147
…    that’s the base – any interim fixes on top of that?
…    I’ve written up your PMR and pushed it to the queue that will drive the creation of an apar.  The person who ordinarily does this just departed (minutes ago) for a three-week vacation – her standins will take care of this – probably not today but certainly early next week.  If you want immediate action, call Dan Barto at  or Peter Wolf at .  Tell them your PMR number (71177,122,000)  and that you require an immediate apar to be issued.
…    No Rick.  No call is needed.  I just didn’t want this issue to slip through the cracks.    I will update the local management team, and restart on Monday.  Thanks for helping me.


Your PMR# 71177,122,000  has had a defect logged in the APAR/devtrack system.  Your APAR/devtrack# IY58359/dt# 13128  has been forwarded to the Level 3 group for research.  I will alert you of any updates as Level 3 progresses.


Meghan Ritschel
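
The safeguard asked for in the chat above (stage the recon download first, and make no deletions when the download errored or came back short), sketched as an added example that is not ITIM or agent code. The function names, the `max_drop` threshold and the sample data are assumptions constructed for illustration.

```python
"""Two-phase reconciliation guard (illustrative sketch; not ITIM or agent code)."""
import re

# Matches agent-log error lines such as the one quoted in the chat above.
NDS_ERROR = re.compile(r"NDS Error (\d+)")

def count_agent_errors(log_lines):
    """Return {error_code: count} for NDS errors found in the agent log."""
    counts = {}
    for line in log_lines:
        m = NDS_ERROR.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def plan_recon(known, returned, log_lines, max_drop=0.10):
    """Phase 1: stage the download and decide what phase 2 may apply.

    known    -- account IDs currently held by the identity store
    returned -- account IDs the agent returned in this recon
    max_drop -- assumed policy: largest fraction of accounts one recon may delete
    """
    known, returned = set(known), set(returned)
    missing = known - returned
    errors = count_agent_errors(log_lines)
    drop = len(missing) / len(known) if known else 0.0
    reasons = []
    if errors:
        reasons.append(f"agent log has {sum(errors.values())} errors")
    if drop > max_drop:
        reasons.append(f"{len(missing)} of {len(known)} accounts missing ({drop:.0%})")
    # Deletions are only released when the download looks complete and clean;
    # otherwise they are held for an operator to review.
    return {
        "action": "hold_deletes" if reasons else "apply",
        "deletes": [] if reasons else sorted(missing),
        "held": sorted(missing) if reasons else [],
        "adds": sorted(returned - known),
        "reasons": reasons,
    }

# Constructed sample data at the incident's scale: 13K known, 1K returned.
KNOWN = [f"user{i:05d}" for i in range(13000)]
PARTIAL = KNOWN[:1000]
SAMPLE_LOG = ["NDS Error 34841 Attribute value retrieval failure in SearchConnection"] * 3

if __name__ == "__main__":
    plan = plan_recon(KNOWN, PARTIAL, SAMPLE_LOG)
    print(plan["action"], len(plan["held"]), plan["reasons"])
```
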

6/28/05 PMR 50143,122  Created for DAML_SSL data transfer error during ITIM Netware Recon.   Number of Netware accounts is 7661.

7/15  PMR 74793,122 – After applying if09, logins hang, sev1
Gary Larson  – send itim.log w/ 4 debug options set
LDAP was down – DB2 db was not starting due to error SQL1042C – reboot fixed

7/16  PMR 80147,122 – After applying if09,14, cannot reset passwords, sev1, CLI0610E Invalid column number SQLSTATE=S1002
Ivan Watkins –   Apply fixpack 16, worked

7/20  PMR 80859,122 – How to reset Netware passwords to not force 2nd change upon logon
Fon Kwok – dev could not recreate, so I recreated & sent him detailed steps
– became APAR/devtrack# IY59507/dt# s13203

7/22  PMR 81234,122 – Cannot delete ITIM accounts, Account is not a DirectoryObjectEntity
Gary Larson – send itim log, properties files, systemout & err

7/23  PMR 81474,122 – User IDs with # signs cannot register.
ITIM accounts are not created due to ldap error 34: invalid DN syntax
– was already opened as an APAR – IY58402 – no ETA
7/26 – Need update asap on how to rollback to 4.5.1 base.  Cannot uninstall fp’s
Ivan Watkins

7/23  PMR 81476,122 – Get strange error when resetting users’ own passwords: com.ibm.itim.webclient.organization.account.ChangePasswordServlet.PASSWORD_CHANGE_RESULT
Barry Evans ,  cell

7/26  PMR 81851,122 – How to set expiration on temp password during registration
Noel Lewis – need to know how the 24 hour setting in Properties is used. (isn’t working for our register.jsp)
7/26  PMR 82152,122 – How to rollback to 4.5.1 base
– install, say ‘yes’ to upgrade, then redo post build steps

7/27  PMR 82255,122 – sev1 Users unable to reset their own passwords on NT, Novell, RACF since application of FP16
Barry Evans – closed when rolled back to base 4.5.1

7/28/05   82565,122 – Getting JNDI_operation_error when opening Configuration, Entity types, Account, changepassword.  ITIM.log shows LDAP error code 32 – No such object; remaining name ‘ou=category,ou=itim,’

8/4   PMR 83867,122 – Cannot create accounts on agent platforms on itim3

8/10  PMR 85246,122 – XML parser errors in systemout.log on itim3
– update – J2CA0125W error, error parsing XML document at WAS/properties/j2c.properties – which has a May timestamp

8/11  PMR 85542,122 – WAS 5.0.2, CF3 error on itim1 – install of CF3 failed on webui
– Phil found issue with JAVA_HOME and WAS_HOME in setupcmdline.bat file – had been set with double quotes, but found issue with space in ..Program Files/WebSphere…, so changed it to Progra~1; but then had problem with dbl quotes; removing dbl quotes solved problem
– closed 8/13

7/19/2005    PMR 82335,122 – Setting up recon to Active Directory agent.  What permissions/auth level is required for the related userid?
– Clyde Zoch  replied passwordAdmins_Energy should work, but no guarantees since “none of this is documented anywhere”
– Domain Admins is their recommendation
– Closed 7/19

7/19/2005    PMR 82338,122 – recommended ITIM, DB2, WAS, LDAP product levels
– all components supported through 8/06
– closed 7/19

7/19/2005    PMR 82414,122 – is it possible to run Reconciliations based upon previous reconciliations

7/19/2005   PMR 82427,122 – DH – Why ACI for help desk isn’t allowing read/search of person records and password resets
– Checked Org Tree Special Access under Group Detail for the group, and it worked on 1st test, but spotty success after subsequent tests
– Fon Kwok: check accesscontrollist.refreshInterval=5 in enrole.properties and turn on logging for authentication=debug


December 2, 2009

After compiling notes for years on IBM Tivoli Identity Manager (ITIM), I’ve decided to share them.  Hope they help!