Attempts to add a second Identity Server to an IDP cluster on Windows fail with a keystore error.

  • 7005799
  • 21-Apr-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 SP1 IR2 Identity Server on Windows
Novell Access Manager 3.1 SP1 IR2 Administration Console on Windows
Novell Access Manager 3.1 SP1 IR2 Linux Access Gateway

Situation

Adding a second Identity Server to an Identity Server cluster on Windows 2003 is not possible.
It fails with the following error: Unable to read keystore : C:\Program Files\Novell\devman\jcc/certs/idp/signing.keystore

The appsc0.log file shows that the configuration store holds an IDP entry the Administration Console can no longer resolve:

222(D)2010-03-17T13:58:48Z(L)application.sc.core(T)16(C)com.volera.vcdn.application.sc.core.DeviceManager(M)getNIDSServerContext(Msg)<amLogEntry> 2010-03-17T09:58:48Z SEVERE DeviceManager: AM#100902096: Error - Could not find idp-F767343F2D1C4412 </amLogEntry>
com.volera.vcdn.application.sc.core.KeyManager(M)modifyKeyStoreEntryXml(E)java.lang.NullPointerException
at com.volera.vcdn.application.sc.core.Info.getXmlValue(y:1606)
at com.volera.vcdn.application.sc.core.DeviceInfo.getActualDeviceType(y:3207)
at com.volera.vcdn.application.sc.core.DeviceManager.getAssociatedESPAgent(y:1550)
at com.volera.vcdn.application.sc.core.DeviceManager.clearInfoCache(y:1785)
at com.volera.vcdn.application.sc.core.Info.setDocument(y:1403)
at com.volera.vcdn.application.sc.core.KeyManager.modifyKeyStoreEntryXml(y:663)
at com.volera.roma.app.handler.CertHandler.addKeyToKeystore(y:3163)
at com.volera.roma.app.handler.CertHandler.addKeyToKeystore(y:183)
at com.volera.roma.app.handler.CertHandler.B(y:6513)
at com.volera.roma.app.handler.CertHandler.addServerToCluster(y:208)
at com.volera.roma.app.handler.CertHandler.addServerToCluster(y:944)
at com.volera.roma.app.handler.CertHandler.processRequest(y:3182)

The IDP with the referenced device id was no longer visible in the Administration Console.

Resolution

If you encounter symptoms that could indicate a corrupt datastore entry, or devices missing from the Administration Console, proceed as follows:

In the Administration Console under Auditing, Troubleshooting, Configuration you will have an entry called:
Devices with Corrupt Data Store Entries

If an empty value is written to an XML attribute, the device with this invalid configuration appears in this list.
Click the Repair button to rewrite the invalid attribute values.

If nothing is listed, or the problem persists after the repair, open a service request with Novell Technical Support to have it investigated further.

Additional Information

The romaIDPDeviceXMLDoc attribute of the IDP referenced above was empty, which is what caused the failure when newly installed IDPs were added to the cluster.
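The following triage script is an added example and is not part of this TID or of the Access Manager product. It ties the appsc0.log message quoted under Situation to the empty romaIDPDeviceXMLDoc attribute mentioned above: it extracts every device id the Administration Console could not resolve, reads an LDIF export of the configuration store, and flags entries whose XML document attribute is missing or empty. The LDIF layout (DNs of the form cn=idp-..., the objectClass, and the second, healthy entry) is constructed for the example; the real configuration-store schema is not documented here, and only the attribute name romaIDPDeviceXMLDoc and the log message format come from the TID.

```python
"""Triage helper (added example): correlate 'Could not find idp-...' messages
from appsc0.log with device entries in an LDIF export of the configuration
store and flag entries whose romaIDPDeviceXMLDoc attribute is empty.

Assumption (constructed, not the real schema): each device entry's DN
contains the device id, e.g. cn=idp-F767343F2D1C4412,...
"""
import base64
import re

# Message format as quoted in the TID's appsc0.log excerpt.
MISSING_DEVICE_RE = re.compile(r"Could not find (idp-[0-9A-Fa-f]+)")
XML_ATTR = "romaIDPDeviceXMLDoc"


def missing_device_ids(log_text):
    """Device ids the Administration Console failed to resolve, in log order."""
    seen = []
    for dev in MISSING_DEVICE_RE.findall(log_text):
        if dev not in seen:
            seen.append(dev)
    return seen


def parse_ldif(ldif_text):
    """Minimal LDIF reader returning a list of (dn, {attr: [values]}).
    Handles folded continuation lines, '::' base64 values and comments."""
    entries = []
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            m = re.match(r"([A-Za-z][\w;.-]*)(::?)\s*(.*)$", line)
            if not m:
                continue
            name, sep, value = m.groups()
            if sep == "::" and value:
                value = base64.b64decode(value).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def check_device_entries(entries, device_ids, xml_attr=XML_ATTR):
    """Map each device id to findings: 'ok', an empty/missing XML document
    attribute (the corruption described in the TID), or no entry at all."""
    findings = {}
    for dev in device_ids:
        # Constructed assumption: the device id appears in the entry's DN.
        matches = [(dn, attrs) for dn, attrs in entries if dev in dn]
        if not matches:
            findings[dev] = ["no configuration-store entry found for this device id"]
            continue
        results = []
        for dn, attrs in matches:
            if any(v.strip() for v in attrs.get(xml_attr, [])):
                results.append("ok: %s" % dn)
            else:
                results.append("%s missing or empty on %s" % (xml_attr, dn))
        findings[dev] = results
    return findings


def triage(log_text, ldif_text):
    """Run the whole check: log excerpt plus LDIF export -> findings per device id."""
    return check_device_entries(parse_ldif(ldif_text), missing_device_ids(log_text))


# Log line exactly as quoted in the TID.
SAMPLE_LOG = (
    "222(D)2010-03-17T13:58:48Z(L)application.sc.core(T)16(C)com.volera.vcdn."
    "application.sc.core.DeviceManager(M)getNIDSServerContext(Msg)<amLogEntry> "
    "2010-03-17T09:58:48Z SEVERE DeviceManager: AM#100902096: Error - "
    "Could not find idp-F767343F2D1C4412 </amLogEntry>\n"
)

# Constructed LDIF export: the first entry reproduces the empty attribute from
# the TID, the second is a healthy entry with a base64 ("::") XML document.
SAMPLE_LDIF = """\
dn: cn=idp-F767343F2D1C4412,ou=constructed,o=example
objectClass: top
romaIDPDeviceXMLDoc:

dn: cn=idp-0A1B2C3D4E5F6071,ou=constructed,o=example
objectClass: top
romaIDPDeviceXMLDoc:: PGRldmljZS8+
"""

if __name__ == "__main__":
    for dev, results in triage(SAMPLE_LOG, SAMPLE_LDIF).items():
        for line in results:
            print(dev, "->", line)
```

Run against a real appsc0.log and an LDIF export of the configuration store by replacing the two constructed samples; a device id reported as missing or empty is the entry to look for under Devices with Corrupt Data Store Entries before opening a service request.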