TFIM federated SSO logins are failing. The WebSphere SystemOut and SystemErr contain an error message HPDBA0287E, FBTSTS012E, or HPDIA0100E and free form text indicating a problem talking to the TAM servers or that an incorrect username and password was used. This prevents TFIM from generating tokens or from providing the Point of Contact with the users credential.
The most common cause is the certificate that the TFIM runtime uses to talk to the TAM environment with the TAM JRTE API is expired or incorrect. The application is no longer able to establish SSL communication with the IVACLD or Policy Server. A TAMeB Java application by default will attempt to renew its certificate once it reaches half-life. This attempt is only made when the TFIM runtime is restarted or the configuration is reloaded. The life time of the certificate is defined in the Policy Server when the TFIM application was configured. The attribute is in the Policy Server's [ssl] stanza,
# SSL certificate lifetime in days.
# This parameter is set by the mgrsslcfg utility.
ssl-cert-life = 365
and is set when the Policy Server is configured. In TAM 5.1, the default is 365 days. In TAM 6.0.0/6.1.0/6.1.1, the default is 1460 (4 years). It may be manually changed, but requires a restart of the Policy Server. This value is not increased when upgrading from TAM 5.1. If this value is changed after the TFIM runtime is configured the old certificate will still expire on the previous value, unless the TFIM runtime is reconfigured.
Resolving the problem
This is an easy thing to resolve and will not remove any existing TFIM federations or other configurations. This may cause a brief outage for all federations, when the TFIM runtime reloads.
The fix is to go to Domain Management -> Runtime Node Management select all the nodes, click unconfigure. This will prompt for the password for the configured user account in the Domain properties. Once this completes dismiss the option to reload the runtime for now and select all the nodes again, and press the configure button. This will again prompt for the password. Once this completes press the load configuration changes to Tivoli Federated Identity Manager runtime button and the runtime will start to use the new TAM API certificate and federations should start working again.
|Security||Tivoli Access Manager for e-business||Java Runtime|
|Security||Tivoli Federated Identity Manager Business Gateway|
|Security||Tivoli Federated Identity Manager for z/OS|
FIM TFIM TAM TAMeB AMJRTE ISAM
Rate this page:
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.