TFIM federated SSO logins fail. The WebSphere SystemOut and SystemErr logs contain an error message such as HPDBA0287E, FBTSTS012E or HPDIA0100E, free-form text indicating a problem talking to the TAM servers, or a message that an incorrect username and password were used. This prevents TFIM from generating tokens or from providing the Point of Contact with the user's credential.
The most common cause is that the certificate the TFIM runtime uses to talk to the TAM environment through the TAM JRTE API has expired or is incorrect. The application is then no longer able to establish SSL communication with the authorization server (IVACLD) or the Policy Server. By default a TAMeB Java application attempts to renew its certificate once the certificate reaches half-life, but this attempt is only made when the TFIM runtime is restarted or its configuration is reloaded. The lifetime of the certificate is defined in the Policy Server configuration at the time the TFIM application is configured. The attribute is in the Policy Server's [ssl] stanza:
# SSL certificate lifetime in days.
# This parameter is set by the mgrsslcfg utility.
ssl-cert-life = 365
and is set when the Policy Server is configured. In TAM 5.1 the default is 365 days; in TAM 6.0.0, 6.1.0 and 6.1.1 the default is 1460 days (4 years). The value may be changed manually, but the Policy Server must be restarted for the change to take effect. The value is not increased when upgrading from TAM 5.1. If the value is changed after the TFIM runtime has been configured, the existing certificate still expires according to the previous value unless the TFIM runtime is reconfigured.
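Because renewal only happens at half-life and only on a restart or reload, the practical check is to know the certificate's issue date and the ssl-cert-life value that applied when the runtime was configured, and to compute from those where the certificate stands. The following script is an added example and not part of the technote or of the TFIM product: it parses ssl-cert-life from a constructed [ssl] stanza excerpt (the TAM stanza format is INI-like, so configparser suffices for this key) and classifies a certificate as fine, past half-life (renewal pending a restart or reload) or expired. The issue dates are constructed sample values; in practice the administrator supplies the real issue date from the runtime's keystore.

```python
import configparser
from datetime import date, timedelta

# Constructed excerpt of a Policy Server configuration file (illustrative only;
# a real file contains many more stanzas and keys).
SAMPLE_POLICY_SERVER_CONF = """\
[ssl]
# SSL certificate lifetime in days.
# This parameter is set by the mgrsslcfg utility.
ssl-cert-life = 365
"""


def read_cert_life(conf_text: str) -> int:
    """Return ssl-cert-life (days) from the [ssl] stanza of stanza-format text."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return parser.getint("ssl", "ssl-cert-life")


def cert_status(issued_iso: str, cert_life_days: int, today_iso: str) -> dict:
    """Classify a TAM JRTE certificate from its issue date (ISO 8601) and the
    lifetime that applied when it was issued.

    - "ok": before half-life, nothing to do.
    - "renewal-pending": past half-life; the runtime renews it only at the next
      restart or configuration reload, so schedule one before expiry.
    - "expired": federated SSO logins fail until the runtime is reconfigured.

    cert_life_days must be the ssl-cert-life value in force when the runtime was
    configured: changing the stanza later does not extend an existing certificate.
    """
    issued = date.fromisoformat(issued_iso)
    today = date.fromisoformat(today_iso)
    expires = issued + timedelta(days=cert_life_days)
    # Half-life rounded down to whole days (date arithmetic ignores fractions).
    half_life = issued + timedelta(days=cert_life_days // 2)
    if today >= expires:
        state = "expired"
    elif today >= half_life:
        state = "renewal-pending"
    else:
        state = "ok"
    return {
        "expires": expires.isoformat(),
        "half_life": half_life.isoformat(),
        "days_left": (expires - today).days,
        "state": state,
    }


if __name__ == "__main__":
    life = read_cert_life(SAMPLE_POLICY_SERVER_CONF)
    # Constructed issue date and check dates for a TAM 5.1-style 365-day certificate.
    for today in ("2023-03-01", "2023-07-15", "2024-01-01"):
        print(today, cert_status("2023-01-01", life, today))
```

Running the check periodically (for example from a monitoring job) surfaces the "renewal-pending" state early, so a planned runtime reload can renew the certificate instead of an outage forcing the unconfigure/configure procedure described below.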
Resolving the problem
This is easy to resolve and does not remove any existing TFIM federations or other configuration. It may cause a brief outage for all federations while the TFIM runtime reloads.
The fix is as follows.
1. Go to Domain Management -> Runtime Node Management, select all the nodes and click Unconfigure. You are prompted for the password of the user account configured in the Domain properties.
2. When unconfiguration completes, dismiss the option to reload the runtime for now.
3. Select all the nodes again and click Configure. You are prompted for the password again.
4. When configuration completes, click the "Load configuration changes to Tivoli Federated Identity Manager runtime" button. The runtime then starts using the new TAM API certificate and federations should start working again.
This process only updates the internal certificate that TFIM uses to talk to the Access Manager servers; no other configuration is changed.
Applies to:
Security | IBM Security Access Manager for Web | Java Runtime
Security | Tivoli Federated Identity Manager Business Gateway
Security | Tivoli Federated Identity Manager for z/OS
Keywords: FIM, TFIM, TAM, TAMeB, AMJRTE, ISAM