IBM Support

Risk-based access: Deployment failure

Troubleshooting


Problem

The deployment of risk-based access with the manageRbaConfiguration {-operation deploy} command fails.

Symptom

(1) An explicit success message is not displayed. After you deploy risk-based access by using the manageRbaConfiguration {-operation deploy} command, an explicit success message might not be displayed on the wsadmin console. If an explicit success message is not displayed, the deploy operation must be considered unsuccessful.

(2) The policy evaluation fails. When risk-based access deployment fails, the policy evaluation might sometimes return errors. These errors occur because values are missing for the parameters that are calculated by the risk-based access PIP implementations. You can see these errors in the external authorization service (EAS) trace log, if it is enabled, and in the WebSphere Application Server logs.

(3) If you are using the embedded solidDB database, after you restart your system, you might get errors that the database is not available when you start an application that uses risk-based access.

Resolving The Problem

(1) If you do not get a success message after deployment, check the WebSphere Application Server trace files for possible exception information.

(2) If the policy evaluation fails, check the following file:
/was_profile_root/config/cells/<cell-name>/rtss/security-services.xmi
The content of this file must match the content of the following file:
/fim_install_dir/rba/rtss/security-services-template.xmi
If it does not match, copy the content of the template file into the file under the was_profile_root hierarchy, and then restart WebSphere Application Server.

(3) If you are using the default embedded database option, risk-based access deployment creates and starts up the initial embedded database instance. However, when the system is restarted, risk-based access attempts to automatically start the embedded database instance only when the attribute collection REST service is accessed.

This service is usually automatically accessed when the external client applications have embedded the risk-based access Attribute Capture JavaScript module, and the user tries to load an application page which launches execution of this client-side JavaScript code.

When the Attribute Capture module has not yet been set up, the embedded database remains in SHUTDOWN state unless it is manually started. For example, if the user launches the IBM Tivoli Federated Identity Manager Federated First Steps wizard for the very first time, after restarting the machine, failures are reported by the application due to unavailability of the database.

To resolve this issue, you must manually start the embedded solidDB database by running the following command:

fim_install_dir/rba/solidDB/bin/<OS type>/solid -U RBA_DB -C RBA_DB -xdisableallmessageboxes -xhide -c fim_install_dir/rba/solidDB/RBA_DB

After you manually start the database, restart WebSphere Application Server, and then launch the IBM Tivoli Federated Identity Manager Federated First Steps wizard.
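
For step (2) above, the comparison and copy can be scripted so that the mismatched file is preserved before it is overwritten. This is an added example, not an IBM-supplied script; the function name, return codes, and backup file naming are assumptions, and the two paths are passed in by the operator.

```shell
#!/bin/sh
# Added example: compare the deployed RTSS configuration with the shipped
# template and restore it from the template when the two differ.
# Function name, return codes, and backup naming are assumptions.

# sync_rtss_config <deployed security-services.xmi> <security-services-template.xmi>
# Returns: 0 = already identical, 10 = replaced (restart required), 1 = error.
sync_rtss_config() {
    deployed=$1
    template=$2

    if [ ! -r "$template" ]; then
        echo "template not readable: $template" >&2
        return 1
    fi
    if [ ! -f "$deployed" ]; then
        echo "deployed file missing: $deployed" >&2
        return 1
    fi

    # Byte-for-byte comparison; the contents of the two files must match.
    if cmp -s "$deployed" "$template"; then
        echo "match: $deployed"
        return 0
    fi

    # Keep the mismatched file so the difference can be reviewed later.
    backup="$deployed.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$deployed" "$backup" || return 1

    # Overwrite the contents in place so the file keeps its owner and mode.
    cat "$template" > "$deployed" || return 1

    # Confirm the copy before telling the operator to restart.
    cmp -s "$deployed" "$template" || return 1
    echo "replaced from template (backup: $backup); restart WebSphere Application Server"
    return 10
}

# Usage, with the page's path placeholders supplied as environment variables:
# sync_rtss_config \
#   "$WAS_PROFILE_ROOT/config/cells/$CELL_NAME/rtss/security-services.xmi" \
#   "$FIM_INSTALL_DIR/rba/rtss/security-services-template.xmi"
```

A return code of 10 means the deployed file was replaced and WebSphere Application Server still has to be restarted for the change to take effect.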

Product: Tivoli Federated Identity Manager
Version: 6.2.2
Platform: AIX, Linux, Windows
Business Unit: Security
Line of Business: Security Software

Document Information

Modified date:
16 June 2018

UID

swg21620526