IBM Support

IBM Security Directory Server 6.4 Known Issues

Troubleshooting


Problem

This technical note lists the known issues with IBM Security Directory Server, Version 6.4.

Symptom

Installation wizard allows only one option to be selected for post-installation launch

When you install multiple offerings together, the launchers from each offering are represented as parallel options in the installation summary page after successful installation. One offering can have multiple launchers. However, you can select only one program to be launched when you click Finish. This is as per the current design of IBM Installation Manager.

To work around this limitation, you must manually start any other programs that you require post-installation.


Unable to install IBM Security Directory Server, Version 6.4 using IBM Installation Manager, Version 1.7

The following error appears when you try to install:

  • java.lang.UnsupportedClassVersionError: JVMCFRE003 bad major version; class=com/ibm/security/directoryserver/installer/ui/panels/DB2Panel, offset=6


This error occurs because the IBM Security Directory Server, Version 6.4 installer is built by using IBM SDK Java™ Technology Edition, Version 7. However, IBM Installation Manager, Version 1.7 runs with IBM SDK Java™ Technology Edition, Version 6.

To resolve this issue, you must upgrade IBM Installation Manager to Version 1.8 and then try to install IBM Security Directory Server, Version 6.4.


Config utilities fail to configure an instance with advanced options, such as table space, on UNIX operating systems

Config utilities, such as Instance Administration Tool and Instance Configuration Tool, fail on UNIX platforms when you use them with advanced options, such as table space container.

The following error messages might be displayed on the config utilities result screen:

  • Updating the database: <inst_name>
    Failed to update the database: <inst_name>
    Removing database: <inst_name>
    Stopping database manager for the database instance: <inst_name>
    Stopped database manager for the database instance: <inst_name>
    Failed to add database 'name' to directory server instance: <inst_name>
    The program did not complete successfully. View earlier error message for information about the exact error.


To resolve this issue, if you are trying to use the config utility, you must unconfigure the database. Then, use the command-line utility idscfgdb to configure the database with advanced options, such as table space.


Web Administration Tool displays the word "Version" in English even for non-English locales

The Web Administration Tool displays the version information of the configured instance when you are logged in on that instance. This information is displayed, for example, as Version: 6.4.0.0. However, the word "Version" is not translated and hence it is displayed in English irrespective of the locale specified in the browser settings.

This is a known issue with IBM Security Directory Server, Version 6.4. There is no workaround for this issue.


The idslogmgmt tool does not start on Windows 2008 and 2012 systems

To work around this issue, open the following file:

  • <tds_install_dir>/java/jre/lib/security/java.policy


Add the following lines to the file:

  • grant codeBase "file:C:/Program Files/IBM/TDI/V7.1.1/jars/3rdparty/IBM/derby*" {
    permission java.security.AllPermission;
    };


The idslogmgmt tool uses the IBM SDK Java™ Technology Edition that is packaged with IBM Security Directory Server and not IBM Security Directory Integrator.

For more information, see the technical note at http://www-01.ibm.com/support/docview.wss?uid=swg21450475


The deployment path for Web Administration Tool is disabled in IBM Installation Manager Modify wizard

This issue might occur if you installed IBM Security Directory Server (all features) by using IBM Installation Manager, and specified to deploy Web Administration Tool manually later. Then, if you uninstall Web Administration Tool and install it again by using the Modify wizard, the deployment path field is disabled. To work around this issue, toggle between the radio buttons. The deployment path field is now enabled for editing.


Bind request is not sent to supplier for failed password compare request

When the ReplicationSecurityAttributes feature is enabled, if there is a bad bind request on a read-only replica, the replica sends a bind request to its supplier to replicate the failure. However, for a compare request when the target is userPassword, if the result is false, no bind request is sent by the read-only replica.

This is a known issue with IBM Security Directory Server, Version 6.4.


Installation Manager cannot proceed because of a disk space issue

During installation, you might encounter disk space related errors on custom panels and the Installation Manager cannot proceed. To work around this issue, ensure that a minimum of 4GB free disk space is available on each of these listed file system partitions: /opt, /usr, /var, and /tmp, before you start installation. If all partitions are mounted on root /, then a minimum of 10GB free disk space must be available.


Log file contains installation errors

When IBM Security Directory Server is installed, some errors are reported in the log file, for example, "Error loading com.ibm.icu 4.4.2.v20110823 ..." These errors are not real and can be safely ignored.


Pass-through authentication (PTA) bind with Active Directory as the PTA server fails sometimes with PTA bind return code 89

This issue occurs intermittently and only when PTA is configured with Active Directory over SSL. To work around this issue, restart the pass-through authentication server.


Marginal performance degradation may occur for proxy server for add and modsn operations

This is currently a known issue in this release.


Performance may decrease when uploading records in audit database

The performance of idslogmgmt utility to upload the records in the audit database may decrease as time proceeds. This is currently a known issue in this release.


Dynamic reports do not display all records on last page

When you generate dynamic reports while the idslogmgmt tool is loading data into the audit database in parallel, the records on the last page from certain tables are not displayed. However, when more records are added to the last page, and the last page becomes the previous page, the records are displayed.

To work around this issue, generate the report after the loading is completed.


idscfgauditdb.cmd script hangs on Windows 2008 and Windows 2012

The idscfgauditdb.cmd script might hang indefinitely on Windows 2008 and 2012 operating systems when trying to create the audit database. If the script is run in verbose mode, it might hang when it encounters a command with a piped findstr in it.
For example:
net user   | findstr /I "\<!user!\>"  1>NUL


Windows Local Migration

The local migration from 6.3.1.23 to SDS 6.4 fails on Windows x86_64 (Windows Server 2008 R2, Windows Server 2012 R2).

Advanced password policy is applied to a user who does not have the userpassword attribute

Consider the following scenario:
a) Advanced password policy is enabled.
b) A user, userA, does not have an initial (first-time) password.
c) Another user, say transactadmin, has rights (sufficient ACLs) to modify userA's password.
d) transactadmin binds with its own credentials and tries to set the password of userA; the new password violates some of the password policy rules in Advanced password policy.

At step d), the password set operation fails with a "Constraint violation" error because Advanced password policy rules are violated.
Advanced password policy rules should not be applied for the first-time userpassword set operation of any backend user.
Note: The above scenario works correctly when other password policies are used and Advanced password policy is disabled.

Pass-through authentication returns different results for the idsldapcompare utility when the delete password plugin is enabled

PTA (without attribute mapping) is enabled.
When idsldapcompare is executed for a user who is not present on the authentication server, irrespective of whether the user is present on the PTA server:
- idsldapcompare returns "No such object" when the delpassword plugin is enabled.
- idsldapcompare returns Compare "false" when the delpassword plugin is disabled.
Note: The above scenario is not applicable to a PTA setup configured with attribute mapping.

If Advanced password policy is enabled and an LDAP user has the value cn=noPwdPolicy set in the ibm-pwdIndividualPolicyDN attribute, all the Advanced password policy rules are still applied to that user. This is a limitation.

With the latest Java versions, execution of the idsldapdiff utility and the JNDI tools fails on ISDS 6.4.0.18 when a bind is attempted on SSL ports
Problem:

If the server-side and client-side certificates generated for SSL communication have a DN that differs from the hostname parameter of the idsldapdiff utility or the JNDI tools, then:
1. For idsldapdiff, the communication fails with the following error (when the -sh and -ch parameters differ from the certificate DN):
    GLPJBP006E Error occurred while connecting to server: <hostname>: <SSLPort>=
    (ISDS 6.4.0.18 specific issue. Not applicable from ISDS 6.4.0.19 onwards)

2. The JNDI utilities (LDAPAdd/LDAPModify/LDAPSearch) fail to execute with the following error (when the -h parameter differs from the certificate DN):
     javax.net.ssl.SSLException: Connection has been shut down: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
    No name matching <hostname> found
    simple bind failed: <hostname>: <ssl_port>

Cause: Java versions from Java 8.0.5.20 onwards perform strict host name verification against the server certificate.
Solutions:
1. For the idsldapdiff error:
    A. Modify the idsldapdiff wrapper script to contain the following lines - (ISDS 6.4.0.18 specific changes. Not applicable from ISDS 6.4.0.19 onwards)
    Aix/Linux -
    Include the following line -
        JVM="${JVM} -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true "
    Just before this line -
        eval `echo ${JVM} ${IDS_JVM_PROPERTIES} ${PROGNAME}  '"$@"'`

    Final two lines of the script (with the change included) -
        JVM="${JVM} -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true "
        eval `echo ${JVM} ${IDS_JVM_PROPERTIES} ${PROGNAME}  '"$@"'`
    Windows -
    Include the following line -
        set JVM="%JVM% -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
    Just Before this line -
        "%JVM%" %IDS_TMP_PROG%  %*
    Final two lines of the script (with the change included) -
        set JVM="%JVM% -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true" 
        "%JVM%" %IDS_TMP_PROG%  %*
    With this change, host name verification is skipped for the connection, so the DNs of the server-side and client-side certificates no longer have to match the -sh and -ch parameters of idsldapdiff.

    B. Use certificates whose DN exactly matches the values given for the -sh and -ch parameters of the idsldapdiff utility (either the FQDN or the short hostname of the server or client, as appropriate).

2. For the JNDI tools, specify -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true when you run the JNDI client utilities, before the classpath argument, as follows:
    # ../../../java/bin/java -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true -classpath .:../../../javalib/TDSJNDIolkit.jar:../../../javalib/IBMLDAPJavaBer.jar com.ibm.ldap.bp.client.ldapadd.LDAPAdd -h <FQDN_of_ISDS_SERVER> -Z -K <Path_of_client_jks_file> -P <pwd> -Kt jks -Tk <Path_of_client_jks_file> -Tp <pwd> -Tt jks -D cn=root -w <ISDS_Primary_Admin_pwd> -p <SSL_Port>
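
Solution 1.B can be checked before the tools are run. The following added example (not IBM code) is a simplified model of strict host name verification: dNSName subject alternative names are compared first, the subject CN is used only when no dNSName is present, and * is accepted only as the whole leftmost label. The certificate dictionaries, host names and function names are constructed for illustration; the JVM's own checker remains authoritative.

```python
# Added example: simplified model of strict LDAPS host name verification.
# Certificates use the dict shape returned by ssl.SSLSocket.getpeercert().

def presented_names(cert):
    """dNSName SAN entries; the subject CN is used only when none exist."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' counts only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def host_accepted(host, cert):
    return any(name_matches(n, host) for n in presented_names(cert))

def preflight(hosts, certs):
    """hosts and certs are keyed by option ('-sh', '-ch' or '-h').
    Returns {option: names in the certificate} for every option whose
    value the corresponding certificate does not cover."""
    return {opt: presented_names(certs[opt])
            for opt, host in hosts.items()
            if not host_accepted(host, certs[opt])}

# Constructed sample certificates (not taken from any real server).
SUPPLIER_CERT = {
    "subject": ((("commonName", "ldap01.example.com"),),),
    "subjectAltName": (("DNS", "ldap01.example.com"),),
}
CONSUMER_CERT = {
    "subject": ((("organizationName", "Example"),),
                (("commonName", "ldap02"),)),
}

if __name__ == "__main__":
    certs = {"-sh": SUPPLIER_CERT, "-ch": CONSUMER_CERT}
    # Short name for the supplier, FQDN for the consumer: both are rejected.
    print(preflight({"-sh": "ldap01", "-ch": "ldap02.example.com"}, certs))
    # Names exactly as they appear in each certificate: nothing is rejected.
    print(preflight({"-sh": "ldap01.example.com", "-ch": "ldap02"}, certs))
```

An empty result means the values planned for -sh and -ch (or -h) already match the certificates, so the tools can run with host name verification left enabled.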

Documentation errata


Windows 32-bit client-only packages are not provided with IBM Security Directory Server, Version 6.4. However, the following documentation refers to Windows 32-bit client-only, which is not applicable:


There is a typographical error in the syntax provided on the following page:
http://www.ibm.com/support/knowledgecenter/SSVJJU_6.4.0/com.ibm.IBMDS.doc_6.4/c_tg_aix_other_env_var.html
MALLOCOPTIONS=multipheap must be changed to MALLOCOPTIONS=multiheap


Document Information

Modified date:
09 October 2019

UID

swg21692309