How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I troubleshoot common issues in IDM (All versions)?

Last updated Apr 8, 2021

The purpose of this article is to provide troubleshooting tips and answers to common issues in IDM.



Server Stopped in Background

When you start the server in the background without having disabled the text console, the job can stop immediately after startup:

$ ./startup.sh &
[2] 346
$ ./startup.sh
Executing ./startup.sh...
Using OPENIDM_HOME:   /path/to/idm
Using PROJECT_HOME:   /path/to/idm
Using OPENIDM_OPTS: -Xmx1024m -Xms1024m
Using LOGGING_CONFIG: -Djava.util.logging.config.file=/path/to/idm/conf/logging.properties
Using boot properties at /path/to/idm/resolver/boot.properties
->
[2]+ Stopped ./startup.sh

To resolve this problem, make sure you remove the /path/to/idm/bundle/org.apache.felix.shell.tui-1.4.1.jar before you start the server. Also remove the Felix cache files in /path/to/idm/felix-cache/.

The scr list Command Shows Sync Service As Unsatisfied

You might encounter this message in the logs:

WARNING: Loading configuration file /path/to/idm/conf/sync.json failed
org.forgerock.openidm.config.InvalidException: Configuration for org.forgerock.openidm.sync could not be parsed and may not be valid JSON : Unexpected character ('}' (code 125)): expected a value
 at [Source: java.io.StringReader@3951f910; line: 24, column: 6]
    at org.forgerock.openidm.config.crypto.ConfigCrypto.parse...
    at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt...
    at org.forgerock.openidm.config.installer.JSONConfigInstaller.setConfig...

This indicates a syntax error in /path/to/idm/conf/sync.json. After fixing your configuration, change to the /path/to/idm/ directory and use the cli.sh validate command to check that your configuration files are valid:

$ ./cli.sh validate
Executing ./cli.sh...
Starting shell in /path/to/idm
Using boot properties at /path/to/idm/resolver/boot.properties
...................................................................
[Validating] Load JSON configuration files from:
[Validating]     /path/to/idm/conf
[Validating] audit.json .................................. SUCCESS
[Validating] authentication.json ......................... SUCCESS
...
[Validating] sync.json ................................... SUCCESS
[Validating] ui-configuration.json ....................... SUCCESS
[Validating] ui-countries.json ........................... SUCCESS
[Validating] workflow.json ............................... SUCCESS

JSON Parsing Error

You might encounter this error message in the logs:

"Configuration for org.forgerock.openidm.provisioner.openicf could not be parsed and may not be valid JSON : Unexpected character ('}' (code 125)): was expecting double-quote to start field name"

The error message usually indicates the precise point where the JSON file has the syntax problem. The error above was caused by an extra comma in the JSON file, {"attributeName":{},{},}. The second comma is redundant.

This usually leaves the service that the specific JSON file configures in the unsatisfied state.

After fixing your configuration, change to the /path/to/idm/ directory and use the cli.sh validate command to check that your configuration files are valid:

$ ./cli.sh validate
Executing ./cli.sh...
Starting shell in /path/to/idm
Using boot properties at /path/to/idm/resolver/boot.properties
...................................................................
[Validating] Load JSON configuration files from:
[Validating]     /path/to/idm/conf
[Validating] audit.json .................................. SUCCESS
[Validating] authentication.json ......................... SUCCESS
...
[Validating] sync.json ................................... SUCCESS
[Validating] ui-configuration.json ....................... SUCCESS
[Validating] ui-countries.json ........................... SUCCESS
[Validating] workflow.json ............................... SUCCESS

Bad Connector Host Reference in Provisioner Configuration

You might see the following error when a provisioner configuration loads:

Wait for meta data for config org.forgerock.openidm.provisioner.openicf-hrdb

In this case the configuration fails to load because information is missing. One possible cause is an incorrect value for connectorHostRef in the provisioner configuration file.

For local Java® connector servers, the following rules apply:

  • If the connector .jar is installed as a bundle under /path/to/idm/bundle, then the value must be:  "connectorHostRef" : "osgi:service/org.forgerock.openicf.framework.api.osgi.ConnectorManager",
  • If the connector .jar is installed as a connector under /path/to/idm/connectors, then the value must be: "connectorHostRef" : "#LOCAL",
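The following pre-start check is an added example, not ForgeRock code. It covers both the JSON parsing error and the connectorHostRef rules above: it parses each provisioner file strictly, then compares connectorHostRef with where the connector .jar is installed. It assumes that connectorHostRef and bundleName sit inside the connectorRef object, that the jar file name starts with bundleName, and that the files are named conf/provisioner.openicf-*.json; the function names and the sample values are constructed.

```python
import json
from pathlib import Path

# The two values the article lists for local Java connector servers.
OSGI_REF = "osgi:service/org.forgerock.openicf.framework.api.osgi.ConnectorManager"
LOCAL_REF = "#LOCAL"


def check_provisioner(text, bundle_jars, connector_jars):
    """Return a list of problems for one provisioner configuration body.

    bundle_jars / connector_jars: file names found under bundle/ and connectors/.
    """
    try:
        cfg = json.loads(text)  # strict JSON: a trailing comma is an error
    except json.JSONDecodeError as err:
        return [f"invalid JSON at line {err.lineno}, column {err.colno}: {err.msg}"]
    if not isinstance(cfg, dict):
        return ["top level is not a JSON object"]
    # Assumption: both keys live in "connectorRef"; jar name starts with bundleName.
    ref = cfg.get("connectorRef") or {}
    name, host = ref.get("bundleName"), ref.get("connectorHostRef")
    if not name:
        return ["connectorRef.bundleName is missing"]
    if any(j.startswith(name) for j in bundle_jars):
        expected = OSGI_REF
    elif any(j.startswith(name) for j in connector_jars):
        expected = LOCAL_REF
    else:
        return [f"no jar for {name} under bundle/ or connectors/"]
    if host != expected:
        return [f"connectorHostRef is {host!r}, expected {expected!r}"]
    return []


def scan(idm_home):
    """Check every conf/provisioner.openicf-*.json under an IDM install."""
    home = Path(idm_home)
    bundles = [p.name for p in (home / "bundle").glob("*.jar")]
    connectors = [p.name for p in (home / "connectors").glob("*.jar")]
    return {p.name: check_provisioner(p.read_text(), bundles, connectors)
            for p in sorted((home / "conf").glob("provisioner.openicf-*.json"))}


if __name__ == "__main__":
    # Constructed sample: jar installed under bundle/, config says "#LOCAL".
    sample = '{"connectorRef": {"bundleName": "org.example.hr-connector", "connectorHostRef": "#LOCAL"}}'
    print(check_provisioner(sample, ["org.example.hr-connector-1.0.jar"], []))
```

Run scan("/path/to/idm") before starting the server; an empty list for a file means its syntax and connectorHostRef are consistent with the installed jar location.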

Missing Name Attribute

In this case, the situation in the audit recon log shows "NULL".

A missing name attribute error, followed by an IllegalArgumentException, points to misconfiguration of the correlation rule, with the correlation query pointing to the external system. Such queries usually reference the "name" field which, if empty, leads to the error below:

Jan 20, 2012 1:59:58 PM org.forgerock.openidm.provisioner.openicf.commons.AttributeInfoHelper build
SEVERE: Failed to build name attribute out of [null]
Jan 20, 2012 1:59:58 PM org.forgerock.openidm.provisioner.openicf.impl.OpenICFProvisionerService query
SEVERE: Operation [query, system/ad/account] failed with Exception on system object: java.lang.IllegalArgumentException: Attribute value must be an instance of String.
Jan 20, 2012 1:59:58 PM org.forgerock.openidm.router.JsonResourceRouterService handle
WARNING: JSON resource exception
org.forgerock.json.resource.JsonResourceException: IllegalArgumentException
    at org.forgerock.openidm.provisioner....OpenICFProvisionerService.query...
    at org.forgerock.openidm.provisioner.....OpenICFProvisionerService.handle...
    at org.forgerock.openidm.provisioner.impl.SystemObjectSetService.handle...
    at org.forgerock.json.resource.JsonResourceRouter.handle...

Check your correlationQuery. Another symptom of a broken correlation query is that the audit recon log shows a situation of "NULL", and no onCreate, onUpdate or similar scripts are executed.

See Also

Troubleshooting IDM

Connector Developer's Guide › Troubleshooting Connectors

Synchronization Guide › Troubleshooting LiveSync Failures

Password Synchronization Plugin Guide › Troubleshoot Password Synchronization


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.