Skip to Content

URL "http://<host>:<port>/idm/admin" brings "Service is down" message (IdM 7.2)

Hello community,

I need your help again, another "little" problem just won't go away quietly.

My problem:

It's pretty simple really... when I call http://<host>:<port>/idm/admin in our (prod) portal 7.3, I get the following:

What's not right with this picture is, the status of the IdM applications in the NWA look like this:

The NWA clearly thinks, the services are running (except for the one that's not needed). I even stopped and started them several times, but the message just won't change (except when I stopped the IDM Data Source, then I got a nice big error).

Some comments:

1. I know that the action idm_monitoring_administration is needed. It's added to a role named idm.monitoring and that role is assigned to my user.

2. My user has also IdM admin rights.

3. We have a test portal with the same release and SP versions, same action-role-user-combo, same status in the NWA and it's working just fine on that system.

My question:

Why is the service down and more important: how do I get it running? Is there another place I need to start something, too? I read the doc Installing and configuring the Identity Management User Interface (page 30 "Access to Monitoring ("Monitoring" tab)" is the thing I'm talking about here) and there is no mention of starting something to use that tab/service.

I just don't know where to look anymore.  Help, please. πŸ˜•

ScreenShot260.jpg (10.7 kB)
ScreenShot261.jpg (16.6 kB)
Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

4 Answers

  • Best Answer
    Nov 15, 2012 at 12:39 PM

    Hello guys,

    so I'm back with more news.


    Indeed I found something in the logs:

    retrieveGlobalConstants[EXCEPTION]com.sap.idm.jmx.exceptions.IdmException:
    No permission to view configuration data at com.sap.idm.jmx.impl.SAP_ITSAM_IDM_Service_ConfigChangeImpl.retrieveGlobalConstants(SAP_ITSAM_IDM_Service_ConfigChangeImpl.java:537)at com.sap.idm.jmx.impl.SAP_ITSAM_IDM_Se...

    And another thing, too:

    I logged on with the standard "administrator"-account (UME-user) and you won't believe it, that one worked.
    Which confuses me even more, because my account has  (among others) the superadmin-role and the administrator-role AND is a member of the administrators-group.

    So I tested with a simple ume-user, which has just the everyone-role assigned. I gave it the superadmin-role, too and the idm.authenticated and idm.monitoring-role and... that one can call the monitoring-tab, too!

    But my LDAP-account with the same rights can't. At least in the prod portal, because in the testsystem it's working. I'm just... -.-

    So it IS a problem with the priviledges (yay for the misleading message), but I just don't know WHAT is missing. I even compared my priviledges from test- and prod-portal and everything I have assigned in the testportal I also have assigned in the prod-system.

    Has anybody any ideas left? I don't want to log out from the portal and log in with an UME-account just to be able to see that monitoring tab (and I'm pretty sure my colleague thinks like that, too).

    Regards,

    Steffi.

    EDIT

    After a lot of account copying and testing with UME and LDAP accounts it's safe to say: it's something about my account.

    Tried with another LDAP account of mine: works

    Copied my LDAP account to a UME account: works

    Copied my LDAP account to a test LDAP account: works

    Obviously it's nothing general, though I don't understand what's causing this chaos. πŸ˜• BUT I have a solution/workaround, so there's that at least.

    I'll talk to my colleague next week (who has the same problem) and we'll try to kind of re-create our LDAP accounts, since that seems the way to go here.

    Thank you all for your help on this. 😊

    Regards,

    Steffi.

    Message was edited by: Steffi Warnecke

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Nov 14, 2012 at 03:38 AM

    I guess the problem is with the data source nameΒ  - Your datasource name should be "IDM_DataSource"Β  , please check and give a try.

    Thanks ,

    Dev

    Add comment
    10|10000 characters needed characters exceeded

    • Nope, I didn't change anything in the properties.

      F5 didn't work, but at least that made me grin. πŸ˜€

      I'll check the logs tomorrow. For today, I had enough.

      Thank you guys for your help so far!

  • Jul 30, 2013 at 11:38 AM

    Hi Steffi,

    It is possible on a production system to have your user in two different places (i.e. UME and Active Directory). If it is so, you should remove one of the registrations and this will resolve your problem.

    Best regards,

    Ivan

    Add comment
    10|10000 characters needed characters exceeded

    • I had tested that, too (see the edit in the big green post πŸ˜‰) and with a new ume-user (that had just very little permissions) and even a new ldap-user (copy of mine) it worked perfectly. It was just a problem with this particular account and the one of my colleague, too. That's why I was so confused. ^^

      But as I said, now it works with both accounts. 😊

  • avatar image
    Former Member
    Oct 25, 2013 at 08:58 PM

    Hello Everyone.

    I know that this post is quite old, but perhaps this information will prove useful to someone.

    I have had exaclty the same issue and it occured, that I actually have had too much authorizations.

    In my case however, it was not about UME authorizations, but Identity Store authorizations, where I have had following privilege assigned (amongst others):

    MX_PRIV:WD:TAB_TRACE

    When I removed this priv from my user in Identity Center, suddently Admin page loaded properly.

    I hope that helps someone.

    Kind Regards,

    Darek.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Clotilde Martinez

      Hello Clotilde,

      I have read Your reply and I have set the MX_TRACE_RT to FALSE (I had it set to TRUE), but it didn't solve the issue. But Your post pointed me to the Trace privilege. Removing it from my user made me able to use the admin panel.

      And, as Steffi has noticed, this is actually just a workaround, as it makes me unable to use the Trace functionality from the UI.

      Do You see the "Trace" tab in Admin panel after setting the MX_TRACE_RT constant to FALSE?

      Kind Regards,

      Darek.