000033406 - RSA Identity Governance and Lifecycle IBM Lotus Notes (Domino) collector does not collect group data.

Document created by RSA Customer Support Employee on Oct 4, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000033406
Applies To:
RSA Product Set: Identity Management and Governance
RSA Version/Condition: 6.9.1, 7.0.0, 7.0.1
Product Name: RSA Identity Governance and Lifecycle
 
 
Issue
The RSA Identity Governance and Lifecycle IBM Lotus Notes (Domino) collector collects user information but does not collect group data.
The following error message is found in the aveksaServer.log (/home/oracle/wildfly-8.2.0.Final/standalone/log/aveksaServer.log) file.

06/09/2016 19:25:09.374 WARN  (ApplyChangesRegularThread-255) [com.aveksa.collector.lotusnotes.CollectorUtil] NotesException: 
Session closed due to communications failure
NotesException: Session closed due to communications failure
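
To check a copy of aveksaServer.log for this signature, including the case shown above where the message wraps onto the following lines, a small scanner can be used. This is an added example, not RSA code; the entry layout in the regular expression is an assumption inferred from the single log line quoted in this article, and the INFO lines in the sample are constructed.

```python
import re

# Header of a log entry, assumed from the line quoted in this article:
# "<date> <time> <LEVEL>  (<thread>) [<logger>] <message>"
ENTRY = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\((?P<thread>[^)]*)\)\s+\[(?P<logger>[^\]]+)\]\s*(?P<msg>.*)$"
)
LOGGER = "com.aveksa.collector.lotusnotes.CollectorUtil"
SIGNATURE = "Session closed due to communications failure"


def find_session_failures(lines):
    """Return one record per log entry from the Lotus Notes collector that
    carries the session-closed signature, joining wrapped continuation lines."""
    entries, current = [], None
    for raw in lines:
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            current = m.groupdict()
            entries.append(current)
        elif current is not None and line:
            # No timestamp header: continuation of the previous entry.
            current["msg"] = (current["msg"] + " " + line).strip()
    return [e for e in entries if e["logger"] == LOGGER and SIGNATURE in e["msg"]]


# Sample input: the WARN entry is the one quoted in this article; the two
# INFO lines are constructed filler with a made-up logger name.
SAMPLE = """\
06/09/2016 18:20:01.120 INFO  (Worker-1) [com.example.Constructed] constructed: collection started
06/09/2016 19:25:09.374 WARN  (ApplyChangesRegularThread-255) [com.aveksa.collector.lotusnotes.CollectorUtil] NotesException:
Session closed due to communications failure
NotesException: Session closed due to communications failure
06/09/2016 19:25:10.002 INFO  (Worker-1) [com.example.Constructed] constructed: collection finished
""".splitlines()

if __name__ == "__main__":
    for hit in find_session_failures(SAMPLE):
        print(hit["ts"], hit["thread"], hit["msg"])
```

The timestamp is kept as a string because the article does not state whether the log uses day/month or month/day order.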

Cause
By default, the IBM Lotus Notes (Domino) server imposes a 60-minute idle timeout on all client connections. If the Lotus Notes server does not detect a new request on an existing authenticated client session within a 60-minute window, it invalidates the connection. The RSA Via L&G collector uses the IBM Lotus Notes Java API layer to establish a connection to the IBM Lotus Notes server, first to download the list of users and then to download the list of user groups. The API treats the request for the list of users as a single request. If retrieving the entire list of IBM Lotus Notes users takes longer than 60 minutes, the retrieval of the users completes, but the session is invalidated and the subsequent request for the user groups fails.
The following versions are susceptible to this issue.
  • RSA Identity Governance and Lifecycle 6.9.1 patch P15 or earlier,
  • RSA Identity Governance and Lifecycle 7.0.0 patch P03 or earlier, and
  • RSA Identity Governance and Lifecycle 7.0.1 GA release version.
Resolution
An additional connection pool refresh has been implemented after the user collection has completed and before the group collection is started, to ensure that the connection is valid.
This fix is available in the following patches for RSA Identity Governance and Lifecycle.  
  • RSA Identity Management and Governance 6.9.1 patch P16 or later,
  • RSA Via Lifecycle and Governance 7.0.0 patch P04 or later, and
  • RSA Identity Governance and Lifecycle 7.0.1 patch P01 or later.
 
Workaround
Increase the IBM Lotus Notes Idle Session Timeout to a value, in minutes, longer than the time required to collect the IBM Lotus Notes user data. Consult your IBM Lotus Notes documentation for more information on this setting.
  1. Log in to the Domino Admin Console with a valid admin name and password.
  2. Click on the Configuration tab.
  3. In the left pane, select Server from the list.
  4. In the left pane, select Current Server Document.
  5. Select the Internet Protocols tab.
  6. Select the DIIOP tab.
  7. Set the Idle Session Timeout (the default value is 60 minutes).

The RSA Lotus Notes Account Data Collector performs best when the RSA Identity Governance and Lifecycle server is local to the IBM Lotus Notes server. If the server is remote and the connection has high latency, consider installing a remote agent to reduce the collection time.
