000035560 - RSA SecurID Access Error: Unsuccessful publish to cloud service

Document created by RSA Customer Support Employee on Oct 4, 2017
Version 1

Article Content

Article Number: 000035560
Applies To: RSA Product Set: SecurID Access
 
Issue: When attempting to publish changes in the SecurID Access Cloud Admin Console, the following error occurs:
 
Successful publish to identity routers. Unsuccessful publish to cloud service
 

 

  1. Navigate to Platform > Identity Routers > Edit > View Log.
The following errors will be displayed:  

ERROR com.symplified.commons.appliance.models.policyengine.AppliancePolicyOwner[190] - Error occurred loading user stores for an appliance policy owner. User store '036f3543-f58d-4a0e-8e06-bcb3d5de39db' had no cooresponding user store. 
ERROR com.symplified.commons.appliance.models.policyengine.AppliancePolicyOwner[190] - Error occurred loading user stores for an appliance policy owner. User store 'X-Corp' had no corresponding user store. 
ERROR com.symplified.commons.appliance.models.policyengine.AppliancePolicyOwner[190] - Error occurred loading user stores for an appliance policy owner. User store '<long_guid>' had no coresponding user store.


Note that "X-Corp" is the name of the customer's configured identity source.
 
Cause: A single identity source was defined with two directory servers, both pointing to the same LDAP server and with each assigned to a different IDR cluster. This is an invalid method of defining identity sources for multiple IDR clusters.
Resolution: Two options are available to resolve this issue:
  • Edit one of the identity source's directory server definitions and change the Server field to a different directory host name or IP address.
  • Remove one of the directory server definitions from the identity source. Create a second identity source and define the same directory server, but point it to the IDR cluster not used by the original identity source.
As an example:
  1. Create a new identity source named Cluster 1, pointing to ldap.corp.com and mapped to IDR cluster #1. The IDRs in cluster #1 have static host entries that map ldap.corp.com to a specific IP in data center 1. 
  2. Create another identity source named Cluster 2, also pointing to ldap.corp.com but mapped to IDR cluster #2. The IDRs in cluster #2 have static host entries that map ldap.corp.com to a specific IP in data center 2.
  3. Remove the original invalid identity source.
  4. Lastly, update all applications and policies to use both identity sources. Publish should now be successful. 
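
The rule behind the cause and both resolution options can be checked before publishing. The following is an added example, not RSA code: a Python check over a hand-built inventory of identity sources. The dictionary layout, the key names `name`, `directory_servers`, `server` and `cluster`, and the host `ldap-dc2.corp.example` are assumptions made for this example.

```python
from collections import defaultdict


def normalize_host(host):
    """Hostnames are case-insensitive; also ignore a trailing root dot."""
    return host.strip().lower().rstrip(".")


def find_invalid_sources(identity_sources):
    """Return {source name: {host: [clusters]}} for every identity source whose
    directory servers reuse one host across different IDR clusters."""
    findings = {}
    for source in identity_sources:
        clusters_by_host = defaultdict(set)
        for ds in source["directory_servers"]:
            clusters_by_host[normalize_host(ds["server"])].add(ds["cluster"])
        reused = {h: sorted(c) for h, c in clusters_by_host.items() if len(c) > 1}
        if reused:
            findings[source["name"]] = reused
    return findings


# Constructed inventory: the invalid layout described under Cause.
# The second entry differs only in case, which must not hide the reuse.
INVALID = [{"name": "X-Corp", "directory_servers": [
    {"server": "ldap.corp.com", "cluster": "IDR cluster #1"},
    {"server": "LDAP.corp.com", "cluster": "IDR cluster #2"}]}]

# Constructed inventory: first option, one definition moved to another host.
OPTION_1 = [{"name": "X-Corp", "directory_servers": [
    {"server": "ldap.corp.com", "cluster": "IDR cluster #1"},
    {"server": "ldap-dc2.corp.example", "cluster": "IDR cluster #2"}]}]

# Constructed inventory: second option, one identity source per cluster.
OPTION_2 = [
    {"name": "Cluster 1", "directory_servers": [
        {"server": "ldap.corp.com", "cluster": "IDR cluster #1"}]},
    {"name": "Cluster 2", "directory_servers": [
        {"server": "ldap.corp.com", "cluster": "IDR cluster #2"}]}]

if __name__ == "__main__":
    for label, inventory in (("invalid", INVALID), ("option 1", OPTION_1),
                             ("option 2", OPTION_2)):
        print(label, find_invalid_sources(inventory) or "OK")
```

The same host may appear in two identity sources, as in the Cluster 1 / Cluster 2 example; only reuse inside a single identity source across clusters is flagged.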