7 Troubleshooting the IBM RACF Advanced Connector

These are some helpful tips to assist in resolving problems that you may encounter while using the connector.

Table 7-1 Troubleshooting Tips

Problem Description Solution

Oracle Identity Manager cannot establish a connection with the target system.

  • Ensure that the mainframe is running.

  • Verify that the required ports are working.

  • Due to the nature of the Provisioning Agent, the LDAP Gateway must be started first, and then the mainframe JCL started task must be started. This is a requirement based on how TCP/IP operates. Check that the IP address of the server that hosts the LDAP Gateway is configured in the Reconciliation Agent JCL.

  • Read the LDAP Gateway logs to determine if messages are being sent and received.

  • Examine the Oracle Identity Manager configuration to verify that the IP address, admin ID, and admin password are correct.

  • Check with the mainframe platform manager to verify that the mainframe user account and password have not been changed.

The mainframe does not appear to respond.

  • Check the connection information that you have provided in the IT resource and the acf2Connection.properties file.

  • Check the logs. If any of the mainframe JCL jobs have reached an abnormal end, then make the required corrections and rerun the jobs.

A particular use case does not work as expected.

Check for the use case event in the LDAP Gateway logs. Then check for the event in the specific log assigned to the connector:
  • If the event has not been recorded in either of these logs, then investigate the connection between Oracle Identity Manager and the LDAP Gateway.

  • If the event is in the log but the command has not had the intended effect on a mainframe user profile, then check the configuration and connections between the LDAP Gateway and the mainframe.

Verify that the message transport layer is working.

The LDAP Gateway fails and stops working.

If this problem occurs, then the Reconciliation Agent stops sending messages to the LDAP Gateway. Instead, it stores them in the subpool cache.

When this happens, restart the LDAP Gateway instance so that the Reconciliation Agent reads the subpool cache and resends the messages.

The LDAP Gateway is running. However, the Reconciliation Agent fails and stops working.

If this problem occurs, then all events are sent to the subpool cache. If the mainframe fails, then all messages are written to the disk.

When this happens, restart the Reconciliation Agent instance so that it reads messages from the disk or subpool cache and resends the messages.

Voyager is unable to connect to the LDAP.

  1. Can the LDAP server be pinged?
  2. Is the LDAP up?
  3. Is the LDAP listening on the correct port? It must match the value defined for PORT= on Voyager.
  4. Can the server where the LDAP resides ping Voyager?

Voyager abends: S306-30, or Pioneer abends: S306-30

Review all RACF definitions. This abend is caused by an incorrect definition.

Voyager or Pioneer abends other than S306-30 and SB37, SD37 or SE37

Open an Oracle SR and send the Voyager/Pioneer STC logs.

LDAP cannot connect to Pioneer.

  1. Verify that the listening port is correct on Pioneer. It must match the value defined for PORT=.
  2. Can the LDAP server ping Pioneer?
  3. Can Pioneer ping the server?

An ADDUSER, ALTUSER, ADDGROUP, or DELUSER command submitted by the LDAP fails.

It fails with SAF RC=8, RACF RC=8.

The RACF definitions for Pioneer are incorrect. Pioneer must have access to all irr.radmin.* functions.

No data in the Voyager subpool. No events are coming to the LDAP.

Verify that the three exits are up by issuing the "D PROG,EXIT" command. The command exit, "IRREVX01", should be active.