IBM Security Identity Manager Database How To

How to update ITIM MS SQL JDBC driver

Here is an example of what needs to be done for MSSQLJDBC v3

  1. Stop ITIM (IBM WebSphere Application Server V7.0)
  2. Stop SQL Server Agent (MSSQLSERVER), SQL Server (MSSQLSERVER)
  3. Copy sqljdbc_3.0.1301.101\xa\x64\sqljdbc_xa.dll to "x:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqljdbc_xa.dll"
  4. Start SQL Server Agent (MSSQLSERVER), SQL Server (MSSQLSERVER)
  5. Executed sqljdbc_3.0.1301.101\xa\xa_install.sql in the SQL Server Management studio
  6. Copy AND RENAME sqljdbc_3.0.1301.101\sqljdbc4.jar to "x:\Program Files\IBM\itim\lib\sqljdbc.jar"
  7. Start TIM

How to trim ITIM data manually to a specified time period

If for some reason you are averse to running

F:\Program Files\ibm\itim\bin\win\DBPurge.cmd -age <days>

Then run the following script

use itimdb
ALTER DATABASE itimdb SET RECOVERY SIMPLE
GO
DECLARE @yearsago datetime
SET @yearsago = dateadd(yy, -2, getdate())
RAISERROR ('Counting processes...', 0, 1) WITH NOWAIT
DECLARE @process_count int
SELECT @process_count = count(*) FROM ENROLE.PROCESS ps WHERE (COMPLETED IS NOT NULL  
   AND convert(datetime, substring(ps.completed, 1, 19)) < @yearsago)
   OR (COMPLETED IS NULL AND LASTMODIFIED IS NOT NULL
      AND convert(datetime, substring(ps.lastmodified, 1, 19)) < @yearsago)
WHILE @process_count > 0
    BEGIN 
        RAISERROR ('Processing 2000 processes of %i left', 0, 1, @process_count) WITH NOWAIT
        CHECKPOINT
        DELETE FROM ENROLE.PROCESSLOG WHERE PROCESS_ID IN
            (SELECT top 2000 ID FROM ENROLE.PROCESS ps WHERE (COMPLETED IS NOT NULL  
               AND convert(datetime, substring(ps.completed, 1, 19)) < @yearsago)
               OR (COMPLETED IS NULL AND LASTMODIFIED IS NOT NULL
                  AND convert(datetime, substring(ps.lastmodified, 1, 19)) < @yearsago))
        CHECKPOINT
        DELETE FROM ENROLE.PROCESSDATA WHERE PROCESS_ID IN
            (SELECT top 2000 ID FROM ENROLE.PROCESS ps WHERE (COMPLETED IS NOT NULL  
               AND convert(datetime, substring(ps.completed, 1, 19)) < @yearsago)
               OR (COMPLETED IS NULL AND LASTMODIFIED IS NOT NULL
                  AND convert(datetime, substring(ps.lastmodified, 1, 19)) < @yearsago))
        CHECKPOINT
        DELETE FROM ENROLE.WORKITEM WHERE PROCESS_ID IN
            (SELECT top 2000 ID FROM ENROLE.PROCESS ps WHERE (COMPLETED IS NOT NULL  
               AND convert(datetime, substring(ps.completed, 1, 19)) < @yearsago)
               OR (COMPLETED IS NULL AND LASTMODIFIED IS NOT NULL
                  AND convert(datetime, substring(ps.lastmodified, 1, 19)) < @yearsago))
        CHECKPOINT
        DELETE FROM ENROLE.PENDING WHERE PROCESS_ID IN
            (SELECT top 2000 ID FROM ENROLE.PROCESS ps WHERE (COMPLETED IS NOT NULL  
               AND convert(datetime, substring(ps.completed, 1, 19)) < @yearsago)
               OR (COMPLETED IS NULL AND LASTMODIFIED IS NOT NULL
                  AND convert(datetime, substring(ps.lastmodified, 1, 19)) < @yearsago))
        CHECKPOINT
        DELETE FROM ENROLE.PASSWORD_TRANSACTION WHERE PROCESS_ID IN
            (SELECT top 2000 ID FROM ENROLE.PROCESS ps WHERE (COMPLETED IS NOT NULL  
               AND convert(datetime, substring(ps.completed, 1, 19)) < @yearsago)
               OR (COMPLETED IS NULL AND LASTMODIFIED IS NOT NULL
                  AND convert(datetime, substring(ps.lastmodified, 1, 19)) < @yearsago))
        CHECKPOINT
        DELETE FROM ENROLE.WORKFLOW_CALLBACK WHERE PROCESS_ID IN
            (SELECT top 2000 ID FROM ENROLE.PROCESS ps WHERE (COMPLETED IS NOT NULL  
               AND convert(datetime, substring(ps.completed, 1, 19)) < @yearsago)
               OR (COMPLETED IS NULL AND LASTMODIFIED IS NOT NULL
                  AND convert(datetime, substring(ps.lastmodified, 1, 19)) < @yearsago))
        CHECKPOINT
        DELETE FROM ENROLE.ACTIVITY_LOCK WHERE PROCESS_ID IN
            (SELECT top 2000 ID FROM ENROLE.PROCESS ps WHERE (COMPLETED IS NOT NULL  
               AND convert(datetime, substring(ps.completed, 1, 19)) < @yearsago)
               OR (COMPLETED IS NULL AND LASTMODIFIED IS NOT NULL
                  AND convert(datetime, substring(ps.lastmodified, 1, 19)) < @yearsago))
        CHECKPOINT
        DELETE FROM ENROLE.ACTIVITY WHERE PROCESS_ID IN
            (SELECT top 2000 ID FROM ENROLE.PROCESS ps WHERE (COMPLETED IS NOT NULL  
               AND convert(datetime, substring(ps.completed, 1, 19)) < @yearsago)
               OR (COMPLETED IS NULL AND LASTMODIFIED IS NOT NULL
                  AND convert(datetime, substring(ps.lastmodified, 1, 19)) < @yearsago))
        CHECKPOINT
        DELETE FROM ENROLE.PROCESS WHERE ID IN
            (SELECT top 2000 ID FROM ENROLE.PROCESS ps WHERE (COMPLETED IS NOT NULL  
               AND convert(datetime, substring(ps.completed, 1, 19)) < @yearsago)
               OR (COMPLETED IS NULL AND LASTMODIFIED IS NOT NULL
                  AND convert(datetime, substring(ps.lastmodified, 1, 19)) < @yearsago))
        CHECKPOINT
        SELECT @process_count = count(*) FROM ENROLE.PROCESS ps WHERE (COMPLETED IS NOT NULL  
               AND convert(datetime, substring(ps.completed, 1, 19)) < @yearsago)
               OR (COMPLETED IS NULL AND LASTMODIFIED IS NOT NULL
                  AND convert(datetime, substring(ps.lastmodified, 1, 19)) < @yearsago)
    END
RAISERROR ('Processing reconciliations...', 0, 1) WITH NOWAIT
DECLARE @recon_count int
SELECT @recon_count = count(*) FROM ENROLE.RECONCILIATION rec WHERE STARTED IS NOT NULL AND rec.started < @yearsago
WHILE @recon_count > 0
    BEGIN 
        RAISERROR ('Processing 250 reconciliations of %i left', 0, 1, @recon_count) WITH NOWAIT
        CHECKPOINT
        DELETE FROM ENROLE.RECONCILIATION_INFO WHERE RECONID IN
            (SELECT top 250 RECONID FROM ENROLE.RECONCILIATION rec WHERE STARTED IS NOT NULL AND rec.started < @yearsago)
        CHECKPOINT
        DELETE FROM ENROLE.RECONCILIATION WHERE RECONID IN
            (SELECT top 250 RECONID FROM ENROLE.RECONCILIATION rec WHERE STARTED IS NOT NULL AND rec.started < @yearsago)
        CHECKPOINT
        SELECT @recon_count = count(*) FROM ENROLE.RECONCILIATION rec WHERE STARTED IS NOT NULL AND rec.started < @yearsago
    END
RAISERROR ('Processing remote services requests...', 0, 1) WITH NOWAIT
DECLARE @rsr_count int
SELECT @rsr_count = count(*) FROM enrole.REMOTE_SERVICES_REQUESTS WHERE request_id NOT IN (SELECT cast(id AS varchar (20)) FROM enrole.ACTIVITY)
WHILE @rsr_count > 0
    BEGIN 
        RAISERROR ('Clearing 2000 remote services requests of %i left', 0, 1, @rsr_count) WITH NOWAIT
        CHECKPOINT
        DELETE FROM enrole.REMOTE_SERVICES_REQUESTS WHERE REQUEST_ID IN
            (SELECT top 2000 REQUEST_ID FROM enrole.REMOTE_SERVICES_REQUESTS WHERE request_id NOT IN 
                (SELECT cast(id AS varchar (20)) FROM enrole.ACTIVITY))
        CHECKPOINT
        SELECT @rsr_count = count(*) FROM enrole.REMOTE_SERVICES_REQUESTS WHERE request_id NOT IN (SELECT cast(id AS varchar (20)) FROM enrole.ACTIVITY)
    END
RAISERROR ('Shrinking the database...', 0, 1, @rsr_count) WITH NOWAIT
DBCC SHRINKDATABASE(itimdb)

ALTER DATABASE itimdb SET RECOVERY FULL
GO

Also note that some events might not be properly cleaned up if they are broken and do not have a timestamp.

How to remove all non-completed processes and actions from TIM

Be aware that running the following also removes Aborted, Suspended, Scheduled and Terminated processes.

delete from enrole.PROCESSLOG where PROCESS_ID in (select ID from enrole.PROCESS where STATE <> 'C')
delete from enrole.PROCESSDATA where PROCESS_ID in (select ID from enrole.PROCESS where STATE <> 'C')
delete from enrole.WORKITEM where PROCESS_ID in (select ID from enrole.PROCESS where STATE <> 'C')
delete from enrole.PENDING where PROCESS_ID in (select ID from enrole.PROCESS where STATE <> 'C') 
delete from enrole.PASSWORD_TRANSACTION where PROCESS_ID in (select ID from enrole.PROCESS where STATE <> 'C')
delete from enrole.activity_lock where PROCESS_ID in (select ID from enrole.PROCESS where STATE <> 'C')
delete from enrole.ACTIVITY where PROCESS_ID in (select ID from enrole.PROCESS where STATE <> 'C')
delete from enrole.WORKFLOW_CALLBACK where PROCESS_ID in (select ID from enrole.PROCESS where STATE <> 'C')
delete from enrole.scheduled_message where REFERENCE_ID in (select ID from enrole.PROCESS where STATE <> 'C')
delete from enrole.PROCESS where STATE <> 'C'
delete from enrole.REMOTE_SERVICES_REQUESTS where request_id not in (select cast(id as varchar (20)) from enrole.ACTIVITY)
delete from ITIML000.SIB000
delete from ITIML000.SIB001
delete from ITIML000.SIB002
delete from ITIML000.SIBCLASSMAP
delete from ITIML000.SIBKEYS
delete from ITIML000.SIBLISTING
delete from ITIML000.SIBOWNER
delete from ITIML000.SIBXACTS

How to remedy the missing processes in the table

If you get something like "com.ibm.itim.workflow.engine.AssertionFailure: CTGIMA416E The following process cannot be found in the database. Process ID: 26233666218944200000" Caused by: com.ibm.itim.workflow.model.type.MissingEntity: CTGIMA416E The following process cannot be found in the database. Process ID: 26233666218944200000 Try doing this

 insert INTO PROCESS (ROOT_PROCESS_ID, ID, NAME, TYPE, DEFINITION_ID) values (26233666218944200000, 26233666218944200000, 'workaround', 'UC','NONE')
 insert INTO PROCESS (ROOT_PROCESS_ID, ID, NAME, TYPE, DEFINITION_ID) values (26233666218944200000, 26233666218944200000, 'workaround', 'UC','NONE')

Then investigate the missing processes further

How to analyze performance of an ITIM SQL server

You could leave a Performance Monitor (part of the SQL Server Management Studio) running overnight and then let it figure stuff out. Or you can do the following:

set showplan_all on 
go 
SELECT top 76 ID, ROOT_PROCESS_ID, PARENT_ID, PARENT_ACTIVITY_ID, NAME, TYPE, DEFINITION_ID, REQUESTER_TYPE, REQUESTER, REQUESTER_NAME, DESCRIPTION, PRIORITY, SCHEDULED, STARTED, COMPLETED, LASTMODIFIED, SUBMITTED, STATE, NOTIFY, REQUESTEE, REQUESTEE_NAME, SUBJECT, COMMENTS, RESULT_SUMMARY, TENANT, SUBJECT_PROFILE, SUBJECT_SERVICE, SUBJECT_ACCESS_ID, SUBJECT_ACCESS_NAME, SHORT_DETAIL, RESULT_DETAIL FROM enrole.PROCESS WHERE PARENT_ACTIVITY_ID = ######################## ORDER BY ID ASC 
go 
set showplan_all off 
go

You are interested to see how the columns of the showplan_all output that list the EstimatedIO, EstimatedCPU, and TotalSubtreeCost compare with the values seen in the sql profiler output.On a database on test servers that is very small compared to your database, for example the same query in sql profiler output shows an EstimatedIO value of 0.0046.

sqlcmd -Q "DBCC showcontig "('enrole.process') with tableresults, all_indexes" > process.out 
sqlcmd -Q "DBCC showcontig "('enrole.activity') with tableresults, all_indexes" > activity.out 
sqlcmd -Q "DBCC showcontig "('enrole.processlog') with tableresults, all_indexes" > processlog.out

How to configure DB2 to work with TIM

The thing you have to do is enable shared memory in AIX. DB2 will not run properly if you don't. Add the following to <insthome>/sqllib/db2profile

EXTSHM=ON
export EXTSHM

Add EXTSHM=ON to the /etc/environment filename. From a DB2 command prompt, run the following command:

db2set DB2ENVLIST=EXTSHM

Add the following lines to /home/wasadmin/sqllib/db2profile

EXTSHM=ON
export EXTSHM

Reboot the machine to make the sure the changes take affect. You can reboot the machine by typing shutdown -r now from a terminal as root. After the machine reboots run

db2set DB2ENVLIST=EXTSHM

as root and

wasadmin

How to run dbpurge for ITIM AKA Database maintenance

The IBM Tivoli Identity Manager database stores data for both in-progress and completed system transactions in addition to auditing information. This database grows unbounded and should be cleaned up as your corporate policy allows. For best performance, keep as little data as necessary in the live database and use database backups for older data sets. The DBPurge utility included with the IBM Tivoli Identity Manager product automates removing entries from the database over a certain age. This utility works with all support databases and processes all time-based data, including transaction, audit, and reconciliation records.

Determining the values

  • itim_home - The home directory for IBM Tivoli Identity Manager, such as /opt/IBM/itim
  • os_type - The operating system time of the IBM Tivoli Identity Manager server, either win or unix.
  • days_to_retain - The number of days of data to retain, any records in the database older than this value will be removed.
  • purge_trans - A boolean flag indicating if transactional data older than days_to_retain will be removed during the purge. Default: true.
  • purge_audit - A boolean flag indicating if the audit data older than days_to_retain will be removed during the purge. Default: true.
  • purge_recon - A boolean flag indicating if reconciliation data older than days_to_retain will be removed during the purge. Default: true.

To start the database purging, run the following command all on one line:

itim_home/bin/os_type/DBpurge -age days_to_retain -workflow purge_trans -audit purge_audit -recon purge_recon 

The DBPurge utility provided with ITIM 4.6 and 5.0 is used to remove completed transaction records from the ITIM database which completed before a specified date. This is done by accessing all PROCESS records which completed before a specific time, then iterating through these rows and removing related rows in child tables that reference these completed records.

  • * NOTE *** DBPurge does not backup or archive records, it just removes them, so be sure to execute the proper database backup prior to executing DBPurge.

The DBPurge utility resides in the following OS specific directories:

  • <ITIM_HOME>/bin/unix directory for Unix systems
  • <ITIM_HOME>/bin/win directory for Windows systems

The documentation available on ITIM's DBPurge process is currently somewhat limited. The queries used in the DBPurge process should have indexes built for them to prevent full table scans.


@HowTo @ITIM