

Delete a Tenant Environment

When you delete a tenant, all components of the tenant are permanently removed, including all provisioning stores, user stores, directories, and databases. The tenant is unregistered from the provisioning server, and deleted from the environment. Any ports that were assigned for use by the tenant are available again. Tenant data is backed up, so that you can recreate a tenant if required.

During deletion, the tenant tag is removed from the system. You can later create another tenant environment with the same name and tag.

Any partnerships created through the Single Sign-on service are not removed when you delete the tenant environment.

Important: When you delete a tenant environment after the Identity Management service has already been removed, be sure to enable Provisioning for the tenant from the Management Console before removing the tenant.

Follow these steps:

  1. Delete the environment (only from one Identity Management server)
    1. Access the Management Console

      <Host>:8080/iam/immanage/

    2. Click Home, Environments.
    3. Select the environment for the tenant to be deleted.
    4. Select delete.
  2. Delete Directory from the Management Console (only from one Identity Management server)
    1. Access the Management Console

      <Host>:8080/iam/immanage/

    2. Click Home, Directories.
    3. Select the checkbox before the directory for the tenant to be deleted.
    4. Click Delete.

      You will not observe any change on the screen.

  3. In the Policy Server, navigate to /opt/CA/siteminder/log.
    1. Edit the smps.log file and locate an entry similar to the following:
      "[Delete.cpp:338][Reduce][ERROR][sm-xpsxps-03340] Cannot delete a related record. (CA.SM::UserDirectory@0e-000621de-79d1-1485-8f37-38450a82d0cb(cm3Tenant Directory):CA.SM::IMSDirectory@32-00074f6b-79d1-1485-8f37-38450a82d0cb(cm3 Tenant Directory).CA.SM::IMSDirectory.UserDirectoryLink)"
      
    2. In this example, the tenant user directory could not be deleted because it had a related entry:
      CA.SM::IMSDirectory@32-00074f6b-79d1-1485-8f37-38450a82d0cb. 
      
  4. Delete the related entry from Policy Server by following these steps:
    1. Run XPSExplorer.
    2. Type F to find by XID.
    3. Paste the XID obtained from the log (CA.SM::IMSDirectory@32-00074f6b-79d1-1485-8f37-38450a82d0cb).
    4. Press Enter. The related object is displayed.
    5. Press D to delete the object.
  5. Now that the related entry is deleted, delete the user directory from the Management Console by following step 2.
  6. If the domain and directory still exist in SiteMinder, restart or reboot SiteMinder services.
    1. On Policy Server

      service S98sm stop

      service S98sm start

    2. On the CSP console:

      service S98smAdminUI stop

      service S98smAdminUI start

  7. Update the tenant DSA router on each Identity Management server, CA IAM Connector Server, Provisioning Server, and Policy Server to remove the tenant. Perform the following steps:

    su - dsa

    cd /opt/CA/Directory/dxserver/config/knowledge

    1. Edit the <hostname>-cam-tenant-router file.
    2. For example, if cm3 is the tenant, delete the lines with cm3:
      # CA DXserver/config/knowledge/
      #
      # Knowledge configuration file written by dxagent
      #
      # Refer to the Admin Guide for the format of the set dsa command.
      
      set dsa "s010130009046-cam-tenant-cm3" =
      {
      prefix =   <o ca><ou cam><ou cm3>
      dsa-name =   <o ca><ou cam><ou cm3><cn s010130009046-cam-tenant-cm3>
      dsa-password            = "secret"
      address         = ipv4 "s010130009046" port 50006
      disp-psap               = DISP
      snmp-port               = 50006
      console-port            = 50007
      auth-levels             = clear-password
      dsp-idle-time           = 50
      multi-write-group               = primary
      dsa-flags               = multi-write, no-service-while-recovering, multi-write-group-hub
      trust-flags             = allow-check-password, trust-conveyed-originator
      link-flags              = ssl-encryption-remote
      };
      
    3. Update the DXC file:
      1. cd /opt/CA/Directory/dxserver/config/settings
      2. Edit the <hostname>-cam-tenant-router.dxc file.
      3. Remove the tenant. For example, if the tenant is cm3, locate the following line:

        set write-precedence= s010130009046-cam-tenant-cm1, s010130009046-cam-tenant-cm3, s010130009046-cam-tenant-cm4

      4. Change the entry to the following:

        set write-precedence= s010130009046-cam-tenant-cm1, s010130009046-cam-tenant-cm4;

  8. Restart the dxa router on each Identity Management server.
    su - dsa 
    dxserver stop all 
    dxserver start all 
    

    Repeat the preceding three commands on the Provisioning Server, CA IAM Connector Server, Policy Server, and Directory Server.

  9. Remove the provisioning directory on each Provisioning Server:
    1. cd /opt/CA/Directory/dxserver/config/knowledge
    2. Edit the imps-router.dxc file and remove the tenant information
    3. For example, the file may appear as follows:
      # CA DXserver/config/knowledge/
      #
      # Knowledge configuration file written by dxagent
      #
      # Refer to the Admin Guide for the format of the set dsa command.
      
      set dsa "tenant-cm3-s010130009046" =
      {
      prefix =   <dc cm3>
      dsa-name =   <dc etadb><cn tenant-cm3-s010130009046>
      dsa-password            = "secret"
      address         = ipv4 "s010130009046" port 20904
      disp-psap               = DISP
      snmp-port               = 20904
      console-port            = 20905
      auth-levels             = clear-password
      dsp-idle-time           = 50
      dsa-flags               = multi-write, no-service-while-recovering, multi-write-group-hub
      trust-flags             = allow-check-password, trust-conveyed-originator
      link-flags              = ssl-encryption-remote
      };
      
  10. Update the DXC file on each Provisioning Server for the Provisioning Server router:
    1. cd /opt/CA/Directory/dxserver/config/settings
    2. Edit the <hostname>-imps-router.dxc file
    3. Locate the following line:

      set write-precedence = s010130009046-impd-main, s010130009046-impd-inc, s010130009046-impd-co, s010130009046-impd-notify, tenant-cm1-s010130009046, tenant-cm3-s010130009046, tenant-cm4-s010130 

    4. Replace this line with the following line:

      set write-precedence = s010130009046-impd-main, s010130009046-impd-inc, s010130009046-impd-co, s010130009046-impd-notify, tenant-cm1-s010130009046,  tenant-cm4-s010130

  11. Restart the DSAs on each Provisioning Server:
    1. su - dsa
    2. dxserver stop all
    3. dxserver start all
  12. Stop the DSAs for tenants on all Directory servers:
    su - dsa 
    dxserver stop <host name>-cam-tenant-<tenant tag> 
    

    For example, s010130009046-cam-tenant-cm3.

    dxserver stop tenant-<tenant tag>-<host name>
    

    For example, tenant-cm17-s010130009046.

  13. Remove the tenant data files from each DIR server:
    su - dsa 
    cd /opt/CA/Directory/dxserver/data
    ls *<tenant tag>* 
    

    Delete all files returned from the preceding command.

    cam-tenant-<tenant tag>.ldif 

    tenant-<tenant tag>-<hostname>.db

    tenant-<tenant tag>-<hostname>.tx

    <host name>-cam-tenant-<tenant tag>-.db

    <host name>-cam-tenant-<tenant tag>-.tx

    For example:

    cam-tenant-cm3.ldif  
    tenant-cm3-s010130009046.db  
    tenant-cm3-s010130009046.tx 
    tenant-cm3-s010130009046.db  
    tenant-cm3-s010130009046.tx.
    
  14. Remove knowledge files from Directory server
    su - dsa 
    cd  /opt/CA/Directory/dxserver/config/knowledge
    Delete tenant-<tenant tag>-<hostname>.dxc
    

    For example, tenant-cm3-s010130009046.dxc

    Delete <host name>-cam-tenant-<tenant tag>.dxc. For example:

    s010130009046-cam-tenant-cm3.dxc

  15. Remove the settings files on each directory server for the tenant:
    su - dsa 
    cd /opt/CA/Directory/dxserver/config/settings
    

    Delete tenant-<tenant tag>-<hostname>.dxc. For example, tenant-cm3-s010130009046.dxc.

    Delete <host-name>-cam-tenant-<tenant tag>.dxc. For example, s010130009046-cam-tenant-cm3.dxc.

  16. Remove the DXI file from each directory server:

    cd /opt/CA/Directory/dxserver/config/servers

    Remove tenant-<tenant tag>-<hostname>.dxi. For example:
    tenant-cm3-s010130009046.dxi

    Remove <host name>-cam-tenant-<tenant tag>.dxi. For example: s010130009046-cam-tenant-cm3.dxi.

  17. Remove pem files on each directory server:

    su - dsa

    cd /opt/CA/Directory/dxserver/config/ssld/personalities

    Remove <host-name>-cam-tenant-<tenant tag>.pem. For example:
    s010130009046-cam-tenant-cm3.pem

    Remove tenant-<tenant tag>-<hostname>.pem. For example:
    tenant-cm11-s010130009046.pem

  18. Remove auto start file on each directory server:

    su - dsa

    cd /opt/CA/Directory/dxserver/config/autostart

    Remove <host name>-cam-tenant-<tenant tag> and tenant-<tenant tag>-<hostname>. For example:

    s010130009046-cam-tenant-cm3
    tenant-cm3-s010130009046

  19. Remove the limits file on each directory server:

    su - dsa

    cd /opt/CA/Directory/dxserver/config/limits

    Remove <host name>-cam-tenant-<tenant tag>.dxc. For example:
    s010130009046-cam-tenant-cm3.dxc

    Remove tenant-<tenant tag>-<host name>.dxc. For example:
    tenant-cm3-s010130009046.dxc
  20. Remove ssld files on each directory server
    1. su - dsa
    2. cd /opt/CA/Directory/dxserver/config/ssld
    3. Remove <host name>-cam-tenant-<tenant tag>.dxc. For example:
      s010130009046-cam-tenant-cm3.dxc
    4. Remove tenant-<tenant tag>-<hostname>.dxc. For example:
      tenant-cm3-s010130009046.dxc
  21. Remove the log configuration files on each directory server

    su - dsa

    cd /opt/CA/Directory/dxserver/config/logging/

    Remove tenant-<tenant Name>-<DIR Server>.dxc

    Remove <DIR Server>-cam-tenant-<Tenant Name>.dxc

  22. Restart all DSAs on all Directory machines
    1. su - dsa
    2. dxserver stop all
    3. dxserver start all
  23. Verify that the tenant DSAs no longer appear in the dxserver status output on each directory server:
    1. su - dsa
    2. dxserver status
    3. Verify that the DSAs for the tenant are not listed:

      <host name>-cam-tenant-<tenant tag>. For example:
      s010130009046-cam-tenant-cm3

      tenant-<tenant tag>-<host name>. For example:
      tenant-cm17-s010130009046

  24. Remove the Provisioning association:
    1. Use an LDAP tool such as JXplorer.
    2. Connect to your Provisioning server system using user name and password as follows:

      Use port 20391

      User DN eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb

      Password <your password for Provisioning DSA>

      Go to etadb – im – CommonObjects – Configuration – Parameters – Tenant Data – Tenant Identifiers

      Delete eTConfigParamValue for the tenant tag.

  25. Delete the tenant from the CSP console

    If you support Disaster Recovery, export and import Derby. Refer to the Disaster Recovery Guide for steps to delete a tenant.

  26. Inactivate the tenant from Arcot Admin Console as follows:
    1. Go to <host>.ca.com:9090/arcotadmin/mabamlogin.htm
    2. Search active tenants and find your tenant.
    3. Note the GUID; this will help with the next step.
    4. Inactivate the tenant.
  27. Delete tenant from Arcot Admin console
    1. Go to <host>.ca.com:9090/arcotadmin/mabamlogin.htm
    2. Search inactive tenants and find your tenant. Inactivating the tenant renamed it to its GUID, so you need to find the GUID that belongs to your tenant. If you do not have this information from the previous step, look at each tenant, go to the next page, and look at the DN.
    3. Delete the tenant.
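
A way to check the result of steps 7 through 23 on one server, as an added example that is not part of the product documentation: it lists files and configuration lines that still name the tenant's DSAs (including leftover .pem personalities), and it matches the tag on a boundary so that auditing cm1 does not report cm11 or cm17, which a bare `ls *cm1*` would. The function names and the two arguments (DXserver root, tenant tag) are assumptions; the directories and naming patterns are the ones used in the steps above.

```shell
#!/bin/sh
# Added example: audit a DXserver tree for artefacts of a deleted tenant.
# Usage (assumed): audit.sh /opt/CA/Directory/dxserver cm3
# Assumes the tenant tag is alphanumeric, as in the examples on this page.

# Files named after the tenant's DSAs: data files, config files, .pem files.
tenant_leftover_files() {
    root=$1; tag=$2
    for d in data config/knowledge config/settings config/servers \
             config/ssld config/ssld/personalities config/autostart \
             config/limits config/logging; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -maxdepth 1 -type f
        fi
    done |
    { grep -E "/(([^/]*-)?cam-tenant-$tag([.-][^/]*)?|tenant-$tag-[^/]*)\$" || true; } |
    sort
}

# Lines in surviving config files (router knowledge entries,
# write-precedence lists) that still name one of the tenant's DSAs.
tenant_leftover_refs() {
    root=$1; tag=$2
    grep -rnE "cam-tenant-$tag([^A-Za-z0-9]|\$)|tenant-$tag-" \
        "$root/config" 2>/dev/null || true
}

# Prints every finding; exit status is 0 only when nothing remains.
audit_tenant_removal() {
    files=$(tenant_leftover_files "$1" "$2")
    refs=$(tenant_leftover_refs "$1" "$2")
    if [ -n "$files" ]; then
        printf '%s\n' "$files" | sed 's/^/leftover file: /'
    fi
    if [ -n "$refs" ]; then
        printf '%s\n' "$refs" | sed 's/^/leftover reference: /'
    fi
    [ -z "$files$refs" ]
}

if [ "$#" -eq 2 ]; then
    audit_tenant_removal "$1" "$2"
fi
```
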

Tips for redeploying a deleted tenant

Note: For high availability, you need to follow the steps for each leg, but you should only need to delete the tenant and directory from the management console on the first leg.

For disaster recovery, follow the same steps at both sites, but you should only need to delete the tenant and directory from the management console at the primary site.