

Delete a Tenant

Before you delete a tenant, delete partnerships that use this tenant's user directory or modify such partnerships to use a different directory.

Use the following procedure to delete a tenant.

Note: For High Availability systems, you need to follow the steps for each leg. You should only need to delete the tenant and directory from IM Manage on the first leg.

For Disaster Recovery systems, you need to follow the same steps at both sites. You should only need to delete the tenant and directory from IM Manage at the first site.

  1. Delete IME from IM Manage (only from one IM server) by accessing the IM Management Console:
    1. Go to http://<IM Host>:8080/iam/immanage/
    2. Go to Home, Environments.
    3. Select the environment for the tenant to delete.
    4. Select Delete.
  2. Delete the Directory from IM Manage (only from one IM server) by accessing the IM Management Console:
    1. Go to http://<IM Host>:8080/iam/immanage/
    2. Go to Home, Directories.
    3. Select the check box for the directory corresponding to your tenant.
    4. Click Delete.

      This will not have any effect,

    5. In the SMPS, navigate to /opt/CA/siteminder/log and in smps.log find any entry similar to the following:
      "[Delete.cpp:338][Reduce][ERROR][sm-xpsxps-03340] Cannot delete a related record. (CA.SM::UserDirectory@0e-000621de-79d1-1485-8f37-38450a82d0cb(cm3Tenant Directory):CA.SM::IMSDirectory@32-00074f6b-79d1-1485-8f37-38450a82d0cb(cm3 Tenant Directory).CA.SM::IMSDirectory.UserDirectoryLink)"
      

      The deletion failed because the tenant user directory has a related entry, CA.SM::IMSDirectory@32-00074f6b-79d1-1485-8f37-38450a82d0cb, which must be deleted first.

    6. Delete the related entry from SMPS by using the following steps:

      i) Run XPSExplorer.

      ii) Type F to find by XID.

      iii) Paste the XID obtained from the log (CA.SM::IMSDirectory@32-00074f6b-79d1-1485-8f37-38450a82d0cb) and then press Enter. The related object appears.

      iv) Press D to delete the object.

    7. Now that the related entry is deleted, delete the user directory from IM Manage by repeating steps 1 through 4 above.
  3. If the domain and the directory are still in SiteMinder, restart or reboot SiteMinder services (All SMPS and Admin UI servers) as follows:

    On SMPS:

    1. service S98sm stop
    2. service S98sm start

      On the CSP Console:

    3. service S98smAdminUI stop
    4. service S98smAdminUI start
  4. Update the tenant DSA router on each IM, JCS, IMPS, and SMPS to remove the tenant:
    1. su - dsa
    2. cd /opt/CA/Directory/dxserver/config/knowledge
      vi <hostname>-cam-tenant-router
    3. Delete the entry for the tenant. For example, where cm3 is the tenant:
      
      # CA DXserver/config/knowledge/
      #
      # Knowledge configuration file written by dxagent
      #
      # Refer to the Admin Guide for the format of the set dsa command.
      
      set dsa "s010130009046-cam-tenant-cm3" =
      {
      prefix =   <o ca><ou cam><ou cm3>
      dsa-name =   <o ca><ou cam><ou cm3><cn s010130009046-cam-tenant-cm3>
      dsa-password            = "secret"
      address         = ipv4 "s010130009046" port 50006
      disp-psap               = DISP
      snmp-port               = 50006
      console-port            = 50007
      auth-levels             = clear-password
      dsp-idle-time           = 50
      multi-write-group               = primary
      dsa-flags               = multi-write, no-service-while-recovering, multi-write-group-hub
      trust-flags             = allow-check-password, trust-conveyed-originator
      link-flags              = ssl-encryption-remote
      };
      
    4. Update the dxc file using the following commands:

      i) cd /opt/CA/Directory/dxserver/config/settings

      ii) vi <hostname>-cam-tenant-router.dxc

      iii) Remove the tenant from write-precedence. For example, if the tenant is cm3, change:
      set write-precedence            = s010130009046-cam-tenant-cm1, s010130009046-cam-tenant-cm3, s010130009046-cam-tenant-cm4;
      to:
      set write-precedence            = s010130009046-cam-tenant-cm1, s010130009046-cam-tenant-cm4;

  5. Restart the dxa router on each IM, IMPS, JCS, SMPS, and Directory system:
    1. su - dsa
    2. dxserver stop all
    3. dxserver start all
  6. Remove the provisioning directory on each IMPS 
    1. cd /opt/CA/Directory/dxserver/config/knowledge
    2. vi -imps-router.dxc and remove tenant info

      For example:

      # CA DXserver/config/knowledge/
      #
      # Knowledge configuration file written by dxagent
      #
      # Refer to the Admin Guide for the format of the set dsa command.
      
      set dsa "tenant-cm3-s010130009046" =
      {
      prefix =   <dc cm3>
      dsa-name =   <dc etadb><cn tenant-cm3-s010130009046>
      dsa-password            = "secret"
      address         = ipv4 "s010130009046" port 20904
      disp-psap               = DISP
      snmp-port               = 20904
      console-port            = 20905
      auth-levels             = clear-password
      dsp-idle-time           = 50
      dsa-flags               = multi-write, no-service-while-recovering, multi-write-group-hub
      trust-flags             = allow-check-password, trust-conveyed-originator
      link-flags              = ssl-encryption-remote
      };
      
  7. Update the dxc file on each IMPS server for the imps router
    1. cd /opt/CA/Directory/dxserver/config/settings
    2. vi <hostname>-imps-router.dxc
    3. Change:
      set write-precedence            = s010130009046-impd-main, s010130009046-impd-inc, s010130009046-impd-co, s010130009046-impd-notify, tenant-cm1-s010130009046, tenant-cm3-s010130009046, tenant-cm4-s010130
      to:
      set write-precedence            = s010130009046-impd-main, s010130009046-impd-inc, s010130009046-impd-co, s010130009046-impd-notify, tenant-cm1-s010130009046,  tenant-cm4-s010130
  8. Restart the DSAs on each IMPS:
    1. su - dsa
    2. dxserver stop all
    3. dxserver start all
  9. Stop the DSAs for tenants on all DIR servers:
    1. su - dsa
    2. dxserver stop <host name>-cam-tenant-<tenant tag> (for example, s010130009046-cam-tenant-cm3)
    3. dxserver stop tenant-<tenant tag>-<host name> (for example, tenant-cm17-s010130009046)
  10. Remove the tenant data files from each DIR server:
    1. su - dsa
    2. cd /opt/CA/Directory/dxserver/data
    3. ls *<tenant tag>*
    4. Delete all files returned by the previous step (for example: cam-tenant-cm3.ldif, tenant-cm3-s010130009046.db, tenant-cm3-s010130009046.tx):
      1. cam-tenant-<tenant tag>.ldif
      2. tenant-<tenant tag>-<hostname>.db
      3. tenant-<tenant tag>-<hostname>.tx
      4. <host name>-cam-tenant-<tenant tag>-.db
      5. <host name>-cam-tenant-<tenant tag>-.tx
  11. Remove knowledge files from Directory server
    1. su - dsa
    2. cd /opt/CA/Directory/dxserver/config/knowledge
    3. delete tenant-<tenant tag>-<hostname>.dxc (for example, tenant-cm3-s010130009046.dxc)
    4. delete <host name>-cam-tenant-<tenant tag>.dxc (for example, s010130009046-cam-tenant-cm3.dxc)
  12. Remove the settings files on each directory server for the tenant
    1. su - dsa
    2. cd /opt/CA/Directory/dxserver/config/settings
    3. delete tenant-<tenant tag>-<hostname>.dxc (for example, tenant-cm3-s010130009046.dxc)
    4. delete <host-name>-cam-tenant-<tenant tag>.dxc (for example, s010130009046-cam-tenant-cm3.dxc)
  13. Remove the dxi file from each directory server
    1. cd /opt/CA/Directory/dxserver/config/servers
    2. remove tenant-<tenant tag>-<hostname>.dxi (for example, tenant-cm3-s010130009046.dxi)
    3. remove <host name>-cam-tenant-<tenant tag>.dxi (for example, s010130009046-cam-tenant-cm3.dxi)
  14. Remove the pem files on each directory server:
    1. su - dsa
    2. cd /opt/CA/Directory/dxserver/config/ssld/personalities
    3. remove <host-name>-cam-tenant-<tenant tag>.pem (for example, s010130009046-cam-tenant-cm3.pem)
    4. remove tenant-<tenant tag>-<hostname>.pem (for example, tenant-cm11-s010130009046.pem)
  15. Remove the auto start file on each directory server:
    1. su - dsa
    2. cd /opt/CA/Directory/dxserver/config/autostart
    3. remove <host name>-cam-tenant-<tenant tag> tenant-<tenant tag>-<hostname> (for example, s010130009046-cam-tenant-cm3 tenant-cm3-s010130009046)
  16. Remove the limits file on each directory server
    1. su - dsa
    2. cd /opt/CA/Directory/dxserver/config/limits
    3. remove <host name>-cam-tenant-<tenant tag>.dxc (for example, s010130009046-cam-tenant-cm3.dxc)
    4. remove tenant-<tenant tag>-<host name>.dxc (for example, tenant-cm3-s010130009046.dxc)
  17. Remove ssld files on each directory server
    1. su - dsa
    2. cd /opt/CA/Directory/dxserver/config/ssld
    3. remove <host name>-cam-tenant-<tenant tag>.dxc (for example, s010130009046-cam-tenant-cm3.dxc)
    4. remove tenant-<tenant tag>-<hostname>.dxc (for example, tenant-cm3-s010130009046.dxc)
  18. Remove the log configuration files on each directory server
    1. su - dsa
    2. cd /opt/CA/Directory/dxserver/config/logging/
    3. remove tenant-<tenant Name>-<DIR Server>.dxc
    4. remove <DIR Server>-cam-tenant-<Tenant Name>.dxc
  19. Restart all DSAs on all Directory machines
    1. su - dsa
    2. dxserver stop all
    3. dxserver start all
  20. Verify that the DSAs no longer appear in the dxserver status output on each directory server:
    1. su - dsa
    2. dxserver status
    3. Verify that the DSAs for the tenant are not listed:
      • <host name>-cam-tenant-<tenant tag> (for example, s010130009046-cam-tenant-cm3)
      • tenant-<tenant tag>-<host name> (for example, tenant-cm17-s010130009046)
  21. Remove the Provisioning association:
    1. Use an LDAP tool such as JXplorer.
    2. Connect to your IMPS machine using the following user name and password:

      1) Use port 20391

      2) User DN eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb

      3) Password <your password for Provisioning DSA>

      4) Go to etadb, im, CommonObjects, Configuration, Parameters, Tenant Data, Tenant Identifiers.

      5) Delete eTConfigPramValue for the tenant tag.

  22. Delete the tenant from the CSP console:
    In DR, you need to export and import Derby. Refer to the DR documentation for steps to delete a tenant for DR.
  23. Inactivate the tenant from the Arcot Admin Console:
    1. Go to http://<smps host>.ca.com:9090/arcotadmin/mabamlogin.htm
    2. Search active tenants and find your tenant.
    3. Note the GUID; this will help with the next step.
    4. Inactivate the tenant.
  24. Delete tenant from Arcot Admin console
    1. Go to http://<smps host>.ca.com:9090/arcotadmin/mabamlogin.htm
    2. Search inactive tenants and find your tenant. Inactivating the tenant renamed it to the GUID, so you need to find the GUID that belongs to your tenant. If you don't have this from the last step, look at each tenant, go to the next page, and look at the DN.
    3. Delete the tenant.
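
The file removals in steps 10 through 18 and the router edits in steps 4 through 7 can be checked on each server with a read-only audit that lists whatever still names the tenant, including leftover .pem personalities and data files. The script below is an added example, not part of the product or its documentation; the function names and the DX_ROOT override are assumptions, and the file-name patterns are taken from the examples in this procedure. Names are anchored so that a tag such as cm1 does not match cm17.

```shell
#!/usr/bin/env bash
# Added example: read-only audit for leftovers of a deleted tenant.
# DX_ROOT defaults to the path used in the procedure; override it to test.
DX_ROOT="${DX_ROOT:-/opt/CA/Directory/dxserver}"

# Directories the procedure removes tenant files from (steps 10 to 18).
DX_DIRS="data config/knowledge config/settings config/servers
config/ssld/personalities config/autostart config/limits config/ssld
config/logging"

# List files named after either tenant DSA. $1 = tenant tag, $2 = host name.
# The name is anchored so that tag cm1 never matches cm17 files.
tenant_leftover_files() {
  local tag="$1" host="$2" d
  for d in $DX_DIRS; do
    [ -d "$DX_ROOT/$d" ] || continue
    find "$DX_ROOT/$d" -maxdepth 1 -type f
  done | grep -E "/((${host}-)?cam-tenant-${tag}|tenant-${tag}-${host})(-?\.[^/]+)?\$" || true
}

# List file:line:text for router entries (set dsa, write-precedence) that
# still name the tenant DSAs in the knowledge and settings directories.
tenant_leftover_refs() {
  local tag="$1" host="$2"
  grep -rnE "(${host}-cam-tenant-${tag}|tenant-${tag}-${host})([^0-9A-Za-z]|\$)" \
    "$DX_ROOT/config/knowledge" "$DX_ROOT/config/settings" 2>/dev/null || true
}

# Print everything found; return 0 only when the tenant is fully gone.
audit_tenant() {
  local found
  found="$(tenant_leftover_files "$@"; tenant_leftover_refs "$@")"
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Usage: DX_ROOT=/path ./audit.sh <tenant tag> <host name>
if [ "$#" -eq 2 ]; then audit_tenant "$1" "$2"; fi
```

Run it as the dsa user after step 19 on every directory, IMPS and router host; a non-zero exit status means a file or a configuration reference for the tenant is still present.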

Tips for Re-Deploying a Deleted Tenant