Troubleshooting

If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.

Test Connection fails for managed systems with the following error when the SSH login prompt appears with a delay:

[TimeoutException] [Possible suggestions] Tune the parameter <sshTimeOut>. [Error details] Timeout occurred while setting the shell 'sh'

This error occurs when the connector tries to log in to the target managed system with SSH and execute the sh command. The sh command fails because of the delay on the target managed system for the SSHLogin prompt to appear.

Resolution – To resolve this issue, adjust the following timeout parameters in the application Debug page:

  • sshWaitTime – Default value – 500 ms

    This timeout parameter is responsible for the wait to receive a command output.

  • SSHTimeOut – Default value – 120000 ms

This timeout parameter is responsible for tuning the maximum time for a SSH command to execute. After this timeout, the connection is dropped and the operation will time out, even if the command execution is in progress on the target host.

Aggregation/test connection fails with the following timeout error:

Exception during aggregation of Object Type account on Application <application name> Reason: Unable to create iterator sailpoint.connector.TimeoutException: [TimeoutException] [Possible suggestions] Tune the parameter <sshTimeOut>. [Error details] Timeout occurred while reading command response.

Test Connection fails with following timeout error:

[TimeoutException] [Possible suggestions] Tune the parameter <sshTimeOut>. [Error details] Timeout occurred while reading output stream for the executed command.

Resolution – Change the value of the sshWaitTime (in millisecond) application attribute as required in the application Debug page:

<entry key="sshWaitTime" value="500"/>

If setting sshWaitTime does not solve the issue, then connect to the AIX system using the sudo user to check the system's behavior. For example, after executing the following command, it prompts for %SAILPOINTSUDO where you can enter the sudo user's password:

sudo -p %SAILPOINTSUDO echo TestConnection

But in some third party software (for example, Centrify) which may be installed on the AIX machine, it doesn't prompt for %SAILPOINTSUDO, it instead prompts something else. Therefore, the connector doesn't detect that the software is asking for the sudo user's password. Add the following entry key in the application Debug page to manually configure the sudo user's password prompt as what the software is prompting:

<entry key="SudoPasswdPrompt" value="<third party software prompt>"/>

For example, if the system prompts CSO Password:, add the following entry key in the application Debug page to define it the sudo user's password prompt:

<entry key="SudoPasswdPrompt" value="CSO Password:"/>

After target aggregation, the resources are not getting correlated with Account Groups.

Resolution – Ensure that your correlation rule populates "Correlator.RULE_RETURN_GROUP_ATTRIBUTE" as follows:

Copy 
         ....
      if ( isGroup ) {
          returnMap.put(Correlator.RULE_RETURN_GROUP_ATTRIBUTE,"nativeIdentity");
          returnMap.put(Correlator.RULE_RETURN_GROUP_ATTRIBUTE_VALUE, nativeId);
      }   
         ....

Test connection fails for key based authentication with the following error.

Login failed. Error while connecting to host:<hostname>. Cannot read key file.

Resolution – Perform the following steps to generate/convert private/public keys in a format supported by UNIX direct connectors.

Generate keys using OpenSSL. This method can be used for any version of SSH.

  1. Create a private key using the following command:

    openssl <gendsa/genrsa> -des3 -out <private_key> 1024

  2. Change the permission on the <private_key> file as follows:

    chmod 0600 <private_key>

  3. Create a public key from the private_key file:

    ssh-keygen -y -f <private_key> > <public_key>

  4. Use the <private_key> and <public_key> files for authentication.

Generate keys using ssh-keygen. (OpenSSH 5.8 or above)

  1. Create private and public key using the following command:

    ssh-keygen -t <dsa/rsa> -b 1024  

    By default, files with name id_dsa/id_rsa and id_dsa.pub/id_rsa.pub will be created.

  2. Convert <private key> to have the DES-EDE3-CBC encryption algorithm by using the following command:

    openssl <dsa/rsa> -in <private_key> -out <new_private_key> -des3

  3. Change the permission on the <new_private_key> file as follows:

    chmod 0600 <new_private_key>

  4. Create a public key file using the <new_private_key> file as follows:

    ssh-keygen -y -f <new_private_key> > <new_public_key>

  5. Use the <new_private_key> and <new_public_key> files for authentication.

Test connection fails with the following error when sudo user is configured for public key authentication:

[InvalidConfigurationException] [Possible suggestions] a) Verify the private key file is correct for specified user. b) Verify the private key Passphrase is correct for specified user. c) Verify the private/public key file permissions are correct on the given unix host. [Error details] Failed to authenticate the ssh credentials for the user: to the host:

Resolution – Verify the sudo user’s password specified in the application configuration is correct as required for certificate based authentication.

Test connection fails with the following error message when IdentityIQ is deployed on a JBoss Application Server:

Possible suggestions] a) Check UNIX host is up and running. b) Make sure there is a smooth connectivity between Identity Server and UNIX host.
[Error details] Login failed. Error while connecting to the host <host_name>. BouncyCastle is required to read a key of type ecdsa-sha2-nistp256

Resolution – Perform the following:

  1. Edit the WEB-INF/jboss-deployment-structure.xml file to add the <resources> XML tag inside the <deployment> tag as shown in the example below:

    Copy 

    <?xml version="1.0" encoding="UTF-8"?> 
                                            <jboss-deployment-structure> 
                                            <deployment> 
                                            <resources> 
                                            <resource-root path="WEB-INF/lib/bcprov-ext-jdk15on-<version>.jar" use-physical-code-source="true"/>  
                                            </resources> 
                                            </deployment> 
                                        </jboss-deployment-structure> 

  2. Restart the JBoss Server and perform a Test Connection.

Test connection fails with the following error when sudo user is configured for public key authentication:

[ InvalidConfigurationException ] [ Possible suggestions ] a) Verify the private key file is correct for specified user. b) Verify the private key Passphrase is correct for specified user. c) Verify the private/public key file permissions are correct on the given unix host. [ Error details ] Failed to authenticate the ssh credentials for the user: to the host:

Resolution – Verify the sudo user’s password as specified at configuration. The password must be correct for certificate based authentication.