Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.

The following error message appears when test connection fails:
java.io.IOException: Corrupt Mac on input
OR
Error: Login failed. Error while connecting to host: xxxxx. The message store has reached EOF
Resolution: Add the 3des-cbc or blowfish-cbc cipher to the Ciphers list in the /etc/ssh/sshd_config file and restart sshd.
For X86: include 3des-cbc or blowfish-cbc in the Ciphers list.
For example, Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,arcfour,arcfour128,arcfour256,3des-cbc,blowfish-cbc
For SPARC: include 3des-cbc in the Ciphers list.
For example, Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,arcfour,arcfour128,arcfour256,3des-cbc
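The check below is an added example, not part of the SailPoint documentation: it reads an sshd_config file and reports whether the Ciphers line includes one of the ciphers named in the resolution. It assumes OpenSSH-style parsing (the first Ciphers line wins and its value is a single comma-separated argument) and an explicit list without +, - or ^ modifiers; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not SailPoint code): verify the Ciphers setting before
# restarting sshd. Assumption: OpenSSH-style parsing, explicit cipher list.

# Print the effective cipher list of config file $1, one name per line.
effective_ciphers() {
    awk '
        { sub(/#.*/, "") }                 # drop comments, fields are re-split
        tolower($1) == "ciphers" {         # keyword is case-insensitive
            n = split($2, c, ",")          # only the first argument is the list
            for (i = 1; i <= n; i++) if (c[i] != "") print c[i]
            exit                           # first occurrence wins
        }
    ' "$1"
}

# Return 0 if any wanted cipher (arguments after $1) is enabled in file $1.
has_cipher() {
    cfg=$1; shift
    list=$(effective_ciphers "$cfg")
    for want in "$@"; do
        printf '%s\n' "$list" | grep -qxF -- "$want" && return 0
    done
    return 1
}

# Constructed sample configuration (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Ciphers 3des-cbc,blowfish-cbc
Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
EOF
if has_cipher "$sample" 3des-cbc blowfish-cbc; then
    echo "OK: a cipher named in the resolution is enabled"
else
    echo "MISSING: add 3des-cbc or blowfish-cbc to Ciphers and restart sshd"
fi
rm -f "$sample"
```

On the managed host, call has_cipher /etc/ssh/sshd_config 3des-cbc blowfish-cbc (X86) or has_cipher /etc/ssh/sshd_config 3des-cbc (SPARC).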

The following error message appears when test connection fails:
[InvalidConfigurationException] [Possible suggestions] Provide right credentials. [Error details] Failed to authenticate the ssh credentials for user: <user> to the host: XXX.XX.XX.XXX
Resolution: Update the /etc/ssh/sshd_config file for the following entry and restart sshd: PasswordAuthentication yes

The following error message appears when aggregation fails:
Exception during aggregation of Object Type account on Application Solaris. Reason: Unable to create iterator sailpoint.connector.InvalidResponseException: [InvalidResponseException] [Possible suggestions] Make sure standalone command works with the UNIX terminal. The standalone command is - cat /etc/group | grep -v '^+' | grep -v '^-' [Error details] Command failed. Status: 1, Output: sh: spt_tmp_groupsb257b857860c4518a5fcac11f789a133: cannot create [Permission denied]
Resolution: Create a home directory for the sudo user and run aggregation again. Ensure that the sudo user is able to create files in its home directory.

The following error message appears when aggregation fails:
Fails with error Login failed. Failed to authenticate the ssh credentials for user: test to host: xxxxxx
Resolution: The ksh93 shell is the default shell (/usr/sbin/sh -> ../bin/i86/ksh93).
In the default installation of Solaris 11, bash and tcsh are installed. One of them should be used for provisioning. Use the application attribute DEFAULT_SSH_SHELL.
For more information on the DEFAULT_SSH_SHELL parameter, refer to Additional Configuration Parameters for SSH Configuration.

Aggregation/test connection fails with the following timeout error:
Exception during aggregation of Object Type account on Application Solaris. Reason: Unable to create iterator sailpoint.connector.TimeoutException: [TimeoutException ] [Possible suggestions] Tune the parameter <sshTimeOut>. [Error details] Timeout occurred while reading output stream for the executed command.
Test Connection fails with the following timeout error:
[TimeoutException] [Possible suggestions] Tune the parameter <sshTimeOut>. [Error details] Timeout occurred while reading output stream for the executed command.
Resolution: Change the value of the sshWaitTime (in milliseconds) application attribute as per your requirement in the debug page of the application:
<entry key="sshWaitTime" value="500"/>

There is a timeout error for the Solaris instances. If your Solaris system has third-party software (for example, Centrify) installed, then it does not display a custom prompt.
Note: If setting sshWaitTime does not solve the problem, connect to the Solaris machine using the sudo user to check the system's behavior.
After you execute the following command, it should prompt for %SAILPOINTSUDO, where the user enters the sudo user's password:
sudo -p %SAILPOINTSUDO echo TestConnection
However, because of third-party software (for example, Centrify) that is installed on the Solaris system, it does not prompt for %SAILPOINTSUDO; it displays a different prompt. In this case, the connector does not detect that it is asking for the sudo user's password.
For example, the system might prompt for the CSO Password, and the source must understand that this is a prompt for the sudo user's password.
Resolution: Add the following entry key in the application debug page so that the connector understands that it is the sudo user's password prompt:
<entry key="SudoPasswdPrompt" value="<custom prompt>"/>
For example:
<entry key="SudoPasswdPrompt" value="CSO Password:"/>

After target aggregation the resources are not getting correlated with Account Groups.
Resolution: Ensure that your correlation rule populates Correlator.RULE_RETURN_GROUP_ATTRIBUTE as follows:
....
if (isGroup) {
    returnMap.put(Correlator.RULE_RETURN_GROUP_ATTRIBUTE, "nativeIdentity");
    returnMap.put(Correlator.RULE_RETURN_GROUP_ATTRIBUTE_VALUE, nativeId);
}
....

Test connection fails for key-based authentication with the following error:
Login failed. Error while connecting to host:<hostname>. Cannot read key file.
Resolution: Perform the following steps to generate/convert private/public keys in a format that is supported by UNIX direct connectors.
Generate keys using openssl. You can use this method for any version of SSH.

- openssl <gendsa/genrsa> -des3 -out <private_key> 1024
- Change the permission on the <private_key> file as follows:
  chmod 0600 <private_key>
- Create the public key from the <private_key>:
  ssh-keygen -y -f <private_key> > <public_key>
- Use the <private_key> and <public_key> files for authentication.

- Create the private and public key using the following command:
  ssh-keygen -t <dsa/rsa> -b 1024
  By default, files with the names id_dsa/id_rsa and id_dsa.pub/id_rsa.pub are created.
- Convert the <private_key> to have the DES-EDE3-CBC encryption algorithm by using the following command:
  openssl <dsa/rsa> -in <private_key> -out <new_private_key> -des3
- Change the permission on the <new_private_key> file as follows:
  chmod 0600 <new_private_key>
- Create the public key file using the new private key as follows:
  ssh-keygen -y -f <new_private_key> > <new_public_key>
- Use the <new_private_key> and <new_public_key> files for authentication.
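To confirm that a key file has the shape both procedures above produce, the following added example (not part of the SailPoint documentation) inspects only the PEM header lines and the file mode. The function names are illustrative, and the other format labels are reported for diagnosis only; the page does not state how the connector treats them.

```shell
#!/bin/sh
# Added example (not SailPoint code). Classifies a private key by its PEM
# header lines only and checks the 0600 mode set by the steps above.

# Prints: des3-pem | other-cipher-pem | plain-pem | pkcs8 | openssh | unknown
key_format() {
    first=$(sed -n '1p' "$1")
    case $first in
        # Default output of ssh-keygen since OpenSSH 7.8.
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh; return ;;
        # PKCS#8 container, e.g. from OpenSSL 3 genrsa without -traditional.
        "-----BEGIN ENCRYPTED PRIVATE KEY-----" | "-----BEGIN PRIVATE KEY-----")
            echo pkcs8; return ;;
        "-----BEGIN RSA PRIVATE KEY-----" | "-----BEGIN DSA PRIVATE KEY-----") ;;
        *) echo unknown; return ;;
    esac
    # Traditional PEM declares its encryption in a DEK-Info header.
    dek=$(sed -n '2,4s/^DEK-Info: *\([^,]*\),.*/\1/p' "$1")
    case $dek in
        DES-EDE3-CBC) echo des3-pem ;;
        "")           echo plain-pem ;;
        *)            echo other-cipher-pem ;;
    esac
}

# Succeeds only for an owner-only (rw-------) DES-EDE3-CBC PEM key.
key_ready() {
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ] && [ "$(key_format "$1")" = des3-pem ]
}

# Constructed sample: header of an encrypted key with a dummy body.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0011223344556677

(constructed placeholder, no key material)
-----END RSA PRIVATE KEY-----
EOF
chmod 0600 "$sample"
echo "format: $(key_format "$sample")"
key_ready "$sample" && echo "matches the format produced by the steps above"
rm -f "$sample"
```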

Test connection fails with the following error when sudo user is configured for public key authentication:
[InvalidResponseException] [Possible Suggestion] Make sure standalone command works with the UNIX terminal. The standalone command is - echo 'TestConnection'[Error details] Unexpected output captured. Test SSH communication failed over host: xxxxxxxx. Error while executing command: sudo -p %SAILPOINTSUDO echo TestConnection over host: xxxxxxxx. Invalid sudo user password.
Resolution: On managed systems, if the Sudoers file has a sudo user with the PASSWD attribute assigned, then the sudo user's password specified in the application configuration password must be correct for certificate-based authentication.
Or, if the Sudoers file has a sudo user with the NOPASSWD attribute assigned, then the sudo user's password specified in the application configuration password can be incorrect or any value, and certificate-based authentication will still work.
Note: Password is a mandatory field on the application UI.

The following error message appears when aggregation fails:
Exception during aggregation of Object Type account on Application Solaristrouble. Reason: Unable to create iterator sailpoint.connector.InvalidResponseException: [InvalidResponseException] [Possible suggestions] Make sure standalone command works with the UNIX terminal. The standalone command is - date '+%m/%d/%Y %H:%M:%S' [Error details] Command failed. Cannot collect systems current date. Status: SAILPOINT>echo $? 0
Resolution: Add the following entry for application attribute in the debug page of the application:
<entry key="DEFAULT_SSH_SHELL" value="bash"/>

Solaris restricts you to selecting 16 groups at a time to allocate to any user although IdentityIQ supports selecting more than 16 through the console. In this case only the first 16 selected groups will be allocated to the user.
Note: This issue does not display any type of error from IdentityIQ and access requests are marked as committed.
Resolution: To add additional groups (exceeding 16), you must add the groups in batches of 16 at a time.

Test connection fails with the following error message when IdentityIQ is deployed on JBoss Application Server:
[Possible suggestions] a) Check UNIX host is up and running. b) Make sure there is a smooth connectivity between Identity Server and UNIX host.
[Error details] Login failed. Error while connecting to the host <host_name>. BouncyCastle is required to read a key of type ecdsa-sha2-nistp256
Resolution: Perform the following:
- Edit the WEB-INF/jboss-deployment-structure.xml file to add the <resources> xml tag inside the <deployment> tag as shown in the example.
  <?xml version="1.0" encoding="UTF-8"?>
  <jboss-deployment-structure>
    <deployment>
      <resources>
        <resource-root path="WEB-INF/lib/bcprov-ext-jdk15on-<version>.jar" use-physical-code-source="true"/>
      </resources>
    </deployment>
  </jboss-deployment-structure>
- Restart the JBoss Server and perform Test Connection.

Test Connection and other operations fail with csh shell Sudo user credentials with the following error message:
[InvalidResponseException] [Possible suggestions] Make sure standalone command works with the UNIX terminal. The standalone command is - csh [Error details] 'csh' is not set on your machine. Output: Variable syntaxldom5%. SessionOutput: Last login: <Current Timestamp> from <Host IP> Oracle Corporation <Version> ldom5% csh ldom5% echo $? Variable syntax ldom5%
Resolution: Add the following entry of application attribute in the application debug page and perform the operations again:
<entry key="GetExitStatus" value="echo $status"/>