Troubleshooting

Error message:

Resolution: Update the client language in the source XML from <entry key="clientLanguage" value="EN"/> to <entry key="clientLanguage" value="E"/> value and retry aggregation.

This is the BAPI behavior when the Role Details attribute is missing from account schema.

Resolution: Add the Role Details attribute in account schema to resolve the issue.

<AttributeDefinition name="Role Details" type="string">

<Description>Role Details of the User</Description>

</AttributeDefinition>

Resolution: Go into the groups tab of the account and ensure that the User Group has been assigned.

When creating a new account, the password is not deactivated even when the correct parameters are passed.

Resolution: Add CODVN in the create account provisioning form. If you need the password to be deactivated, then the password should not be sent from the plan. When the provisioning form is displayed, clear out the password field. The password deactivated field should be set as X/true.

Exception while getting system info from CVERS and PRDVERS tables

sailpoint.connector.ConnectorException: Caused by class com.sap.conn.jco.AbapException: (126) TABLE_ACCESS_NOT_ALLOWED: Message 000 of class null type : . SAP_QUERY_TABLE_NAME:CVERS

Resolution: Provide the correct permissions to the service account user on the CVERS and PRDVERS tables. Additionally, ensure both of the following additions have been made:

1. CVERS/PRDVERS is added in S_TABU_NAME authorization object.

2. CVERS/PRDVERS is added in SAILPOIN/CONF table.

An Error message is displayed when using Function Module /SAILPOIN/SAIL_READ_TABLE and /SAILPOIN /SAIL_READ_TABLE_LEG

Exception during aggregation. Reason: java.lang.RuntimeException: ASSIGN_TYPE_CONFLICT while querying table *Table_Name*. One of the fields queried (field1,field2,field3… ) may have incorrect COLUMN_LENGTH set in /SAILPOIN/CONF table. Please refer ASSIGN_TYPE_CONFLICT in troubleshooting section of documentation for more details.

Resolution: Ensure COLUMN_LENGTH is correctly configured for the fields of *Table_Name* in /SAILPOIN/CONF table . This can be validated through the t-code "SE11" while viewing the table details under the Fields tab.

Data was lost while copying a valuePOST

Resolution: If SAP has been patched to SP 17 or later, change the client language to a single character. For example, if the client language is EN, change it to E. For more information on the One Character Code for Language, refer to the SAP KB article.

Could not initialize class com.sap.conn.jco.rt.JCoRuntimeFactory

Resolution: Update the Visual C++ libraries to the latest version and try test connection after tomcat restart.

[ ConnectorException ] [ Error details ] Exception occurred while test configuration operation, refer logs for more details. Initialization of repository destination SAP - PMP failed: Logon data incomplete.

Resolution: Ensure the Flag for "Entry for RFC activated " is unchecked and not selected in SAP server.

In a SAP CUA landscape, a SAP role or profile requires a SUBSYSTEM to distribute the user to. The facility to select or specify the same, while requesting an entitlement for an account, is absent.

Resolution: The subsystem name is prepended to the Account-Group while aggregating account-groups from a SAP CUA system. As a result, only a limited subset of subsystem and account-group combinations are available while requesting entitlements, and thus distributing users, in a SAP CUA landscape.

Even after the execution of Refresh Entitlement Correlation the entitlements are not getting deleted from the current access page.

Resolution: Execute the Perform Identity Request Maintenance task to remove those entitlements. Ensure that the Verify provisioning for requests option is selected for this task.

After upgrade to the existing application, the password is not set in permanent mode, even when the user is created with the Password in permanent mode attribute selected.

This behavior occurs since the attribute name has changed from Password in permanent mode to Productive Password.

Resolution: In the debug page rename Password in permanent mode to Productive Password in schema and provisioning plan.

Some attributes are not working after upgrading from version 6.0 patch 7 and version 6.1 to the IdentityIQ version.

Resolution: Open the application debug page of version 6.4 and use the following corresponding parameters:

In the SAP Direct connector the SAPJCO libraries are used, which need permission to make connection with the SAP Server. The user who does not have these permissions will not be able to log in and will not be a valid member of the authentication process.

Resolution: Perform the following to add the administrator permissions:

1. Run the PFCG transaction (Profile generator, maintain your roles, authorizations, and profiles) and enter the role name.

2. Select Single and save the Role created.

3. Select Authorization > Display Authorization Data.

   The template displays. Cancel the template as it's not needed.

4. Select Manual and add the following:

   • S_RFC (All Activities)

   • S_USER_AGR (Activities: 02, 03, 22, 36, 78)

   • S_USER_GRP (Activities: 01, 02, 03, 05, 06, 22, 78)

   • S_USER_PRO (Activities: 01, 02, 03, 06, 07, 22)

   • S_USER_AUT (Activities : 03, 08)

   • S_USER_SAS (Activities : 01, 06, 22)

   • S_TABU_DIS (Activities: All Activities)
     (Additionally for SAP CUA System) S_USER_SYS (Activities: 03, 59, 68, 78)

   • Select the Generate (Shift+F5) icon.

   • Select the Save (Ctrl+S) icon.

   • Select Back (F3) icon.

5. Select the Generate (Shift+F5) icon and assign the above created role to a SAP user who must be an administrator.

6. Run the PFCG transaction.

7. Provide the role name which the customer has created.

8. Select the USER tab > User Comparison.

When performing Delta Aggregation after an upgrade, the following error message appears:

Aggregation date needs to be set in configuration.

Resolution: Open the SAP-Direct application debug page and set the following parameters:

<entry key="lastAggregationDate" value="2014-06-21"/>

<entry key="lastAggregationTime" value="20:54:34"/>

In the above parameters the format of Date and Time are as follows:

• Date: yyyy-MM-dd (the date should be the current date of the SAP server)

• Time: HH:mm:ss (the time should be the current time of the SAP server)

The change password feature is not working with SNC, when PRODUCTIVE_PWD attribute is X.

Resolution: Define the productivePasswordValue attribute in debug pages as follows:

<entry key="productivePasswordValue" value="1">

By default the code would consider the value as X.

Resolution 2: Check the following jco parameters and add them in the source xml as per your environment requirements:

<entry key="jco.client.snc_mode">
 <value>
 <Boolean>true</Boolean>
</value>

<entry key="jco.client.snc_qop" value="X"/>

The possible values of X are:

• 1: Authentication only

• 2: Integrity protection

• 3: Privacy protection

• 8: Use the value from snc/data_protection/use on the SAP Application Server.

<entry key="jco.client.snc_qop" value="X"/>

The possible values of X are:

• 0: Single Sign-On protocol disabled

• 1: Single Sign-On protocol enabled

Set the value to 0 as of JCo 3.0.9

Resolution 3: Ensure the SNC name in table SNCSYSACL (transaction SNC0), is not maintained. If it is present, remove the entry from the table.

Aggregation fails with the following error due to not having proper authorization of authorization object 'S_TABU_DIS (Activities: All Activities)'.

Resolution: Provide the authorization of authorization object S_TABU_DIS (Activities: All Activities)

Activities-All

Table Authorization Group-* (means all)

Or skip aggregation of license data of the user by adding the following entry key in debug pages of the application:

<entry key="skipLicenseData">    
    <value>
        <Boolean>true</Boolean>
    </value>
</entry>

Test connection fails with the following error message:

com.sap.conn.rfc.driver.CpicDirver

Resolution: Download the latest SAPJCO.jar and SAPJCO.dll files from SAP Marketplace and then use that SAPJCO Jar file with the latest downloaded SAPJCO dll file.

Resolution: In Account-Group Aggregation, if the Role and Profile Description is required in a language other than English, add the descriptionLanguage parameter with the correct value.

For example:

<entry key="descriptionLanguage" value="D"/>

In the above example, the value D is the language code for Dutch language supported by SAP.

If the descriptionLanguage parameter is not provided, the descriptions displayed are in English language.

The following error message appears when login to IdentityIQ for username and password with UTF-8 characters:

ERROR http-8080-1 sailpoint.server.Authenticator:323 - sailpoint.connector.AuthenticationFailedExcept
com.sap.conn.jco.JCoException: (109) RFC_ERROR_CANCELLED: Handle close pending

Resolution: Add the following entry in the application debug page:

<entry key="jco.client.codepage" value="4110"/>

Test connection /aggregation fails with the following error message:

Bad username or password. com.sap.conn.jco.JCoException: (109)

RFC_ERROR_CANCELLED: Handle close pending

Resolution: Ensure that the administrator user specified in application has sufficient rights on the SAP systems as mentioned in the Required Permissions section.

Resolution: Add the following entry in the application debug page:

<entry key="jco.client.pcs" value="2"/>

Test connection fails with the following error may be due to the libraries not getting loaded in Java even when all the required libraries are there in the required path:

[ConnectorException] [Error details] Destination Listener not initialized. Please make sure that all required libraries are in path.

Resolution: This issue can be resolved by performing the following procedure:

1. Create a folder / directory and place all the required libraries in it as mentioned in Prerequisites.

2. Set the following environment variable:

   • LD_LIBRARY_PATH: The location of libraries in Linux

   • PATH: The location of libraries in Windows

   • CLASSPATH: The location of libraries in Linux / Windows

   For example,

   For linux it should be as follows:

   LD_LIBRARY_PATH=/home/admin/lib

   CLASSPATH = /home/admin/lib/sapjco3.jar

   For Windows it should be as follows:

   PATH=/home/admin/lib

   CLASSPATH = /home/admin/lib/sapjco3.jar

Test connection fails with the following error even when all the required jars are there in the required path:

JCo initialization failed with java.lang.UnsatisfiedLinkError: C:\apache-tomcat-9.0.35\webapps\identityiq\WEB-INF\lib\sapjco3.dll: Can't find dependent libraries

Resolution: To resolve the issue implement the following setup:

Microsoft Visual Studio 2005 C/C++ runtime libraries (version 8.0.50727.6195)

The VC++ 2013 can be downloaded from https://support.microsoft.com/en-us/help/4032938/update-for-visual-c-2013-redistributable-package.

Exception: java.lang.OutOfMemoryError: Java heap space

One of the possible reasons is the role containing large number of Authorization Objects.

Resolution: To resolve this issue add the following entry key in the application debug page:

<entry key="splitAuthObjectValues">  
    <value>
        <Boolean>true</Boolean>
    </value>
</entry>

Provisioning fails with the following error message when trying to configure SNC using SAP JCO version 3.1 and when the client.snc_sso parameter is set to 0 in the application debug page:

"WARN: Warning from SAP while executing function [BAPI_USER_CHANGE]Password for user XXXX changed, but not set as productive"

Resolution: The value of client.snc_sso parameter must be set to 1 (that is, client.snc_sso = 1) or not defined (default is 1) in the SAP application. On the SAP managed system, JCO (SNC Name) value must not be specified in JCO ACL, that is JCO entry must be deleted from SNC0 tcode (table SNCSYSACL). Refer to SAP Note # 3016480 as recommended by SAP and only specific to SAP JCO 3.1.x.

[ ConnectorException ] [ Error details ] Exception occurred while test configuration operation, refer logs for more details. Initialization of repository destination SAP FS failed: Unencrypted communication is rejected by this system.

Resolution – Please check the ‘snc/only_encrypted_rfc’ parameter on SAP server, if set to 1, SAP server expects encrypted connections to it. We need to either set the value for this parameter to 0 or setup SNC connection both on IdentityIQ UI and SAP server to communicate.

When parallel requests are sent from the SailPoint platform to SAP for provisioning entitlements or attributes associated with the same identity, the provisioning request may fail with a following error-

"Locked by user <user id>"

Resolution – The restriction to not update any user with multiple consecutive requests has been implemented by SAP. This is a common practice built with most of the ERP systems to avoid conflicting changes to be made to any record. If the user id is already being edited by any request, the system stops the other requests to perform further updates on it until the previous request is complete.

The workaround to resolve this situation could be to implement re-tries and introduce delay conditions between consecutive requests or when this specific error is observed.

Provisioning fails with either a Locked by user error or a connection reset error.

Resolution: To configure retry mechanism in the SAP Direct connector, ensure to add the following attributes in the application XML via Debug page:

<entry key="retryWaitTime" value=“30”>
<entry key="maxRetryCount" value="3">
<entry key="retryableErrors">
    <value>
        <List>
            <String>error msgs</String>
        </List>
    </value>
</entry>

where, retryWaitTime is in seconds. The default value of retryWaitTime is 5 sec. The default value of maxRetryCount is 3.

Resolution: Change the language on the managed system to a single letter (that is, from EN to E) and then, run aggregation.