Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.

Test connection and aggregation failing with below error -Error in aggregation: java.lang.RuntimeException: [ InvalidResponseException ] [ Possible suggestions ] Make sure standalone command works with the UNIX terminal. The standalone command is - cat /etc/group | grep -v '^+' | grep -v '^-' [ Error details ] Command failed. Status: [?2004l0[?2004h , Output: [?2004h
Resolution – One possible cause is that the service account's shell has bracketed paste mode enabled. Readline then writes the ?2004h / ?2004l terminal control sequences around the command output, so the exit status the connector expects to read as 0 arrives as [?2004l0[?2004h and the response cannot be parsed. Bracketed paste is on by default in bash 5.1 and later.
To disable bracketed paste mode for a specific user, add the following line to that user's ~/.inputrc (or to /etc/inputrc to apply it to every readline user on the host):
set enable-bracketed-paste off
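As an added illustration (not part of the SailPoint page or of the connector's own code), the following Python shows how to recognise the symptom in captured shell output and how the standalone command's filter is meant to behave. The captured text is constructed for the example; the connector's real response parser is not shown here.

```python
import re
from typing import List

# Constructed sample of what a connector might capture when bracketed paste is
# on: readline wraps the output in ESC [ ? 2004 l / ESC [ ? 2004 h sequences.
CAPTURED_OUTPUT = (
    "\x1b[?2004l"
    "root:x:0:\n"
    "+@netgroup::::\n"      # NIS compat entries the standalone command drops
    "-baduser::::\n"
    "wheel:x:10:alice,bob\n"
    "\x1b[?2004h"
)

BRACKETED_PASTE_RE = re.compile(r"\x1b\[\?2004[hl]")


def has_bracketed_paste(output: str) -> bool:
    """True if the shell emitted bracketed-paste mode toggles into the stream."""
    return BRACKETED_PASTE_RE.search(output) is not None


def clean_group_output(output: str) -> List[str]:
    """Strip the control sequences, then apply the same filter as
    cat /etc/group | grep -v '^+' | grep -v '^-' (drop NIS compat lines)."""
    text = BRACKETED_PASTE_RE.sub("", output)
    return [line for line in text.splitlines()
            if line and not line.startswith(("+", "-"))]


if __name__ == "__main__":
    if has_bracketed_paste(CAPTURED_OUTPUT):
        print("bracketed paste is on for this account; add "
              "'set enable-bracketed-paste off' to ~/.inputrc")
    for group_line in clean_group_output(CAPTURED_OUTPUT):
        print(group_line)
```

Running the check against output captured from the service account's session tells you whether the readline fix applies before you change anything on the host.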

Test connection failed on SUSE computer with the following error message:
[InvalidResponseException] [Possible Suggestion ]Make sure standalone command works with the UNIX terminal. The standalone command is - echo 'TestConnection'[Error details] Unexpected output captured. Host:xxx.xx.xx.xxx. Output: sword sudo: pam_authenticate: Module is unknown SAILPOINT> Password Sh: Password: command not found.
Resolution – Set the following in the /etc/ssh/sshd_config file:
PasswordAuthentication yes
Then restart sshd after updating sshd_config:
/etc/init.d/sshd restart
On systemd-based SUSE releases use systemctl restart sshd instead. Run sshd -t first to check the edited configuration for syntax errors.

Password command failed with the following error message:
sailpoint.connector.InvalidConfigurationException: [InvalidConfigurationException] [Possible suggestions] a) Make sure the provided password is correct as per the password policy defined on the UNIX machine. b) Make sure application configuration attribute 'PasswdPrompts' is set correctly. c) Tune the parameter 'sshWaitTime'. [Error details] Password prompt mismatch. Check the shell output for more details.
The password command fails when the prompts printed by passwd on the target host do not match the prompts configured in the application.
Resolution – Run the password command on the Linux computer, note every prompt it prints, and confirm that each one is present in your application's PasswdPrompts configuration. For example, passwd Person2 prints:
Changing password for Person2:
New Password:
Here New Password: is the prompt. If this prompt is not present in your application, add or update it as in the following example:
<entry key="PasswdPrompts">
<value>
<Map>
<entry key="0">
<value>
<Map>
<entry key="(current) UNIX password:" value="CurrentPassword"/>
</Map>
</value>
</entry>
<entry key="1">
<value>
<Map>
<entry key="Old Password:" value="CurrentPassword"/>
</Map>
</value>
</entry>
<entry key="2">
<value>
<Map>
<entry key="New Password:" value="NewPassword"/>
</Map>
</value>
</entry>
<entry key="3">
…
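To make the prompt check above mechanical, here is an added Python example (not SailPoint code) that parses a PasswdPrompts entry in the nested entry/value/Map shape shown on the page and reports which prompts in a captured passwd session are not covered by it. Both the XML (completed with closing tags, since the page's fragment is truncated) and the passwd transcript are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed PasswdPrompts entry in the shape the page shows.
PASSWD_PROMPTS_XML = """<entry key="PasswdPrompts">
  <value>
    <Map>
      <entry key="0"><value><Map>
        <entry key="(current) UNIX password:" value="CurrentPassword"/>
      </Map></value></entry>
      <entry key="1"><value><Map>
        <entry key="Old Password:" value="CurrentPassword"/>
      </Map></value></entry>
      <entry key="2"><value><Map>
        <entry key="New Password:" value="NewPassword"/>
      </Map></value></entry>
    </Map>
  </value>
</entry>
"""

# Constructed transcript of `passwd Person2` on a target host. The retype
# prompt is deliberately absent from the configuration above.
PASSWD_TRANSCRIPT = """Changing password for Person2:
(current) UNIX password:
New Password:
Retype new password:
passwd: all authentication tokens updated successfully.
"""

# A line that ends in "password:" is treated as an input prompt; the
# "Changing password for ..." banner does not match.
PROMPT_LINE_RE = re.compile(r"password:\s*$", re.IGNORECASE)


def load_passwd_prompts(xml_text: str) -> List[Tuple[str, str]]:
    """Return (prompt text, role) pairs ordered by the numeric map key."""
    root = ET.fromstring(xml_text)
    if root.tag != "entry" or root.get("key") != "PasswdPrompts":
        raise ValueError('expected an <entry key="PasswdPrompts"> element')
    found = []
    for indexed in root.findall("./value/Map/entry"):
        order = int(indexed.get("key"))
        for e in indexed.findall("./value/Map/entry"):
            found.append((order, e.get("key"), e.get("value")))
    found.sort(key=lambda t: t[0])
    return [(prompt, role) for _, prompt, role in found]


def unmatched_prompts(transcript: str,
                      prompts: List[Tuple[str, str]]) -> List[str]:
    """Prompt lines in the transcript that no configured prompt string covers."""
    known = [p for p, _ in prompts]
    missing = []
    for line in transcript.splitlines():
        line = line.rstrip()
        if PROMPT_LINE_RE.search(line) and not any(k in line for k in known):
            missing.append(line)
    return missing


if __name__ == "__main__":
    configured = load_passwd_prompts(PASSWD_PROMPTS_XML)
    for prompt in unmatched_prompts(PASSWD_TRANSCRIPT, configured):
        print(f"prompt not in PasswdPrompts: {prompt!r}")
```

Each prompt the script reports needs its own indexed entry in the map; which role value it should map to (for a retype prompt, presumably NewPassword) is an assumption to confirm against the connector documentation for your version.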

Aggregation or Test Connection fails with the following timeout error:
Exception during aggregation of Object Type account on Application <application name> Reason: Unable to create iterator sailpoint.connector.TimeoutException: [TimeoutException] [Possible suggestions] Tune the parameter <sshTimeOut>. [Error details] Timeout occurred while reading output stream for the executed command.
Test Connection fails with following timeout error:
[TimeoutException] [Possible suggestions] Tune the parameter <sshTimeOut>. [Error details] Timeout occurred while reading output stream for the executed command.
Resolution – Change the value of the sshWaitTime application attribute (in milliseconds) as required:
<entry key="sshWaitTime" value="500"/>
If setting sshWaitTime does not solve the issue, connect to the Linux system as the sudo user to check the system's behavior. For example, after executing the following command, the system prompts with %SAILPOINTSUDO, where you should enter the sudo user's password:
sudo -p %SAILPOINTSUDO echo TestConnection
If third-party software (for example, Centrify) is installed on the Linux machine, it may not prompt with %SAILPOINTSUDO but with something different. In that case the connector cannot detect that it is being asked for the sudo user's password. Add the following entry key on the application Debug page to tell the connector which prompt to expect:
<entry key="SudoPasswdPrompt" value="<Custom prompt>"/>
For example, if the system prompts with CSO Password:
<entry key="SudoPasswdPrompt" value="CSO Password:"/>

After target aggregation, the resources are not getting correlated with Account Groups.
Resolution – Ensure that your correlation rule populates Correlator.RULE_RETURN_GROUP_ATTRIBUTE as follows:
....
if ( isGroup ) {
returnMap.put(Correlator.RULE_RETURN_GROUP_ATTRIBUTE,"nativeIdentity");
returnMap.put(Correlator.RULE_RETURN_GROUP_ATTRIBUTE_VALUE, nativeId);
}
....


Login failed. Error while connecting to host:<hostname>. Cannot read key file.
Resolution – Perform the following steps to generate or convert private/public keys into a format supported by UNIX direct connectors. The 1024-bit sizes shown below are under current minimums (use at least 2048 bits for RSA), and OpenSSH has disabled DSA (ssh-dss) keys by default since version 7.0, so prefer RSA where the connector allows it.

This method can be used for any version of SSH:
- Create the private key using the following command (for DSA, openssl gendsa takes a DSA parameter file produced by openssl dsaparam rather than a key size):
openssl <gendsa/genrsa> -des3 -out <private_key> 1024
- Change the permission on the <private_key> file: chmod 0600 <private_key>
- Create the public key from the private key: ssh-keygen -y -f <private_key> > <public_key>
- Use the <private_key> and <public_key> files for authentication.

For OpenSSH 5.8 or above:
- Create the private and public keys using the following command:
ssh-keygen -t <dsa/rsa> -b 1024
By default, files named id_dsa/id_rsa and id_dsa.pub/id_rsa.pub are created. OpenSSH 7.8 and later write private keys in the OpenSSH-native format by default, which the openssl command in the next step cannot read; add -m PEM to ssh-keygen to obtain a PEM-encoded private key.
- Convert the private key to the DES-EDE3-CBC encryption algorithm using the following command: openssl <dsa/rsa> -in <private_key> -out <new_private_key> -des3
- Change the permission on the <new_private_key> file: chmod 0600 <new_private_key>
- Create a public key file from the new private key: ssh-keygen -y -f <new_private_key> > <new_public_key>
- Use the <new_private_key> and <new_public_key> files for authentication.

Failed to authenticate provided ssh credentials to the host
Resolution – In RHEL FIPS mode, the system ssh-keyscan cannot retrieve server RSA keys. Ensure that you use ECDSA keys for the public key authentication configuration. To create the private and public keys, use the following command:
ssh-keygen -t ecdsa
By default, files named id_ecdsa and id_ecdsa.pub are created. Then follow the remaining steps (file permissions, public key file, authentication configuration) from the key-generation procedure above.

Test connection fails with the following error when the sudo user is configured for public key authentication:
Test SSH communication failed over host: xxxxxxxx. Error while executing command: sudo -p %SAILPOINTSUDO echo TestConnection over host: xxxxxxxx. Invalid sudo user password.
Resolution – On the managed system:
- If the sudoers file grants the sudo user access with the PASSWD tag, the sudo user's password specified in the application configuration must be correct even when public key authentication is used.
- If the sudoers file grants the sudo user access with the NOPASSWD tag, the sudo user's password specified in the application configuration may be any value; public key authentication still succeeds.
Note
Password is a mandatory field on the application user interface.
[InvalidConfigurationException] [Possible suggestions] a) Verify the private key file is correct for specified user. b) Verify the private key Passphrase is correct for specified user. c) Verify the private/ public key file permissions are correct on the given unix host. [Error details] Failed to authenticate the ssh credentials for the user: <user> to the host: XXX.XX.XX.XXX.
Resolution – Check the pam_tally2 failure counter for the user (pam_tally2 --user=<user>), reset it to 0 (zero) with pam_tally2 --user=<user> --reset, and then perform the operations again. Before resetting, confirm why the counter tripped: a lockout of the service account can also be the trace of a credential-guessing attempt against it.

Enable user failed with the following error:
sailpoint.connector.InvalidResponseException: [InvalidResponseException] [Possible suggestions] Make sure standalone command works with the UNIX terminal. The standalone command is - passwd -u "<user>" [Error details] Command failed. Status: 254 , Output: Unlocking password for user <user>. passwd: Warning: unlocked password would be empty. passwd: Unsafe operation (use -f to force). passwd: Unsafe operation (use -f to force)
Resolution – Update the following entry so that the unlock is forced:
<entry key="enable.account" value="passwd -u -f"/>
The warning means the account's password field would be empty after unlocking; -f forces the unlock anyway, which can leave an account with no password set, so set a password for the user if one is expected.

Test connection fails on SUSE Linux because Password Authentication was not enabled.
[InvalidConfigurationException] [Possible suggestions] Provide either publickey or password as an authentication method for the user. [Error details] No supported authentication methods found on the host XXX.XX.XX.XXX for user <user>
Resolution – Perform the following steps to enable Password Authentication:
- In the /etc/ssh/sshd_config file, change the value of PasswordAuthentication from no to yes:
PasswordAuthentication no
to
PasswordAuthentication yes
- Restart the server using the following command:
/etc/init.d/sshd restart
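The two SUSE resolutions above both come down to editing one sshd_config directive, and the usual mistake is appending it after a Match block (where it applies only to that block) or leaving it as the commented-out default. The following Python, added here as an illustration rather than SailPoint code, sets the directive in the global section and reports the value sshd would apply globally. The configuration excerpt is constructed for the example.

```python
import re
from typing import Optional

# Constructed sshd_config excerpt: the directive exists only as the commented
# default, and a Match block follows it.
SSHD_CONFIG = """# SUSE defaults
Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes

Match User backup
    PasswordAuthentication no
"""

MATCH_RE = re.compile(r"^\s*Match\b", re.IGNORECASE)


def effective_global_value(config: str, name: str) -> Optional[str]:
    """Value sshd applies globally: the first uncommented occurrence before
    any Match block wins (sshd keeps the first value it reads). None means
    the directive is unset and the compiled-in default applies."""
    pat = re.compile(rf"^\s*{re.escape(name)}\s+(\S+)", re.IGNORECASE)
    for line in config.splitlines():
        if MATCH_RE.match(line):
            break
        m = pat.match(line)
        if m:
            return m.group(1).lower()
    return None


def set_global_directive(config: str, name: str, value: str) -> str:
    """Set `name value` in the global section: replace the first uncommented
    global occurrence, else insert before the first Match line (or at end)."""
    lines = config.splitlines()
    first_match = next((i for i, l in enumerate(lines) if MATCH_RE.match(l)),
                       len(lines))
    pat = re.compile(rf"^\s*{re.escape(name)}\s+\S+", re.IGNORECASE)
    for i in range(first_match):
        if pat.match(lines[i]):
            lines[i] = f"{name} {value}"
            return "\n".join(lines) + "\n"
    lines.insert(first_match, f"{name} {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("before:", effective_global_value(SSHD_CONFIG, "PasswordAuthentication"))
    fixed = set_global_directive(SSHD_CONFIG, "PasswordAuthentication", "yes")
    print("after: ", effective_global_value(fixed, "PasswordAuthentication"))
    print(fixed)
```

Enabling password logins globally widens the exposure of every account on the host; if only the connector's service account needs it, a Match User block for that account is the narrower setting. Validate the file with sshd -t before restarting sshd.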

Resolution – Perform the following:
For RHEL 6.x and later:
- Specify the maximum allowed failed login attempts before the account is locked by the system. Edit the configuration file pointed to by the registry key:
<entry key="get.loginsyslimit" value="cat /etc/pam.d/system-auth"/>
Default value – /etc/pam.d/system-auth or /etc/pam.d/password-auth
Specify the maximum allowed failed logins using deny=. For example, add the following lines in /etc/pam.d/system-auth or /etc/pam.d/password-auth:
auth required pam_tally2.so onerr=fail deny=5
account required pam_tally2.so
- Ensure that the pam_tally2 command, as required by the following registry key, works correctly:
<entry key="aggregation.lockstatus" value="pam_tally2 | awk '{print $1} {print $2} '"/>
- Ensure that the following command to get failed logins works on the system:
<entry key="get.userfailedlogin" value="pam_tally2"/>
- Verify that the unlock command specified in the registry correctly resets the failed login counter:
Default settings –
<entry key="unlock.account" value="pam_tally2 -u"/>
Note
For RHEL versions prior to 6.0, where the pam_tally2 module is not installed, replace pam_tally2 with faillog in the above commands.

The test connection fails with the following error message when IdentityIQ is deployed on a JBoss Application Server:
[Possible suggestions] a) Check UNIX host is up and running. b) Make sure there is a smooth connectivity between Identity Server and UNIX host.
[Error details] Login failed. Error while connecting to the host <host_name>. BouncyCastle is required to read a key of type ecdsa-sha2-nistp256
Resolution – Perform the following:
- Edit the WEB-INF/jboss-deployment-structure.xml file to add the <resources> XML tag inside the <deployment> tag, as shown in the following example:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
<deployment>
<resources>
<resource-root path="WEB-INF/lib/bcprov-ext-jdk15on-<version>.jar" use-physical-code-source="true"/>
</resources>
</deployment>
</jboss-deployment-structure>
- Restart the JBoss Server and perform another Test Connection.

During account aggregation and account provisioning, the user status is displayed as active for a locked user when using the pam_tally2 module on RHEL 8.
Resolution – On RHEL 8 failed logins are typically tracked by pam_faillock rather than pam_tally2, so the pam_tally2 commands in the registry report no failures and the locked account appears active. Perform the following:
- Specify the maximum allowed failed login attempts before the account is locked by the system. Edit the configuration file pointed to by the registry key:
<entry key="get.loginsyslimit" value="cat /etc/pam.d/password-auth"/>
Default value – /etc/pam.d/system-auth or /etc/pam.d/password-auth
- Ensure that the faillock command, as required by the following registry key, works correctly:
<entry key="aggregation.lockstatus" value="faillock"/>
- Ensure that the following command to get failed logins works on the system:
<entry key="get.userfailedlogin" value="faillock"/>
- Verify that the unlock command specified in the registry correctly resets the failed login counter:
<entry key="unlock.account" value="faillock --user"/>
Default settings –
<entry key="unlock.account" value="pam_tally2 -u"/>
Alternative resolution – Specify the maximum allowed failed login attempts before the account is locked by the system. Edit the configuration file pointed to by the registry key:
<entry key="get.loginsyslimit" value="cat /etc/pam.d/password-auth"/>
If faillock is configured through the faillock.conf file, use the following entry key instead:
<entry key="get.loginsyslimit" value="cat /etc/security/faillock.conf | tr -d ' '" />
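The pam_tally2 procedure for RHEL 6.x and the faillock procedure for RHEL 8 above both derive a lock status from two pieces: the deny= limit read by get.loginsyslimit and the per-user failure count read from the lock-status command. The following Python, added as an illustration and not SailPoint's connector logic, parses constructed samples of both tools' output and shows why feeding faillock output to a pam_tally2-style parser yields the false "active" status the page describes.

```python
import re
from typing import Optional

# Constructed output of the get.loginsyslimit commands on the page.
PAM_TALLY2_CONFIG = (
    "auth required pam_tally2.so onerr=fail deny=5\n"
    "account required pam_tally2.so\n"
)
FAILLOCK_CONF = "deny=3\nunlock_time=600\n"  # faillock.conf after `tr -d ' '`

# Constructed `pam_tally2` output for a user with 7 recorded failures.
PAM_TALLY2_OUTPUT = (
    "Login           Failures Latest failure     From\n"
    "alice               7    03/11/24 10:15:22  10.0.0.5\n"
)
# Constructed `faillock --user alice` output: three still-valid (V) records.
FAILLOCK_OUTPUT = (
    "alice:\n"
    "When                Type  Source                 Valid\n"
    "2024-03-11 10:15:22 RHOST 10.0.0.5               V\n"
    "2024-03-11 10:16:01 RHOST 10.0.0.5               V\n"
    "2024-03-11 10:16:40 RHOST 10.0.0.5               V\n"
)


def deny_limit(config_text: str) -> Optional[int]:
    """deny=N from a pam_tally2/pam_faillock module line or faillock.conf."""
    m = re.search(r"\bdeny\s*=\s*(\d+)", config_text)
    return int(m.group(1)) if m else None


def failures_pam_tally2(output: str, user: str) -> int:
    """Failure count from `pam_tally2` output: the login and failures columns
    are the two fields the awk in aggregation.lockstatus prints."""
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 2 and fields[0] == user and fields[1].isdigit():
            return int(fields[1])
    return 0


def failures_faillock(output: str, user: str) -> int:
    """Count still-valid (V) failure records for `user` in `faillock` output;
    records marked I have expired and no longer count toward the lockout."""
    count, in_user = 0, False
    for line in output.splitlines():
        if line.endswith(":"):                    # "user:" section header
            in_user = line[:-1] == user
            continue
        fields = line.split()
        if in_user and fields and fields[-1] == "V":
            count += 1
    return count


def lock_status(failures: int, limit: Optional[int]) -> str:
    """'locked' once failures reach deny=, 'unknown' if no limit was found."""
    if limit is None:
        return "unknown"
    return "locked" if failures >= limit else "active"


if __name__ == "__main__":
    # RHEL 6.x style: pam_tally2 config and output agree.
    print(lock_status(failures_pam_tally2(PAM_TALLY2_OUTPUT, "alice"),
                      deny_limit(PAM_TALLY2_CONFIG)))          # locked
    # RHEL 8 with the registry still pointed at pam_tally2: the faillock
    # output parses as zero failures, so the locked user shows as active.
    print(lock_status(failures_pam_tally2(FAILLOCK_OUTPUT, "alice"),
                      deny_limit(FAILLOCK_CONF)))              # active
    # RHEL 8 with the faillock registry entries: correct result.
    print(lock_status(failures_faillock(FAILLOCK_OUTPUT, "alice"),
                      deny_limit(FAILLOCK_CONF)))              # locked
```

The same mismatch appears in the other direction when deny= is read from the wrong file, so after switching the registry entries check both halves (limit and count) against the host by hand.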

Unstructured Target Aggregation fails with a timeout error when there is a large number of temporary files under the directory.
Resolution – Add the required paths as comma-separated values instead of the parent directory for Target Aggregation.