Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.
Test connection and aggregation fail with the following error:
Error in aggregation: java.lang.RuntimeException: [ InvalidResponseException ] [ Possible suggestions ] Make sure standalone command works with the UNIX terminal. The standalone command is - cat /etc/group | grep -v '^+' | grep -v '^-' [ Error details ] Command failed. Status: [?2004l0[?2004h , Output: [?2004h
Resolution – One possible cause is that the service account has bracketed paste mode enabled in its shell. The [?2004h and [?2004l sequences in the captured status and output are the terminal control codes this mode emits, and they corrupt the command output that the connector parses.
To disable bracketed paste mode for a specific user, add the following line to ~/.inputrc:
set enable-bracketed-paste off
Test connection fails on a SUSE computer with the following error message:
[InvalidResponseException] [Possible Suggestion ]Make sure standalone command works with the UNIX terminal. The standalone command is - echo 'TestConnection'[Error details] Unexpected output captured. Host:xxx.xx.xx.xxx. Output: sword sudo: pam_authenticate: Module is unknown SAILPOINT> Password Sh: Password: command not found.
Resolution – When the test connection fails on the SUSE computer, change the following setting in the /etc/ssh/sshd_config file:
PasswordAuthentication yes
After updating sshd_config, enter the following command to restart sshd:
/etc/init.d/sshd restart
Password command fails with the following error message:
sailpoint.connector.InvalidConfigurationException: [InvalidConfigurationException] [Possible suggestions] a) Make sure the provided password is correct as per the password policy defined on the UNIX machine. b) Make sure application configuration attribute 'PasswdPrompts' is set correctly. c) Tune the parameter 'sshWaitTime'. [Error details] Password prompt mismatch. Check the shell output for more details.
The password command fails when the prompts configured in the application do not match the prompts that the UNIX machine actually displays.
Resolution – Run the password command on the Linux computer, note the prompts it displays, and confirm that each of them is present in your application. For example:
passwd Person2
Changing password for Person2:
New Password:
Here New Password is the prompt, so if this prompt is not present in your application, add or update it as follows:
<entry key="PasswdPrompts">
  <value>
    <Map>
      <entry key="0">
        <value>
          <Map>
            <entry key="(current) UNIX password:" value="CurrentPassword"/>
          </Map>
        </value>
      </entry>
      <entry key="1">
        <value>
          <Map>
            <entry key="Old Password:" value="CurrentPassword"/>
          </Map>
        </value>
      </entry>
      <entry key="2">
        <value>
          <Map>
            <entry key="New Password:" value="NewPassword"/>
          </Map>
        </value>
      </entry>
      <entry key="3">
      …
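The following is an added example, not SailPoint's code: it parses a PasswdPrompts map of the shape shown above and compares it with the prompts that a constructed passwd transcript shows, to locate a prompt mismatch before editing the application. It assumes the connector compares prompt text literally (an assumption, not something the page states).

```python
import xml.etree.ElementTree as ET

# Constructed sample of the PasswdPrompts entry, in the shape shown above but
# completed with its closing tags so that it parses.
PASSWD_PROMPTS_XML = """<entry key="PasswdPrompts"><value><Map>
  <entry key="0"><value><Map>
    <entry key="(current) UNIX password:" value="CurrentPassword"/></Map></value></entry>
  <entry key="1"><value><Map>
    <entry key="Old Password:" value="CurrentPassword"/></Map></value></entry>
  <entry key="2"><value><Map>
    <entry key="New Password:" value="NewPassword"/></Map></value></entry>
</Map></value></entry>"""

# Constructed transcript of `passwd Person2` on a host whose prompt differs in
# case from the configured "New Password:".
PASSWD_TRANSCRIPT = """Changing password for Person2:
New password:
Retype new password:
"""


def parse_passwd_prompts(xml_text):
    """Map each configured prompt string to its stage (CurrentPassword/NewPassword)."""
    root = ET.fromstring(xml_text)
    prompts = {}
    # Each numbered entry wraps one <Map> holding a single prompt -> stage pair.
    for inner in root.findall("./value/Map/entry/value/Map/entry"):
        prompts[inner.get("key")] = inner.get("value")
    return prompts


def missing_prompts(prompts, transcript):
    """Prompts shown by passwd that have no exact match in the configured map.

    Assumes the connector compares prompt text literally, so "New password:"
    does not satisfy a configured "New Password:". Prompt lines are taken to be
    lines ending in ':' other than the "Changing password for ..." banner.
    """
    shown = [line.strip() for line in transcript.splitlines()
             if line.strip().endswith(":") and not line.startswith("Changing password")]
    return [p for p in shown if p not in prompts]
```

Each prompt the function reports must be added to the PasswdPrompts map with the stage it belongs to.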
Aggregation or Test Connection fails with the following timeout error:
Exception during aggregation of Object Type account on Application <application name> Reason: Unable to create iterator sailpoint.connector.TimeoutException: [TimeoutException] [Possible suggestions] Tune the parameter <sshTimeOut>. [Error details] Timeout occurred while reading output stream for the executed command.
Test Connection fails with the following timeout error:
[TimeoutException] [Possible suggestions] Tune the parameter <sshTimeOut>. [Error details] Timeout occurred while reading output stream for the executed command.
Resolution – Change the value of the sshWaitTime application attribute (in milliseconds) as per your requirement:
- Key – connector_sshWaitTime
- Value – 500
If setting sshWaitTime does not solve the issue, connect to the Linux system as the sudo user to check the system's behavior. For example, after executing the following command, the system prompts for %SAILPOINTSUDO, where you should enter the sudo user's password:
sudo -p %SAILPOINTSUDO echo TestConnection
If the system instead shows a custom prompt, for example CSO Password:, configure that prompt:
- Key – connector_SudoPasswdPrompt
- Value – <custom prompt>, which is CSO Password: in this example
Login failed. Error while connecting to host:<hostname>. Cannot read key file.
Resolution – Perform the following steps to generate or convert private/public keys into a format supported by UNIX direct connectors.
This method can be used for any version of SSH:
- Create the private key using the following command:
openssl <gendsa/genrsa> -des3 -out <private_key> 1024
- Change the permissions on the <private_key> file as follows:
chmod 0600 <private_key>
- Create the public key from <private_key>:
ssh-keygen -y -f <private_key> > <public_key>
- Use the <private_key> and <public_key> files for authentication.
For OpenSSH 5.8 or above:
- Create the private and public keys using the following command:
ssh-keygen -t <dsa/rsa> -b 1024
By default, files named id_dsa/id_rsa and id_dsa.pub/id_rsa.pub are created.
- Convert the <private_key> to the DES-EDE3-CBC encryption algorithm using the following command:
openssl <dsa/rsa> -in <private_key> -out <new_private_key> -des3
- Change the permissions on the <new_private_key> file as follows:
chmod 0600 <new_private_key>
- Create a public key file from the new private key as follows:
ssh-keygen -y -f <new_private_key> > <new_public_key>
- Use the <new_private_key> and <new_public_key> files for authentication.
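As an added pre-flight check (not SailPoint's code) for the "Cannot read key file" error, the following verifies the properties the procedure above produces: a traditional PEM private key, encrypted with DES-EDE3-CBC (the headers openssl writes for -des3), and mode 0600. The sample key file is constructed with a placeholder body.

```python
import os
import stat
import tempfile

# Constructed sample in the form `openssl <dsa/rsa> ... -des3` writes: traditional
# PEM header plus the encryption headers; the body is a placeholder, not a key.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDERKEYBODYPLACEHOLDERKEYBODYPLACEHOLDERKEYBODY==
-----END RSA PRIVATE KEY-----
"""

PEM_HEADERS = ("-----BEGIN RSA PRIVATE KEY-----",
               "-----BEGIN DSA PRIVATE KEY-----",
               "-----BEGIN EC PRIVATE KEY-----")


def check_key_file(path):
    """Return the problems found with the key file; an empty list means it passes."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:  # the chmod 0600 step above
        problems.append("permissions are %04o, expected 0600" % mode)
    with open(path) as f:
        lines = [line.rstrip("\n") for line in f]
    # Newer ssh-keygen writes "-----BEGIN OPENSSH PRIVATE KEY-----" by default;
    # that is not the traditional PEM form the conversion step above produces.
    if not lines or lines[0] not in PEM_HEADERS:
        problems.append("not a traditional PEM private key (first line: %r)" % (lines[0] if lines else ""))
    if not any(line.startswith("DEK-Info: DES-EDE3-CBC") for line in lines):
        problems.append("not DES-EDE3-CBC encrypted; rerun the openssl -des3 conversion")
    return problems


def write_sample(content, mode):
    """Write content to a temp file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(path, mode)
    return path
```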
Failed to authenticate provided ssh credentials to the host
Resolution – In RHEL FIPS mode, the system ssh-keyscan cannot retrieve server RSA keys. Ensure that you use ECDSA keys for public key authentication. To create the private and public keys, use the following command:
ssh-keygen -t ecdsa
By default, files named id_ecdsa and id_ecdsa.pub are created. Then repeat the remaining steps of the key generation procedure above.
Enable user fails with the following error:
sailpoint.connector.InvalidResponseException: [InvalidResponseException] [Possible suggestions] Make sure standalone command works with the UNIX terminal. The standalone command is - passwd -u "<user>" [Error details] Command failed. Status: 254 , Output: Unlocking password for user <user>. passwd: Warning: unlocked password would be empty. passwd: Unsafe operation (use -f to force). passwd: Unsafe operation (use -f to force)
Resolution – Update the following entry so that the unlock is forced:
- Key – connector_enable.account
- Value – passwd -u -f
Test connection fails on SUSE Linux because password authentication is not enabled:
[InvalidConfigurationException] [Possible suggestions] Provide either publickey or password as an authentication method for the user. [Error details] No supported authentication methods found on the host XXX.XX.XX.XXX for user <user>
Resolution – Perform the following steps to enable password authentication:
- Change the value of PasswordAuthentication from no to yes in the /etc/ssh/sshd_config file, that is, change:
PasswordAuthentication no
to
PasswordAuthentication yes
- Restart the server using the following command:
/etc/init.d/sshd restart
Resolution – Perform the following:
For RHEL 6.x and later:
- Specify the maximum allowed failed login attempts before the account is locked by the system. Edit the configuration file pointed to by the registry key:
<entry key="get.loginsyslimit" value="cat /etc/pam.d/system-auth"/>
Default value – /etc/pam.d/system-auth or /etc/pam.d/password-auth
Specify the maximum allowed failed logins using deny=. For example, add the following lines to /etc/pam.d/system-auth or /etc/pam.d/password-auth:
auth required pam_tally2.so onerr=fail deny=5
account required pam_tally2.so
- Ensure that the pam_tally2 command, as required by the following registry key, works correctly:
<entry key="aggregation.lockstatus" value="pam_tally2 | awk '{print $1} {print $2} '"/>
- Ensure that the following command to get failed logins works on the system:
<entry key="get.userfailedlogin" value="pam_tally2"/>
- Verify that the unlock command specified in the registry correctly resets the failed login counter:
Default settings – <entry key="unlock.account" value="pam_tally2 -u"/>
Note
For RHEL versions prior to 6.0, where the pam_tally2 module is not installed, replace pam_tally2 with faillog in the above commands.
During account aggregation and account provisioning, the user status is displayed as active for a locked user when using the pam_tally2 module on RHEL 8.
Resolution – Perform the following:
- Specify the maximum allowed failed login attempts before the account is locked by the system. Edit the configuration file pointed to by the registry key:
<entry key="get.loginsyslimit" value="cat /etc/pam.d/password-auth"/>
Default value – /etc/pam.d/system-auth or /etc/pam.d/password-auth
- Ensure that the faillock command, as required by the following registry key, works correctly:
<entry key="aggregation.lockstatus" value="faillock"/>
- Ensure that the following command to get failed logins works on the system:
<entry key="get.userfailedlogin" value="faillock"/>
- Verify that the unlock command specified in the registry correctly resets the failed login counter:
<entry key="unlock.account" value="faillock --user"/>
Default settings – <entry key="unlock.account" value="pam_tally2 -u"/>
Alternative:
Resolution – Specify the maximum allowed failed login attempts before the account is locked by the system. Edit the configuration file pointed to by the registry key:
<entry key="get.loginsyslimit" value="cat /etc/pam.d/password-auth"/>
If faillock is enabled using the faillock.conf file, use the following entry key instead:
<entry key="get.loginsyslimit" value="cat /etc/security/faillock.conf | tr -d ' '" />
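The following added example (not SailPoint's code) shows what the RHEL 8 registry entries above have to establish: it reads the deny= limit from either a PAM line or faillock.conf text (with or without the spaces that tr -d ' ' removes) and counts the valid failure records in faillock output to decide whether the account is locked. The configuration lines and the faillock output are constructed samples in the formats those files and commands use.

```python
import re

# Constructed: what `cat /etc/security/faillock.conf | tr -d ' '` returns.
FAILLOCK_CONF = """#deny=3
deny=5
unlock_time=600
"""

# Constructed: a PAM line of the form used in the RHEL 6.x resolution above.
PAM_LINE = "auth required pam_tally2.so onerr=fail deny=5"

# Constructed: output of `faillock --user jsmith` with three valid (V) records.
FAILLOCK_OUTPUT = """jsmith:
When                Type  Source                                           Valid
2024-01-15 09:12:01 RHOST 10.0.0.5                                             V
2024-01-15 09:12:20 RHOST 10.0.0.5                                             V
2024-01-15 09:12:45 RHOST 10.0.0.5                                             V
"""


def deny_limit(text):
    """Return the deny= value from PAM or faillock.conf text, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.search(r"\bdeny\s*=\s*(\d+)", line)  # tolerates "deny = 5" too
        if m:
            return int(m.group(1))
    return None  # no limit configured, so failures never lock the account


def valid_failures(faillock_output):
    """Count the records faillock still counts, i.e. those marked V in the Valid column."""
    return sum(1 for line in faillock_output.splitlines()
               if re.match(r"\d{4}-\d{2}-\d{2} ", line.strip()) and line.rstrip().endswith("V"))


def is_locked(faillock_output, limit_text):
    """True when the valid failure count has reached the configured deny limit."""
    limit = deny_limit(limit_text)
    return limit is not None and valid_failures(faillock_output) >= limit
```

If the connector's lock status entry still runs pam_tally2 on RHEL 8, the counter it reads is not the one faillock maintains, which is why a locked user is reported as active.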