Troubleshooting
If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.
Error message:
com.sap.conn.jco.JCoException: (104). Data is lost while copying a value. Message 341 of class 00 type X: SAPSQL_DATA_LOSS. SAP_QUERY_TABLE_NAME:TUTYP
Resolution: Update the client language in the source XML from <entry key="clientLanguage" value="EN"/> to <entry key="clientLanguage" value="E"/> and retry aggregation.
This is the BAPI behavior when the Role Details attribute is missing from account schema.
Resolution: Add the Role Details attribute in account schema to resolve the issue.
<AttributeDefinition name="Role Details" type="string">
<Description>Role Details of the User</Description>
</AttributeDefinition>
Resolution: Go into the groups tab of the account and ensure that the User Group has been assigned.
When creating a new account, the password is not deactivated even when the correct parameters are passed.
Resolution: Add CODVN in the create account provisioning form. If you need the password to be deactivated, then the password should not be sent from the plan. When the provisioning form is displayed, clear out the password field. The password deactivated field should be set as X/true.
Exception while getting system info from CVERS and PRDVERS tables
sailpoint.connector.ConnectorException: Caused by class com.sap.conn.jco.AbapException: (126) TABLE_ACCESS_NOT_ALLOWED: Message 000 of class null type : . SAP_QUERY_TABLE_NAME:CVERS
Resolution: Provide the correct permissions to the service account user on the CVERS and PRDVERS tables. Additionally, ensure both of the following additions have been made:
- CVERS/PRDVERS is added in the S_TABU_NAME authorization object.
- CVERS/PRDVERS is added in the /SAILPOIN/CONF table.
An error message is displayed when using Function Module /SAILPOIN/SAIL_READ_TABLE and /SAILPOIN/SAIL_READ_TABLE_LEG
Exception during aggregation. Reason: java.lang.RuntimeException: ASSIGN_TYPE_CONFLICT while querying table *Table_Name*. One of the fields queried (field1,field2,field3… ) may have incorrect COLUMN_LENGTH set in /SAILPOIN/CONF table. Please refer ASSIGN_TYPE_CONFLICT in troubleshooting section of documentation for more details.
Resolution: Ensure COLUMN_LENGTH is correctly configured for the fields of *Table_Name* in the /SAILPOIN/CONF table. This can be validated through the t-code "SE11" while viewing the table details under the Fields tab.
Data was lost while copying a value
Resolution: If SAP has been patched to SP 17 or later, change the client language to a single character. For example, if the client language is EN, change it to E. For more information on the One Character Code for Language, refer to the SAP KB article.
Could not initialize class com.sap.conn.jco.rt.JCoRuntimeFactory
Resolution: sapjco and libsapjco jars on the UI.
[ ConnectorException ] [ Error details ] Exception occurred while test configuration operation, refer logs for more details. Initialization of repository destination SAP - PMP failed: Logon data incomplete.
Resolution: Ensure the flag for "Entry for RFC activated" is unchecked in the SAP server.
In a SAP CUA landscape, a SAP role or profile requires a SUBSYSTEM to distribute the user to. The facility to select or specify the same, while requesting an entitlement for an account, is absent.
Resolution: The subsystem name is prepended to the Account-Group while aggregating account-groups from a SAP CUA system. As a result, only a limited subset of subsystem and account-group combinations are available while requesting entitlements, and thus distributing users, in a SAP CUA landscape.
Invalid Entitlement. managedAttribute is missing.
Resolution: In Account Schema, update the schemaObjectType value of the Roles and Child Roles attributes to Group.
Even after Refresh Entitlement Correlation is executed, the entitlements are not deleted from the current access page.
Resolution: Execute the Perform Identity Request Maintenance task to remove those entitlements. Ensure that the Verify provisioning for requests option is selected for this task.
The change password feature is not working with SNC, when PRODUCTIVE_PWD attribute is X.
Resolution:
POST
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
Where:
- <url> is the URL for the customer's Identity Security Cloud instance.
- <sourceID> is the Source ID (number) obtained through the UI.
In the body of the POST, set form-data values as follows:
- Key: connector_productivePasswordValue
- Value: The value to set, for example, 1. By default the value is X.
Resolution 2: Check the following jco parameters and add them in the source xml as per your environment requirements:
<entry key="jco.client.snc_mode">
  <value>
    <Boolean>true</Boolean>
  </value>
</entry>
<entry key="jco.client.snc_qop" value="X"/>
The possible values of X are:
- 1: Authentication only
- 2: Integrity protection
- 3: Privacy protection
- 8: Use the value from snc/data_protection/use on the SAP Application Server.
<entry key="jco.client.snc_sso" value="X"/>
The possible values of X are:
- 0: Single Sign-On protocol disabled
- 1: Single Sign-On protocol enabled
Set the value to 0 as of JCo 3.0.9
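A small check of the source XML entries discussed in this section, added here as an example (it is not SailPoint's code): it flags a multi-character clientLanguage, values of jco.client.snc_qop and jco.client.snc_sso outside the lists above, and an unclosed <entry> element, which surfaces as a parse error. The <Map> wrapper, the function names and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Allowed values as listed in this section.
ALLOWED = {
    "jco.client.snc_qop": {"1", "2", "3", "8"},
    "jco.client.snc_sso": {"0", "1"},
}

def entry_value(entry):
    """Read an entry's value from its attribute or a nested <value><Boolean>."""
    if "value" in entry.attrib:
        return entry.attrib["value"]
    nested = entry.find("./value/Boolean")
    return nested.text.strip() if nested is not None and nested.text else None

def lint_source_xml(xml_text):
    """Return a list of findings for the language and SNC entries."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:          # e.g. a missing </entry>
        return [f"XML is not well-formed: {exc}"]
    entries = {e.get("key"): entry_value(e) for e in root.iter("entry")}
    findings = []
    lang = entries.get("clientLanguage")
    if lang is not None and len(lang) != 1:
        findings.append(f"clientLanguage={lang!r}: use the one-character code")
    for key, allowed in ALLOWED.items():
        val = entries.get(key)
        if val is not None and val not in allowed:
            findings.append(f"{key}={val!r}: expected one of {sorted(allowed)}")
    # SNC settings only take effect when SNC mode is switched on.
    snc_keys = [k for k in ALLOWED if k in entries]
    if snc_keys and entries.get("jco.client.snc_mode") != "true":
        findings.append("SNC values set but jco.client.snc_mode is not true")
    return findings

# Constructed sample input: "EN" and the literal placeholder "X" are both flagged.
SAMPLE = """<Map>
  <entry key="clientLanguage" value="EN"/>
  <entry key="jco.client.snc_mode"><value><Boolean>true</Boolean></value></entry>
  <entry key="jco.client.snc_qop" value="X"/>
  <entry key="jco.client.snc_sso" value="1"/>
</Map>"""

if __name__ == "__main__":
    for finding in lint_source_xml(SAMPLE):
        print(finding)
```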
Resolution 3: Ensure the SNC name is not maintained in table SNCSYSACL (transaction SNC0). If it is present, remove the entry from the table.
Aggregation fails with the following error due to not having proper authorization of authorization object 'S_TABU_DIS (Activities: All Activities)'.
Resolution: Provide the authorization of authorization object S_TABU_DIS (Activities: All Activities):
- Activities: All
- Table Authorization Group: * (means all)
Or skip aggregation of license data of the user by adding the following entry key using the REST API as follows:
POST <url>/api/source/update/<sourceID>
Where:
- <url> is the URL for the customer's Identity Security Cloud instance
- <sourceID> is the Source ID (number) obtained through the UI
In the body of the POST, set form-data values as follows:
- Key: connector_skipLicenseData
- Value: true
Test connection fails with the following error message:
com.sap.conn.rfc.driver.CpicDirver
Resolution: Download the latest SAPJCO.jar and SAPJCO.dll files from SAP Marketplace and then use that SAPJCO Jar file with the latest downloaded SAPJCO dll file.
Resolution: In Account-Group Aggregation, if the Role and Profile Description is required in a language other than English, add the descriptionLanguage parameter with the correct value.
POST <url>/api/source/update/<sourceID>
Where:
- <url> is the URL for the customer's Identity Security Cloud instance
- <sourceID> is the Source ID (number) obtained through the UI
In the body of the POST, set form-data values as follows:
- Key: connector_descriptionLanguage
- Value: The language code. For example, D.
In the above example, the value D is the language code for Dutch language supported by SAP.
If the descriptionLanguage parameter is not provided, the descriptions are displayed in English.
Test connection/aggregation fails with the following error message:
Bad username or password. com.sap.conn.jco.JCoException: (109)
RFC_ERROR_CANCELLED: Handle close pending
Resolution: Ensure that the administrator user specified in application has sufficient rights on the SAP systems as mentioned in the Administrator Permissions section.
Resolution: Use the REST API to add an entry for the jco.client.pcs attribute:
POST <url>/api/source/update/<sourceID>
Where:
- <url> is the URL for the customer's Identity Security Cloud instance
- <sourceID> is the Source ID (number) obtained through the UI
In the body of the POST, set form-data values as follows:
- Key: connector_jco.client.pcs
- Value: 2
"RfcGetException: Name or password is incorrect (repeat logon)"
Exception: java.lang.OutOfMemoryError: Java heap space
Resolution: One of the possible reasons for this failure is that a role contains a large number of Authorization Objects. To resolve this error, set the splitAuthObjectValues attribute using the REST API with the following body:
[
  {
    "op": "add",
    "path": "/connectorAttributes/splitAuthObjectValues",
    "value": true
  }
]
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
Provisioning fails with the following error message when trying to configure SNC using SAP JCO version 3.1 and when the client.snc_sso parameter is set to 0 in the application debug page:
"WARN: Warning from SAP while executing function [BAPI_USER_CHANGE]Password for user XXXX changed, but not set as productive"
Resolution: The value of the client.snc_sso parameter must be set to 1 (that is, client.snc_sso = 1) or not defined (default is 1) in the SAP application. On the SAP managed system, the JCO (SNC Name) value must not be specified in the JCO ACL; that is, the JCO entry must be deleted from the SNC0 tcode (table SNCSYSACL). Refer to SAP Note # 3016480, as recommended by SAP; this is specific to SAP JCO 3.1.x only.
"sailpoint.connector.ConnectionFailedException: Server is DOWN or Connection parameters are incorrect.
OR
ERROR hostname 'sailpoint-va' unknown\nTIME
OR
JCO_ERROR_COMMUNICATION: Connect to SAP gateway failed
Resolution: There are three possible options to solve this error.
Option 1: One reason for this issue is that the IP address of the VA is not recognized by the connector. To resolve this, you must make an entry in hosts.yaml with the IP address of the VA as well as the managed source (SAP server).
Note
For information on creating a hosts.yaml file, refer to Configuring a Hosts.yaml File.
For example:
hosts:
  10.200.80.60: -SAPSER4
  10.22.131.14: -sailpoint-va
Where 10.200.80.60 is the IP and SAPSER4 is the hostname of the SAP server, and 10.22.131.14 is the IP of the VA and sailpoint-va is the default name of the VA. Ensure that SAP is installed with JCO enabled.
Similarly, add the IP and hostname of the VA being used in the file. Restart CCG or reboot the VA after the update.
Option 2: Add a Route entry in the static.network file to persist the routing table entry of the VA hostname. To do so, perform the following steps:
- In your VA, go to ../etc/systemd/network/static.network
- Add the following entry:
  [Route]
  Gateway=<10.0.0.1>
  Destination=<public_ip>/<netmask>
- Run sudo systemctl restart systemd-networkd to apply the configuration.
- Run route -n to show routes.
- Restart CCG or reboot the VA and check that the entry still persists.
Option 3: Update DNS entries for VAs on your network so that FQDN resolves for each VA. To do so, perform the following steps:
- Run sudo hostnamectl set-hostname <hostname of your choice> to set the VA hostname.
- Run the hostname command to validate.
- Run sudo reboot to reboot the VA.
The VA should reflect the new hostname.
[ ConnectorException ] [ Error details ] Exception occurred while test configuration operation, refer logs for more details. Initialization of repository destination SAP FS failed: Unencrypted communication is rejected by this system.
Resolution: Check the 'snc/only_encrypted_rfc' parameter on the SAP server. If it is set to 1, the SAP server expects encrypted connections to it. Either set the value of this parameter to 0 or set up an SNC connection both on
When parallel requests are sent from the SailPoint platform to SAP for provisioning entitlements or attributes associated with the same identity, the provisioning request may fail with the following error:
"Locked by user <user id>"
Resolution: SAP restricts a user from being updated by multiple consecutive requests. This is common practice in most ERP systems to avoid conflicting changes to a record. If the user ID is already being edited by one request, the system stops other requests from updating it until the previous request is complete.
A possible workaround is to implement retries and introduce delays between consecutive requests, or when this specific error is observed.
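One way to implement the retry-and-delay workaround on the calling side, added here as an example (it is not SailPoint's code): requests for the same identity are serialized locally, and only the "Locked by user" error is retried, with capped exponential backoff and jitter. ProvisioningError, provision_with_retry and the send callable are hypothetical names, and the delays are assumed values.

```python
import random
import threading
import time
from collections import defaultdict

LOCK_MARKER = "Locked by user"   # text of the SAP error quoted above

class ProvisioningError(Exception):
    """Hypothetical exception carrying the error text returned for a request."""

# One lock per identity so this client never sends parallel updates for a user.
_identity_locks = defaultdict(threading.Lock)
_registry_guard = threading.Lock()

def _lock_for(identity):
    with _registry_guard:
        return _identity_locks[identity]

def provision_with_retry(identity, send, attempts=5, base_delay=2.0,
                         max_delay=30.0, sleep=time.sleep, rng=random.random):
    """Call send() for one identity, retrying only on the SAP lock error."""
    with _lock_for(identity):
        for attempt in range(1, attempts + 1):
            try:
                return send()
            except ProvisioningError as exc:
                # A lock error means SAP rejected the request, so resending
                # is safe; any other error is surfaced immediately.
                if LOCK_MARKER not in str(exc) or attempt == attempts:
                    raise
                # Exponential backoff with jitter, capped at max_delay.
                delay = min(max_delay, base_delay * 2 ** (attempt - 1))
                sleep(delay * (0.5 + rng() / 2))

def demo():
    """Constructed scenario: the record is locked twice, then the update succeeds."""
    outcomes = iter([ProvisioningError("Locked by user JDOE"),
                     ProvisioningError("Locked by user JDOE"), "committed"])
    def send():
        item = next(outcomes)
        if isinstance(item, Exception):
            raise item
        return item
    delays = []
    result = provision_with_retry("jdoe", send, sleep=delays.append, rng=lambda: 1.0)
    return result, delays

if __name__ == "__main__":
    print(demo())
```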