Troubleshooting

If you encounter any of the following issues or errors, SailPoint recommends that you follow the guidance provided below to resolve the error before contacting SailPoint Support.

Resolution: Make sure that the additional attribute description in the account schema matches the name of the attribute configured in additional attribute BAPI.

ERROR SPSAPROUTER: route permission denied (xxx.xx.X.X to xxx.xxx.Y.Y, 3300.)

Resolution: Add the following entry in the saprouttab of your SAProuter:

P xxx.xx.X.X xxx.xxx.Y.Y 3300

Activate the new saprouttab with the following command or restart the SAProuter:

saprouter -n

_JCo initialization failed with java.lang.UnsatisfiedLinkError: C:\apache-tomcat-9.0.35\webapps\identityiq\WEB-INF\lib\sapjco3.dll: Can't find dependent libraries

Resolution: To resolve the issue implement the following setup:

Microsoft Visual Studio 2005 C/C++ runtime libraries (version 8.0.50727.6195)

The VC++ 2013 can be downloaded from https://support.microsoft.com/en-us/help/4032938/update-for-visual-c-2013-redistributable-package.

Error: Could not initialize class com.sap.conn.jco.rt.JCoRuntimeFactory" in Test Connection and Aggregation in IdentityNow

Resolution: The host value must be updated on the VA with the FQDN of the SAP server. Reupload the sapjco and libsapjco jars on the UI.

"sailpoint.connector.ConnectionFailedException: Server is DOWN or Connection parameters are incorrect.

OR

ERROR hostname 'sailpoint-va' unknown\nTIME

OR

JCO_ERROR_COMMUNICATION: Connect to SAP gateway failed

Resolution: There are three possible options to solve this error.

Option 1: One of the reasons for the issue to occur is the IP address of the VA is not recognized by the connector. To resolve this, you need to make an entry in hosts.yaml file with the IP address of the VA as well as the managed source (SAP server).

Note
For information on creating a hosts.yaml file, refer to Configuring a Hosts.yaml File.

Example:

hosts:

10.200.80.60: -SAPSER4

10.22.131.14: -sailpoint-va

Where 10.200.80.60 is the IP, SAPSER4 is the hostname of the SAP server, 10.22.131.14 is the IP of the VA, and sailpoint-va is the default name of the VA. Ensure that SAP is installed with JCO enabled.

Similarly, add the IP and hostname of the VA being used in the file. Restart CCG/ Reboot the VA after the update.

Option 2: Add a Route entry in the static.network file to persist routing the table entry of the VA hostname. To do so, perform the following steps: 

  1. In your VA, go to ../etc/systemd/network/static.network

  2. Add the following entry:

    [Route]

    Gateway=<10.0.0.1>

    Destination=<public_ip>/<netmask>

  3. Run sudo systemctl restart systemd-networkd to apply the configuration.

  4. Run route -n to show the routes.

  5. Restart CCG/ Reboot the VA and check if the entry still persisted.

Option 3: Update DNS entries for VAs on your network so that FQDN resolves for each VA. To do so, perform the following steps:

  1. Run sudo hostnamectl set-hostname <hostname of your choice> to set the VA hostname.

  2. Run the hostname command to validate.

  3. Run sudo reboot to reboot the VA.

The VA should reflect the new hostname.

Resolution: Account aggregation takes a longer time if the SAP target system and the VA are in two separate regions. To resolve the issue, move the VA region to the SAP region to reduce the aggregation time.

The following error message is displayed when using the /SAILPOIN/SAIL_READ_TABLE or /SAILPOIN/SAIL_READ_TABLE_LEG function modules:

Exception during aggregation. Reason: java.lang.RuntimeException: ASSIGN_TYPE_CONFLICT while querying table *Table_Name*. One of the fields queried (field1,field2,field3… ) may have incorrect COLUMN_LENGTH or COLUMN_DTYPE set in /SAILPOIN/CONF table. Please refer ASSIGN_TYPE_CONFLICT in troubleshooting section of documentation for more details.

Resolution: Ensure COLUMN_LENGTH/COLUMN_DTYPE is correctly configured for the fields of *Table_Name* in the /SAILPOIN/CONF table. This can be validated through the t-code "SE11" while viewing the table details, under the Fields tab.

Resolution: Ensure that SailPoint's function module is installed on the SAP system as per Install SAILPOIN Add-On.

Data was lost while copying a valuePOST

Resolution: If SAP has been patched to SP 17 or later, change the client language to a single character. For example, if the client language is EN, change it to E.

[ ConnectorException ] [ Error details ] Exception occurred while test configuration operation, refer logs for more details. Initialization of repository destination SAP FS failed: Unencrypted communication is rejected by this system.

Resolution – Please check the ‘snc/only_encrypted_rfc’ parameter on SAP server, if set to 1, SAP server expects encrypted connections to it. We need to either set the value for this parameter to 0 or setup SNC connection both on IdentityNow UI and SAP server to communicate.

Provisioning fails with the following error message when trying to configure SNC using SAP JCO version 3.1 and when the client.snc_sso parameter is set to 0 in the application debug page:

"WARN: Warning from SAP while executing function [BAPI_USER_CHANGE]Password for user XXXX changed, but not set as productive"

Resolution: The value of client.snc_sso parameter must be set to 1 (that is, client.snc_sso = 1) or not defined (default is 1) in the SAP application. On the SAP managed system, JCO (SNC Name) value must not be specified in JCO ACL, that is JCO entry must be deleted from SNC0 tcode (table SNCSYSACL). Refer to SAP Note # 3016480 as recommended by SAP and only specific to SAP JCO 3.1.x.

The change password feature is not working with SNC, when PRODUCTIVE_PWD attribute is X.

Resolution: Define the productivePasswordValue in a POST via REST API.

Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.

In the body of the POST, set form-data values as follows:

Copy 
[
    {
        "op": "add",
        "path": "/connectorAttributes/connector_productivePasswordValue",
        "value": "1"
    }
]

Note
In the sample above, the value is 1. By default, the value is X.

Resolution 2: Check the following JCO parameters and add them in the source XML as per your environment requirements:

Copy 
<entry key="jco.client.snc_mode">
 <value>
 <Boolean>true</Boolean>
</value>
Copy 
<entry key="jco.client.snc_qop" value="X"/>

The possible values of X are:

  • 1: Authentication only

  • 2: Integrity protection

  • 3: Privacy protection

  • 8: Use the value from snc/data_protection/use on the SAP Application Server.

<entry key="jco.client.snc_qop" value="X"/>

The possible values of X are:

  • 0: Single Sign-On protocol disabled

  • 1: Single Sign-On protocol enabled

Note
Set the value to 0 as of JCO 3.0.9

Resolution 3: Ensure the SNC name in table SNCSYSACL (transaction SNC0), is not maintained. If it is present, remove the entry from the table.