
CyberArk Integration Troubleshooting and Limitations

  • Problem: Failed to use a CyberArk credential. WrapperProbeGw.log contains an error message similar to the following:

    jvm 2 | <2017-09-28 14:48:24,210> 2639189 [ERROR] [AdHoc:AD_HOC_TASK_PATTERN_ID-25-1506581322093] (CyberArkPasswordVaultGetter.java:214) - Failed quering password from CyberArk Vault. safe=UCMDBTestSafe,folder=Root,reference=UCMDBSmith-cyberark-testing-refid865Inte,parameters={}jvm 2 | class javapasswordsdk.exceptions.PSDKException: APPAP133E Failed to verify application authentication data: path "C:/UCMDB/DataFlowProbe/bin/jre/lib/rt.jar;C:/UCMDB/DataFlowProbe/lib/discovery-library.jar;C:/UCMDB/DataFlowProbe/lib/discovery-probe.jar;C:/UCMDB/DataFlowProbe/lib/federation.jar;C:/UCMDB/DataFlowProbe/lib/jetty-all.jar;C:/UCMDB/DataFlowProbe/lib/spring-aop.jar;C:/UCMDB/DataFlowProbe/lib/spring-context.jar;Java Unknown Path - Reason: The path investigation method returned null for class "$Proxy59.class"" is unauthorized

    Note that the path string quoted in the message above is the reference string; in your environment it may be different.

    Cause: Starting with version 11.0, the default installation path of the probe changed to C:\UCMDB\DataFlowProbe.

    Solution: Add a path authentication entry for the application in the CyberArk server: C:\UCMDB\DataFlowProbe

    For detailed instructions, see step 4 in Create and configure an application ID.

  • Symptom: Received the error message "User <ApplicationID> is not defined" when running the checkCyberArkConn.bat script to test the connection.

    Possible Cause: The application ID is not added to the Safe in CyberArk.

    Solution: Add the application ID to the Safe in CyberArk. For detailed instructions, see Create and configure an application ID.

  • Symptom: Checking credential failed with an error message similar to the following:

    Failed to get credential XYZ, please check the related error logs in probe side.

    Scenarios:

    • Found the following error messages in the WrapperProbeGw.log:

      • ... Failed to get credential for id 52_1_CMS - Failed quering CyberArk Password, Application ID is empty.

      • ...Failed to get credential for id 2_1_CMS - Failed quering attribute from CyberArk Password.

      Possible Cause: Application ID or Classpath is not properly set.

      Solution: Set application ID and classpath properly. For detailed instructions, see Set ApplicationID and Classpath parameters manually.

    • Found the following error message in the WrapperProbeGw.log:

      Query string not legal. Should be "safe\folder\name".

      Possible Cause: The format of the Reference ID is not correct.

      Solution: Update the reference ID by strictly following the reference ID format:

      <Safe_Name>\<Folder Path>\<ReferenceID>

      Here <Safe_Name> is the name of the Safe in CyberArk, <Folder Path> is the folder path associated with that Safe, and <ReferenceID> is the name of the CyberArk account, either the one you specified or the one CyberArk auto-generated.

      For example, NancySafe\Root\nancy-cyberark-testing-refid.

    • Found the following error message in the WrapperProbeGw.log:

      Password object matching query [object=ABC;Folder=Root;Safe=XYZ] was not found (Diagnotic Info: 9). Please check that there is a password object that answers your query in the vault and that both the provider and the application user have the appropriate permissions needed in order to use the password.

      Possible Cause: The CyberArk Credential Provider user was not added as a member to the Safe.

      Solution: Add the CyberArk Credential Provider user as a member of the Safe in CyberArk.

      For detailed instructions, see How to Create and Configure CyberArk Account for the Integration.

    • Found the following error message in the WrapperProbeGw.log:

      Error: CASVL012E User Name [ApplicationID] is invalid.

      Possible Cause: This is related to the authentication. The OS user was not properly set when creating the Application ID in CyberArk.

      Solution: If the Probe is running as a service, add NT AUTHORITY\SYSTEM as OS user.

      If the Probe is running as console, add the <hostname\username> as OS User.
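The scenarios above all surface as lines in WrapperProbeGw.log, and two of them hinge on the Safe\Folder\ReferenceID layout described for the reference ID. The following Python is an added example, not part of UCMDB or the CyberArk SDK: it scans a probe log for the CyberArk failure messages listed above, pulls out the identifiers an administrator has to check (credential id, Safe, folder, reference name, PSDK error code), maps each to the likely cause given in this list, and can also validate reference IDs against the Safe\Folder\ReferenceID format. It assumes the Java Service Wrapper line layout seen in the first excerpt ("jvm N | <timestamp> ms [LEVEL] [thread] (source) - message"; lines without that prefix are treated as bare messages) and that nested folders inside a reference ID are joined with backslashes, which is an assumption rather than something this page states. The sample log lines, safes, accounts and credential ids are constructed.

```python
"""Triage CyberArk failures in a Data Flow Probe WrapperProbeGw.log and check
reference IDs against the Safe\\Folder\\ReferenceID layout (added example, not UCMDB code)."""
import re
from collections import Counter

# Assumed Java Service Wrapper layout: 'jvm N | <ts> ms [LEVEL] [thread] (source) - message'
LINE_RE = re.compile(
    r"^(?:jvm \d+ \| )?<(?P<ts>[^>]+)> \d+ \[(?P<level>\w+)\] \[[^\]]*\] \([^)]*\) - (?P<msg>.*)$")
CRED_ID_RE = re.compile(r"credential for id (?P<id>\S+)")
# Two shapes of vault query appear in the log: 'safe=..,folder=..,reference=..' on the
# getter's own line and '[object=..;Folder=..;Safe=..]' inside the PSDK message.
GETTER_QUERY_RE = re.compile(r"safe=(?P<safe>[^,]+),folder=(?P<folder>[^,]+),reference=(?P<ref>[^,]+)")
PSDK_QUERY_RE = re.compile(r"object=(?P<ref>[^;\]]+);Folder=(?P<folder>[^;\]]+);Safe=(?P<safe>[^;\]]+)", re.I)
PSDK_CODE_RE = re.compile(r"\b(?P<code>[A-Z]{4,6}\d{3}E)\b")  # e.g. APPAP133E, CASVL012E

# (pattern, likely cause); first match wins. Causes are the ones the troubleshooting list gives.
KNOWN_CAUSES = [
    (re.compile(r"APPAP133E.*path .* is unauthorized"), "probe path not authorised for the application ID"),
    (re.compile(r"Application ID is empty|Failed quering attribute"), "ApplicationID or classpath not set"),
    (re.compile(r"Query string not legal"), "reference ID not in safe\\folder\\name format"),
    (re.compile(r"Password object matching query .* was not found"), "Credential Provider user not a member of the Safe"),
    (re.compile(r"CASVL012E"), "OS user not set on the application ID"),
    (re.compile(r"Hash .* is unauthorized"), "hash mismatch between probe JARs and CyberArk"),
]


def parse_reference_id(reference):
    """Split 'Safe\\Folder\\ReferenceID' into its parts; raise ValueError with the
    wording the probe logs when the layout is wrong. Nested folders (assumed) stay joined."""
    parts = reference.split("\\")
    if len(parts) < 3 or any(not p.strip() for p in parts):
        hint = " (forward slashes are not separators)" if "/" in reference else ""
        raise ValueError('Query string not legal. Should be "safe\\folder\\name"' + hint)
    return {"safe": parts[0], "folder": "\\".join(parts[1:-1]), "object": parts[-1]}


def reference_id_from_query(safe, folder, obj):
    """Inverse of parse_reference_id: the reference ID UCMDB must hold for a vault query."""
    return f"{safe}\\{folder}\\{obj}"


def parse_line(line):
    m = LINE_RE.match(line)
    return (m.group("ts"), m.group("level"), m.group("msg")) if m else (None, None, line.strip())


def triage(log_text):
    """One finding per line that matches a known CyberArk failure (or an unclassified
    ERROR mentioning CyberArk), carrying the identifiers an admin needs to check."""
    findings = []
    for line in log_text.splitlines():
        ts, level, msg = parse_line(line)
        cause = next((c for pat, c in KNOWN_CAUSES if pat.search(msg)), None)
        if cause is None and not (level == "ERROR" and "CyberArk" in msg):
            continue
        f = {"timestamp": ts, "level": level, "cause": cause or "unclassified CyberArk error",
             "credential_id": None, "safe": None, "folder": None, "reference": None,
             "code": None, "expected_reference_id": None}
        m = CRED_ID_RE.search(msg)
        if m:
            f["credential_id"] = m.group("id")
        q = GETTER_QUERY_RE.search(msg) or PSDK_QUERY_RE.search(msg)
        if q:
            f.update(safe=q.group("safe"), folder=q.group("folder"), reference=q.group("ref"))
            f["expected_reference_id"] = reference_id_from_query(q.group("safe"), q.group("folder"), q.group("ref"))
        m = PSDK_CODE_RE.search(msg)
        if m:
            f["code"] = m.group("code")
        findings.append(f)
    return findings


def summarize(findings):
    """Count findings per likely cause."""
    return Counter(f["cause"] for f in findings)


# Constructed sample log: the first line follows the excerpt above; nothing here is real.
SAMPLE_LOG = "\n".join([
    'jvm 2 | <2017-09-28 14:48:24,210> 2639189 [ERROR] [AdHoc:AD_HOC_TASK_PATTERN_ID-25-1506581322093] '
    '(CyberArkPasswordVaultGetter.java:214) - Failed quering password from CyberArk Vault. '
    'safe=UCMDBTestSafe,folder=Root,reference=demo-refid,parameters={} class '
    'javapasswordsdk.exceptions.PSDKException: APPAP133E Failed to verify application authentication '
    'data: path "C:/UCMDB/DataFlowProbe/lib/discovery-probe.jar" is unauthorized',
    'jvm 2 | <2017-09-28 14:50:01,003> 2700000 [ERROR] [AdHoc:task-2] (CyberArkPasswordVaultGetter.java:198) '
    '- Failed to get credential for id 52_1_CMS - Failed quering CyberArk Password, Application ID is empty.',
    'jvm 2 | <2017-09-28 14:52:30,500> 2850000 [INFO] [main] (ProbeGw.java:10) - Probe started',
    'jvm 2 | <2017-09-28 14:55:10,118> 3001000 [ERROR] [AdHoc:task-3] (CyberArkPasswordVaultGetter.java:160) '
    '- Query string not legal. Should be "safe\\folder\\name".',
    'Password object matching query [object=ABC;Folder=Root;Safe=XYZ] was not found (Diagnotic Info: 9).',
])

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f)
    print(summarize(results))
```

Run it against a real WrapperProbeGw.log by passing the file contents to triage(); the expected_reference_id field gives the exact Safe\Folder\ReferenceID value to compare with what is entered in the Protocol Parameters dialog, and parse_reference_id() rejects the malformed forms (missing folder, forward slashes) that produce the "Query string not legal" message.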

  • PROBLEM: After enabling CyberArk integration, there are no CyberArk related fields in the Protocol Parameters dialog for some protocols. Is it possible to add CyberArk credential reference to those protocols?

    Solution: Yes. Apart from the UDDI Registry and Universal Discovery protocols (which have no passwords at all), you can add a CyberArk credential reference to these protocols with the help of JMX methods. For a list of protocols that are supported from JMX, see Supported Protocols. For detailed instructions, see How to Add CyberArk Credential for Protocols from JMX.

  • Limitation: The Probe cannot retrieve passwords from CyberArk if it is running under the local system account and that account has not been added as a member of the CyberArk Safe.

  • PROBLEM: After enabling CyberArk integration and the FIPS mode, check credential for CyberArk failed on Windows platform. This is because the file path separator "\" in the conf files cannot be properly processed on Windows platform. (QCCR1H104637)

    Solution: When enabling CyberArk integration and the FIPS mode on Windows platforms, make sure you replace the file path separator "\" with "/" in the conf files.

    For example, replace the file path separator "\" in the following setting:

    wrapper.java.classpath.8=C:\Program Files (x86)\CyberArkApplication\PasswordSdk\JavaPasswordSDK.jar

    with "/", as shown below:

    wrapper.java.classpath.8=C:/Program Files (x86)/CyberArkApplication/PasswordSdk/JavaPasswordSDK.jar
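Doing that replacement by hand across every path entry in the wrapper conf files is error-prone, so here is an added Python helper (not part of UCMDB) that rewrites only the values of path-carrying wrapper keys and leaves comments and other keys alone. It assumes the wrapper.java.classpath.N=<path> layout shown above; treating wrapper.java.library.path.N the same way is an assumption of this example, since that key also carries a filesystem path, and is not something this page states. The sample conf text is constructed.

```python
"""Convert "\\" to "/" in path-carrying Java Service Wrapper keys (added example, not UCMDB code)."""
import re
import shutil
from pathlib import Path

# Keys whose value is a filesystem path. library.path is included by assumption.
PATH_KEY_RE = re.compile(r"^(?P<key>wrapper\.java\.(?:classpath|library\.path)\.\d+)=(?P<value>.*)$")


def convert_separators(conf_text):
    """Return (new_text, changed_line_count).

    Only the value part of matching keys is rewritten; comment lines, other keys and
    lines that are already using "/" are passed through unchanged, so the function is
    idempotent and safe to run again after a partial edit."""
    out, changed = [], 0
    for line in conf_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]
        m = PATH_KEY_RE.match(body)
        if m and "\\" in m.group("value"):
            value = m.group("value").replace("\\", "/")
            out.append(f"{m.group('key')}={value}{ending}")
            changed += 1
        else:
            out.append(line)
    return "".join(out), changed


def convert_file(conf_path):
    """Rewrite a conf file in place, keeping a .bak copy; returns the number of lines changed."""
    path = Path(conf_path)
    new_text, changed = convert_separators(path.read_text(encoding="utf-8"))
    if changed:
        shutil.copyfile(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(new_text, encoding="utf-8")
    return changed


# Constructed sample conf fragment; the first line is the example from the text above.
SAMPLE_CONF = (
    "wrapper.java.classpath.8=C:\\Program Files (x86)\\CyberArkApplication\\PasswordSdk\\JavaPasswordSDK.jar\n"
    "# comment mentioning a \\ backslash is left alone\n"
    "wrapper.java.additional.3=-Xmx1024m\n"
    "wrapper.java.library.path.1=C:\\UCMDB\\DataFlowProbe\\lib\n"
    "wrapper.java.classpath.9=C:/UCMDB/DataFlowProbe/lib/already-converted.jar\n"
)

if __name__ == "__main__":
    new_text, changed = convert_separators(SAMPLE_CONF)
    print(f"{changed} line(s) changed")
    print(new_text)
```

Point convert_file() at each wrapper conf file under the probe's installation after enabling FIPS mode on Windows; the .bak copy lets you diff the result before restarting the probe.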

  • PROBLEM: After adding a new probe to the UCMDB server that was already switched to the FIPS mode, the automatic FIPS switch process for the new probe might fail. This is because once the newly installed probe is started, it downloads all the resources from the UCMDB server, and when the probe gets the probe upgrade package, it would schedule a restart, which blocks the automatic FIPS Switch process. (QCCR1H106595)

    Workaround: Once you find that the automatic FIPS Switch process for a new probe failed,

    1. Copy the jar files of JCE Unlimited Strength Jurisdiction Policy Files 8 into the %DataFlowProbe_HOME%\bin\jre\lib\security directory on the Data Flow Probe machine.

      For more information about how to obtain the files, see the Universal CMDB FIPS Deployment Guide.

    2. Add the following line into the DataFlowProbe.properties file on the Data Flow Probe machine, and then save the file.

      probe.fips.status=1

    3. Restart the Data Flow Probe.

    Note: If the Data Flow Probe is in separate mode, you need to perform the above steps for both the Probe Manager and Probe Gateway instances.

  • PROBLEM: When running discovery jobs or checking credentials, the following error occurs:

    Failed to verify application authentication data: Hash XXX is unauthorized.

    This is caused by inconsistent hash values between UCMDB and CyberArk Server.

    Workaround: Check if the hash value is the same as the one you configured on the CyberArk server. If different, regenerate the hash value and then fill the new hash value in the CyberArk server. For instructions, see How to Calculate Hash Code for JARs with Annotation.