Symantec IGA

  • 1.  What can cause error UNWILLING_TO_PERFORM when setting up a new SCIM endpoint for IM 12.6.07?

    Posted Sep 13, 2018 06:02 AM

    I am trying to set up a new SCIM endpoint on our provisioning server (version 12.6.07), but I get the following error message:

    2018.09.13.10:40:09.026 ERROR IM Provisioning Server - :ETA_E_0003<ADI>, Endpoint 'OSB' creation failed:
    Connector Server Add failed: code 53 (UNWILLING_TO_PERFORM): failed to add entry eTDYNDirectoryName=OSB,
    eTNamespaceName=SCIM,dc=im,dc=etasa: JCS@ngcaimpro2t: SCIM: null (ldaps://ngcaimpro2t.norgesgruppen.no:20411)
    (by User 'etaadmin' - TenantNotSet) {ID=8a2e4d4a-583f-4460-936b-8f320d6b0aa5}

    Enabling logging during setup gives some more info within the Connector Server log (jcs_conn_OSB.log):

    2018-09-13 10:40:08,899 76112165 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:40) DEBUG - HTTP Response:
    2018-09-13 10:40:08,900 76112166 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:41) DEBUG - Status Line: HTTP/1.1 200 OK
    2018-09-13 10:40:08,900 76112166 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:42) DEBUG - Status Code: 200
    2018-09-13 10:40:08,900 76112166 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:43) DEBUG - Reason Phrase: OK
    2018-09-13 10:40:08,900 76112166 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:45) DEBUG - HTTP Response Headers:
    2018-09-13 10:40:08,901 76112167 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:49) DEBUG - HTTP Response Header name: Date, value: Thu, 13 Sep 2018 08:40:09 GMT
    2018-09-13 10:40:08,901 76112167 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:49) DEBUG - HTTP Response Header name: Content-Length, value: 569
    2018-09-13 10:40:08,901 76112167 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:49) DEBUG - HTTP Response Header name: Content-Type, value: application/json; charset=utf-8
    2018-09-13 10:40:08,901 76112167 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:49) DEBUG - HTTP Response Header name: X-ORACLE-DMS-ECID, value: b1674a62-3f09-442d-b611-25363e7bf9a8-00147290
    2018-09-13 10:40:08,902 76112168 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMMetaConnector.java:268) DEBUG - HTTP GET response content: (Service Provider Configuration)
    2018-09-13 10:40:08,902 76112168 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMMetaConnector.java:269) DEBUG - {
    "schemas" : [ "urn:scim:schemas:core:1.0" ],
    "meta" : {
    "created" : "2018-09-13T10:40:09.123+02:00",
    "location" : "http://*************/SCIM_Rest/ServiceProviderConfigs"
    },
    "patch" : {
    "supported" : false
    },
    "bulk" : {
    "supported" : false
    },
    "filter" : {
    "supported" : false
    },
    "changePassword" : {
    "supported" : false
    },
    "sort" : {
    "supported" : false
    },
    "etag" : {
    "supported" : false
    },
    "xmlDataFormat" : {
    "supported" : true
    }
    }
    2018-09-13 10:40:09,003 76112269 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:40) DEBUG - HTTP Response:
    2018-09-13 10:40:09,003 76112269 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:41) DEBUG - Status Line: HTTP/1.1 200 OK
    2018-09-13 10:40:09,003 76112269 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:42) DEBUG - Status Code: 200
    2018-09-13 10:40:09,003 76112269 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:43) DEBUG - Reason Phrase: OK
    2018-09-13 10:40:09,003 76112269 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:45) DEBUG - HTTP Response Headers:
    2018-09-13 10:40:09,004 76112270 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:49) DEBUG - HTTP Response Header name: Date, value: Thu, 13 Sep 2018 08:40:09 GMT
    2018-09-13 10:40:09,004 76112270 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:49) DEBUG - HTTP Response Header name: Content-Length, value: 0
    2018-09-13 10:40:09,004 76112270 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:49) DEBUG - HTTP Response Header name: Content-Type, value: text/xml; charset=utf-8
    2018-09-13 10:40:09,004 76112270 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:49) DEBUG - HTTP Response Header name: X-ORACLE-DMS-ECID, value: b1674a62-3f09-442d-b611-25363e7bf9a8-00147291
    2018-09-13 10:40:09,005 76112271 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMMetaConnector.java:347) DEBUG - HTTP GET response content: (Service Provider Schema)
    2018-09-13 10:40:09,005 76112271 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMMetaConnector.java:348) DEBUG -
    2018-09-13 10:40:09,006 76112272 [ApacheDS Worker-thread-94] SCIM_OSB (MetaConnector.java:727) INFO - class com.ca.jcs.scim.SCIMMetaConnector: OSB [eTDYNDirectoryName=OSB,eTNamespaceName=SCIM,dc=im,dc=etasa]:
    Already deactivated
    2018-09-13 10:40:09,012 76112278 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMMetaConnector.java:187) DEBUG - Deactivated Connector OSB.

    There are other SCIM endpoints set up from before; unfortunately the people who set them up aren't available for questions, and I don't know which changes may have been made to the provisioning server in the meantime.

    Also, the endpoint I am connecting to is in development, so perhaps there is some protocol/schema stuff that might be incorrect that the CA SCIM connector is unhappy with?

    Any suggestions as to what might cause this, or where/how I should look to find out more?



  • 2.  Re: What can cause error UNWILLING_TO_PERFORM when setting up a new SCIM endpoint for IM 12.6.07?

    Broadcom Employee
    Posted Sep 13, 2018 01:25 PM

    Was this working before?  The other SCIM endpoints continue to work as expected?  I have seen this error when changes on the endpoint and provisioning manager were not able to read the SCIM Base URL.



  • 3.  Re: What can cause error UNWILLING_TO_PERFORM when setting up a new SCIM endpoint for IM 12.6.07?

    Posted Sep 14, 2018 03:16 AM

    Thanks for looking at this, Scott

     

    Unfortunately, I can't say much about the other SCIM endpoints that I see on the provisioning server. This is a staging system, so the other SCIM endpoints no longer have anything to connect to, having long since been deployed into production.

    It's able to connect to the SCIM service, since it logs the data it gets when connecting to /ServiceProviderConfigs



  • 4.  Re: What can cause error UNWILLING_TO_PERFORM when setting up a new SCIM endpoint for IM 12.6.07?

    Posted Sep 14, 2018 09:51 AM

    Looking at other logs, I see the following message:

    2018-09-14 09:57:32,142 157851 [ApacheDS Worker-thread-5] (com.ca.jcs.core:com.ca.jcs.osgi.exchange.router.MessageRouter:552)
    DEBUG - The details of the remote server error are: JCS@ngcaimpro2t: The endpoint type
    eTNamespaceName=SCIM,dc=im,dc=etasa that was referenced in the request has not been activated
    org.apache.directory.shared.ldap.exception.LdapNameNotFoundException: JCS@ngcaimpro2t: The
    endpoint type eTNamespaceName=SCIM,dc=im,dc=etasa that was referenced in the request has not
    been activated

    However, looking in the Connector Server portal, "JCS :: Connector :: SCIM (com.ca.jcs.scim)" is listed as having Status Active. Is there some kind of internal inconsistency here so that I should simply scrap the SCIM endpoint type and re-do the setup of it from scratch?



  • 5.  Re: What can cause error UNWILLING_TO_PERFORM when setting up a new SCIM endpoint for IM 12.6.07?
    Best Answer

    Broadcom Employee
    Posted Sep 18, 2018 03:39 AM

    Hi Urbagurba,

     

    Look at the 2 following lines:
    2018-09-13 10:40:09,005 76112271 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMMetaConnector.java:347) DEBUG - HTTP GET response content: (Service Provider Schema)
    2018-09-13 10:40:09,005 76112271 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMMetaConnector.java:348) DEBUG -
    On the second line, there is no response for the request to get the "Schemas".
    This is the root cause of this issue.
    Investigate why the endpoint cannot return the "Schemas" in REST API.
    The HTTP URL for this request is the SCIM Base URL + "/schemas".

    You can test this URL for schema from a Web Browser.
    I add that in the log we can see that the Service Provider Configuration is properly retrieved ("/ServiceProviderConfigs")
    but not the Service Provider Schema.

     

    Regards,

    Philippe.



  • 6.  Re: What can cause error UNWILLING_TO_PERFORM when setting up a new SCIM endpoint for IM 12.6.07?

    Posted Sep 18, 2018 03:53 AM

    Nice catch!

     

    Looking at the SCIM specification (DRAFT: System for Cross-Domain Identity Management: Protocol 1.1), the Schema resource is mentioned, but I can't find a further specification on what it should contain and how it should be formatted. Any pointers?



  • 7.  Re: What can cause error UNWILLING_TO_PERFORM when setting up a new SCIM endpoint for IM 12.6.07?

    Posted Sep 18, 2018 07:08 AM

    Looking further into it, the endpoint developer had opted to return a "200 OK" status for the Schema resource, but hadn't provided any actual content since it was unknown what it should be. Switching the reply status to "404 Not Found" convinced the connector to proceed and got the basic configuration of the endpoint into place.

     

    Thanks to everyone for the input. Seems kinda obscure a problem, but perhaps the discussion here can be of help to someone else in similar circumstances
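
Added example, not part of the original thread and not CA/Broadcom code: a Python check for the condition identified in replies 5 and 7, a discovery request answered with a 2xx status but no body, run over an abridged copy of the connector log quoted in the thread. The function names are hypothetical, and the log layout is assumed to match the jcs_conn_OSB.log excerpt above.

```python
import re

# Sample input: lines from the thread's jcs_conn_OSB.log excerpt, JSON body abridged (constructed).
SAMPLE_LOG = """\
2018-09-13 10:40:08,900 76112166 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:42) DEBUG - Status Code: 200
2018-09-13 10:40:08,901 76112167 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:49) DEBUG - HTTP Response Header name: Content-Length, value: 569
2018-09-13 10:40:08,902 76112168 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMMetaConnector.java:268) DEBUG - HTTP GET response content: (Service Provider Configuration)
2018-09-13 10:40:08,902 76112168 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMMetaConnector.java:269) DEBUG - {
"schemas" : [ "urn:scim:schemas:core:1.0" ]
}2018-09-13 10:40:09,003 76112269 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:40) DEBUG - HTTP Response:
2018-09-13 10:40:09,003 76112269 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:42) DEBUG - Status Code: 200
2018-09-13 10:40:09,004 76112270 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMHttpResponseHandler.java:49) DEBUG - HTTP Response Header name: Content-Length, value: 0
2018-09-13 10:40:09,005 76112271 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMMetaConnector.java:347) DEBUG - HTTP GET response content: (Service Provider Schema)
2018-09-13 10:40:09,005 76112271 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMMetaConnector.java:348) DEBUG -
2018-09-13 10:40:09,012 76112278 [ApacheDS Worker-thread-94] SCIM_OSB (SCIMMetaConnector.java:187) DEBUG - Deactivated Connector OSB.
"""

TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
STATUS = re.compile(r"Status Code: (\d{3})")
LENGTH = re.compile(r"Header name: Content-Length, value: (\d+)")
LABEL = re.compile(r"HTTP GET response content: \((.+?)\)")

def body_after(lines, i):
    """Return the response body logged after the label line at index i."""
    # Assumption: the body's first line follows "DEBUG -" on the next record.
    parts = [lines[i + 1].partition("DEBUG -")[2]] if i + 1 < len(lines) else []
    for nxt in lines[i + 2:]:
        m = TS.search(nxt)  # start of the next record, possibly fused after "}"
        parts.append(nxt[:m.start()] if m else nxt)
        if m:
            break
    return "\n".join(parts).strip()

def empty_success_responses(log_text):
    """List (resource, status, content_length) for 2xx replies with no body."""
    findings, status, length = [], None, None
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if m := STATUS.search(line):
            status, length = int(m.group(1)), None  # a new response begins
        elif m := LENGTH.search(line):
            length = int(m.group(1))
        elif m := LABEL.search(line):
            if status is not None and 200 <= status < 300 and not body_after(lines, i):
                findings.append((m.group(1), status, length))
    return findings

if __name__ == "__main__":
    print(empty_success_responses(SAMPLE_LOG))
```

A 404 for the same resource is not reported, which matches the behaviour described in reply 7.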