Hello,
We are getting this exception from a connector rule and can't find any reference to it in the documentation or forums. The rule is supposed to call a fairly straightforward PowerShell script, but it doesn't look like it is making its way through the IQService. The error, rule, PS script, and log are included below. Any assistance would be greatly appreciated.
Thank you.
Error:
{"exception":{"stacktrace":"sailpoint.tools.GeneralException: Errors returned from IQService. Before Script returned non-zero exit code : 1 : \n\tat sailpoint.connector.RPCService.checkForErrors(RPCService.java:967)\n\tat sailpoint.connector.RPCService.parseResponse(RPCService.java:798)\n\tat sailpoint.connector.RPCService.execute(RPCService.java:531)\n\tat sailpoint.connector.AzureADConnector.callIQService(AzureADConnector.java:10288)\n\tat sailpoint.connector.AzureADConnector.provision(AzureADConnector.java:5986)\n\tat sailpoint.connector.ConnectorProxy.provision(ConnectorProxy.java:1116)\n\tat com.sailpoint.ccg.cloud.container.Container.provision(Container.java:303)\n\tat com.sailpoint.ccg.cloud.container.ContainerIntegration.provision(ContainerIntegration.java:156)\n\tat com.sailpoint.ccg.handler.ProvisionHandler.invoke(ProvisionHandler.java:190)\n\tat sailpoint.gateway.accessiq.CcgPipelineMessageHandler.handleMessage(CcgPipelineMessageHandler.java:42)\n\tat com.sailpoint.pipeline.server.PipelineServer$InboundQueueListener$MessageHandler.run(PipelineServer.java:369)\n\tat java.base\/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)\n\tat java.base\/java.util.concurrent.FutureTask.run(FutureTask.java:264)\n\tat java.base\/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)\n\tat java.base\/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)\n\tat java.base\/java.lang.Thread.run(Thread.java:829)\n","exception_class":"sailpoint.tools.GeneralException","exception_message":"Errors returned from IQService. 
Before Script returned non-zero exit code : 1 : "},"stack":"ccg","pod":"stg03-useast1","connector-logging":"148","Operation":"Modify","clusterId":"308","buildNumber":"894","apiUsername":"494e1363-6a67-490d-8e5a-5e352dc4b1c8","orgType":"","file":"RPCService.java","encryption":"1266","messageType":"provision","connector-bundle-identityiq":"197","line_number":554,"@version":1,"CB_version":"458","logger_name":"sailpoint.connector.RPCService","mantis-client":"1266","class":"sailpoint.connector.RPCService","ParentOperation":"ProvisioningOperation","clientId":"788","request_milliseconds":"1916","source_host":"89f91d68e9ab","method":"execute","org":"<name>","level":"ERROR","IdentityIQ":"8.0 Build 8c8b048e0b1-20230412-073948","message":"Exception occurred while executing the RPCRequest: Errors returned from IQService. Before Script returned non-zero exit code : 1 : ","pipeline":"1266","@timestamp":"2023-06-23T17:20:44.625Z","NativeIdentity":"999077508","thread_name":"pool-7-thread-15","metrics":"1266","region":"us-east-1","AppType":"Azure Active Directory","Application":"Azure Active Directory Test [source]","request_id":"b610071c22e94f49bef51d85ee3dd486","CB_Type":"connector-bundle-directories","queue":"<tenentCluster>","SCIM Common":"8.0 Build 00b1f252d1b-20200225-190809"}
Rule:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Test Distro Group Rule" type="ConnectorBeforeModify">
<Attributes>
<Map>
<entry key="ObjectOrientedScript" value="true" />
<entry key="disabled" value="false" />
<entry key="extension" value=".ps1" />
<entry key="program" value="powershell.exe" />
<entry key="sourceVersion" value="1.0" />
<entry key="timeout" value="300" />
</Map>
</Attributes>
<Description>
This is an IQService afterScript - On a successful provisioning event, this after script should be used as the starting point to
initiate a separate PowerShell script residing on the client's IQService server.
Configuration tasks include the following:
- Set a proper location for the $logFile variable.
- Set the proper script location and name for the $command variable.
- Set the $enableDebug flag to $true or $false to toggle debug mode.
</Description>
<Source>
<![CDATA[
# Rule configuration: debug switch, the client script to launch, and the dated log file.
$enableDebug = $true
$command = "E:\Scripts\test.ps1"
# Date stamp (year, month, day) so that each day gets its own log file.
$logDate = Get-Date -UFormat "%Y%m%d"
# NOTE(review): the file name says "ConnectorAfterCreate" although the rule is declared as
# type ConnectorBeforeModify; confirm the log you are checking is the one this rule writes.
$logFile = "E:\Scripts\Logs\ConnectorAfterCreate_$logDate.log"
#====================-------Helper functions-------====================
# Append one entry to the log file named by the script-level $logFile variable.
function LogToFile([String] $info) {
    Out-File -FilePath $logFile -InputObject $info -Append
}
#====================-------Get the request object-------====================
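# Parse the provisioning request, then hand its native identity to the client script.
# Any failure inside the Try block is caught and written to $logFile; nothing is rethrown.
Try {
    if ($enableDebug) {
        LogToFile("Entering SailPoint rule")
    }
    # Utils.dll provides the sailpoint.utils.* types used below to parse the request.
    Add-type -path E:\IQService\Utils.dll;
    # The request is read from $env:Request and parsed as XML into an AccountRequest.
    $sReader = New-Object System.IO.StringReader([System.String]$env:Request);
    $xmlReader = [System.xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
    $requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);
    $requestAsString = $requestObject.nativeIdentity
    if ($enableDebug) {
        LogToFile("Request as XML object is: $requestAsString")
    }
    # Call the client script with the call operator and a bound parameter.
    # The value comes from the provisioning request, so it must not be spliced into a
    # command string and evaluated with Invoke-Expression: a quote character in the value
    # would change the command that runs under the IQService account.
    # NOTE(review): only nativeIdentity is passed here. A client script that rebuilds an
    # AccountRequest from -requestString needs the full request XML instead; confirm what
    # E:\Scripts\test.ps1 expects.
    & $command -requestString $requestAsString
} Catch {
    # NOTE(review): ItemName is not present on every exception type, so $ErrorItem may be empty.
    $ErrorMessage = $_.Exception.Message
    $ErrorItem = $_.Exception.ItemName
    LogToFile("Error: Item = $ErrorItem -> Message = $ErrorMessage")
}
if ($enableDebug) {
    LogToFile("Exiting SailPoint rule")
}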
]]>
</Source>
</Rule>
PS Script:
###############################################################################################################################
# SETUP
# Instructions (for each IQService host that could run the script):
# - Update the path to Utils.dll (can be an unqualified path like "Utils.dll" since script is copied to IQService folder for execution)
# - Make sure Utils.dll is in the specified folder on each IQService host
# - Be sure the account that runs IQService has appropriate permissions to create directories and set permissions on them
# - Be sure to set the "run as" account for the IQService in Windows Service to the above-specified account instead of just the "logged on" user
# - Set a proper location for the $logFile variable
# - Set the $enableDebug flag to $true or $false to toggle debug mode
###############################################################################################################################
# The caller supplies the request as a single mandatory string argument.
param (
    [Parameter(Mandatory = $true)]
    [System.String]
    $requestString
)
# Load the SailPoint library that defines the AccountRequest and XmlUtil types.
# This runs outside the try block further down, so a load failure is not caught there.
Add-Type -Path "E:\IQService\Utils.dll"
# Debug switch: when $true, entry/exit markers and the request contents are logged.
$enableDebug = $true
# One log file per day, named with a year-month-day stamp.
$logDate = Get-Date -UFormat "%Y%m%d"
$logFile = "E:\Scripts\Logs\SourceBeforeCreateScript_$logDate.log"
###############################################################################################################################
# HELPER FUNCTIONS
###############################################################################################################################
#save logging files to a separate txt file
# Append one entry to the log file named by the script-level $logFile variable.
function LogToFile([String] $info) {
    Out-File -FilePath $logFile -InputObject $info -Append
}
#if we have a non-null account request, get our value; otherwise return nothing
# Return the Value of the first attribute request whose Name equals $targetAttribute.
# Returns $null when no attribute matches, or when $request is null (which is also logged).
function Get-AttributeValueFromAccountRequest([sailpoint.Utils.objects.AccountRequest] $request, [String] $targetAttribute) {
    if (-not $request) {
        LogToFile("Account request object was null");
        return $null;
    }
    foreach ($candidate in $request.AttributeRequests) {
        if ($candidate.Name -eq $targetAttribute) {
            # First match wins; later attributes with the same name are ignored.
            return $candidate.Value;
        }
    }
    return $null;
}
###############################################################################################################################
# BODY
###############################################################################################################################
# Main body: rebuild an AccountRequest from the -requestString argument, optionally dump it to
# the debug log, and leave a marked region for client-specific work. Errors raised inside the
# try block are caught and written to $logFile; nothing is rethrown.
if($enableDebug) {
LogToFile("Entering beforeScript")
}
try {
##########################
# Begin SailPoint protected code -- do not modify this code block
#
# $requestString is parsed as XML here, so the caller has to pass the request XML itself.
$sReader = New-Object System.IO.StringReader([System.String]$requestString);
$xmlReader = [System.xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
$requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);
# Debug line for testing.
# NOTE(review): this writes the whole request object to $logFile. Provisioning requests can
# carry sensitive attribute values (confirm what this source sends), so keep $enableDebug off
# outside testing and restrict who can read the log folder.
if($enableDebug) {
LogToFile("Request object contents:")
LogToFile($requestObject | Out-String)
}
#
# End SailPoint protected code
##########################
##########################
# Begin Client-provided code
# Get the necessary info from the accountRequest object,
# for example: $nativeIdentity = $requestObject.nativeIdentity
# Do whatever work needs to be done here.
#
# End Client-provided code
}
catch {
# The failure is only logged here; the script continues to the exit marker below.
# NOTE(review): ItemName is not present on every exception type, so $ErrorItem may be empty.
$ErrorMessage = $_.Exception.Message
$ErrorItem = $_.Exception.ItemName
LogToFile("Error: Item = $ErrorItem -> Message = $ErrorMessage")
}
if($enableDebug) {
LogToFile("Exiting beforeScript")
}
Log:
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "Listening on TLS Port: [5052]"
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "Connection Read Timeout: [15]"
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "TraceLevel: [3]"
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "TraceFile: [logme.txt]"
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "Running As: [LocalSystem]"
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "CommandLine Arguments"
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "Argument[0] ==>'-s'"
06/22/2023 16:08:20 : ServiceMain [ Thread-1 ] INFO : "ServiceName : IQService-Instance1
Display Name : SailPoint IQService-Instance1
Configured TLS Port : 5052
Connection Read Timeout : 15
Update Interval : 30
Build version : IQService-May-2023
Build timestamp : 05/26/2023 06:19 AM -0500
Build location : master
Build builder : jenkins
Build Number : 523
Executable : E:\IQService\IQService.exe
File Size : 78056
File Date : 6/1/2023 8:56:12 AM
Trace Level : 3 [ debug ]
Secondary Service : IQService-Instance1-Secondary
Secondary Service TLS Port: 5053
Secondary Service Status : RUNNING
UpdateService Status : NOT CONFIGURED