Error when connecting to Thycotic using scim2.0

Hi,

We are trying to integrate IdentityNow and thycotic using the SCIM 2.0 connector.
We have SCIM connector provided by thycotic installed in the server which communicates to the secret server.

In the SCIM 2.0 connector we are providing the base URL of the SCIM connector.
Even after adding all the credentials, when we do a test connection we get this error back: Test Connection Failed : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Can you please help us understand why this error might occur?

Thanks,
Karthik

Hi Karthik, I’m not an IDN expert, but the error appears to be a server certificate issue/trust.

Hi Karthik,

Indeed, as @AlejandroGilHammer has suggested, this error would usually be associated with an authentication issue during the test connection.

Does the Thycotic server/connection require a certificate for connectivity? What type of authentication does the Thycotic server require in this case? If a certificate is required, then we will need to copy this chain of trust, i.e. the Root CA or similar, into the Virtual Appliance keystore (the certificates folder). We can provide these steps; however, in the meantime I would check the following points first.

I recommend a few tips when troubleshooting connections in general:

  • If possible, simulate the connection outside of IdentityNow: is it possible to test the service account/authentication mechanism outside of IdentityNow?

  • Attempt to assign a service account with Administrator privileges as a test, to ensure there are no permission-related issues.

  • Perform connectivity tests as advised in the VA Troubleshooting guide on Compass (such as the nc command or similar): do you see the same error?

I came across the following Thycotic document which may be useful to review too:

Kind Regards,

Omar Khote, CISSP.

Hey again @Karthik,

Please let us know if the above helps you resolve the error; good luck!

Hi @omar.khote

Does the Thycotic server/connection require a certificate for connectivity? - Yes, we have a valid SSL certificate on the secret server.

What type of authentication does the Thycotic server require in this case? - We are using basic authentication.

If a certificate is required, then we will need to copy this chain of trust, i.e. the Root CA or similar, into the Virtual Appliance keystore (the certificates folder). - We have the certificate placed in Thycotic; do we also need to copy this certificate into the Virtual Appliance? How can I achieve this?

I recommend a few tips when troubleshooting connections in general:

If possible, simulate the connection outside of IdentityNow: is it possible to test the service account/authentication mechanism outside of IdentityNow? - Yes, we tried through Postman and got a getaddrinfo ENOTFOUND error. But we are able to log into the server with the same credentials and validated that the user has admin privileges.

Attempt to assign a service account with Administrator privileges as a test, to ensure there are no permission-related issues. - We have the service account with admin privileges.

Thanks for the answers Karthik,

Is the certificate self-signed by any chance on the Thycotic server?
Are you connecting via hostname or IP address to the server?

If you are using a self-signed certificate, you would need to copy over the full chain onto the VA via the following steps:

  1. Copy the PEM-encoded certificates to the /home/sailpoint/certificates directory. This directory might not be empty because it’s where the VA adds any certs it grabs from the source.

  2. Restart CCG. You can use either of the following commands:
    'sudo systemctl restart ccg'

  3. Watch the /home/sailpoint/log/ccg-start.log. If this is successful, the import should log a message.

Note: The above steps are essentially the same as those defined when configuring TLS to Active Directory:
https://community.sailpoint.com/t5/IdentityNow-Connectors/TLS-Configuration-on-Virtual-Appliances/ta-p/74434#toc-hId-479772855

What is your VA configuration type? Can you execute a curl command or any other troubleshooting commands and resolve the address of the server fine? Have you executed any of the openssl commands in the VA troubleshooting guide?

The getaddrinfo ENOTFOUND error is an error you would see on the client side, where for instance name resolution of that server is not possible, so this could also be DNS related.

The next best step, if all of the above has been performed, is to verify connectivity using openssl from the Virtual Appliance, to test connectivity to the SCIM server and review the certificates (once copied over); please see the commands in the VA troubleshooting guide.

e.g.
openssl s_client -CAfile certificates/examplecer.pem -connect test.yourthycoticserver.com:443
openssl verify examplecer.pem
(the above commands assume the certificates have been copied over to the VA).

Hey @Karthik, to add to the above, please also double-check and ensure the details entered into the Source Configuration of the SCIM IdentityNow connector are completely correct and that there are no issues with the details entered.
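The openssl checks suggested above can be tied together into a small triage script that tells you which case you are in before anything is copied to the VA: whether the SCIM endpoint answers at all (the getaddrinfo ENOTFOUND symptom), whether its leaf certificate is self-signed, and whether a PEM already in /home/sailpoint/certificates would verify the chain. This is an added example, not code from the thread or from SailPoint; it assumes openssl is on PATH, and the host name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: triage a "PKIX path building failed"
# error before copying anything into the VA certificates directory.
# Assumes openssl is on PATH; host names below are placeholders; CERT_DIR is
# the directory named in the thread on the Virtual Appliance.
CERT_DIR="${CERT_DIR:-/home/sailpoint/certificates}"

# Save the PEM chain the server actually presents (SNI set so the right
# virtual host answers). Fails when nothing came back, e.g. DNS or port issues.
fetch_chain() {  # fetch_chain host port outfile
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$3"
  [ -s "$3" ]
}

# True when the first (leaf) certificate in the file is self-signed, i.e. its
# subject equals its issuer; then the leaf itself is what CERT_DIR needs.
is_self_signed() {  # is_self_signed pemfile
  subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
  iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# True when the leaf chains to a root in cafile; intermediates in the chain
# file are offered as untrusted, which is how the VA's trust store sees them.
verify_against() {  # verify_against pemfile cafile
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# True when some PEM already present in CERT_DIR would satisfy the chain.
trusted_by_cert_dir() {  # trusted_by_cert_dir pemfile
  for ca in "$CERT_DIR"/*.pem; do
    [ -f "$ca" ] && verify_against "$1" "$ca" && return 0
  done
  return 1
}

# Usage: sh pkix_triage.sh scim.yourthycoticserver.example 443
if [ -n "$1" ]; then
  chain=$(mktemp)
  fetch_chain "$1" "${2:-443}" "$chain" || { echo "no certificate from $1: check DNS/port first"; exit 2; }
  if is_self_signed "$chain"; then
    echo "leaf is self-signed: copy it into $CERT_DIR and restart ccg"
  elif trusted_by_cert_dir "$chain"; then
    echo "a CA in $CERT_DIR already verifies this chain: check ccg-start.log for the import"
  else
    echo "CA-issued leaf that no CA in $CERT_DIR verifies: copy the issuing chain there"
  fi
fi
```

Run it as the sailpoint user on the VA so the CERT_DIR glob sees the same files CCG will import on restart.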