File Upload Utility

BlessyMat_AA · September 18, 2024, 4:05pm

I am receiving below “Connection Timeout” in our env, what are the parameters that I will need to check to resolve the issue. Please advise.

Command used=> java -jar FileUploadUtility.jar --url https://xx.identitynow.com --clientId xx --clientSecret xx --file D:\sailpoint\xx -R

Scope of PAT used in jar file=> sp:scopes:all

<
java.net.SocketTimeoutException: Connect timed out
at java.base/sun.nio.ch.NioSocketImpl.timedFinishConnect(NioSocketImpl.java:546)
at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:597)
at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:333)
at java.base/java.net.Socket.connect(Socket.java:648)
        at okhttp3.internal.platform.Platform.connectSocket(Platform.java:130)
        at okhttp3.internal.connection.RealConnection.connectSocket(RealConnection.java:263)
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:183)
        at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
        at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
        at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
        at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
        at okhttp3.RealCall.execute(RealCall.java:81)
        at retrofit2.OkHttpCall.execute(OkHttpCall.java:207)
        at sailpoint.service.SailPointService.createSession(SailPointService.java:110)
        at sailpoint.utils.FileUploadUtility.call(FileUploadUtility.java:235)
        at sailpoint.utils.FileUploadUtility.main(FileUploadUtility.java:145)/>

neil_mcglennon · September 19, 2024, 11:27am

From Troubleshooting section on Timeouts:

Timeouts are usually an indication that File Upload Utility is attempting to communicate with the SailPoint Cloud and not getting a response. Usually, this due to network security controls, such as firewalls, preventing the communication. Work with your network teams to make sure you can reach the SailPoint Cloud, and if necessary, adjust Timeout Configurations or even leverage Proxy Configurations if so required.

Hope this helps!

Santhakumar · September 22, 2024, 2:09pm

Did we get the powershell script that has been used in this video?

colin_mckibben · September 23, 2024, 12:58pm

Hi Shantha,
Are you referring the the script that was used in Krish’s livestream last week? If yes, he’s in the process of submitting it to the CoLab

ajtardio · September 27, 2024, 5:23pm

Got help from Support - it’s literally just replacing the current .jar file with the new .jar - no commands actually need run. You can get the new version from the Current Release link at the top of this page.

anon50892160 · October 23, 2024, 2:01am

I understand that UTF-8 (Unicode) is the supported character code for multibyte data(account entitlement), is that correct?
In Japan, there are still cases where other character encodings such as Shift JIS are used, but after converting to UTF-8, it is necessary to use it, right?

edmarks · October 24, 2024, 9:09pm

Does anyone know if the File Upload Utility is compatible with AWS Corretto OpenJDK (OpenJDK Download - Corretto - AWS)?

neil_mcglennon · October 28, 2024, 3:30pm

It is! I actually develop and test File Upload Utility against that version of OpenJDK.

neil_mcglennon · October 29, 2024, 1:50pm

Hi @anon50892160 - Good question. File Upload Utility itself doesn’t process the file or check for encodings, it just transports it to the cloud via API. I am not sure what all the API validates, before it is handed to the delimited file connector for parsing. The delimited file connector defaults to UTF-8 encoding, but I think theres a setting which can override this. Just keep in mind the data that goes back to ISC’s data stores is in fact UTF-8; so if you read in a different encoding it will be ‘cast’ to our default (expected) encoding. If this isn’t re-encoded correctly this could look like spurious characters, which is why we recommend UTF-8 encoding as theres no room for error. Hope this helps!

JedHyder · November 8, 2024, 1:02pm

Neils project is really good, and it is also cross platform(linux/windows/mac). But in navigate I heard from a few customers that would like similar functionality that you are asking about. Also, they were looking for a method could follow to easily migrate the IIQ beanshell delimited files to ISC. I was able to spend a week with a test tenant to create a project that I believe will provide most of this functionality. Sato, with a bit of scripting, this project has a feature that you might be able to use to do the processing you are needing.
GitHub - jhyderjhyder/IdentityNow_AutoLoader: IdentityNow ISC AutoLoader for Delimited Files. The project needs some testing with large files. But because you can write a PowerShell script to pre-process the file, then you can validate the format or even rewrite it. If you find defects or enhancements, you would like to see please let me know. Also, this project will run as a windows service, so I think it would be easier to support for many users. If it gets traction/demand in the community, then I will work with SailPoint to add it to the colab.

VincentChu · December 9, 2024, 6:53am

Any update for the error code 503? We have been getting it recently. Not sure what is the reason. Can someone share the details?

neil_mcglennon · December 9, 2024, 4:48pm

I love this idea. Great work @JedHyder!

colin_mckibben · December 9, 2024, 8:08pm

I encourage you to do this so you can earn some Ambassador points from your work!

Bhekamandla · February 19, 2025, 3:49pm

Hi Neil,

I’m also getting error 500 with message “An internal fault occurred.” while using version 4.1.0. Did you manage to find a solution for Minh? I tried replicating the issue using Postman but the request was successful, so I’m not sure what the cause of the is.

Regards,
Bhekamandla

mhoang · February 19, 2025, 4:09pm

Hi,

If I recall, there was a small error in the input file. There was a double quote on one of the fields.

I use Visual Studio Code w/ lint extension to check the csv file to make sure it correct.

Medo1 · February 26, 2025, 7:54pm

Was there any solution for this error?

neil_mcglennon · February 26, 2025, 9:12pm

Connection resets are usually a network device, proxy, or firewall disconnecting your attempted connection to the cloud. I would seek advice with your network administrators from where this is being run. Most organizations require proxy configuration (which file upload utility supports).

naluvala · May 6, 2025, 5:48am

@neil_mcglennon

I am using 4.1.0 file upload utility and jdk 21 when i followed u r process i am getting the below error. Can u please let me know what might be the issue.

Checking credentials…
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:383)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1318)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1195)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1138)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:206)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
at okhttp3.RealCall.execute(RealCall.java:81)
at retrofit2.OkHttpCall.execute(OkHttpCall.java:207)
at sailpoint.service.SailPointService.createSession(SailPointService.java:110)
at sailpoint.utils.FileUploadUtility.call(FileUploadUtility.java:245)
at sailpoint.utils.FileUploadUtility.main(FileUploadUtility.java:145)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
at java.base/sun.security.validator.Validator.validate(Validator.java:256)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:230)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1302)
… 35 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
… 40 more
Analyzing account file: Downloads\f16541b2dc9c4bc2b846ed70a00cc075-testFileUploadUtility.csv
Analyzing account file: f16541b2dc9c4bc2b846ed70a00cc075-testFileUploadUtility.csv
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:383)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1318)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1195)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1138)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:447)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:206)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
at okhttp3.RealCall.execute(RealCall.java:81)
at retrofit2.OkHttpCall.execute(OkHttpCall.java:207)
at sailpoint.service.SailPointService.createSession(SailPointService.java:110)
at sailpoint.service.SailPointService.getAuthenticatedService(SailPointService.java:53)
at sailpoint.service.SailPointService.aggregateAccounts(SailPointService.java:144)
at sailpoint.utils.FileUploadUtility.processFile(FileUploadUtility.java:333)
at sailpoint.utils.FileUploadUtility.call(FileUploadUtility.java:273)
at sailpoint.utils.FileUploadUtility.main(FileUploadUtility.java:145)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
at java.base/sun.security.validator.Validator.validate(Validator.java:256)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:230)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1302)
… 38 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
… 43 more
File [f16541b2dc9c4bc2b846ed70a00cc075-testFileUploadUtility.csv]: Error: Cannot invoke “sailpoint.object.Session.getAccessToken()” because “this.session” is null
Complete.

Elapsed time: 0 seconds
Files processed: 1

Success: 0

Error: 1

Skipped: 0

narayanag · May 11, 2025, 8:50pm

@naluvala Welcome to Sailpoint developer community !!

I’ve debugged the issue on my end and did not encounter the problem. I suggest exploring this direction as well. While I’m not fully confident in the solution I’m proposing, I wanted to share my thought process for consideration.  ```
How to Fix It:  
=========
 Step 1: Export the Certificate
 ==================================
Use a browser or openssl to get the SSL certificate chain for the target host (example: https://<org>.identitynow.com).

echo | openssl s_client -showcerts -servername <org>.identitynow.com -connect <org>.identitynow.com:443

Copy the certificate block:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Save it as identitynow.crt.


Step 2: Import the Certificate into Java Truststore:
================================================
Locate your Java truststore path (e.g., $JAVA_HOME/lib/security/cacerts)
Default password is usually: changeit


keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts \
  -storepass changeit -noprompt -alias identitynow \
  -file identitynow.crt
  
  Now re-run the IdentityNow File Upload Utility. It should trust the server's certificate and successfully authenticate.

richasg · July 4, 2025, 8:18pm

Hi Guys,

I have added the following features / changes in a new PR due to experience with client needs.

I think that this PR helps the stability of the utility and provides features that are more aligned to an enterprise application.

github.com/sailpoint-oss/colab-file-upload-utility

Config file support, Log4j, and proxy env vars

main ← Astral-Media-AU:feature/config-file

opened 08:01PM - 04 Jul 25 UTC

richastral

+1684 -1306

# Feature Update I have added the following features / changes in this PR due t…o experience with client needs. I think that this PR helps the stability of the utility and provides features that are more aligned to an enterprise application. ## Configuration File Alternative to Command-Line Arguments This PR for the `SailPoint File Upload Utility` supports configuration using a JSON file to reduce the complexity of the configuration and command line arguments and supports additional features. Below is an example of a configuration file: ```json { "tenant": { "url": "https://<example>.api.identitynow.com", "clientId": "env", "clientSecret": "env" }, "proxy": { "enabled": false, "host": "", "port": 1234, "user": "", "password": "" }, "aggregations": [ { "sourceId": "<example source id>>", "disableOptimization": false, "objectType": "Account", "recursive": false, "simulate": false, "timeout": 10000, "extensions": [ "csv", "tsv" ], "enableFileJourney": true, "structure": { "in": "/data/sailpoint/in", "stage": "/data/sailpoint/stage", "archive": "/data/sailpoint/archive", "error": "/data/sailpoint/error" } } ], "ks": "", "iv": "" } ``` Most of the values in the config file directly relate to the command line arguments outlined in the [README.md](./README.md), organized more efficiently with some additional features outlined below: ### Attributes The following attributes and objects are required to be present in the configuration file. If there is no value for a specific attribute, the blank `""` is accepted and `[]` for arrays: |Object|Name|Type|Description| |---|---|---|---| ||`tenant`|`Tenant`|Object to outline the details of the SailPoint tenant to connect to.| |`Tenant`|`url`|`String`|Contains the details of the SailPoint tenant to connect to.| |`Tenant`|`clientId`|`String`|SailPoint Client ID (PAT). If value of `env` is provided, then the value for environment variable `SAIL_CLIENT_ID` will be used.| |`Tenant`|`clientSecret`|`String`|SailPoint Client Secret (PAT). If value of `env` is provided, then the value for environment variable `SAIL_CLIENT_SECRET` will be used. Note: Plain text `clientId` is automatically encrypted on first run.| ||`aggregations`|`Aggregation (Array)`|Array of `Aggregation` objects which contain the configuration for each source o be aggregated.| |`Aggregation`|`sourceId`|`String`|SailPoint ID for the Source to be aggregated. If File Upload Utility cannot find the specified `sourceId` in the tenant's configuration, then it will skip the aggregation and move on to the next if there is one.| |`Aggregation`|`objectType`|`String`|`Account` or `Entitlement` Schema| |`Aggregation`|`recursive`|`Boolean`|Recursively search directories| |`Aggregation`|`timeout`|`Integer`|Timeout (in milliseconds). Default: 10000 (10s)| |`Aggregation`|`disableOptimization`|`Boolean`|Disable Optimization on Account Aggregation| |`Aggregation`|`simulate`|`Boolean`|Simulation Mode. Scans for files but does not aggregate.| |`Aggregation`|`extensions`|`String (Array)`|List of extensions to search for within the directory structure.| |`Aggregation`|`enableFileJourney`|`Boolean`|Flag to enable file processing to move files to `in`, `staging`, `archive` or `error`| |`Aggregation`|`structure`|`Structure`|Directory structure for importing files| |`Structure`|`in`|`String`|Path to file or directory for aggregation| |`Structure`|`stage`|`String`|Path to directory for processing aggregations| |`Structure`|`archive`|`String`|Path to directory for successful aggregations| |`Structure`|`error`|`String`|Path to directory for failed aggregations| ||`proxy`|`Proxy`|Object to outline the details of a proxy server (if required).| |`Proxy`|`enabled`|`Boolean`|Flag to enable Web (HTTP) proxies support.| |`Proxy`|`host`|`String`|Hostname for proxy server (if `enabled` is set to `true`).| |`Proxy`|`port`|`Integer`|Proxy TCP port for proxy server (if `enabled` is set to `true`).| |`Proxy`|`user`|`String`|Username for proxy server (if `enabled` is set to `true`).| |`Proxy`|`password`|`String`|Password for proxy server (if `enabled` is set to `true`). Note: Plain text `clientId` is automatically encrypted on first run.| ||`ks`|`String`|Internally used. Soon to be removed.| ||`iv`|`String`|Internally used. Soon to be removed.| ### New Features The following new features have been introduced as part of the configuration file: #### One File Config One single file for configuration, reducing the reliance on command line arguments, helps the maintenance of the application. #### Individual Source Aggregation Configuration Previously, the following settings could only be set as globally for the application's run (regardless of the files and sources being aggregated): - timeout - disableOptimization - extensions - simulate As of now each of these options can be configured per-source, enabling a more granular configuration, as shown below: ```json { ... "aggregations": [ { "sourceId": "<<<source id>>>", "disableOptimization": false, "objectType": "Account", "recursive": false, "simulate": false, "timeout": 10000, "extensions": [ "csv", "tsv" ], "enableFileJourney": true, "structure": { "in": "/data/sailpoint/in", "stage": "/data/sailpoint/stage", "archive": "/data/sailpoint/archive", "error": "/data/sailpoint/error" } } ], ... } ``` #### File Archival / File Journey - Built in In many cases, files are picked up from a directory and processed, and there is often a reliance of a separate or overarching script of some sort (`bash`/`PowerShell` for example) which either picks the file up for processing by this application, or moves the file to an archival directory. This has been addressed with the `structure` object within the configuration: ```json { ... "aggregations": [ { "sourceId": "<example source id>>", ... "extensions": [ "csv", "tsv" ], "enableFileJourney": true, "structure": { "in": "/data/sailpoint/in", "stage": "/data/sailpoint/stage", "archive": "/data/sailpoint/archive", "error": "/data/sailpoint/error" } } ], ... } ``` As can be seen above, if the `enableFileJourney` flag is set to `true` the following happens during processing: 1) The directory specified in the `in` attribute is scanned for files with extensions which match one of the `extensions` also specified. 2) Upon finding a file, the file is renamed with a prefix of teh date and time e.g. `20250705010203_<filename>`. 3) The file `20250705010203_<filename>` is then moved to the diectory specified in the `stage` attribute so to clean the `in` directory. 4) The file is then attempted to be imported / aggregated. 5) If the file is successfully aggregated, the file is moved in to the directory specified in the `archive` folder. 6) If the aggregation of the file fails for any reason, the file is moved in to the directory specified in the `error` attribute. If the `enableFileJourney` flag is set to `false` the following happens during processing: 1) The directory specified in the `in` attribute is scanned for files with extensions which match one of the `extensions` also specified. 2) The file is then attempted to be imported / aggregated. #### On-the-fly Encryption of Credentials As per the original codebase, the environment variables for the tenant Client ID and Secret can be used. However if this is not viable, the Client Secret can be entered **Free Text** in to the configuration file. However, upon the first run on the application, the secret will be encrypted and no longer be human readable. Note: Currently this is not a fool-proof encryption method as the keys are stored in the config file, this is only a deterrent at this time. A more suitable alternative is currently being looked in to. ## Logging Support with Log4j 2 This PR for `SailPoint File Upload Utility` replaces the basic logging functionality and implements `Apache Log4j 2`, providing a robust and consistent mechanism for capturing and managing application logs. This enhancement enables fine-grained control over log levels, formatting, and output destinations, making it easier for developers and administrators to monitor and troubleshoot the utility in a variety of environments. By adopting Log4j 2, the utility inherently supports streaming log data to `Security Information and Event Management (SIEM)` solutions such as `Splunk`, `ELK Stack`, or other centralized log aggregation platforms. This is particularly valuable for enterprise deployments, where maintaining visibility, ensuring compliance, and detecting anomalies in real time are critical requirements. Key benefits of this implementation include: - **Flexible Configuration:** Customize log levels and appenders (e.g., console, rolling files) via simple configuration changes without modifying the application code. - **Enterprise Integration:** Seamlessly forward logs to SIEM systems to support centralized monitoring and alerting pipelines. - **Enhanced Debugging and Auditing:** Provides clear, structured logs to facilitate operational support and forensic analysis. ### Default Configuration The default configuration is outlined below and logs detailed output to the console and to the file `logs/FileUpload.log`: ```properties # Root logger option rootLogger=INFO, STDOUT, LOGFILE # Define console appender appender.console=org.apache.log4j.ConsoleAppender appender.console.name = STDOUT appender.console.type = Console appender.console.layout.type = PatternLayout appender.console.layout.pattern = [%-5level] %msg%n # Define rolling file appender appender.file.type = File appender.file.name = LOGFILE appender.file.fileName = logs/FileUpload.log appender.file.layout.type = PatternLayout appender.file.layout.pattern = [%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n appender.file.filter.threshold.type = ThresholdFilter appender.file.filter.threshold.level = info ``` You can override the default configuration by specifying the `-Dlog4j.configurationFile=directory/file.xml` on the command line as outlined below. ### Log4J Configuration Formats Log4J supports both `properties` format and `xml`. The above configuration `properties` file can alternatively be provided as an `xml` file as below: ```xml <?xml version="1.0" encoding="UTF-8"?> <Configuration status="WARN"> <Appenders> <Console name="STDOUT" target="SYSTEM_OUT"> <PatternLayout pattern="[%level] %msg%n"/> </Console> <File name="LOGFILE" fileName="logs/FileUpload.log"> <PatternLayout pattern="[%level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n"/> <ThresholdFilter level="info" onMatch="ACCEPT" onMismatch="DENY"/> </File> </Appenders> <Loggers> <Root level="INFO"> <AppenderRef ref="STDOUT"/> <AppenderRef ref="LOGFILE"/> </Root> </Loggers> </Configuration> ``` Both the `properties` and the `xml` file achieve the same result which is: - Output runtime messages to the console. - Log runtime messages to a file `logs/FileUpload.log` with a little more detail. - Both output the log level of INFO. ### Custom Logging As previously mentioned you can provide your own log configuration file that will override the default log configuration. This can be easily achieved by adding `-Dlog4j.configurationFile=directory/file.xml` to the command line and provinding a valid Log4j2 `properties` or `xml` file, for example: - `java -Dlog4j.configurationFile=directory/file.xml -jar sailpoint-file-upload-utility.jar <commands>` - `java -Dlog4j.configurationFile=directory/file.properties -jar sailpoint-file-upload-utility.jar <commands>` ### Security Information and Event Management (SIEM) `Apache Log4j 2` is designed to be highly extensible and integrates smoothly with `SIEM` systems without requiring significant custom development. Out of the box, Log4j 2 provides multiple mechanisms to stream or forward logs to external systems like `Splunk`, `ELK (Elasticsearch, Logstash, Kibana)`, `QRadar`, and other SIEM platforms. For this reason, I have integrated Log4j. #### Basic Integration (Splunk) Example The following example and instructions facilitate logging from the `SailPoint File Upload Utility` to an instance of `Splunk` by providing a custom `Log4j 2 Configuration File` on the command line. This example assumes you have an instance of Splunk available that has: 1) A HTTP Event Collector enabled [Splunk HEC Documentation](https://dev.splunk.com/enterprise/docs/devtools/httpeventcollector/). 2) An access token for the HTTP Event Collector. 3) Firewall rules from the File Uploader machine to the Splunk instance. ##### Log4j Configuration The following outlines a configuration file that does the following: - Prints the log output to the console. - Appends the log output to the file `logs/FileUpload.log` with more detail. - Pushes the log output to the `Splunk` server outlined in the appenders section. - The log level of DEBUG for is used for testing purposes. ```xml <?xml version="1.0" encoding="UTF-8"?> <Configuration status="WARN"> <Appenders> <Console name="STDOUT" target="SYSTEM_OUT"> <PatternLayout pattern="[%level] %msg%n"/> </Console> <File name="LOGFILE" fileName="logs/FileUpload.log"> <PatternLayout pattern="[%level] %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %c{1} - %msg%n"/> <ThresholdFilter level="info" onMatch="ACCEPT" onMismatch="DENY"/> </File> <Http name="SPLUNK" url="https://<<<Splunk:Instance>>>/services/collector/raw"> <Property name="Authorization" value="Splunk <<<Splunk:Access Token>>>"/> <Property name="Content-Type" value="application/json"/> <PatternLayout pattern="%d %m%n"/> </Http> </Appenders> <Loggers> <Root level="DEBUG"> <AppenderRef ref="STDOUT"/> <AppenderRef ref="LOGFILE"/> <AppenderRef ref="SPLUNK"/> </Root> </Loggers> </Configuration> ``` ##### Command Line Arguments As previously mentioned you can override the default configuration by specifying the `-Dlog4j.configurationFile=directory/file.xml` on the command line to point to your custom `Splunk` log configuration above: ```bash java -Dlog4j.configurationFile=/path/to/splunk-logging.xml -jar /path/to/sailpoint-file-upload-utility-4.1.1-all.jar <commands> ``` Example: ```bash java -Dlog4j.configurationFile=/var/uploader/splunk-logging.xml -jar /var/uploader/sailpoint-file-upload-utility-4.1.1-all.jar --config-file /var/uploader/my-config.json ``` ### Further Log Configuration For more details on configuring logging for your environment using `Log4j`, refer to the [Log4j 2 Documentation](https://logging.apache.org/log4j/2.x/manual/configuration.html) or utilize the examples outlined above. ## Added Environment Variables for Proxy Username and Password As with the environment variables for Client ID and Secret, I have added functionality to specify the proxy username and password with the following environment variables: - SAIL_PROXY_USER - SAIL_PROXY_PASS These can be used by either setting the value `env` for `--proxyUser` and or `--proxyPassword` on the command line or setting the respective values to `env` in the config file: ```json { ... "proxy": { "enabled": true, "host": "my-proxy.host", "port": 1234, "user": "env", "password": "env" }, ... } ``` The above configuration will retrieve the proxy username and password fro the the environment variables.

New Features:
Configuration File as Alternative to Command-Line Arguments:
Added support for configuration using a JSON file to reduce the complexity of the configuration and reduces command line arguments and supports additional features.

Individual Source Aggregation Configuration:
Previously, the following settings could only be set as globally for the application’s run (regardless of the files and sources being aggregated):

timeout
disableOptimization
extensions
simulate

As of now each of these options can be configured per-source, enabling a more granular configuration. This also includes On-the-fly Encryption of Credentials.

File Archival / File Journey - Built in:
In many cases, files are picked up from a directory and processed, and there is often a reliance of a separate or overarching script of some sort (bash/PowerShell for example) which either picks the file up for processing by this application, or moves the file to an archival directory.

This has been addressed with the structure object within the configuration that allows defining in, stage, archive and error directories.

Logging Support with Log4j 2:
I have replaced the basic logging functionality and implemented Apache Log4j 2, providing a robust and consistent mechanism for capturing and managing application logs. This enhancement enables fine-grained control over log levels, formatting, and output destinations, making it easier for developers and administrators to monitor and troubleshoot the utility in a variety of environments.

By adopting Log4j 2, the utility inherently supports streaming log data to Security Information and Event Management (SIEM) solutions such as Splunk, ELK Stack, or other centralized log aggregation platforms. This is particularly valuable for enterprise deployments, where maintaining visibility, ensuring compliance, and detecting anomalies in real time are critical requirements.

Key benefits of this implementation include:
Flexible Configuration: Customize log levels and appenders (e.g., console, rolling files) via simple configuration changes without modifying the application code.
Enterprise Integration: Seamlessly forward logs to SIEM systems to support centralized monitoring and alerting pipelines.
Enhanced Debugging and Auditing: Provides clear, structured logs to facilitate operational support and forensic analysis.

I have included documentation to configure Splunk, which I have tested.

Added Environment Variables for Proxy Username and Password:
As with the environment variables for Client ID and Secret, I have added functionality to specify the proxy username and password with the following environment variables:
SAIL_PROXY_USER
SAIL_PROXY_PASS

These can be used by either setting the value env for --proxyUser and or --proxyPassword on the command line or setting the respective values to env in the config file.

Topic		Replies	Views
SailPoint File Upload Utility 4.0.0 ISC Discussion and Questions apis , identity-security-cloud	7	256	August 16, 2024
File Upload Utility Automation Scripts Community Tools identity-security-cloud , community-developed	0	279	October 2, 2024
SailPoint IdentityNow File Upload Utility Version 3.0.2 is failing ISC Discussion and Questions identity-security-cloud	4	53	November 10, 2024
File Upload Utility Plans with API Deprecations ISC Discussion and Questions apis , aggregation , identity-security-cloud , flat-file-connector	40	3044	August 20, 2024
File Upload Utility - Entitlement Feed File Upload ISC Discussion and Questions aggregation , identity-security-cloud	4	515	January 15, 2024