I’m trying to realize a POC regarding Virtual Appliance monitoring/supervision. In my client sandbox environment, I created a new cluster and initially deployed a VA with 8 GB RAM and 2 CPUs (below minimum requirements) in VirtualBox. I increased resources to 16 GB RAM and 4 CPUs to meet minimum requirements. I succeeded in activating the OpenTelemetry tool on the VA in order to generate and send core essential metrics to my external monitoring tool (Grafana Cloud). The problem is that the CCG metrics are not sent, and I’m quite sure it’s because the service is not started on my VA, and I don’t know why. I tried multiple cluster restarts and direct VA reboots, and I also waited several hours in case the service would be activated, but nothing happened.
Identity Security Cloud sent VA_REBOOT job (UUID: 451aafba-8ff3-42f5-8a30-c177ac62f0de) with state “FINISHED”
Manually rebooted the VA via sudo reboot
CCG still not deploying after reboot. I attached 2 screenshots to show the UI display and some debugging on the VA.
Try running this bash script on the VA boxes. This may identify a connectivity issue retrieving the containers.
I don’t believe the VA images contain all of the containers any longer, and it is pulling the containers down.
```bash
#!/bin/bash
echo "Starting SailPoint VA connectivity test..."
echo "----------------------------------------------"

# Define the list of hosts to test
# NOTE: For wildcard domains, we pick a specific, known host (e.g., 'www.')
HOSTS_TO_TEST=(
    # Flatcar (updates)
    "www.flatcar-linux.org"
    # SailPoint (core services)
    "api.identitynow.com"
    "www.sailpoint.com"
    "va-access.infra.identitynow.com"
    # Note: If you have a specific tenant URL like 'my-tenant.identitynow.com', add it here!
    # LaunchDarkly (feature flags)
    "app.launchdarkly.com"
    # AWS S3 (general)
    "s3.amazonaws.com"
    # AWS ECR (container images)
    "api.ecr.us-east-1.amazonaws.com"
    "ecr.us-east-1.amazonaws.com"
    "874540850173.dkr.ecr.us-east-1.amazonaws.com"
    "229634586956.dkr.ecr.us-gov-west-1.amazonaws.com"
)

# Loop through each host and test it
for HOST in "${HOSTS_TO_TEST[@]}"; do
    echo -n "Testing: $HOST ... "
    # Use curl with -v (verbose) and -I (HEAD request)
    # Redirect stderr (verbose output) and stdout (headers) to /dev/null
    # We only care about the exit code: any HTTP response counts as reachable.
    if curl -v -I "https://${HOST}" --connect-timeout 5 &> /dev/null; then
        echo "✅ SUCCESS"
    else
        echo "❌ FAILURE"
        echo " (Tip: Run 'curl -v https://${HOST}' for detailed error info)"
    fi
done

echo "----------------------------------------------"
echo "Test complete."
```
How long did you wait prior to doing a restart on the VA or stopping and starting the cluster? I would try a new deployment of a VA and, after letting it pair, letting it sit overnight with no reboots.
{"@timestamp":"2026-03-27T13:03:49.569","level":"INFO","type":"job","message":"Processing INPROGRESS job 161a7bbd-949c-485b-b150-00e3067884f3 of type VA_UPGRADE"}
When I check the details in the ISC UI I have these 4 services, but with CCG always missing:
It seems that the VA reaches the endpoints where images and SailPoint resources are located.
I’ve read in another post that others had to wait some hours before CCG is downloaded and deployed automatically and properly in the VA, but I have no clue about the duration or time period.
Another person suggested creating a first Source in the cluster that contains the virtual appliance (he has made WebService sources that just “test connection” to google.com as a means of loading CCG). Post: CCG in new VA not present - #2 by jsosa, from Stephen Holinaty. I already configured an LDAP source with this cluster, but my test connection is failing. I’m wondering if it’s not because of the absence of CCG in the VA?
Best regards and many thanks in advance for your efforts in helping me in this topic.
Yes, it’s a customer-based tenant and I have downloaded it from the link in the UI setup of Virtual appliances. I’ve also run the stunt.sh script; should it be transferred to SailPoint support exclusively?
Good news: I was finally able to launch the ccg service successfully. The big hurdle was that the Virtual Appliance (VA) could not pull the required CCG Docker image due to restricted outbound connectivity. I was running the VA that I got from the ISC UI link in Oracle VirtualBox, and the VA was in bridge mode for the network, preventing the automated pull of the SailPoint CCG image from the official repository.
The Fix: We ensured the NAT mode was set in the network settings.
Then the ecs login: `/opt/sailpoint/share/ecs/ecs-login`
Manually pulling the image: `sudo docker pull 874540850173.dkr.ecr.us-east-1.amazonaws.com/sailpoint/ccg:latest` (used `:latest` in place of `:current`)
And finally setting the tag: `sudo docker tag 874540850173.dkr.ecr.us-east-1.amazonaws.com/sailpoint/ccg:latest 874540850173.dkr.ecr.us-east-1.amazonaws.com/sailpoint/ccg:current`
Changing the network settings of the VA in VirtualBox back to Bridge.
After this we started ccg service successfully.
Enabling CCG Metrics (OpenTelemetry Bridge)
With the image locally available, we then focused on “injecting” the monitoring capabilities into the Java runtime.
Environmental Injection: We updated the persistent configuration file /home/sailpoint/docker-ccg-extras.env to bypass the VA’s restricted filesystem.
OTEL Parameters: We added the OpenTelemetry (OTEL) variables:
OTEL_EXPORTER_OTLP_ENDPOINT: The monitoring tool OTLP URL (mine was Grafana Cloud).
OTEL_EXPORTER_OTLP_HEADERS: Your API Token.
OTEL_RESOURCE_ATTRIBUTES: To identify this specific VA in your dashboard.
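
A pre-restart check for the three variables listed above, as an added example that is not part of the original post and is not SailPoint code. It assumes the file is consumed as a Docker env file (plain `KEY=VALUE`, quotes taken literally); the file-permission and `https://` checks are added hardening checks, and the script name in the usage line is hypothetical.

```shell
#!/bin/sh
# Added example (not SailPoint code): lint the CCG extras env file.
# Assumption: it is read as a Docker env file, so quotes stay in the value.

# Print the value of KEY ($1) from FILE ($2); the last assignment wins.
env_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Print one finding per line; return 0 when clean, non-zero otherwise.
# Values are never echoed, so the API token stays out of terminals and logs.
check_ccg_otel_env() {
    file=$1
    findings=0
    fail() { echo "FINDING: $1"; findings=$((findings + 1)); }

    [ -f "$file" ] || { echo "FINDING: $file not found"; return 1; }

    # The headers variable holds an API token: only the owner should read it.
    perms=$(ls -ld "$file" | cut -c5-10)
    [ "$perms" = "------" ] || fail "group/other can access the file ($perms)"

    for key in OTEL_EXPORTER_OTLP_ENDPOINT OTEL_EXPORTER_OTLP_HEADERS \
               OTEL_RESOURCE_ATTRIBUTES; do
        value=$(env_value "$key" "$file")
        case $value in
            "")      fail "$key is missing or empty"; continue ;;
            \"*|\'*) fail "$key value starts with a quote character" ;;
        esac
        case $key in
            OTEL_EXPORTER_OTLP_ENDPOINT)
                # The token travels in request headers, so require TLS.
                case $value in
                    https://*) ;;
                    *) fail "$key is not an https:// URL" ;;
                esac ;;
            *)
                # Both remaining variables take comma-separated key=value pairs.
                case $value in
                    *=*) ;;
                    *) fail "$key is not in key=value form" ;;
                esac ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Usage (hypothetical name): sh check-otel-env.sh /home/sailpoint/docker-ccg-extras.env
if [ "$#" -gt 0 ]; then check_ccg_otel_env "$1"; fi
```

A clean run prints nothing and exits 0; each finding names the variable at fault without printing its value.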