000038812 - Salesforce AFX Connector provisioning fails with 'Error occured while generating access token from refresh token'  and INVALID_SESSION_ID in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Apr 30, 2020Last modified by RSA Customer Support Employee on Apr 30, 2020
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000038812
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.1, 7.2.0
 
Issue
After creating a Salesforce AFX Connector and verifying that a test of the connector successfully obtains an OAuth2 token as in the example below, provisioning to the endpoint using the new SalesForce AFX Connector fails when used the next day.
 


User-added image




The AFX connector log file ($AFX_HOME/esb/logs/esb.AFX-CONN-SalesforceConnector_<date>.log) has the following error:


2020-02-20 15:54:10.705 [ERROR] com.aveksa.AFX.server.runtime.esb.salesforce.service.UserSalesforceServiceImpl:361 -
Add Account to group failed due to following error: com.aveksa.AFX.server.runtime.esb.salesforce.service.SalesforceException: Unauthorized User:
Error code returned:  401  [{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]
com.aveksa.AFX.server.runtime.esb.salesforce.service.SalesforceException: Unauthorized User:
Error code returned:  401  [{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]

at com.aveksa.AFX.server.runtime.esb.salesforce.service.SalesforceService.getStream(SalesforceService.java:277)
at com.aveksa.AFX.server.runtime.esb.salesforce.service.SalesforceService.getEntityIdByName(SalesforceService.java:331)
at com.aveksa.AFX.server.runtime.esb.salesforce.service.UserSalesforceServiceImpl.addAccountToGroup(UserSalesforceServiceImpl.java:178)
at com.aveksa.AFX.server.runtime.esb.salesforce.esb.SalesforceComponent.onCall(SalesforceComponent.java:105)
at org.mule.model.resolvers.CallableEntryPointResolver.invoke(CallableEntryPointResolver.java:46)
at org.mule.model.resolvers.DefaultEntryPointResolverSet.invoke(DefaultEntryPointResolverSet.java:36)
at org.mule.component.DefaultComponentLifecycleAdapter.invoke(DefaultComponentLifecycleAdapter.java:339)
at org.mule.component.AbstractJavaComponent.invokeComponentInstance(AbstractJavaComponent.java:82)
at org.mule.component.AbstractJavaComponent.doInvoke(AbstractJavaComponent.java:73)
at org.mule.component.AbstractComponent.invokeInternal(AbstractComponent.java:122)
at org.mule.component.AbstractComponent.access$000(AbstractComponent.java:57)
at org.mule.component.AbstractComponent$1$1.process(AbstractComponent.java:238)



The aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log) has a related error:


02/27/2020 09:29:56.618 ERROR (pool-700-thread-1) [com.aveksa.server.core.oauth2.OAuth2Handler]
Error occured while generating access token from refresh token
java.net.ConnectException: Connection timed out (Connection timed out)

    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:673)
    at sun.security.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:477)
    at sun.security.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:153)
    at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:81)
    at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:126)
    at com.aveksa.common.tls.CustomSecureProtocolSocketFactory.createSocket(CustomSecureProtocolSocketFactory.java:57)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at com.aveksa.server.core.oauth2.OAuth2Handler.getTokenFromRefreshToken(OAuth2Handler.java:192)
    at com.aveksa.server.core.oauth2.OAuth2ServiceProvider.getAccessTokenUsingRefreshToken(OAuth2ServiceProvider.java:158)
    at com.aveksa.gui.util.oauth2.TokenExpiryHandler.run(TokenExpiryHandler.java:50)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

(...)


Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
 
CauseThis is a known issue reported in engineering ticket ACM-104033.
 
ResolutionThis issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release.
 

Attachments

    Outcomes