000031737 - PersistenceException caused by ORA-22835 when AFX provisioning rule attempts to add a new user in RSA IMG 6.9.1

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000031737
Applies ToRSA Product Set: Identity Management and Governance (IMG), Aveksa
RSA Product/Service Type: Access Fulfillment Express (AFX)
RSA Version/Condition: 6.9.1
IssueThe provisioning rule for new users fails when the AFX Connector attempts to create Microsoft Active Directory accounts.
The aveksaServer.log logs an error similar to the following:
11/09/2015 07:57:13.200 ERROR (http- [com.aveksa.gui.components.table.special.SQLTable] Error getting Object List.  SQL=select * from (select AV_DATA_ROWS.*, rownum AV_DATA_ROW_NUMBER from (select * from (select pcrd.ID,

The following exception is subsequently thrown:
com.aveksa.server.db.PersistenceException: Executing JDBC query failed [select * from (select AV_DATA_ROWS.*, rownum AV_DATA_ROW_NUMBER from (select * from (select pcrd.ID,

The "caused" message below is also thrown.

Caused by: java.sql.SQLException: ORA-22835: Buffer too small for CLOB to CHAR or BLOB to RAW conversion (actual: 5081, maximum: 4000)


CauseThe ORA-22835 exception occurs when a SQL "TO_CHAR" statement attempts to convert a CLOB object to a CHAR object and the CLOB object exceeds 4000 bytes. The 4000 byte limit is a hard limit and is not configurable.  ORA-22835 is a new exception, in older (Oracle 10.x and earlier) versions of Oracle SQL if the BLOB object was to large the object would be truncated without any error message.
When this error occurs during an AFX provisioning event it is caused by an attempt to convert the SQL statement used to define the attributes to be added to the AD user to a string.  This can occur if the Account Template used to define the AD user contains a very large number of user attributes.
Note that the number of attributes you can add before encountering this error depends on the size of the SQL used to define them so there is no hard limit.   Typically this problem only occurs when 20 or more attributes are defined. 
WorkaroundReduce the number of user attributes defined in the "Account Template" (Under Requests/Configuration under the Templates tab) assocated with the Account until the error no longer occurs.  
Typically RSA Aveksa should be able to support about 20 attributes.