000031749 - RSA Identity Managerment and Governance collector failing with error: ORA-31011: XML parsing failed and ORA-19202: Error occurred in XML processing

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000031749
Applies ToRSA Product Set: Identity Management and Governance
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 6.9.1
Platform: JBoss
Platform (Other): null
O/S Version: N/A
Product Name: RSA-0018000
Product Description: Access Certification Manager
IssueThe collector fails with the following error: ORA-31011: XML parsing failed.  The Oracle alert_AVDB.log, located in /u01/app/oracle/diag/rdbms/avdb/AVDB/trace/alert_AVDB.log on hardware appliances, may also show errors that are similar to the following:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00210: expected '<' instead of 'M'
Error at line 1
ORA-06512: at "SYS.XMLTYPE", line 0
ORA-06512: at line 1 Caused By Stack com.aveksa.sdk.collector.CollectionException
CauseHTML or XML text is being deleted, truncated, or otherwise changed from a query, such as the Application Roles Query and App Roles for Accounts Query.
A query from a version before 6.9 contains markup or scripting language. When the query is migrated into version 6.9 or higher, the scripting is being removed. It may not be removed immediately, but may be re-evaluated when the collector is changed (the change does not need to be in the query).
This is caused by a new security feature in 6.9+  that can remove scripting in some situations.   Limited  configuration of this functionality is available for certain areas of the product (not collectors), by going to Admin  >  System  >  Security  then clicking Edit and going to XSS/Scripting Security.  Options are:
  • No markup input is allowed in any text field in the user interface.   Data in this state passes though a sanitizer that removes any HTML markup and scripting. (The markup is filtered out, not encoded.) This is the system’s default configuration.
  • Sanitized HTML input is allowed in text fields.  Data in this state passes through a sanitizer that removes any HTML markup not on a specific whitelist (see "Allowed Markup Input Whitelist” in the RSA IMG 6.9 Administrators Guide.  The whitelist includes nothing that allows scripting.
  • Allow any markup in particular text fields.  Data is not filtered or encoded. Any HTML markup or scripting can be entered in text fields
ResolutionThe query should be modified to not include any markup or scripting language. If this is not possible, any scripting commands need to comply with the whitelist guidelines in the RSA IMG 6.9 Administrator's Guide.