000035077 - RSA Archer GRC SaaS Account Collector connection failed in RSA Identity Governance and Lifecycle

Document created by RSA Customer Support Employee on May 24, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035077
Applies ToRSA Product Set: Identity Governance and Lifecycle
RSA Version/Condition: 7.0.1
IssueAn RSA Archer GRC account collector is connecting to a hosted Archer installation and failing with the following error in the collection run:
EC[31002] Context[Collector Name=Archer_ADC, Agent Name=AveksaAgent, Data Run ID=15971
Reason=com.aveksa.common.ConnectException: Connection Failed] Message[Data collection failed on the agent].

In the aveksaServer.log, the following error is shown:
04/20/2017 07:10:02.783 ERROR (ApplyChangesRegularThread-5882) [com.aveksa.collector.archer.ArcherConnObj] Exception occurred in login:Invalid Operation
04/20/2017 07:10:02.784 ERROR (ApplyChangesRegularThread-5882) [com.aveksa.client.datacollector.framework.DataCollectorManager] DCM281: Collection Failed:
CollectionFailedEvent[cmi = CollectionMetaInfo[{ID=280, run_id=16770, collector_id=6, test-run=false, collector_name=Aveksa_ADC, data_size=0,
message = null cause = com.aveksa.common.ConnectException: Connection Failed]
com.aveksa.common.ConnectException: Connection Failed
at com.aveksa.collector.archer.ArcherConnObj.login(ArcherConnObj.java:145)
at com.aveksa.collector.archer.adc.ArcherAccountDataReader.testConnection(ArcherAccountDataReader.java:135)
at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collectData(AccountDataCollector.java:351)
at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collect(AccountDataCollector.java:302)
at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collect(AccountDataCollector.java:269)
at com.aveksa.client.datacollector.framework.DataCollectorManager.collect(DataCollectorManager.java:535)
at com.aveksa.client.component.collector.DefaultCollectorManager.actUpon(DefaultCollectorManager.java:203)
at com.aveksa.client.component.collector.DefaultCollectorManager.handle(DefaultCollectorManager.java:102)
at com.aveksa.client.component.event.DefaultEventManager.handle(DefaultEventManager.java:60)
at com.aveksa.client.datacollector.framework.SimpleEventSource.notifyListeners(SimpleEventSource.java:67)
at com.aveksa.client.component.communication.DefaultCommunicationManager.notifyEvent(DefaultCommunicationManager.java:377)
at com.aveksa.client.component.communication.ChangeListHandler.applyChanges(ChangeListHandler.java:364)
at com.aveksa.client.component.communication.ChangeListHandler.access$300(ChangeListHandler.java:58)
at com.aveksa.client.component.communication.ChangeListHandler$ChangeApplyingRunnable.run(ChangeListHandler.java:275)
at java.lang.Thread.run(Thread.java:745)

The Archer Access Fulfillment Express (AFX) connector login connection works fine with the same credentials.
CauseThe XML may not be getting formatted correctly from the Aveksa Data Collector (ADC) configuration that gets put in the request to RSA Archer GRC. The Application Name is showing as mandatory and in some cases it should not be entered. The password may also be getting truncated. 
When configuring the Archer collector within RSA Identity Governance and Lifecycle, you will be presented with the following screen. Specifically notice the Admin Password and Application Name fields.  When configuring a connection to a SaaS/hosted deployment of Archer, there may only be the default app instance located within the root of the application container and so there will be no Application Name to enter into the required field.  In this case, you simply enter in the base of the URL for the Archer application in the Host field.  However, the Application Name field is mandatory, and this is an issue within the default view. Notice the radio buttons at the top of the UI for Default and XML, this allows for a workaround as described below.

Archer ADC default configuration

In order to proceed with configuration, you will need to switch the view from Default to XML as shown below:
Archer ADC XML configuration

In this view you will have access to the raw XML and can edit the values directly.  In this example, you can clear out the value for Application, leaving it blank.  

Also of note is that, as of the writing of this article, any value populated in the Password field in the default view will not carry over to the XML view.  As you can see above, the password is ****, and this will always be the case when switching views.  In order to successfully complete the configuration of the Archer Collector within RSA Identity Governance and Lifecycle, you will need to replace the string of asterisks with the plain text password and finish the collector configuration.  Once completed, the password will be stored securely; however, any future modifications will require the password to be entered again.