
CyberArk Integration using REST connector - Session Token error(PASWS006E) and Null Object Error

vmudagal1
Regular Contributor

Hi All, 

We are trying to import the CyberArk application data (Users, Groups, Safes and Privileged Accounts) using the REST connector. Below are the ConnectionJSON and ImportAccountEntJSON.

ConnectionJSON : This is successful when Save & Test Connection

{
"authentications": {
"acctAuth": {
"authType": "basic",
"httpHeaders": {
"Accept": "application/xml",
"contentType": "application/json"
},
"authError": [
"ITATS366E",
"PASWS006E"
],
"url": "BaseURL/PasswordVault/API/Auth/CyberArk/Logon",
"httpMethod": "POST",
"httpContentType": "application/json",
"errorPath": "ErrorCode",
"maxRefreshTryCount": 5,
"tokenResponsePath": "string.content",
"authHeaderName": "Authorization",
"accessToken": "Basic suyssbddf",
"httpParams":{}
}
}
},
{
"username": "username_cd",
"password": "cdes_shfhb_"
}

ImportAccountEntJSON: After adding this JSON and running the Application Import Job, see the error as follows

{
"accountParams": {
"connection": "acctAuth",
"processingType": "SequentialAndIterative",
"statusAndThresholdConfig": {
"statusColumn": "customproperty7",
"activeStatus": [
"true"
],
"deleteLinks": true,
"accountThresholdValue": 20,
"correlateInactiveAccounts": false,
"inactivateAccountsNotInFile": true,
"deleteAccEntForActiveAccounts": true
},
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"http": {
"url": "BaseURL/PasswordVault/API/Users",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpMethod": "GET",
"httpContentType": "application/json"
},
"listField": "Users",
"keyField": "accountID",
"colsToPropsMap": {
"accountID": "id~#~char",
"name": "username~#~char"
},
"makeProcessingStatus": true
},
"call2": {
"callOrder": 1,
"stageNumber": 3,
"http": {
"url": "BaseURL/PasswordVault/API/Users/${accountName}",
"httpHeaders": {
"Authorization": "${access_token}"
},
"httpMethod": "GET",
"httpContentType": "application/json"
},
"inputParams": {
"dependentCall": true
},
"listField": "",
"keyField": "accountID",
"nextApiKeyField": "accountID",
"colsToPropsMap": {
"name": "username~#~char",
"status": "enableUser~#~char",
"displayName": "username~#~char",
"accounttype": "userType~#~char",
"customproperty1": "source~#~char",
"customproperty2": "componentUser~#~char",
"customproperty3": "vaultAuthorization~#~char",
"customproperty5": "location~#~char",
"customproperty6": "suspended~#~char",
"customproperty7": "enableUser~#~char",
"customproperty8": "lastSuccessfulLoginDate~#~char",
"customproperty9": "unAuthorizedInterfaces~#~char",
"customproperty10": "authenticationMethod~#~char",
"customproperty11": "passwordNeverExpires~#~char",
"customproperty12": "distinguishedName~#~char",
"customproperty13": "description~#~char",
"customproperty14": "businessAddress~#~char",
"customproperty15": "internet~#~char",
"customproperty16": "phones~#~char",
"customproperty17": "personalDetails~#~char",
"accountID": "id~#~char"
}
}
}
},
"entitlementParams": {
"processingType": "SequentialAndIterative",
"entTypes": {
"Groups": {
"entTypeOrder": 0,
"entTypeLabels": {
"customproperty1": "Group Type",
"customproperty2": "Location"
},
"call": {
"call1": {
"connection": "acctAuth",
"callOrder": 0,
"stageNumber": 0,
"http": {
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"url": "BaseURL/PasswordVault/API/UserGroups",
"httpContentType": "application/json",
"httpMethod": "GET"
},
"listField": "value",
"keyField": "entitlementID",
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "groupName~#~char",
"displayname": "groupName~#~char",
"description": "description~#~char",
"entitlement_glossary": "description~#~char",
"customproperty1": "groupType~#~char",
"customproperty2": "location~#~char"
},
"disableDeletedEntitlements": true
}
}
},
"Safes": {
"entTypeOrder": 1,
"entTypeLabels": {
"customproperty1": "Safe URL ID",
"customproperty2": "Location"
},
"call": {
"call1": {
"connection": "acctAuth",
"callOrder": 0,
"stageNumber": 0,
"http": {
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"url": "BaseURL/PasswordVault/API/Safes",
"httpContentType": "application/json",
"httpMethod": "GET"
},
"listField": "Safes",
"keyField": "entitlementID",
"colsToPropsMap": {
"entitlementID": "SafeUrlId~#~char",
"entitlement_value": "SafeName~#~char",
"displayname": "SafeName~#~char",
"description": "Description~#~char",
"entitlement_glossary": "SafeName~#~char",
"customproperty1": "SafeUrlId~#~char",
"customproperty2": "Location~#~char"
},
"disableDeletedEntitlements": true
}
}
},
"PrivilegedAccounts": {
"entTypeOrder": 2,
"entTypeLabels": {
"customproperty1": "userName",
"customproperty2": "Platform ID",
"customproperty3": "Safe Name",
"customproperty4": "Secret Type",
"customproperty5": "Application ID",
"customproperty6": "Active Directory ID",
"customproperty7": "automaticManagementEnabled",
"customproperty8": "Status",
"customproperty9": "lastModifiedTime",
"customproperty10": "createdTime"
},
"call": {
"call1": {
"connection": "acctAuth",
"callOrder": 0,
"stageNumber": 0,
"http": {
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"url": "BaseURL/PasswordVault/API/Accounts",
"httpContentType": "application/json",
"httpMethod": "GET"
},
"listField": "value",
"keyField": "entitlementID",
"colsToPropsMap": {
"entitlementID": "id~#~char",
"entitlement_value": "name~#~char",
"displayname": "name~#~char",
"description": "name~#~char",
"entitlement_glossary": "name~#~char",
"customproperty1": "userName~#~char",
"customproperty2": "platformId~#~char",
"customproperty3": "safeName~#~char",
"customproperty4": "secretType~#~char",
"customproperty5": "platformAccountProperties.ApplicationID~#~char",
"customproperty6": "platformAccountProperties.ActiveDirectoryID~#~char",
"customproperty7": "secretManagement.automaticManagementEnabled~#~char",
"customproperty8": "secretManagement.status~#~char",
"customproperty9": "secretManagement.lastModifiedTime~#~char",
"customproperty10": "createdTime~#~char"
},
"disableDeletedEntitlements": true
}
}
}
}
},
"acctEntParams": {
"connection": "acctAuth",
"entTypes": {
"Safes": {
"call": {
"call1": {
"callOrder": 0,
"stageNumber": 0,
"showJobHistory": true,
"processingType": "httpEntToAcct",
"http": {
"httpHeaders": {
"Authorization": "${access_token}"
},
"url": "BaseURL/PasswordVault/API/Safes/${id}/Members",
"httpContentType": "application/x-www-form-urlencoded",
"httpMethod": "GET"
},
"listField": "SafeMembers",
"entKeyField": "entitlementID",
"acctIdPath": "MemberName",
"acctKeyField": "name"
}
}
}
}
},
"entMappingParams": {
"processingType": "SequentialAndIterative",
"entTypes": {
"Safes": {
"ent1KeyField": "entitlement_value",
"call": {
"call1": {
"connection": "acctAuth",
"callOrder": 0,
"stageNumber": 0,
"http": {
"httpHeaders": {
"Authorization": "${access_token}"
},
"url": "BaseURL/PasswordVault/API/Accounts",
"httpContentType": "application/json",
"httpMethod": "GET"
},
"listField": "value",
"ent1IdPath": "safeName",
"ent2IdPath": "id",
"ent2KeyField": "entitlementID",
"targetEntType": "PrivilegedAccounts",
"mappingTypes": [
"ENT2"
]
}
}
}
}
}
}

Error Message in the job details:

vmudagal1_0-1692705402545.png

Logs :

2023-08-22T14:02:41+05:30-ecm-worker-{"log":"2023-08-22 08:32:40,778 [quartzScheduler_Worker-6] DEBUG rest.RestProvisioningService - responseError : PASWS006E\n","stream":"stdout","time":"2023-08-22T08:32:40.778502228Z"}
 
2023-08-22T14:02:41+05:30-ecm-worker-{"log":"2023-08-22 08:32:40,778 [quartzScheduler_Worker-6] DEBUG rest.RestProvisioningService - isAuthError: true\n","stream":"stdout","time":"2023-08-22T08:32:40.778610632Z"}
 
2023-08-22T14:02:41+05:30-ecm-worker-{"log":"2023-08-22 08:32:40,778 [quartzScheduler_Worker-6] DEBUG rest.RestProvisioningService - Access token expired. throwing PASWS006E / [ITATS366E, PASWS006E] exception for retry\n","stream":"stdout","time":"2023-08-22T08:32:40.778616921Z"}
 
2023-08-22T14:02:41+05:30-ecm-worker-{"log":"2023-08-22 08:32:40,778 [quartzScheduler_Worker-6] ERROR rest.RestProvisioningService - Exception in pullObjectsByRest :PASWS006E\n","stream":"stdout","time":"2023-08-22T08:32:40.778674485Z"}
 
2023-08-22T14:02:41+05:30-ecm-worker-{"log":"2023-08-22 08:32:40,778 [quartzScheduler_Worker-6] ERROR rest.RestProvisioningService - Inside token Expiry Exception block. connectionParamMap.refreshTryCount : 0\n","stream":"stdout","time":"2023-08-22T08:32:40.779024359Z"}
 
2023-08-22T14:02:41+05:30-ecm-worker-{"log":"2023-08-22 08:32:40,778 [quartzScheduler_Worker-6] DEBUG rest.RestProvisioningService - Incrementing connectionParamMap.refreshTryCount : 1\n","stream":"stdout","time":"2023-08-22T08:32:40.779036346Z"}
 
2023-08-22T14:02:41+05:30-ecm-worker-{"log":"2023-08-22 08:32:40,779 [quartzScheduler_Worker-6] DEBUG rest.RestProvisioningService - maxRefreshTryCount : 5\n","stream":"stdout","time":"2023-08-22T08:32:40.779046465Z"}
 
2023-08-22T14:02:41+05:30-ecm-worker-{"log":"2023-08-22 08:32:40,779 [quartzScheduler_Worker-6] ERROR rest.RestProvisioningService - Exception in populateHttpParamsForBasic :\n","stream":"stdout","time":"2023-08-22T08:32:40.77957681Z"}
 
2023-08-22T14:02:41+05:30-ecm-worker-{"log":"java.lang.NullPointerException: Cannot get property 'userName' on null object\n","stream":"stdout","time":"2023-08-22T08:32:40.779584313Z"}

 

Could anyone please let me know what I am missing or where I am going wrong in the JSONs? Any help would be good.

 

Thank you, 

Vidya D Mudagal
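The log excerpt in the post above can be reduced to the sequence that matters for triage. This is an added example, not part of the original post and not Saviynt code; the sample lines are a subset copied from the post, and the function names are hypothetical.

```python
import json
import re

# Subset of the log lines from the post; each is "<timestamp>-ecm-worker-<JSON record>".
SAMPLE = r"""
2023-08-22T14:02:41+05:30-ecm-worker-{"log":"2023-08-22 08:32:40,778 [quartzScheduler_Worker-6] DEBUG rest.RestProvisioningService - responseError : PASWS006E\n","stream":"stdout","time":"2023-08-22T08:32:40.778502228Z"}
2023-08-22T14:02:41+05:30-ecm-worker-{"log":"2023-08-22 08:32:40,778 [quartzScheduler_Worker-6] DEBUG rest.RestProvisioningService - Incrementing connectionParamMap.refreshTryCount : 1\n","stream":"stdout","time":"2023-08-22T08:32:40.779036346Z"}
2023-08-22T14:02:41+05:30-ecm-worker-{"log":"2023-08-22 08:32:40,779 [quartzScheduler_Worker-6] DEBUG rest.RestProvisioningService - maxRefreshTryCount : 5\n","stream":"stdout","time":"2023-08-22T08:32:40.779046465Z"}
2023-08-22T14:02:41+05:30-ecm-worker-{"log":"2023-08-22 08:32:40,779 [quartzScheduler_Worker-6] ERROR rest.RestProvisioningService - Exception in populateHttpParamsForBasic :\n","stream":"stdout","time":"2023-08-22T08:32:40.77957681Z"}
2023-08-22T14:02:41+05:30-ecm-worker-{"log":"java.lang.NullPointerException: Cannot get property 'userName' on null object\n","stream":"stdout","time":"2023-08-22T08:32:40.779584313Z"}
"""

WRAPPER = re.compile(r"^.+?-ecm-worker-(\{.*\})\s*$")
ENTRY = re.compile(r"^[\d-]+ [\d:,]+ \[[^\]]+\] [A-Z]+\s+\S+ - (?P<msg>.*)$")
MISSING_PROP = re.compile(r"NullPointerException: Cannot get property '(\w+)' on null object")


def unwrap(lines):
    """Yield the inner log text of each wrapped line, skipping malformed ones."""
    for line in lines:
        m = WRAPPER.match(line.strip())
        if not m:
            continue
        try:
            yield json.loads(m.group(1))["log"].rstrip("\n")
        except (json.JSONDecodeError, KeyError):
            continue


def triage(lines):
    """Summarise the auth-retry sequence: error code, retry counters, failing step."""
    out = {"auth_error": None, "retries": None, "max_retries": None,
           "failed_in": None, "missing_property": None}
    for text in unwrap(lines):
        entry = ENTRY.match(text)
        # Lines without the timestamp/level header are continuations (exception text).
        msg = entry.group("msg") if entry else text
        if m := re.search(r"responseError : (\S+)", msg):
            out["auth_error"] = m.group(1)
        elif m := re.search(r"Incrementing connectionParamMap\.refreshTryCount : (\d+)", msg):
            out["retries"] = int(m.group(1))
        elif m := re.search(r"maxRefreshTryCount : (\d+)", msg):
            out["max_retries"] = int(m.group(1))
        elif m := re.search(r"Exception in (\w+) :\s*$", msg):
            out["failed_in"] = m.group(1)
        elif m := MISSING_PROP.search(msg):
            out["missing_property"] = m.group(1)
    return out


if __name__ == "__main__":
    print(triage(SAMPLE.splitlines()))
```

The summary separates the two failures in the excerpt: the target rejected the call with `PASWS006E`, and the first token refresh attempt then failed inside `populateHttpParamsForBasic` because no `userName` property was available.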


sudeshjaiswal
Saviynt Employee

Hello @vmudagal1,

Can you please try passing the username/password as mentioned in the developer handbooks?
Sample:

{
  "authentications": {
    "acctAuth": {
      "authType": "Basic",
      "url": "https://<domain name>",
      "httpMethod": "POST",
      "httpParams": {},
      "httpHeaders": {},
      "httpContentType": "text/html",
      "properties": {
        "userName": "username",
        "password": "password"
      },
      "expiryError": "Couldn't authenticate you",
      "authError": [
        "Couldn't authenticate you"
      ],
      "timeOutError": "Read timed out",
      "errorPath": "error",
      "maxRefreshTryCount": 5,
      "tokenResponsePath": "access_token",
      "tokenType": "Basic",
      "accessToken": "Basic asdfghjkl",
      "testConnectionParams": {
        "http": {
          "url": "https://<domain name>/api/v2/users.json",
          "httpHeaders": {
            "Authorization": "${access_token}"
          },
          "httpContentType": "application/json",
          "httpMethod": "GET"
        },
        "successResponse": [],
        "successResponsePath": "",
        "errors": [
          "Couldn't authenticate you"
        ],
        "errorPath": "error"
      }
    }
  }
}

 For Ref:- 
https://docs.saviyntcloud.com/bundle/REST-v23x/page/Content/Developers-Handbook.htm 
https://docs.saviyntcloud.com/bundle/CyberArk-REST-v2022x/page/Content/Understanding-the-Integration... 

If you find the above response useful, Kindly Mark it as "Accept As Solution".

vmudagal1
Regular Contributor

Hi @sudeshjaiswal 

Thank you for your response. The below JSON worked to pull a few of the data like Account, Groups and Privileged Accounts.

Connection JSON

{
"authentications": {
"acctAuth": {
"authType": "oauth2",
"httpHeaders": {
"Accept": "application/xml",
"contentType": "application/json"
},
"authError": ["ITATS366E","PASWS006E"],
"url": "https://HOSTNAME/PasswordVault/API/Auth/CyberArk/Logon",
"httpMethod": "POST",
"httpContentType": "application/json",
"errorPath": "ErrorCode",
"maxRefreshTryCount": 5,
"tokenResponsePath": "string.content",
"authHeaderName": "Authorization",
"accessToken": "Basic dgddyfSJASG",
"httpParams": "{\"username\":\"@username\",\"password\":\"@password\"}",
"retryFailureStatusCode": [
401,
403
]
}
}
}

Thanks, 

Vidya D Mudagal

Bharadwaj
Regular Contributor

Hi Vidya,

Thanks for the information. We also have a similar implementation where we are integrating CyberArk using a REST connector. However, we are seeing the below error while creating the account (attached below).

Note: Tasks are getting completed in Saviynt but the provisioning is not working in reality.

Did you come across this error before or could you please let me know if you see any error?

Error:

Bharadwaj_0-1693481339120.png

 

Connection Json:

{
"authentications": {
"acctAuth": {
"authType": "oauth2",
"httpHeaders": {
"Accept": "application/xml",
"contentType": "application/json"
},
"authError": ["ITATS366E","PASWS006E"],
"url": "https://XXXX/passwordvault/api/Auth/cyberark/logon",
"httpMethod": "POST",
"httpContentType": "application/json",
"errorPath": "ErrorCode",
"maxRefreshTryCount": 5,
"tokenResponsePath": "string.content",
"authHeaderName": "Authorization",
"accessToken": "Basic dgddyfSJASG",
"httpParams": "{\"username\":\"@username\",\"password\":\"@password\"}",
"retryFailureStatusCode": [
401,
403
]
}
}
}

CreateAccountJson for reference:

{
"accountIdPath": "accountName",
"dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
"call": [
{
"name": "call1",
"connection": "acctAuth",
"url": "https://XXXXX/passwordvault/api/accounts",
"httpMethod": "POST",
"httpParams": "{\"name\": \"${task.accountName}\", \"address\": \"myXXX.com\", \"userName\":\"${task.accountName}\", \"platformId\": \"WinServerLocal\", \"safeName\": \"Icc_Safe_Test\", \"secretType\": \"password\"}",
"httpHeaders": {
"Authorization": "${access_token}",
"Accept": "application/json"
},
"httpContentType": "application/json",
"successResponses": {
"statusCode": [
200,
201
]
}
}
]
}

Thanks!

 

 

vmudagal1
Regular Contributor

Hi @Bharadwaj

I am still trying to get the data import to Saviynt for the membership of entitlement and account.

As for the "Access Token is null" I haven't come across this error until now. 

Thank you, 

Vidya D Mudagal

 

Bharadwaj
Regular Contributor

Hi @Vedanth_BK , @nimitdave 

Could you please let us know what could be the issue here?

Providing you the screenshots of the logon URL response and the respective body for creating account that worked in Postman.

Logon response from Postman:

Bharadwaj_0-1693533504065.png

Create account body(working) from Postman:

Bharadwaj_5-1693534206486.png

Response:

Bharadwaj_4-1693534173617.png

Appreciate your help!

Thanks!

Hi @Bharadwaj 

Can you please keep the below param blank, as the token is null, and try it?

"tokenResponsePath": "",

 

Thanks

Darshan

Hi Darshan,

This is also not working ("tokenResponsePath": "").

The connection JSON cannot capture the session token from the response.

Is there any other way to capture the token when it comes without a jsonPath in the response?

 

regards,

partha

Hi Darshan,

We tried the connection JSON with "authType": "BasicWithAccessToken"

{
  "authentications": {
    "acctAuth": {
      "authType": "BasicWithAccessToken",
      "httpHeaders": {
        "contentType": "application/x-www-form-urlencoded"
      },
      "authError": [
        "ITATS366E",
        "PASWS006E"
      ],
      "url": "https://*********/passwordvault/api/Auth/cyberark/logon",
      "httpMethod": "POST",
      "httpContentType": "application/x-www-form-urlencoded",
      "errorPath": "ErrorCode",
      "maxRefreshTryCount": 5,
      "tokenResponsePath": "string.content",
      "authHeaderName": "Authorization",
      "accessToken": "",
      "tokenType": "Basic",
      "httpParams": {
        "username": "***********",
        "password": "*************",
        "concurrentSession": "true"
      },
      "retryFailureStatusCode": [
        401,
        403
      ],
      "testConnectionParams": {
        "http": {
          "url": "https://*********/passwordvault/API/Accounts?limit=25",
          "httpHeaders": {
            "Authorization": "${access_token}",
            "Accept": "application/json"
          },
          "httpContentType": "application/json",
          "httpMethod": "GET"
        },
        "successResponses": {
          "statusCode": [
            200,
            201
          ]
        },
        "successResponsePath": "",
        "errors": [
          "Couldn't authenticate you"
        ],
        "errorPath": "error"
      }
    }
  }
}

But that did not work either.

It's throwing the below error

parthaghosh_0-1694774946604.png

 

Hi @parthaghosh 

On the Postman response, if you click on raw, how does it look? The main issue is that the response is not in JSON format and it's not picking it up.

 

Thanks

Darshan

Hi @Darshanjain ,

The RAW view is also simple text: "<TOKEN>"

This response is a simple string, not in JSON format.

I was just curious: if the connector has a limitation that it cannot capture the token from the response string, is it resolved in the higher version?
If so, can it be backported to our version (5.5 sp3.12) using a patch, as a temporary solution?
Then we can approach the support.

Please advise.

 

regards,

Partha

Hi @Darshanjain ,

The CyberArk Gen-1 auth call is working fine. We are getting a JSON response and the token is captured with "tokenResponsePath": "CyberArkLogonResult".

parthaghosh_0-1695204406072.png
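The two logon response shapes described in this thread behave differently under path-based token extraction. This is an added example, not part of the original posts and not Saviynt or CyberArk code: `path_only_token` is a simplified, hypothetical model of an extractor driven by a key path, and the sample bodies and token value are constructed.

```python
import hashlib
import json
from typing import Any, Optional

AUTH_ERRORS = {"ITATS366E", "PASWS006E"}  # authError codes from the thread's connection JSON

# Constructed sample bodies; the token value is made up.
SAMPLE_TOKEN = "ZXhhbXBsZS1zZXNzaW9uLXRva2Vu"
BARE_STRING_BODY = json.dumps(SAMPLE_TOKEN)                      # raw view: "<TOKEN>"
OBJECT_BODY = json.dumps({"CyberArkLogonResult": SAMPLE_TOKEN})  # object with a token key
ERROR_BODY = json.dumps({"ErrorCode": "PASWS006E", "ErrorMessage": "constructed message"})


def walk_path(doc: Any, dotted_path: str) -> Optional[Any]:
    """Resolve a dotted key path against parsed JSON; None if any step is missing."""
    node = doc
    for key in filter(None, dotted_path.split(".")):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def path_only_token(body: str, token_path: str) -> Optional[str]:
    """Model of a path-driven extractor: it needs a JSON object and a key to look up."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict) or not token_path:
        return None
    value = walk_path(doc, token_path)
    return value if isinstance(value, str) and value else None


def fingerprint(token: str) -> str:
    """Short SHA-256 prefix so logs can correlate sessions without storing the token."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def parse_logon_response(body: str, token_path: str = "",
                         error_path: str = "ErrorCode") -> dict:
    """Classify a logon response, accepting both a bare JSON string and an object."""
    try:
        doc = json.loads(body.strip())
    except json.JSONDecodeError:
        return {"kind": "unparsed"}
    if isinstance(doc, dict):
        code = walk_path(doc, error_path)
        if code is not None:
            return {"kind": "auth_error" if code in AUTH_ERRORS else "error", "code": code}
        token = walk_path(doc, token_path) if token_path else None
    else:
        token = doc  # bare JSON string: the whole body is the token
    if isinstance(token, str) and token:
        return {"kind": "token", "token": token, "fingerprint": fingerprint(token)}
    return {"kind": "unparsed"}


if __name__ == "__main__":
    print(path_only_token(BARE_STRING_BODY, "string.content"))       # no key to resolve
    print(parse_logon_response(BARE_STRING_BODY)["fingerprint"])
    print(parse_logon_response(OBJECT_BODY, "CyberArkLogonResult")["fingerprint"])
```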

 

Okay, thanks for the update, and I hope all the calls are working now.

 

Thanks

Darshan

yes

Hi @parthaghosh

When running the Access Import Job, I see the below error code in the Saviynt logs and don't see a job end date/time being logged on the job details page.

I don't see a complete import of data; the job is not reaching the "acctEntParams" section as it's getting terminated without any job details being logged.

Errorcode:CAWS00001E 

I am using Gen 2 API calls of CyberArk as given in the Documentation. Did using Gen 1 API call import all the records of data into Saviynt and any issues of jobs getting terminated after long runs? 

Request to provide your input.

Thank you, 

Vidya D Mudagal