
REST Connector - Unable to Use Connection Binding Object in Import JSON

naveenss

Hi,

We have an application onboarded to Saviynt using the REST connector, and we use certificate-based authentication for the API calls. As part of this, I'm passing the keyFile in the ImportAccountEntJSON as shown below, following the REST developer guide.

 

{
    "accountParams": {
        "connection": "acctAuth",
        "processingType": "SequentialAndIterative",
        "statusAndThresholdConfig": {
            "statusColumn": "customproperty10",
            "activeStatus": ["true"],
            "accountThresholdValue": 1000
        },
        "call": {
            "call1": {
                "callOrder": 0,
                "listField": "Resources",
                "keyField": "accountID",
                "http": {
                    "url": "host/service/scim/Users",
                    "httpMethod": "GET",
                    "httpContentType": "application/json",
                    "ssl": {
                        "keyFile": "/saviynt_shared/saviynt/ConnectorFiles/3DEVCert.p12",
                        "keyFilePassword": "${connection.filePass}",
                        "keyManagerAlgorithm": "SunX509",
                        "keyStoreType": "JKS",
                        "sslAlgorithmName": "TLSv1.2"
                    },
                    "httpHeaders": {}
                },
                "colsToPropsMap": {
                    "accountID": "userUuid~#~char",
                    "name": "id~#~char",
                    "customproperty1": "userType~#~char",
					"customproperty2":"userName~#~char",
					"customproperty3":"locale~#~char",
					"customproperty4":"displayName~#~char",
					"customproperty5":"department~#~char",
                    "customproperty10": "active~#~bool"
                }
            }
        }
    }
}

 

 

The challenge with this approach is that the keyFile password, which is sensitive information, must be passed in the import JSON. Hence, I am trying to store the keyFile password in the ConnectionJSON and refer to it from the import JSON with a binding variable, ${connection.filePass}. Below is the error seen in the logs.

java.io.IOException: keystore password was incorrect at java.security.KeyStore.load(KeyStore.java:1445) at com.saviynt.ecm.services.HttpClientUtilityService.getSSLContext(HttpClientUtilityService.groovy:1328) at com.saviynt.ecm.services.HttpClientUtilityService.getHttpClient(HttpClientUtilityService.groovy:126) at com.saviynt.ecm.services.HttpClientUtilityService.executeGetRequestWithHeaders(HttpClientUtilityService.groovy:811) at com.saviynt.ecm.services.HttpClientUtilityService.executeRequestWithHeaders(HttpClientUtilityService.groovy:661) at com.saviynt.ecm.services.HttpClientUtilityService.executeRequestWithTimeoutConfig(HttpClientUtilityService.groovy:613) at com.saviynt.provisoning.rest.RestProvisioningService.pullObjectsByRest(RestProvisioningService.groovy:4521) at com.saviynt.provisoning.rest.RestProvisioningService.isErrorRetry(RestProvisioningService.gro


Note: If I hardcode the password in the import JSON, the import works. The ConnectionJSON below also works when I pass the testConnectionParams. Below is the ConnectionJSON:

 

{
    "authentications": {
        "acctAuth": {
            "authType": "oauth2",
            "url": "XXXXXXXXXXXX",
            "httpMethod": "POST",
            "httpParams": {
                "grant_type": "client_cert"
            },
            "httpContentType": "application/x-www-form-urlencoded",
            "ssl": {
                "keyFile": "/saviynt_shared/saviynt/ConnectorFiles/3DEVCert.p12",
                "keyFilePassword": "xxxxxxxxxxxxxxxxxxx",
                "keyManagerAlgorithm": "SunX509",
                "keyStoreType": "JKS",
                "sslAlgorithmName": "TLSv1.2"
            },
			"filePass":"xxxxxxxxxxxxxxxxxxx",
            "httpHeaders": {
                "Content-Type": "application/x-www-form-urlencoded"
            },
            "retryFailureStatusCode": [
                401,
                403
            ],
            "expiryError": "ExpiredAuthenticationToken",
            "authError": [
                "SESSION_NOT_VALID",
                "AuthenticationFailed",
                "ExpiredJwtException",
                "401 Unauthorized"
            ],
            "timeOutError": "Read timed out",
            "errorPath": "code",
            "maxRefreshTryCount": 6,
            "tokenResponsePath": "access_token",
            "tokenType": "Bearer",
            "accessToken": "xxxxxxxxxxxxxxxxxxx",
            "testConnectionParams": {
                "http": {
                    "url": "host/service/scim/Users",
                    "httpHeaders": {},
                    "httpContentType": "application/json",
                    "httpMethod": "GET",
                    "ssl": {
                        "keyFile": "/saviynt_shared/saviynt/ConnectorFiles/3DEVCert.p12",
                        "keyFilePassword": "xxxxxxxxxxxxxxxxxxx",
                        "keyManagerAlgorithm": "SunX509",
                        "keyStoreType": "JKS",
                        "sslAlgorithmName": "TLSv1.2"
                    }
                },
                "successResponse": [],
                "successResponsePath": "",
                "errors": [
                    "Couldn't authenticate you"
                ],
                "errorPath": "error"
            }
        }
    }
}

 

I've referred to the forum articles below:

https://forums.saviynt.com/t5/saviynt-knowledge-base/how-to-mask-password-in-rest-connector-json-by-...

https://forums.saviynt.com/t5/saviynt-knowledge-base/how-to-leverage-custom-attribute-in-rest-connec...

We are currently on v24.3. Am I missing something here?

Regards,
Naveen Sakleshpur

rushikeshvartak

Can you try a different variable name, such as filepass1?


Regards,
Rushikesh Vartak

@rushikeshvartak No, this didn't work.

Regards,
Naveen Sakleshpur

naveenss

I am not sure whether the binding variables are exposed inside the ssl parameter, as in the block below:

"ssl": {
"keyFile": "/saviynt_shared/saviynt/ConnectorFiles/3DEVCert.p12",
"keyFilePassword": "${connection.filePass}",
"keyManagerAlgorithm": "SunX509",
"keyStoreType": "JKS",
"sslAlgorithmName": "TLSv1.2"
},

Regards,
Naveen Sakleshpur

naveenss

Solved it by defining two connections in the connection JSON, one for the account calls and one for the access calls (acctAuth and entAuth), and referring to each connection's URL as ${connection.url} in the ImportAcctEntJSON. The import JSON no longer contains the ssl parameter, so the keyFile password appears only in the connection JSON. This is working as expected. Sharing the working JSONs below.

Connection JSON

{
    "authentications": {
        "acctAuth": {
            "authType": "oauth2",
            "url": "host/service/scim/Users",
            "httpMethod": "POST",
            "httpParams": {},
            "httpContentType": "application/x-www-form-urlencoded",
            "ssl": {
                "keyFile": "/saviynt_shared/saviynt/ConnectorFiles/3DEVCert.p12",
                "keyFilePassword": "xxxxxxxxxxxxx",
                "keyManagerAlgorithm": "SunX509",
                "keyStoreType": "JKS",
                "sslAlgorithmName": "TLSv1.2"
            },
			"file_Pass":"xxxxxxxxx",
            "httpHeaders": {
                "Content-Type": "application/x-www-form-urlencoded"
            },
            "retryFailureStatusCode": [
                401,
                403
            ],
            "expiryError": "ExpiredAuthenticationToken",
            "authError": [
                "SESSION_NOT_VALID",
                "AuthenticationFailed",
                "ExpiredJwtException",
                "401 Unauthorized"
            ],
            "timeOutError": "Read timed out",
            "errorPath": "code",
            "maxRefreshTryCount": 6,
            "tokenResponsePath": "access_token",
            "tokenType": "Bearer",
            "accessToken": "xxxxxxxxx",
            "testConnectionParams": {
                "http": {
                    "url": "host/service/scim/Users",
                    "httpHeaders": {},
                    "httpContentType": "application/json",
                    "httpMethod": "GET",
                    "ssl": {
                        "keyFile": "/saviynt_shared/saviynt/ConnectorFiles/3DEVCert.p12",
                        "keyFilePassword": "xxxxxxxxxxxxx",
                        "keyManagerAlgorithm": "SunX509",
                        "keyStoreType": "JKS",
                        "sslAlgorithmName": "TLSv1.2"
                    }
                },
                "successResponse": [],
                "successResponsePath": "",
                "errors": [
                    "Couldn't authenticate you"
                ],
                "errorPath": "error"
            }
        },
		"entAuth": {
            "authType": "oauth2",
            "url": "host/service/scim/Groups",
            "httpMethod": "POST",
            "httpParams": {},
            "httpContentType": "application/x-www-form-urlencoded",
            "ssl": {
                "keyFile": "/saviynt_shared/saviynt/ConnectorFiles/3DEVCert.p12",
                "keyFilePassword": "xxxxxxxxx",
                "keyManagerAlgorithm": "SunX509",
                "keyStoreType": "JKS",
                "sslAlgorithmName": "TLSv1.2"
            },
			"file_Pass":"xxxxxxxxx",
            "httpHeaders": {
                "Content-Type": "application/x-www-form-urlencoded"
            },
            "retryFailureStatusCode": [
                401,
                403
            ],
            "expiryError": "ExpiredAuthenticationToken",
            "authError": [
                "SESSION_NOT_VALID",
                "AuthenticationFailed",
                "ExpiredJwtException",
                "401 Unauthorized"
            ],
            "timeOutError": "Read timed out",
            "errorPath": "code",
            "maxRefreshTryCount": 6,
            "tokenResponsePath": "access_token",
            "tokenType": "Bearer",
            "accessToken": "xxxxxxxxx",
            "testConnectionParams": {
                "http": {
                    "url": "host/service/scim/Groups",
                    "httpHeaders": {},
                    "httpContentType": "application/json",
                    "httpMethod": "GET",
                    "ssl": {
                        "keyFile": "/saviynt_shared/saviynt/ConnectorFiles/3DEVCert.p12",
                        "keyFilePassword": "xxxxxxxxx",
                        "keyManagerAlgorithm": "SunX509",
                        "keyStoreType": "JKS",
                        "sslAlgorithmName": "TLSv1.2"
                    }
                },
                "successResponse": [],
                "successResponsePath": "",
                "errors": [
                    "Couldn't authenticate you"
                ],
                "errorPath": "error"
            }
        }
    }
}

 

ImportAcctEntJSON

{
    "accountParams": {
        "connection": "acctAuth",
        "processingType": "SequentialAndIterative",
        "statusAndThresholdConfig": {
            "statusColumn": "customproperty10",
            "activeStatus": [
                "true"
            ],
            "accountThresholdValue": 1000
        },
        "call": {
            "call1": {
                "callOrder": 0,
                "listField": "Resources",
                "keyField": "accountID",
                "http": {
                    "url": "${connection.url}",
                    "httpMethod": "GET",
                    "httpContentType": "application/scim+json",
                    "httpHeaders": {}
                },
                "colsToPropsMap": {
                    "accountID": "userUuid~#~char",
                    "name": "id~#~char",
                    "displayname": "displayName~#~char",
                    "customproperty1": "userType~#~char",
                    "customproperty2": "userName~#~char",
                    "customproperty3": "locale~#~char",
                    "customproperty4": "displayName~#~char",
                    "customproperty5": "department~#~char",
                    "customproperty10": "active~#~bool",
                    "customproperty31": "STORE#ACC#ENT#MAPPINGINFO~#~char"
                },
                "pagination": {
                    "offset": {
                        "offsetParam": "startIndex",
                        "batchParam": "count",
                        "batchSize": 500,
                        "totalCountPath": "completeResponseMap.totalResults"
                    }
                }
            }
        },
        "acctEntMappings": {
            "Groups": {
                "listPath": "groups",
                "idPath": "value",
                "keyField": "entitlement_value"
            }
        }
    },
    "entitlementParams": {
        "connection": "entAuth",
        "processingType": "SequentialAndIterative",
        "entTypes": {
            "Groups": {
                "entTypeOrder": 0,
                "call": {
                    "call1": {
                        "callOrder": 0,
                        "stageNumber": 0,
                        "http": {
                            "url": "${connection.url}",
                            "httpHeaders": {},
                            "httpContentType": "application/scim+json",
                            "httpMethod": "GET"
                        },
                        "listField": "Resources",
                        "keyField": "entitlementID",
                        "colsToPropsMap": {
                            "entitlementID": "id~#~char",
                            "entitlement_value": "displayName~#~char",
"customproperty1":"urn:sap:cloud:scim:schemas:extension:custom:2.0:Group.name~#~char"
                        },
                        "pagination": {
                            "offset": {
                                "offsetParam": "startIndex",
                                "batchParam": "count",
                                "batchSize": 500,
                                "totalCountPath": "completeResponseMap.totalResults"
                            }
                        },
                        "disableDeletedEntitlements": true
                    }
                }
            }
        }
    },
    "acctEntParams": {
        "processingType": "acctToEntMapping"
    }
}

 

Regards,
Naveen Sakleshpur