
Unable to register External connector server on vApp


Article ID: 112265


Products

CA Identity Manager
CA Identity Suite

Issue/Introduction

To provision to a Windows-based endpoint (such as Active Directory or Exchange), you must install CA Connector Server on a Windows server. To do this, follow the steps below:
 
  1. Log in to the Virtual Appliance.
     
  2. Select External Tools by clicking the Hamburger icon available on the upper left corner of the menu bar.
     
  3. Install the Connector Server by following the instructions that are provided under the Remote Connector Server (for Windows OS) section.
    Caution: As part of the installation, do not register the Connector Server with the Provisioning Server.
     
  4. After the installation succeeds, register the remote Connector Server with the Virtual Appliance. 
    In the given box, enter the IP Address or the Hostname of the remote Connector Server and click Add.

When you register the newly installed external connector server (ccs connector) with the vApp server, registration fails and the following error message is displayed in the Web User Interface (webui) screen:

Error fetching list of registered connector servers: Script terminated due to SSH command timeout running command on host

Errors are captured in the logs similar to those below:

ca_vapp_main.log
-----------------------
yyyy MMM DD hh:mm:ss [hostname] ListRegisteredExternalConnectorServers Script started
yyyy MMM DD hh:mm:ss [hostname] ListRegisteredExternalConnectorServers [ERROR] Error fetching list of registered connector servers (error #124)
yyyy MMM DD hh:mm:ss [hostname] ListRegisteredExternalConnectorServers Script terminated due to SSH command timeout running command on host xxx.xxx.xxx.xxx

-----------------------

The JCS logs from the vApp will include errors similar to the one below:
-----------------------
2018-11-21 16:15:09,721 442248226 [ApacheDS Worker-thread-150] (com.ca.jcs.security.login:com.ca.jcs.security.JCSLoginModule:166) INFO - Authentication failed: Bad credentials
-----------------------

It indicates that the login credentials on the JCS on that vApp are invalid.

Environment

CA Identity Manager Suite Virtual Appliance (vApp) 14.x

Resolution

This issue can have either of two causes: incorrect credentials used to authenticate the Connector Server, or the JCS service being blocked or stalled.
In the first case, retry with the correct login credentials. If the JCS service is stalled, restart the JCS service on the vApp machine with the 'restart_jcs' command.

Also check whether Windows Firewall on the Windows Connector Server is blocking access to the necessary ports.

If Windows Firewall cannot be stopped, add these ports to Windows Firewall:
netsh firewall add portopening TCP 20390 "CA-CS SERVER 20390"
netsh firewall add portopening TCP 20410 "CA-CS LDAP 20410"
netsh firewall add portopening TCP 20411 "CA-CS LDAPS 20411"
netsh firewall add portopening TCP 22001 "CA-CS Broker-HTTP 22001"
netsh firewall add portopening TCP 22002 "CA-CS BROKER-HTTPS 22002"
netsh firewall add portopening TCP 20080 "CA-CS WEB-HTTP 20080"
netsh firewall add portopening TCP 20443 "CA-CS WEB-HTTPS 20443"
netsh firewall add portopening TCP 22099 "CA-CS RMI 22099"
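
The commands above use the legacy `netsh firewall` context and open each port to any source address. As an added example (not part of the original article), the script below creates the same eight openings with the NetSecurity cmdlets and limits them to the vApp address. It assumes Windows Server 2012 or later and that only the vApp needs to reach these ports; `192.0.2.10` is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article.
# Assumption: 192.0.2.10 is a placeholder; pass the real vApp address(es).
param(
    [string[]]$AllowedRemote = @('192.0.2.10')
)

# Ports and display names copied from the netsh commands in this article.
$rules = @(
    @{ Port = 20390; Name = 'CA-CS SERVER 20390' },
    @{ Port = 20410; Name = 'CA-CS LDAP 20410' },
    @{ Port = 20411; Name = 'CA-CS LDAPS 20411' },
    @{ Port = 22001; Name = 'CA-CS Broker-HTTP 22001' },
    @{ Port = 22002; Name = 'CA-CS BROKER-HTTPS 22002' },
    @{ Port = 20080; Name = 'CA-CS WEB-HTTP 20080' },
    @{ Port = 20443; Name = 'CA-CS WEB-HTTPS 20443' },
    @{ Port = 22099; Name = 'CA-CS RMI 22099' }
)

foreach ($r in $rules) {
    # Drop any earlier rule with the same name so a re-run does not stack duplicates.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Inbound TCP allow rule, limited to the listed source addresses.
    New-NetFirewallRule -DisplayName $r.Name `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $r.Port -RemoteAddress $AllowedRemote | Out-Null
}

# Show what is now in place: rule name, local port and permitted sources.
foreach ($r in $rules) {
    $rule = Get-NetFirewallRule -DisplayName $r.Name
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        LocalPort     = ($rule | Get-NetFirewallPortFilter).LocalPort
        RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
}
```

If other hosts also need to connect to the Connector Server, add their addresses to `-AllowedRemote` rather than removing the restriction.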

Additional Information

The password on the JCS service is set at the time of deployment. If the credentials are not known, you may need to reinstall the vApp.

The same error can also occur after registration, when reloading the page to see the registered connector servers.

This can happen if Windows Firewall on the connector server, or another security program, is blocking the connector server ports. The documentation (docops) suggests temporarily disabling Windows Firewall or, if that is not possible, adding exceptions for these ports with the netsh commands listed under Resolution.