KB Article #177343

Copilot login issue with CG users

Problem

Copilot login problems with CG


tmattu : user 'xxxxx' login failed: Passport AM authentication failed

Resolution

The steps below apply to issues that occur when authenticating to Passport AM.

The issue can be caused by older bugs in the certificate renewal process, which could leave broken links in the Passport DB.

Even after both products (CG and CFT) are upgraded, some broken links can remain.


How to identify the root cause of a Copilot login issue:


1. Check the settings


Verify where the user who attempts to log in is defined.


If the user is defined as a Central Governance user, in which Organization?


Then verify on the CFT side:


am.type=passport


am.passport.cg.organization=<theOrganization>


copilot.misc.createprocessasuser=No


Verify that the TCP port defined in the UCONF variable am.passport.port is reachable.


2. Enable traces


Enable developer traces for the XPAM connector and the XPAM API by setting the following environment variables:


XTRACE_CFT_XPAM_LEVEL=3


XTRACE_XPAM_LEVEL=3


XTRACE_OUTPUT_FILENAME=$CFTDIRRUNTIME/run/xpam.trc


3. Attempt to log in


Restart the Copilot server and attempt to log in.


4. Send the collected traces to support


Generate a cft_support.


Send both the cft_support and the file $CFTDIRRUNTIME/run/xpam.trc to support.


Possible fix to try:


If the XPAM trace shows a certificate-related issue, as in the example below:


<err:PassPortResponse xmlns:err="http://www.axway.com/passport/Schemas/V1/Error" updateDate="2015-08-19T09:53:15.000+02:00" responseTo="2" id="2"><err:error id="51" group="AM_SERVER" description="The certificate that you use is not associated to any instance."/></err:PassPortResponse>"


(We get this message when a link is broken in the Passport database)
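
An added example (not part of the original article or of Axway's tooling) that scans the text of xpam.trc for PassPortResponse error elements and flags the certificate error shown above. The trace line prefixes in the sample are constructed, and matching on id 51 with group AM_SERVER is an assumption taken from the article's single example.

```python
import re
import sys
import xml.etree.ElementTree as ET

# One complete PassPortResponse element; the lookahead stops a truncated opening
# tag from swallowing the next, complete response.
RESPONSE_RE = re.compile(
    r"<(\w+):PassPortResponse\b(?:(?!<\1:PassPortResponse\b).)*?</\1:PassPortResponse>",
    re.DOTALL)

# Constructed sample: line prefixes are invented, the XML is the article's example.
SAMPLE_TRACE = (
    "constructed prefix: sending authentication request\n"
    "constructed prefix: <err:PassPortResponse truncated\n"
    'constructed prefix: <err:PassPortResponse '
    'xmlns:err="http://www.axway.com/passport/Schemas/V1/Error" '
    'updateDate="2015-08-19T09:53:15.000+02:00" responseTo="2" id="2">'
    '<err:error id="51" group="AM_SERVER" description="The certificate that '
    'you use is not associated to any instance."/></err:PassPortResponse>"\n'
)


def passport_errors(trace_text):
    """Return one dict per error element found in PassPortResponse fragments."""
    found = []
    for match in RESPONSE_RE.finditer(trace_text):
        try:
            root = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # interleaved or damaged trace output: skip the fragment
        for elem in root.iter():
            # Compare local names so the result does not depend on the prefix.
            if elem.tag.rsplit("}", 1)[-1] == "error":
                found.append({"id": elem.get("id"), "group": elem.get("group"),
                              "description": elem.get("description"),
                              "time": root.get("updateDate")})
    return found


def has_broken_certificate_link(trace_text):
    """Assumption: id 51 in group AM_SERVER, as in the article's example."""
    return any(e["id"] == "51" and e["group"] == "AM_SERVER"
               for e in passport_errors(trace_text))


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for err in passport_errors(text):
        print(err["time"], err["group"], err["id"], err["description"])
```

Run it with the path to $CFTDIRRUNTIME/run/xpam.trc as the only argument; without an argument it parses the embedded sample.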


How to force the renewal of the CFT Governance certificate:


Stop the Copilot server


Force the certificate renewal by setting a date that is already in the past:

Run: cftutil uconfset id=cg.certificate.governance.renewal_datetime,value=20150101000000


Start the Copilot server


Attempt to log in


NOTE: In CFT 3.1.3 SP5 and higher versions, the Copilot default traces are more verbose about connection issues to Passport.