KB Article #177343
copilot login issue/problem when with CG users
Problem
copilot login problems with CG
tmattu : user 'xxxxx' login failed: Passport AM authentication failed
Resolution
Steps below apply to issues when doing the authentication to Passport AM.
Issue can be related to older bugs related to the certificates renewal process ending with possible broken links into the Passport DB.
Even after both products (CG and CFT) upgrade, some broken links can remain.
How to identify the root cause of a Copilot login issue:
1.Check the settings
Verify where is defined the user who attempts to log in?
If defined as a Central Governance user, In which Organization?
Then verify at CFT side:
am.type=passport
am.passport.cg.organization=<theOrganization>
copilot.misc.createprocessasuser=No
Verify the TCP port from UCONF variable am.passport.port is reachable.
2.Enable traces
Enable developer traces at XPAM connector and XPAM API setting the following environment variables:
XTRACE_CFT_XPAM_LEVEL=3
XTRACE_XPAM_LEVEL=3
XTRACE_OUTPUT_FILENAME=$CFTDIRRUNTIME/run/xpam.trc
3.Attempt to log in
Restart Copilot server and attempt to log in.
4.Send back to support collected traces
Generate a cft_support
Send back to support both the cft_support and the file $CFTDIRRUNTIME/run/xpam.trc
Possible fix to try :
If XPAM trace show certificate issue related like in below example:
<err:PassPortResponse xmlns:err="http://www.axway.com/passport/Schemas/V1/Error [^]" updateDate="2015-08-19T09:53:15.000+02:00" responseTo="2" id="2"><err:error id="51" group="AM_SERVER" description="The certificate that you use is not associated to any instance."/></err:PassPortResponse>"
(We get this message when a link is broken in the Passport database)
How to force the renewal of the CFT Governance certificate:
Stop Copilot server
Force the certificate renewal by setting an already past date:
Run: cftutil uconfset id=cg.certificate.governance.renewal_datetime,value=20150101000000
Start Copilot server
Attempt to log in
NOTE: Starting from CFT 3.1.3 SP5 and higher versions, the Copilot default traces are more verbose about connection issues to Passport.