Solving the SailPoint IdentityIQ “Mark Invalid” error

Problem description 

When we try to correlate accounts into SailPoint’s IdentityIQ using multiple authoritative sources, the following
exception may arise.

Why this happens

The main reason for this error is ambiguity of accounts. After the account aggregation task has completed, we try to run the Refresh Identity Cubes task. The task does not run, and the error is displayed as “Task stopped by user”. The log file shows an exception named Mark Invalid.



Case 1

The main cause of this error is having more than one authoritative source marked for one identity, that is, two authoritative sources representing the same data. If you run the aggregation task, the accounts are populated with their names. If you then run the Refresh Identity Cubes task, the accounts are not linked to their respective manager accounts, because there is an ambiguity between the two accounts that have to be correlated as the manager account.

Case 2

In other cases, the error arises when accounts or identities have not been properly deleted.


The solution I found is to take a backup of the rules and application into an XML file using the console. Shut down the application server and drop all the tables in the database using the SQL scripts provided by IdentityIQ, then create the tables using the scripts. Import init.xml using the iiq console. Then import the XML file which represents the application object. Then, if you run the aggregation and correlation tasks, you can see that all the identities and their managers are correlated in the identity warehouse.

Requirements Gathering for an IDM Solution

Requirements Gathering

Understanding the AS-IS and TO-BE states of the enterprise IT infrastructure is the most important key to success in any identity management implementation. Approaching this challenge with a good questionnaire leads to a win-win situation for both the customer and the implementer.

At ENH iSecure, we face the challenge of requirements gathering with a strong questionnaire that helps us understand the customer's requirements easily. The following list comprises some important questions from the initial requirements gathering that are part of the questionnaire:

Identity Vault establishment:

Identity vault establishment is the first step of any Identity management implementation. It involves creating a central identity store which shall be the heart of the implementation. As part of the identity vault establishment and future management, we would put up the following questions to the customer:

Initial Creation of Identity vault:

1. What are the sources that help us create the identity vault?
They can be delimited files at a Unix location, Active Directory, or an HRMS.
2. Are these sources distributed across multiple applications? If they are, find all the applications across which the trusted sources are distributed.

Regarding the Identity vault maintenance:

1. Are there any specific organizational requirements regarding updates to the identity vault? Sometimes such updates happen on a specific date to match server loads and bursts in server load caused by sudden peaks in usage. For example, universities admit many students in spring or fall.
2. How often should incremental updates to the identity vault happen? How often are complete updates expected?

Information related to users:

1. What are the various types of people whom the identity management solution monitors? For example, employees, contractors, rehires, customers and any other types of users.
2. What are the various operations that could happen to the users of the identity management system? For example, promotion or termination of an employee is an operation on the user. Expiry of a contract is a situation that applies to contractors.
3. Identity management solutions maintain users in various states. For example, most identity management solutions have active, disabled and terminated states for users. How are these states expected to change in response to various actions on the users?

Provisioning related information:

1. What are the various target applications that are present in the IT infrastructure that need to be monitored by the solution?
2. How does communication from the identity management solution to the applications happen? Is there a bus service that requests must pass through, or can the applications be communicated with directly?
3. Are there any rare applications for which we do not have prebuilt connectors? In such cases we need to develop connectors for communication to happen.
4. What are the various accounts and privileges to be provided to the various kinds of users with different attribute values?
5. If there is a change in user attributes or in the state of the user, how should the transition to the new state be handled? For example, in a rehire scenario, we temporarily disable the users. Also, when there is a state change, all the accounts that need to be provisioned in the new state have to be provisioned.

Requests based provisioning:

1. Is there a requirement for users to request various accounts or privileges in various applications? What are the various resources that a particular kind of user can request and what is it that they can’t request?
2. How should the various requests be processed? Is there a complex approval process involved? For example, sometimes both the IT admin and the manager are expected to approve provisioning an account.

Enabling Active directory SSL authentication

Using JNDI we can access Active Directory, but to access it over the secure port we need the certificate issued by Active Directory Certificate Services.

The certificate helps to authenticate the server over SSL.

SSL authentication is useful when we need to perform administrative operations, such as changing a password, using JNDI.

Active Directory lets us access the server over SSL using the certificate issued by that server.

To access Active Directory using JNDI over SSL, we need to get the certificate issued by Active Directory and import it into the Java keystore using keytool.


1. Creating and exporting the certificate file

The certificate used for SSL authentication can be exported in several ways. In this article we export it using Internet Explorer and the command prompt.

Note: to export the certificate, the server must have Active Directory Certificate Services (AD CS) installed. Refer to the following link to install AD CS.

  i. Exporting the certificate using Internet Explorer
  • Open Internet Explorer on the Windows server and click Internet Options.
  • Navigate to Content and click Certificates.
  • In the Certificates dialog, navigate to the trusted root certificates and click the certificate with your server name (in this case the server name is ADSERVER).
  • A new popup opens with the name of the certificate you selected. Click the Details tab and select the copy file option.
  • A new popup window appears. Click Next.
  • Select the option not to export the private key and click Next.
  • Select Base-64 encoded and click Next.
  • Provide the path and file name for the certificate.
  • Verify the options and click Finish.






  ii. Exporting the certificate using the command prompt
  • Open a command prompt on your Windows server.
  • Navigate to the folder where you want to save the certificate.
  • Enter the following command to export the certificate:

> certutil -ca.cert sslcert.cer



2. Importing the certificate into the Java keystore


After exporting the sslcert.cer file, copy it to the host machine where Java is installed.

The following steps explain how to import sslcert.cer into the Java keystore with keytool in various environments.

  i. Linux
  • Open a terminal in the folder that contains the exported file.
  • Execute the following command:

# keytool -importcert -keystore "$JAVA_HOME/jre/lib/security/cacerts" -file sslcert.cer

  • The default password for the keystore is: changeit
  • Enter yes to import the certificate into the keystore.


  ii. Windows
  • Open the command prompt as administrator.
  • Navigate to the folder containing the exported certificate file.
  • Execute the following command:

> keytool -importcert -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -file sslcert.cer

  • The default password for the keystore is: changeit
  • Enter yes to import the certificate into the keystore.



Solving the problem with privileged ports in ODSEE instance creation

It is possible that creation of an instance in Oracle Directory Server might end up with the following error message:

port number 389 is a privileged port.

This happens because all ports below 1024 on Linux are treated as privileged. Most well-known ports, such as 389 for LDAP, 80 for HTTP and 443 for HTTPS, fall in this range.

Linux does not allow a service to be created on a privileged port unless its privileges are escalated.

In this particular case, we can start the instance using the following command:

sudo dsadm start <path-to-instance>

The main reason extra privileges are needed to use privileged ports may be that firewalls might not block traffic from these ports. An attacker interested in stealing your data over the network could open such ports in order to get past firewalls. To reduce the attack surface, privileged ports require root access.

Solving the problem “Can’t connect to local MySQL server through socket ‘/var/lib/mysql/mysql.sock’ ”

We usually connect to the MySQL server using the following command:

mysql -u root -p

Sometimes we may encounter the following error:

Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock'

A socket is used to bridge the connection between the server and the client.

The error message says that the client is not able to find that socket file.

The socket file is created automatically when we start the MySQL server and disappears automatically when the server is stopped.

This problem most probably arises when you accidentally delete the socket file, when you reinstall the same server, or when the server is not currently running.

The current running state of the server can be checked using the following command:

service mysqld status

Use the following command to solve the issue:

sudo /etc/init.d/mysqld restart

The above command restarts the MySQL server so that the socket file is created again.

Using lists in Identity IQ workflows at approval steps

SailPoint’s IdentityIQ converts every empty list that goes through an approval step in a workflow into a NULL value. This does not happen with non-empty lists.

For example, suppose we have a global variable in the workflow which is an empty ArrayList ( [] ). It is converted to ( NULL ) once it goes through an approval step. To make lists behave as needed, we can add a dummy value so that the list is never converted to NULL when it goes through an approval.

Enabling Oracle Linux to listen for requests over the network

Oracle Linux has a default firewall, provided by the package “iptables”. This firewall is enabled by default on installation. Without disabling or modifying it, we cannot access most of the services provided by the Linux host. For example, you may not be able to access your database and Tomcat over the network.

We can disable the firewall by following the procedure below:

First, install the iptables-services package using the following command:

sudo yum install iptables-services

Next, disable the firewall using the following commands:

sudo service iptables start

sudo service iptables stop 

sudo chkconfig iptables off

To open or block specific ports, and for more information, refer to the following link.
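As an alternative to switching the firewall off, the rules can be modified to admit only the services that must be reachable. The following is an added example, not part of the original post; the ports (3306, 8080) and the source network 192.0.2.0/24 are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): allow only the listed TCP ports
# from one trusted network instead of turning iptables off.
# Ports 3306/8080 and the 192.0.2.0/24 network are illustrative assumptions.

# open_port <tcp-port> <source-cidr>
# DRY_RUN=1 (default) prints the command; DRY_RUN=0 runs it with sudo.
open_port() {
    port=$1
    src=$2
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 2
    fi
    [ -n "$src" ] || { echo "source network required" >&2; return 2; }
    # -I inserts at the top of INPUT, ahead of the catch-all REJECT rule that
    # ends the stock ruleset; an appended (-A) rule would never be reached.
    rule="INPUT -p tcp -s $src --dport $port -m state --state NEW -j ACCEPT"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables -I $rule"
    else
        # $rule is intentionally unquoted so it splits into arguments.
        sudo iptables -I $rule
    fi
}

# Persist the running rules so they survive a reboot (iptables-services).
save_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "service iptables save"
    else
        sudo service iptables save
    fi
}

# Dry run for a host that serves a database and Tomcat:
open_port 3306 192.0.2.0/24
open_port 8080 192.0.2.0/24
save_rules
```

Run it with DRY_RUN=0 only after reviewing the printed commands; the firewall stays enabled and every other inbound port remains closed.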

Oracle Database Installation – Circumventing the requirement for pdksh package


Oracle Database 11g R2 has many packages as dependencies. Among them is the pdksh package, which is no longer part of the yum repositories. pdksh is not needed as long as the ksh package is installed, and Oracle Linux has ksh installed by default. Trying to install pdksh using rpm could cause a conflict between these packages.

Problems with pdksh can be resolved easily by modifying the configuration of the Oracle Database verification utility. By default, this utility assumes that the Linux distribution in use is OEL4, and all dependencies are verified against OEL4. Changing the value of the assumed Linux distribution solves the problem with pdksh. If you are using OEL 6, change the value to OEL6. Similarly, if you are using OEL 7, change the value to OEL7.


The exact instructions for the procedure follow.


Let <db_extract> be the location of your database extract.

cd <db_extract>/database/stage/cvu/admin/

vim cvu_config

[Screenshots in the original post: 1. Navigating to the required directory; 2. Default cvu_config; 3. Modified cvu_config]


You should find a property named CVU_ASSUME_DISTID whose default value is OEL4.

If you are using OEL6, change it to OEL6. If you are using OEL7, change it to OEL7.

Restart the configuration utility and the requirement for pdksh should no longer appear.
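The same edit can be made without an interactive editor. The following is an added example, not part of the original post: it changes CVU_ASSUME_DISTID in place and keeps a copy of the shipped file. The helper names and the use of /etc/oracle-release to pick the value are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): set CVU_ASSUME_DISTID without
# an interactive editor, keeping a backup of the shipped cvu_config.

# distid_for_release <release-file>: map "... release 6.x" / "7.x" to OEL6/OEL7.
# Assumption: the file is /etc/oracle-release or has the same one-line format.
distid_for_release() {
    major=$(sed -n 's/.*release \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    case $major in
        6|7) echo "OEL$major" ;;
        *)   echo "unhandled release in $1" >&2; return 1 ;;
    esac
}

# set_cvu_distid <cvu_config> <OEL6|OEL7>
set_cvu_distid() {
    cfg=$1
    distid=$2
    case $distid in
        OEL6|OEL7) ;;
        *) echo "unsupported value: $distid" >&2; return 2 ;;
    esac
    if ! grep -q '^CVU_ASSUME_DISTID=' "$cfg" 2>/dev/null; then
        echo "CVU_ASSUME_DISTID not found in $cfg" >&2
        return 1
    fi
    # Keep the first (pristine) copy; never overwrite it on a re-run.
    [ -e "$cfg.orig" ] || cp -p "$cfg" "$cfg.orig"
    tmp=$(mktemp) || return 1
    sed "s/^CVU_ASSUME_DISTID=.*/CVU_ASSUME_DISTID=$distid/" "$cfg" > "$tmp" &&
        cat "$tmp" > "$cfg"      # rewrite in place, preserving owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on the install host (path from the post):
#   cfg=<db_extract>/database/stage/cvu/admin/cvu_config
#   set_cvu_distid "$cfg" "$(distid_for_release /etc/oracle-release)"
```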

Solving the problem with ‘&’ character while importing files into IdentityIQ

SailPoint’s IdentityIQ uses XML files for importing various objects such as applications and rules. If a script in your code uses a ‘logical and’ (&), the import normally fails. This is because of the way XML files are read: ‘&’ is one of XML's special characters.

To solve the problem, replace every ‘logical and’ character ‘&’ with ‘&amp;’. This makes the import succeed.

[Screenshot in the original post: ampersand in XML]

Find related information at this link.
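The replacement described in this post can be checked and applied from the shell. The following is an added example, not part of the original post: one filter reports whether text still contains a bare ‘&’, the other escapes it without double-escaping entities that are already valid. The function names and the sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find and escape bare '&'
# characters in text destined for an IdentityIQ XML import.

# Entities that are already valid XML and must be left untouched.
XML_ENTITY='(amp|lt|gt|quot|apos|#[0-9]+|#x[0-9A-Fa-f]+);'
# Byte 0x01 marks shielded entities; it cannot appear in well-formed XML 1.0.
MARK=$(printf '\001')

# has_bare_ampersand: reads stdin, succeeds if a bare '&' is present.
has_bare_ampersand() {
    sed -E "s/&$XML_ENTITY//g" | grep -q '&'
}

# escape_ampersands: stdin -> stdout, '&' -> '&amp;' except existing entities.
escape_ampersands() {
    # 1) shield valid entities, 2) escape what is left, 3) restore the shield
    sed -E \
        -e "s/&($XML_ENTITY)/$MARK\\1/g" \
        -e 's/&/\&amp;/g' \
        -e "s/$MARK/\\&/g"
}

# Constructed sample: one line of rule script with a logical AND and an
# entity that is already escaped.
sample='if (a != null && b.size() > 0) { s = "R&amp;D"; }'
printf '%s\n' "$sample" | escape_ampersands
```

The filter is idempotent, so running it twice does not produce ‘&amp;amp;’. Text inside a CDATA section is read literally by the XML parser and should not be passed through it.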