Documentation forDatabase Performance Analyzer

Troubleshoot the CyberArk integration

The following situations can occur when DPA is not properly configured to use CyberArk. Any misconfiguration of CyberArk should not prevent DPA from starting.

I am not able to create the repository, register a database or VM instance, or integrate the LDAP/AD or mail server

When you attempt to perform any of these actions, you see the following message:

Failed to retrieve credentials. Error sending the credential request.

To find the root cause of the problem, open DPA_install_dir\iwc\tomcat\logs\errors.log and search for any of the errors described in CyberArk configuration errors. See that section for steps to resolve the issue.

Monitoring does not start for some instances, but it does for others

The cyberark.properties file is configured correctly, but there is a mistake in the CyberArk query you provided when you registered the database instances. The CyberArk query is always validated during registration, but a change might have been made to your CyberArk CPP so the path has changed.

For each instance that is not monitored, use the Update Connection Wizard to correct the CyberArk query.

Monitoring does not start for any instances

The cyberark.properties file is probably not configured correctly. Open DPA_install_dir\iwc\tomcat\logs\errors.log and search for any of the errors described in CyberArk configuration errors. See that section for steps to resolve the issue.

CyberArk configuration errors

This section explains the most common CyberArk configuration errors that can appear in the DPA_install_dir\iwc\tomcat\logs\errors.log file.

  • PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    Problem: The CyberArk CC sever certificate is not trusted by DPA.

    Resolution: Your CyberArk CC sever certificate is not signed by a public CA. Therefore you must import the CA certificate of the CyberArk CCP into the DPA trust store.

  • The keystore could not be loaded: keystore password was incorrect

    Problem: The password to the keystore holding your private key to authenticate to CyberArk is incorrect.

    Resolution:

    1. Open the following file in a text editor:

      DPA_install_dir\iwc\tomcat\ignite_config\idc\cyberark.properties

    2. Change the value of the keystore.password property to the correct keystore password, and save the file.
    3. Restart DPA. The password is encrypted when DPA restarts.
  • Error initializing the key manager factory: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

    Problem: The password to the private key to authenticate to CyberArk is incorrect.

    Resolution:

    1. Open the following file in a text editor:

      DPA_install_dir\iwc\tomcat\ignite_config\idc\cyberark.properties

    2. Change the value of the key.password property to the correct key password, and save the file.
    3. Restart DPA. The password is encrypted when DPA restarts.
  • The keystore file could not be opened: … (The system cannot find the file specified)

    Problem: DPA cannot find the keystore to authenticate to CyberArk.

    Resolution:

    1. Open the following file in a text editor:

      DPA_install_dir\iwc\tomcat\ignite_config\idc\cyberark.properties

    2. Change the value of the keystore.location property to the correct location of the keystore, and save the file.
  • Failed to retrieve credentials for INSTANCE_NAME using request 'CYBERARK_QUERY' … UnknownHostException: No such host is known (cyberark-vaultl.ignite.local)

    Problem: The CyberArk CCP host name is incorrect.

    Resolution:

    1. Open the following file in a text editor:

      DPA_install_dir\iwc\tomcat\ignite_config\idc\cyberark.properties

    2. Update the value of the base.uri property with the correct CyberArk CCP host name, and save the file.
  • Failed to retrieve credentials for INSTANCE_NAME using request 'CYBERARK_QUERY' … Password object matching query [CYBERARK_QUERY] was not found

    Problem: The path to the CyberArk CCP to get the credentials is incorrect.

    Resolution: Use the Update Connection Wizard to correct the CyberArk query for the affected instance.

  • ERROR (2022-06-01T18:07:25,740-0400) [localhost-startStop-1] SslServiceImpl:147 - Failed to create empty custom DPA trust store.

    java.io.IOException: keystore password was incorrect

    Problem: The keystore for the custom DPA trust store is incorrect.

    Resolution:

    1. Open the following file in a text editor:

      DPA_install_dir\iwc\tomcat\ignite_config\idc\system.properties

    2. Change the value of the com.confio.security.trustStorePassword= property to the correct keystore password, and save the file.

      Make sure that com.confio.security.trustStore is pointed to the correct keystore file. By default, it should be pointed to .keystore.

    3. Restart DPA. The password is encrypted when DPA restarts.