Error Messages

From Swivel Knowledgebase Wiki

Contents 1 Introduction 2 General Errors 3 Authentication and RADIUS Errors 4 Synchronisation and LDAP (Active Directory) Errors 5 Transport Related Errors 6 Database Errors 7 Apache Tomcat Errors

Introduction

PINsafe writes information and error messages to its logs files or to syslog. This page provides more information about these messages and likely root-causes.

General Errors

PINsafe is currently not able to run correctly. Please check your server.

This can be see when trying to login to the PINsafe administration console. Check the system logs for errors and see PINsafe Administration Console Absent

Corrupt Log File Stack Trace on Log Viewer screen

This is caused by invalid characters in the log file. If you set the log file size to be very small (eg 10k) and then create a few log entries by requesting TURing images, the log file will roll over to a new file and the log viewer page should again render properly. Do not forget to reset the log file size back to a sensible value. To identify the root cause retrieve the log files directly from the server.

<username>: Failed to start a single channel session: AGENT_ERROR_USER_LOCKED.

When a user requests a TURing image or a SMS security string in on-demand mode, this starts a PINsafe authentication session. This error indicates that this session start has failed because the user-account is locked. The account should be unlocked by going to the admin console, finding the users account and selecting the unlock option;.

Session start failed for user: graham, error: Single channel image request by username is disabled.

There are two ways that a TURing image can be requested. Firstly an agent starts a session, reads the Session ID and then requests the image by sending the session ID to PINsafe. The second way is where those two steps are combined into a single step, an agent just passes PINsafe the username, the session is started and the TURing image returned in one step. To support this second model PINsafe must be configured to Allow Session Start by Username or Allow Image Request by Username.

Session start failed for user: x, error: No Data for user was found. or error: No data for the user was found The requested user does not exist in the database. If the user does exist in the repository (eg Active Directory) then PINsafe needs to sync with that repository.

<username>: Failed to start a single channel session: AGENT_ERROR_USER_NOT_IN_GROUP. <Agent Name>: Error occurred during login for user: xxxxx, error: User does not belong in the correct group within the user repository to continue the authentication attempt

PINsafe can be configured so that only members of certain groups can authenticate via certain agents. This error indicates that a user is trying to authenticate against an Agent that they are not authorised to do. In 3.x versions of PINsafe it maybe necessary to synchronise with the repository for any changes in these policies to be affected. Also seen in relation to ChangePIN where a user is trying to use the incorrect transport to change their PIN number.

PINsafe license contains an error.

The license is invalid or has not been correctly entered.

ERROR - The number of users in the PINsafe users group has exceeded the license

exceeded licensed users

The number of licensed users has been exceeded. Note that this message will be displayed even if a new larger license is installed until Tomcat is restarted.

ChangePIN failed for user: xxxx, Error: The PIN is not complex enough.

The PIN entered is too simple and breaks the PINsafe rules defined in the Administration Console, The default for repeated digits is 0 and allows for no repeated digits.

CHANGE_PIN_PIN_ERROR:

The original OTC is incorrect. A correct OTC must be entered before a new OTC is entered. If using the single Channel TURing image, ensure session request by username is enabled under Server/Single Channel.

Login failed for user: test, error: The user does not have a PIN set.

If this is also seen with the following:

Exception occurred checking agent: SQL Exception: Invalid transaction state..

The following also may be seen when a users PIN is reset:

Exception occurred checking agent: SQL Exception: A lock could not be obtained within the time requested.

A lock file may exist on the database that was not cleared properly. To resolve this issue;

Stop Tomcat

go to <path to Tomcat>\webapps\pinsafe\WEB-INF\db\swivel

Example on an appliance: \usr\local\apache-tomcat\webapps\pinsafe\WEB-INF\db\swivel

Check for and delete any .lck files.

Start Tomcat

LOG_PINSAFE_CREDENTIALS_EXCEPTION, java.lang.NumberFormatException: For input string: ""

The PIN number for a user cannot be obtained. This can be caused by the following:

PINsafe being unable to decrypt the PIN such as when timezone has changed.

Auto set credentials has been turned off and the user has been created without a PIN.

A PINless user is changed to a PIN user and no PIN has been allocated.

Loading transport class "com.swiveltechnologies.pinsafe.server.transport.SmtpTransport" failed, error: java.lang.reflect.InvocationTargetException. java.lang.reflect.InvocationTargetException

This error has been seen where incompatible java class versions are being used. Verify any java classes that have been imported to the PINsafe server.

Repository "Active Directory", cannot be added to the database: possibly already exists.

This error can occur if the repository name already exists or the Database is still set to shipping mode. The repository "local" can be used but will also generate this error but can be ignored.

bash: keytool: command not found

This error is seen when keytool cannot be found in the users path. This will be part of the Java path, and will depend upon the Java Version, Example: /usr/java/jre1.6.0_18/bin/keytool

Authentication and RADIUS Errors

Login failed for user: test

The user failed to login. For User login problems see User login fails

An error occurred, please check your credentials. If the error persists contact your PINsafe Administrator.

Seen on a user login. See the following: User login fails

The user does not have any security strings suitable for authentication

For a user to authenticate they need to have been presented with a security string either as a TURing image or as a Security String message (e.g. SMS). This error indicates that a user has tried to authenticate despite the fact that they do not have a valid security string. This maybe because they have used the wrong name to request the security string or the security string they had been sent has expired

admin:Exception occurred checking agent: SQL Exception: Invalid transaction state.

admin:Credentials invalid for user "graham"

graham:Failed to login user graham, error: The user does not have a PIN set.

The credentials invalid message can mean that the incorrect OTC has been entered. With the SQL Invalid transaction state message and invalid credentials may occur if the timezone has been altered. If the timezone has changed then the message that the user does not have a PIN set may also be displayed. Set timezone back to its original settings.

<username> Failed to login. RADIUS: <86> Access-Request(1) LEN=57 <IP address>:12004 Access-Request by <username> Failed: AccessRejectException:

If RADIUS based auth attempt and RADIUS logging enabled. Possible options are: This indicates the user has failed to authenticate successfully. If no other errors are logged in relation to the authentication attempt then the cause is that the user entered the wrong credentials.

This can be caused when an SMS message is to be entered but a Single Channel Image is started, if so then it is expecting a single channel OTC login, until the image times out (default 120 seconds).

The wrong security string index was used (use OTC-String Index, Example 9381-01).

A previously used OTC was attempted to be used again.

RADIUS: <72> Access-Request(1) LEN=130 192.168.1.1:9328 Access-Request by domain\user Failed: AccessRejectException: AGENT_ERROR_NO_USER_DATA

The user does not exist in the system. Where the domain name is required to differentiate users of the same name, set the PINsafe repository username attribute to be userPrincipalName, and instead login with username@domain. You are unable to pass DOMAIN\username in a RADIUS request.

RADIUS: <0> Access-Request(1) LEN=60 192.168.1.1:1685 Access-Request by username Failed: AccessRejectException: AGENT_ERROR_BAD_OTC
xxx.xxx.x.xx:<name>Login failed for user: <user>, error: The one-time code was missing or malformed.

This indicates that PINsafe has been unable to extract the one-time code from the RADIUS request. This is usually because the shared-secret set on PINsafe does not match the shared secret set up on the NAS (VPN). Check/reset both shared secrets, check a password has not been accidentally set for the user. See also AGENT ERROR BAD OTC and Reset a Users Password

RADIUS: <0> Access-Request(1) LEN=192.168.0.1:1001 Access Request by username Failed: AccessRejectException: AGENT_ERROR_NO_SECURITY_STRINGS

and

Login failed for user:username, error: The user does not have any security strings suitable for the authentication.

The user is attempting a dual channel authentication, but the user has not been sent any security strings. This can be because:

No transport has been defined for the security strings to be sent

Older versions of PINsafe did not send the security strings if users were added to a group

The access device is adding the domain name to the authentication in the format domain\username

A user is attempting a single channel authentication, but the single channel request has not reached PINsafe

PINsafe 3.8.4256 has an error whereby On demand authentication security strings do not match those in the View Security strings.

RADIUS error: The user does not have a PIN set and Access-Request by username Failed: AccessRejectException: AGENT_ERROR_NO_PIN

This may be seen when the PINsafe system cannot read the users PIN number such as after a time zone change.

RADIUS: <9> Access-Request(1) LEN=56 10.0.1.1:32773 Access-Request by test Failed: AccessRejectException: Two Stage Password Fail

Two stage authentication is being used and a password is expected to be entered.

RADIUS: <0> Access-Request(1) LEN=45 x.x.x.x:7423 Packet DROPPED: Source IP address [x.x.x.x] does not have a NAS entry

Log Error: The agent is not authorised to access the server, IP: xx.xx.xx.xxx

An agent/NAS has made a request to PINsafe but that agent/NAS is not authorised to do so. The agent/NAS needs to be configured with a specified IP address and shared secret. If not matching entry is found for the agent/RADIUS request is refused and this error is logged.

RADIUS: <87> Access-Accept(2) LEN=57 <IP address>:12004 Access-Request WARN : x.x.x.x device 2:Exception occurred during login for user: username, exception: java.lang.StringIndexOutOfBoundsException: String index out of range: 4

Indicates that the user had entered a one-time code that is greater than the PIN length.

INFO RADIUS: <0> Access-Request(1) LEN=78 192.168.1.1:4175 PACKET DROPPED - MESSAGE AUTHENTICATOR IS INCORRECT

This indicates that the shared secret on the access device and the PINsafe NAS setting do not match

INFO RADIUS: <0> Access-Request(1) LEN=78 192.168.1.1:4175 PACKET DROPPED - Duplicate packet from NAS

This can be caused by the following:

• If the PINsafe server sends the reply but it is not received by the access device, the access device may try to resend the RADIUS request. This can be caused by the Access device sending a RADIUS request from an external interface, but not accepting the response through that external interface.
• When an authentication fails the RADIUS client may retry sending additional authentication requests. Resolve the initial issue causing the failure.
• Some access devices may make additional RADIUS requests for group membership checks.
• If a PINsafe Virtual IP (VIP) address is used the RADIUS request may be made against the PINsafe VIP, but the RADIUS response may be sent from the real IP address of the PINsafe server, and be blocked by the access device due to IP spoofing rules. Duplicate packets may be then seen, as the access device has not seen a response from the PINsafe server, so repeats the authentication. This can be resolved by using the real IP address of the PINsafe server for the RADIUS request rather than the VIP, but may impact the solution in place.

RADIUS: <0> Access-Request(1) LEN=60 192.168.9.250:1496 PACKET DROPPED - Badly formed Attribute Block, Attribute at position 2 of type User-Password (2) has no data value (forbidden).- 12 octets not processed after error.

The request to the PINsafe RADIUS server is in an incorrect format, attributes are missing. To rectify, set the permit empty attributes to Yes in the RADIUS server settings.

RADIUS: <10> Access-Challenge(11) LEN=56 10.0.1.1:32772 Access-Request by test resulted in Access-Challenge

Two Stage authentication is enabled and the PINsafe server has responded requesting a One Time Code to be entered.

RADIUS: <0> Access-Reject(1) LEN=70 x.x.x.x:1097? Access-Request by admin Failed: AccssReject Exception: AGENT_ERROR_AUTH_METHOD_UNSUPPORTED

An authentication method is being used which is different to that permitted for the Access device. i.e. single channel authentication is being used where only dual channel authentication is permitted or dual channel authentication is being used where only single channel authentication is permitted. Check the NAS entry on the PINsafe server for the correct value.

INFO RADIUS: <5> Access-Request(1) LEN=65 192.168.1.1:25292 Access-Request by graham Failed: AccessRejectException: AGENT_ERROR_THIRDPARTY

INFO 192.168.1.1 VPN:Login failed for user: graham, error: Third party authentication failed.

A Third party authentication such as PositiveID, has failed for the PINsafe user.

RADIUS: <0> Access-Request(1) LEN=64 x.x.x.x:1265 Access-Request by username Failed: AccessRejectException: Two Stage Password Fail

x.x.x.x Identifier:Failed to get LDAP context for username@domain

The check password with repository is failing for the first stage of two stage authentication. This could be due to an incorrect password being entered.

AgentXML request failed, error: The agent is not authorised to access the server.

An Agent-XML request is being made against the PINsafe server but is not permitted to do so. If access should be allowed create an entry on the PINsafe Administration Console under Server/Agents. If an entry exists verify the shared secret is the same on PINsafe and the access device.

AgentXML request failed, error: The XML request sent from the agent was malformed.

The Agent XML request contains an error check the format. Spaces may also cause errors.

Invalid agent definition, name: MBCPHSG2, hostname/IP: XXXYYY

The hostname provided does not resolve into a valid IP address.

Failed to get LDAP context for user

This error can be seen when making an authentication and the option to check password with repository is set to true and the user enters a password. This response is on AD as well as LDAP.

It could also be because the LDAP repository is expecting credentials in the form username@domain. You can fix this by using credentials in this form for the repository admin credentials (in the repository definition). If there is an '@' in the username for the repository definition, PINsafe tries to use the same domain when checking users passwords.

User "graham" has been locked, reason: The user was required to change their PIN before this authentication.

The user account has been locked. This will occur if the user is required to change their PIN such as after an admin reset or after first login. When they try and login again, this error message will be displayed. Unlock the user account, ensure user knows they must change their PIN.

Access-Request by graham Failed: AccessRejectException: AGENT_ERROR_PIN_NOT_CHANGED

The users PIN was not changed. This could be caused by the account being locked, such as through a previous failed changePIN attempt.

FLUSHING_IMAGE_CACHE, ClientAbortException: java.net.SocketException: Connection reset

This error message can be seen in the PINsafe log when a Windows login is attempting to use an animated gif. Turn off animated gifs on PINsafe.

RADIUS server failed to start, error: com.theorem.radserver3.RADIUSServerException: RADIUS authentication server receiver thread failed to start: Failed to create RADIUS server socket on port 1812: java.net.BindException: Cannot assign requested address.

RADIUS server failed to start, error: com.theorem.radserver3.RADIUSServerException: RADIUS authentication server receiver thread failed to start: Failed to create RADIUS server socket on port 1812: java.net.BindException: Address already in use.

RADIUS: Failed to create RADIUS server socket on port 1812: java.net.BindException: Address already in use

The RADIUS server cannot start as the port is already in use. Verify that there are no other applications or other versions of PINsafe running RADIUS and that the IP address entered on the PINsafe RADIUS server is that of the PINsafe server, or blank to receive RADIUS requests on any of its interfaces.

Synchronisation and LDAP (Active Directory) Errors

Introduction When PINsafe integrates with external systems such as Active Directory, it detects errors raised by those third-party systems. A full list of possible errors is outside the scope of this page, however the more common errors are described below. Other sites, e.g. http://ldapwiki.willeke.com/Wiki.jsp?page=LDAPResultCodes will provide LDAP error-code listings.

Abandoned User Sync for repository

If a synchronisation encounters an error then the sync job will stop. Check the settings are correct, particularly LDAP group names, and check the logs for further associated errors.

SEVERE Exception occurred: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

This is usually caused by when incorrect authentication is made against an AD domain. Check the username and password being used for the LDAP synchronisation, check the password has not been changed and the account is still active.

Test the user account with an LDAP browser.

Other possible errors for AcceptSecurityContext: AcceptSecurityContect error, data xxx, vece are as follows:

• 525 user not found
• 52e invalid credentials
• 530 not permitted to logon at this time
• 531 not permitted to logon at this workstation
• 532 password expired
• 533 account disabled
• 701 account expired
• 773 user must reset password
• 775 user account locked

ERROR Exception occurred: during repository attribute query, object:<name>, attribute: sAMAccountName, exception:java.naming.InvalidNameException There is a syntax error in the ldap query being attempted, most likely cause is an error in the repository group definitions, check these definitions, possibly cross-reference with an LDAP browser.

Exception occured during repository group member query, group: CN=PINsafe2factor,CN=Users,DC=PINsafe,DC=swivel,DC=secure, exception javax.naming.CommunicationException: 192.168.0.1:389 [Root exception is java.net.NoRouteToHostException: No route to host]

The error No Route to Host indicates a networking issue. Check to see if the PINsafe server can Ping or Telnet on port 389 (or required port) to the AD or LDAP server.

No value for username attribute <attributeName> The user CN=x-x-x-x,CN=y,DC=z,DC=company,DC=com has no value for username attribute <AttributeName>. User not added
ERROR - Exception occured during repository attribute query, object: CN=something,OU=oux,offices,OU=Com,DC=bob,DC=corp, attribute: sAMAccountName, exception:javax.naming.NameNotFoundException: [LDAP: error code 32 -0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT)

The user within the repository has no value set for the attribute that is configured to be used as the PINsafe username; therefore an account cannot be created for that user. For example if PINsafe was configured to use the Active Directory attribute for email address for the PINsafe account name and this value was not set in AD for a given user.

This may happen when a user has been added to a trusted domain where PINsafe is looking for users within that group, only the fact that the user is a member of the group is available, and not the attributes of that user. Create a PINsafe AD repository to read the trusted AD domain or use an AD Global catalogue server.

ERROR 192.168.1.1 admin:Exception occured during repository group member query, group: CN=PINsafeusers,OU=PINsafe,DC=xxx,DC=swivelsecure,DC=com, exception ADserver1.xxx.swivelsecure.com:389

or

ERROR 192.168.1.1 admin:Exception occured during repository group member query, group: CN=PINsafeusers,OU=PINsafe,DC=xxx,DC=swivelsecure,DC=com, exception javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: OU=Swivelsecure,DC=Swivelsecure,DC=com]; remaining name CN=Users,OU=Swivelsecure,DC=Swivelsecure,DC=com

This can be caused by a user who is a member of the group PINsafeusers but is part of another domain. PINsafe will not be able to read the attributes for that user. PINsafe would need to connect to that AD domain or read a Global Catalogue Server. It can also be caused by an incorrectly specified LDAP path, verify that the LDAP path is correct.

Exception occurred: during repository group member query, group: javax.naming.CommunicationException: xxx.xxx.xxx.xxx:389 [Root exception is java.net.NoRouteToHostException: No route to host],exception %2

or

Exception occured during repository group member query, group: CN=PINsafeUsers,OU=Groups,DC=swivelsecure,DC=com, exception javax.naming.CommunicationException: ad.swivelsecure.com:389 [Root exception is java.net.UnknownHostException: ad.swivelsecure.com]

The PINsafe server cannot resolve the host name of the LDAP/Active Directory server or cannot route to it. Check the DNS settings for the PINsafe server and the hostname defined in the repository configuration.

ERROR Exception occurred during internal database access, exception: SQL Exception: The statement was aborted because it would have caused a duplicate key value in a unique or primary key constraint or unique index identified by 'SQL070416065001590' defined on 'PINSAFEJ'

This error occurs if PINsafe attempts to create a new user with a non-unique username. This can occur if two different repositories contain users with the same username. For example if you create a user called admin in the xml repository and a user exists within AD that is also called admin, the attempt to create the second account called admin will fail and this error will be reported. Care must be taken when working with Active-Active pairs, as the database is shared but the xml repositories are not. Therefore if you create an account in each xml repository called admin, pinsafe will try and create two pinsafe accounts called admin and this error will result.

Exception occurred during database access, exception: com.microsoft.sqlserver.jdbc.SQLServerException: Violation of UNIQUE KEY constraint 'UQ__PINSAFEJ__6477ECF3'. Cannot insert duplicate key in object 'dbo.PINSAFEJ'.

A user already exists with the same username. Up to and including PINsafe 3.8 it may indicate that the user may have been created in a different case which PINsafe has not differentiated as a new user.

Invalid Credentials

The PINsafe server has been unable to decrypt the credentials for as user. This is seen if the timezone has been changed and the system rebooted. Set the Time Zone back to the previous value and reboot. When an authentication is made the following error may be seen in RADIUS error: The user does not have a PIN set and Access-Request by username Failed: AccessRejectException: AGENT_ERROR_NO_PIN

Browser limit exceeded

The LDAP folder contains more entries than the LDAP browser can read. PINsafe 3.6 and 3.7 has a limit of 1500 entries. To view more items than the PINsafe LDAP browser allows then try using a 3rd party LDAP browser product.

ERROR - Exception occurred during repository group member query, group: CN=PinSafeUsers,CN=Users,DC=swivelsecure,DC=com, exception 192.168.0.100:389; socket closed

Synchronisation with the data source has been stopped after the port was closed, this could be caused if the system is shutdown or rebooted. Check to see if this is a one off instance or occurs multiple times.

javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0 ]; remaining name 'CN=Swivel PINsafe'

This is caused when PINsafe cannot find the specified group. Check the group pathname.

Exception occured during repository group member query, group: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09018A, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, vece], exception CN=PINsafeUsers,CN=Users,DC=swivelsecure,DC=com

SSL is enabled on the AD server, configure the PINsafe server to use LDAP over SSL is required.

ConnectException: Connection timed out

PINsafe cannot connect to the LDAP or AD data source, check network connectivity

Exception occurred checking agent: com.mysql.jdbc.MysqlDataTruncation: Data truncation: Data too long for column 'B' at row 1

The repository name specified was too long. Repository names can only be up to 32 characters in length.

Transport Related Errors

The user does not have an associated alert transport

PINsafe is unable to send alert information (Such as new PIN numbers, account lockout information), to the user as they do not have a transport method for sending them. See User_does_not_have_an_associated_alert_transport

No Transport Attribute found for User
No Alert Transport Attribute found for User

This message occurs if the PINsafe server has attempted to send a security string or an alert message to the user, but does not have the required information, i.e. where to send the message, to do so. Check that the (Alert) Transport attribute has been set correctly and that this attribute has been set for the user. For example for integrating with AD, check that the attribute has been set to telephoneNumber or Mobile as required

Dual channel message request failed, error: On-demand dual channel delivery is disabled.

A dual channel message request was made but the On-demand delivery is not enabled. If it should be enabled, on the PINsafe Administration console select Server/Dual Channel, then set On-demand delivery to Yes.

LOG_MESSAGE_REQUEST_DISALLOWED

A Dual Channel security String request has been made by a user who is does not have dual channel permissions.

LOG_MESSAGE_REQUEST_FAILED_FOR_UNKNOWN_USER

A Dual Channel security string request has been made for a user that is not in the PINsafe database.

Message has been retried too many times, being removed from message queue, user: <username>, destination: 441234567890.
The message has been attempted to be resent more than the specified number of retry attempts. Check the logs for messages to indicate why the sending of the message failed.

Message send failed for user <username>

Message send failed for user <username>, destination: 441234567890. Message will be retried later. The message has failed to be resent and will be retried. Check the logs for other transport-specific messages that indicate why transmission failed, eg network connectivity issue of lack of credit on SMS provider account.

Transport Queue has become locked:<Transport Name>

This indicates that the transport queue has taken too long in an attempt to send a message. This can occasionally occur in normal operation if, for example, an intermittent network issue has affected communication with an SMS provider. If you see this message you should monitor the logs to ensure that subsequent messages sends are successful. If it appears that messages are no longer being sent then tomcat may need to be restarted. Increasing the Message send Timeout in the Transport/General may help.

Membership of multiple alert transport groups is not permitted for user:

This occurs when users are member of more than one group that is assigned to a string transport entry or alert transport entry. The cause for this can be when users are added either purposely or accidentally to additional groups on the Active Directory or whichever repository type you are syncing with and a subsequent User Sync takes place in PINsafe.

To resolve this issue, on the PINsafe administration console select the User Administration screen. Find a user that is suffering from this problem. Change the View drop down on the User Administration screen to be 'Groups'. Make a note of the groups that the user is assigned to (represented by a tick/check mark). Then visit the Transport -> General screen. You now need to look for Transports you have defined, where these groups have a 'Alert repository group' drop down containing either of the groups you noted in the previous step. It is not possible to have a user assigned to more than one transport sting or transport alert. So you will need to remove the users from the offending group which has led to this situation.

Membership of multiple transport groups is not permitted:

A user can only have one transport method for sending security strings, a second transport method may be used for sending alerts. PINsafe groups can be structured to ensure membership of only one transport group.

User "admin" is a member of multiple transport groups

Warning that a user is a member of more than one transport group. Ensure that users have only one group that is assigned a transport.

WARN SMS_Transport message sending failed, error: java.net.UnknownHostException:

The host to which the message is being sent to cannot be found. Check DNS and network.

SMTP Transport failed to send Credentials to "xxx@xxx.xx", exception: com.sun.mail.smtp.SMTPSendFailedException: 501 #5.1.3 Partial domain not allowed: 'localhost'

The SMTP From address has a localhost entry, this should be substituted for a valid email address.

SMTP Transport failed to send Security Strings to "user@domainname", exception: javax.mail.MessagingException: Exception reading response; nested exception is: java.net.SocketException: Connection reset

This error can be caused by a standard SMTP connection to a port that is only configured to receive SSL connections.

ERROR Could not connect to SMTP host: smtp.company.com, port: 25; nested exception is: java.net.ConnectException: connection to smtp.company.com timed out

The PINsafe server is unable to connect to the mail gateway, check that a network path exists to the mail server.

TRANSPORT_LOADED: SMTP EXCEPTION IN TRANSPORT:id SMTPnull

A bug in PINsafe 3.8 prevents the delivery of security strings by SMTP (email), it does not affect SMTP to SMS or other transport classes, it also does not affect alerts. Upgrade to a more recent version."

iTagg message sending failed, error: error code|error text|submission reference 102|submission failed due to insufficient credit|0

The SMS gateway has run out of credit to send SMS messages.

Clickatell message sending failed, error: org.marre.sms.SmsException: org.marre.sms.transport.clickatell.ClickatellException: Clickatell error. Error 001, Authentication failed

Wrong username, password or API ID for Clickatell SMS account

java.net.ConnectException: connection timed out: connect

Connection to Clickatell SMS Gateway failed with the connection timing out. Verify that the PINsafe server connection to the SMS gateway is not being clocked by a firewall or proxy server.

AQL_TRANSPORT_ERROR0 Destination number(s) error +441234 567890

SMS message has failed to be sent due to space in telephone number

SMTP Transport failed to send Credentials to "user@domain.com", exception: com.sun.mail.SMTPSendFailedException: 504 Need Fully Qualified Address

The from address in the email transport needs to be a full valid email address.

LOG_HTTP_TRANSPORT_ERROR, Unable to tunnel through proxy. Proxy returns "HTTP/1.1 502 Proxy Error ( The ISA Server denies the specified Uniform Resource Locator (URL). )"

The SMS gateway may use HTTP or HTTPS to send security strings and requires an outbound connection from the PINsafe server. The proxy information for the transport has not been configured correctly. Check the port, username and password. If all the details are correct, and exception may need to be entered on the Proxy server to allow access from the PINsafe server to the SMS gateway.

SMTP Transport failed to send Credentials to "username@domain.com", exception: com.sun.mail.smtp.SMTPSendFailedException: 530 5.7.0 Must issue a STARTTLS command first.

TLS or STARTTLS is currently not supported for the email server configuration

SMTP Transport failed to send Security Strings to "user@emailaddress.com", exception: javax.mail.AuthenticationFailedException

Incorrect Username or Password, check the settings on the PINsafe Administration console under Server/SMTP

TRANSPORT_LOADED: YPF_SMTP WEXCEPTION IN TRANSPORT:id YPF_SMTPnull

A bug in PINsafe 3.8 prevents the delivery of security strings by SMTP (email), it does not affect SMTP to SMS or other transport classes, it also does not affect alerts. Upgrade to a more recent version.

AQL_TRANSPORT_ERROR0 Insufficient credit or invalid number of msg/destination

Either the account does not have enough credit to send an SMS and new credits must be purchased or the phone number is incorrect and the message cannot be sent.

Failure Please check your settings or try again later. Message: Provision Failure

The following log message may be seen in the PINsafe Administration Console:

User "gfield" provision failed, A valid session could not be loaded or created for the user.

This can be caused by an incorrect Mobile Provision Code, or the time allowed for provisioning a device has been exceeded.

SwivletException : SE007: java.io. IO exception:-5120

This error message has been seen with an incorrectly configured DNS entry in the Java Mobile Phone client

AgentXML request failed, error: No suitable authentication method for the user "qwerty" was found. The user may be missing from the user repository or a synchronisation has not yet occurred.

or

Mobile request from unknown user; the user needs to reprovision

A Mobile Provision Code was entered for a user who is not present on the PINsafe user database.

Port currently owned by Unknown Windows Application
This error is specific to use of a GSM Modem. It implies that another application is using the serial port designated for use for the GSM Modem. Close any applications that maybe using the port, e.g. WinTerm may have been used for testing, and re-allocate the port on the PINsafe GSM Modem config screen.

LOG_HTTP_TRANSPORT_ERROR, 503 Service Unavailable, Message added to message queue for user: xxxxxx, destination nnnnnnnnnn, Message send failed for user xxxx, destination nnnnnnnnnn message will be retried later, VODAFONE ERROR: 13 An internal error occurred.

GSM using Vodafone, error due to mobile network issue

LOG_GSM_FAIL, org.marre.sms.SmsException: Send failed: Unexpected response Last Response:

Message send failed for user: XYZ123, destination: <<MOBILENUMBER>>. Message will be retried later.

Message has been retried too many times, being removed from message queue, user: XYZ123, destination: <<MOBILENUMBER>>.

This is the sequence of events associated with a failure to send a SMS message. The Unexpected response message indicates a failure to communicate with the GSM modem. A common cause of this is incorrect Flow Control settings, try software Flow Control.

Loading transport class "com.swiveltechnologies.pinsafe.server.transport.TransportName" failed, error: java.lang.ClassNotFoundException: com.swiveltechnologies.pinsafe.server.transport.TransportName

The java class cannot be foound. Possible causes of this error are:

Mispelling of the class name on the transport->general screen

Class file not being in the correct location on the appliance

Class file not having the correect ownsership or file permissions

Tomcat has not been restarted

Database Errors

Exception occurred during database access, exception: com.mysql.jdbc.exceptions.MySQLIntegrityConstraintViolationException: Duplicate entry 'username' for key 2

Failed to create PINsafe data for user: username. User already exists?

Exception occurred during database access, exception: com.mysql.jdbc.exceptions.MySQLIntegrityConstraintViolationException: Duplicate entry 'username' for key 3

The username already exists in the PINsafe database and a new account cannot be created with the same username. Either ensure usernames are unique or use FQDN.

Exception occurred during database access, exception: com.swiveltechnologies.pinsafe.server.user.database.DatabaseException: java.lang.ClassNotFoundException: com.microsoft.sqlserver.jdbc.SQLServerDriver

The java database driver cannot be found. Ensure that it has been uploaded to the correct location and has the correct file ownership and permissions.

Exception occurred checking agent: java.sql.SQLException: ORA-01400: cannot insert NULL into ("USPINSAFE"."PINSAFEM"."B")

This has been seen when using Oracle 10g as a database, and is because Oracle does not differntiate between a NULL (i.e. missing) string value and a string of length zero. The following command allows null string values to be used: ALTER TABLE PINSAFEM MODIFY B VARCHAR(15) NULL;

JRUN:Exception occurred checking agent: SQL Exception: An SQL data change is not permitted for a read-only connection, user or database.

This has been seen on the internal PINsafe Database where the permissions have been incorrectly set. see Permissions and Ownership

ERROR 1218 (08S01) at line 1: Error connecting to master: Lost connection to MySQL: Lost connection to MySQL server during query

This can be seen on running the database sync commands. Verify that a network connection exists and that the IP addresses are connect. Verify that the /etc/my.cnf file has the IP address of the Primary Master.

[ERROR] Slave I/O thread: error connecting to master 'replication@192.168.0.36:3306': Error: 'Can't connect to MySQL server on '192.168.0.36' (4)' errno: 2003 retry-time: 60 retries: 86400 101020 14:36:27 InnoDB: Started; log sequence number 0 2972511 101020

[Note] Recovering after a crash using /var/lib/mysql/bin 101020 14:36:27 [Note] Starting crash recovery...

[Note] Crash recovery finished.

These errors can be seen on a slave with the incorrect Primary Master IP address in the /etc/my.cnf. This should be configured through the CMI

PINsafe data migration failed! com.swiveltechnologies.pinsafe.server.user.database.DatabaseException: com.mysql.jdbc.exceptions.MySQLSyntaxErrorException: Incorrect database name 'pinsafe_rep '

Wrong database name has been specified. In this case the database should have been pinsafe

Exception occurred during database access, exception: SQL Exception: A lock could not be obtained within the time requested

The database could not be accessed. This can occur if the timezone is changed. Set Timezone back to its original setting.

can't serialize access for this transaction

This is an error seen with Oracle databases and means that the data has changed since the transaction started. This has been seen where two PINsafe appliances are synchronising data at the same time. Ensure that either only one PINsafe server is synchronising data, or that they do so at different times.

Exception occurred checking agent: com.microsoft.sqlserver.jdbc.SQLServerException: Transaction (Process ID 70) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.

Connection to the PINsafe Database (here a MS SQL Db), has been lost and the process thread has been locked.

PINsafe data error please restart the PINsafe server "PINsafe_Server". If the issue continues please contact support.

A process has become locked, and requires PINsafe to restart

Exception occurred during database access, exception: com.swiveltechnologies.pinsafe.user.database.DatabaseException: com.microsoft.sqlserver.jdbc.SQLServerException: The TCP/IP connection to the host has failed. java.net.ConnectException: Connection refused: connect

The connection to the Database has been refused

Exception occurred during database access, exception: com.microsoft.sqlserver.jdbc.SQLServerException: The TCP/IP connection to the host has failed. java.net.BindException: Address already in use: connect

Connection to the database has failed due to a current connection with the database

admin:Exception occurred during database access, exception: com.swiveltechnologies.pinsafe.server.user.database.DatabaseException: java.lang.ClassNotFoundException: com.microsoft.sqlserver:jdbc.SQLServerDriver

ERROR 127.0.0.1 admin:Failed trying to load JDBC driver class

The Java class path for the driver is incorrect and cannot be loaded (in this instance a : has been used instead of a .)

Exception occurred during database access, exception: com.swiveltechnologies.pinsafe.user.database.DatabaseException: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'TYPE = INNODB DEFAULT CHARSET = utf8 COLLATE = utf8_bin' at line 1

There is an issue with PINsafe and MySQl 5.5, contact Swivel Support for a fix.

admin:Exception occurred during database access, exception: com.swiveltechnologies.pinsafe.server.user.database.DatabaseException: java.sql.SQLRecoverableException: I/O-Error: The Network Adapter could not establish the connection

ERROR x.x.x.x admin:Unable to open the database: java.sql.SQLRecoverableException: I/O-Error: The Network Adapter could not establish the connection

The connection to the firewall cannot be established. Check firewall rules are not blocking the connection.

ERROR x.x.x. admin:Exception occurred during database access, exception: com.swiveltechnologies.pinsafe.server.user.database.DatabaseException: java.sql.SQLRecoverableException: I/O-Error: Invalid connection string format, a valid format is: "//host[:port][/service_name]"

ERROR x.x.x.x admin:Unable to open the database: java.sql.SQLRecoverableException: I/O-Error: Invalid connection string format, a valid format is: "//host[:port][/service_name]"

The database connection URL is incorrect, check the settings.

ERROR x.x.x.x admin:Exception occurred during database access, exception: com.swiveltechnologies.pinsafe.server.user.database.DatabaseException: java.sql.SQLRecoverableException: I/O-Error: Unknown host specified

ERROR x.x.x.x admin:Unable to open the database: java.sql.SQLRecoverableException: I/O-Error: Unknown host specified

Incorrect hostname specified for Db server

ERROR x.x.x.x admin:Exception occurred during database access, exception: com.swiveltechnologies.pinsafe.server.user.database.DatabaseException: java.sql.SQLRecoverableException: I/O-Error: Invalid number format for port number

ERROR x.x.x.x admin:Unable to open the database: java.sql.SQLRecoverableException: I/O-Fehler: Invalid number format for port number

The port number is not specified correctly, check for non numeric characters and that it has been specified.

ERROR x.x.x.x admin:Exception occurred during database access, exception: com.swiveltechnologies.pinsafe.server.user.database.DatabaseException: java.lang.ClassNotFoundException: oracle.jdbc.driver.oracledriver

ERROR x.x.x.x admin:Failed trying to load JDBC driver class

The driver has failed to load, in this instance oracle.jdbc.driver.oracledriver has been specified instead of oracle.jdbc.driver.OracleDriver

Apache Tomcat Errors

ERROR - Saving the XML config file "/usr/local/tomcat/webapps/pinsafe/WEB-INF/conf/config.xml" failed, error: java.io.IOException: No space left on device.

java.io.IOException: No space left on device at java.io.FileOutputStream.writeBytes(Native Method)

The device has run out of disk space. Free up disk space to allow Tomcat to start.

SEVERE: Servlet /pinsafe threw load() exception java.lang.OutOfMemoryError: Java heap space

This error can be seen when there is insufficient memory to run PINsafe, particularly where there are several PINsafe instances running on the PINsafe server. To increase the memory available on a Microsoft Windows system,double click on the Apache Tomcat Taskbar Monitir to bring up the properties and select the Java Tab. Set the Initial Memory Pool and Maximum memory pool to suitable sizes.

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Error instantiating servlet class com.swiveltechnologies.pinsafe.ui.AdminLogin org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869) org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664) org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527) org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80) org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684) java.lang.Thread.run(Unknown Source)

root cause

java.lang.ExceptionInInitializerError sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) java.lang.reflect.Constructor.newInstance(Unknown Source) java.lang.Class.newInstance0(Unknown Source) java.lang.Class.newInstance(Unknown Source) org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869) org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664) org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527) org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80) org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684) java.lang.Thread.run(Unknown Source)

This has been seen when the config.xml file has become corrupted and half the file is not present.

To look for errors open the config.xml file with Internet Explorer and look for any errors.

HTTP Status 500 -

--------------------------------------------------------------------------------

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

java.lang.NullPointerException com.swiveltechnologies.pinsafe.server.session.SessionQueue.createFakeSession(SessionQueue.java:39) com.swiveltechnologies.pinsafe.server.user.LocalAuth.sessionStart(LocalAuth.java:860) com.swiveltechnologies.pinsafe.server.ui.AdminLogin.doPost(AdminLogin.java:192) javax.servlet.http.HttpServlet.service(HttpServlet.java:641) javax.servlet.http.HttpServlet.service(HttpServlet.java:722) com.swiveltechnologies.pinsafe.server.filter.AdminConsoleFilter.doFilter(AdminConsoleFilter.java:135)

This has been seen to be caused by an incorrect setting in the config.xml file

ERROR: XML validation of "/usr/local/tomcat/webapps/pinsafe/WEB-INF/conf/config.xml" failed, error: Element has xsi:nil attribute but is not nillable in element map@http://swiveltechnologies.com/xmlconfig, line: <value xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://swiveltechnologies.co m/xmlconfig"/>.

ERROR: XML validation of "/usr/local/tomcat/webapps/pinsafe/WEB-INF/conf/config.xml.old" failed, error: Element has xsi:nil attribute but is not nillable in element map@http://swiveltechnologies.com/xmlconfig, line: <value xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://swiveltechnologies.com/xmlconfig"/>.

The above error can be seen in the catalia.out log file. This can prevent Apache Tomcatfrom starting up. It is caused by additional Transport Attributes being created without group entries. To resolve the issue, stop Tomcat, backup the config.xml file, locate the entry which contains the line <value xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/> and remove the required Transport Attribute from <element> to <\element>

Example:

<element>
         <string name="name">
           <value>Mobile</value>
         </string>
         <map name="attribute" server="LDAP server">
           <value>Mobile</value>
         </map>
         <map name="attribute" server="local_primary">
           <value xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
         </map>
       </element>

See Also: Transport Attribute nil attribute but is not nillable