What is Okta On-prem Connector?
Okta created the On-prem Connector for SAP Netweaver ABAP to provide an out-of-the-box solution that connects SAP on-premises applications with Okta Identity Governance. It enables the discovery, visibility, and management of SAP entitlements (Roles) directly within Okta. This integration enhances security, saves time, and simplifies governance by eliminating the need for custom integrations and streamlining entitlement management.
SAP Solutions based on SAP Netweaver ABAP Application Server (6.10, 6.20, 6.30, 2004, 7.x) are supported. For example, BW/BI, GRC, SRM, PI, CRM, HCM, and ECC. S4/HANA is supported with limited capability. S4/HANA cloud editions are not supported.
This article aims to list common errors encountered during the setup of the On-prem Connector for SAP Netweaver ABAP and provide easy troubleshooting suggestions.
- Error: Connection timed out: connect
- Error: java.net.UnknownHostException: [FQDN address]
- Error: failed: Name or password is incorrect
- Error: Please check and ensure Provisioning Agent is running
- Error: http protocol is not supported
- Error: Failed to create user, enter an initial password
- Error: Uninstall script not found or not executable
- Error: Config file (.opcconfig) not found in /home/ec2-user/bin. Exiting… while uninstalling OPC agent
- Error: Connector Agent Installation Fails to Start
- Frequent SAP System Connection Failures
- Error: Unauthorized Error During User Operations
- Connecting to a SAP System Requiring Multiple Hops
Error: Connection timed out: connect
Cause
- Incorrect IP address in the Fully Qualified Domain Name (FQDN), specifically the IP address of the machine where the On-prem Connector is located.
Solution
- Verify and provide the correct IP address of the machine where the On-prem Connector is located.
- Uninstall any unnecessary On-prem Connectors, ensuring only the relevant one is retained.
Error: java.net.UnknownHostException: [FQDN address]
Cause
- The specified Fully Qualified Domain Name (FQDN) is incorrect or unresolvable. This typically occurs when the FQDN does not correctly point to the machine where the On-prem Connector is located.
- Examples of FQDNs:
  - Valid: server1.example.com, my-computer.office.local
  - Invalid:
    - Partial FQDN: server1 (missing domain)
    - Unresolvable FQDN: not-a-real-server.example.com (doesn't resolve on the network)
Solution
- Ensure that the correct FQDN is provided. Verify the FQDN of the machine hosting the On-prem Connector and update the configuration accordingly.
Error: failed: Name or password is incorrect
Cause
- Incorrect user name or password for the SAP service account.
Solution
- Enter the correct user name and password of the SAP service account during provisioning setup.
Error: Please check and ensure Provisioning Agent is running
Cause
- The Okta Provisioning Agent is down or disrupted.
Solution
- Ensure the Okta Provisioning Agent is active and the machine on which it is running is accessible.
Error: http protocol is not supported
Cause
- The Okta Provisioning Agent is not configured for the HTTP protocol.
Solution
- Allow HTTP in the OPP Agent: navigate to /opt/OktaProvisioningAgent/conf/, edit OktaProvisioningAgent.conf, and restart the Okta Provisioning Agent. Detailed guidance on restarting the Okta Provisioning Agent is available in the OPP Agent: Unable to Start Okta Provisioning Agent Service document.
Error: Failed to create user, enter an initial password
Cause
- The default password policy in Okta does not match the SAP password policy.
Solution
- Ensure the default password policy in Okta matches the SAP password policy.
Error: Uninstall script not found or not executable
Cause
- The Okta On-prem Connector was installed on Linux using privileged user access (e.g., sudo), but the user is attempting to uninstall it without the necessary elevated privileges.
Solution
- If the installation was performed using privileged user access, ensure that the uninstallation is also executed with the appropriate elevated privileges.
Error: Config file (.opcconfig) not found in /home/ec2-user/bin. Exiting… while uninstalling OPC agent
Cause
- The Okta On-prem Connector has been installed in a custom path.
Solution
- Navigate to the <custom-path>/Atom_atom_* directory and run the ./uninstall command to uninstall the agent.
Error: Connector Agent Installation Fails to Start
Cause
- The connector agent (Atom) installation fails, or the service fails to start after installation, particularly in Red Hat (or similar) Linux environments. This issue is often caused by an incompatible Java version installed by default on the host virtual machine. The connector agent requires a specific Java version that may differ from the system's default.
Solution
- To bypass local Java environment conflicts, run the connector agent inside a Docker container. Use the official Atom Docker image, which includes a pre-configured, compatible Java environment.
Error: Frequent SAP System Connection Failures
Cause
- The connector frequently fails to establish a connection to the SAP system. The most common cause is incorrect SAP user credentials (username or password). The error messages may not explicitly state "authentication failure," making diagnosis difficult without checking the connector's logs.
Solution
- Before testing the connection, always verify that the SAP service account credentials are correct and current, and that the account is not locked or expired within the SAP system.
Error: Unauthorized Error During User Operations
Cause
- During user import or provisioning tasks, errors like "unauthorized" or "user does not have required access" are received. The SAP service account is missing specific authorizations. This can occur even if the documented minimum permissions have been assigned, often due to custom security configurations within the target SAP environment.
Solution
- Ask the SAP security team to run an authorization trace (e.g., ST01 or STAUTHTRACE) in the SAP system.
- While the trace is active, attempt the failing operation (such as a user import).
- The trace will capture the exact authorization objects and permissions that are missing.
- Add these missing authorizations to the SAP service account's security profile.
Connecting to a SAP System Requiring Multiple Hops
Cause
- The connection to the SAP-managed system fails because the route requires passing through multiple network hops (for example, one or more SAProuters). A standard host/port connection string cannot navigate a multi-hop route.
Solution
- Construct a specific SAP connection string that defines the complete path. The format typically uses /H/ for each host and /S/ for each service/port.
Example string: /H/[Hop_1_Address]/S/[Port]/H/[Hop_2_Address]/S/[Port]/H/[Final_SAP_Host]
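As an added example (not Okta's code and not part of the original article), the following Python builds a multi-hop route string in the /H/ and /S/ format described above and parses one back into hops so a configured string can be checked before it is entered in the connector. The hostnames are constructed sample values; port 3299 is the SAProuter default.

```python
"""Build and validate SAP multi-hop route strings such as
/H/saprouter1/S/3299/H/saprouter2/S/3299/H/sapprd (added example, not Okta's code)."""
import re
from typing import List, Optional, Tuple

# One hop: (hostname or IPv4 address, port). A port of None means the hop is
# written as /H/<host> only, as the article's example does for the final SAP host.
Hop = Tuple[str, Optional[int]]

# Hostname labels per RFC 1123 (letters, digits, hyphens; no leading/trailing hyphen).
_HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")


def build_route(hops: List[Hop]) -> str:
    """Join hops into a route string, validating each host and port on the way."""
    if not hops:
        raise ValueError("route needs at least one hop")
    parts = []
    for host, port in hops:
        if not _HOST_RE.match(host):
            raise ValueError(f"invalid host in route: {host!r}")
        parts.append(f"/H/{host}")
        if port is not None:
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range for {host}: {port}")
            parts.append(f"/S/{port}")
    return "".join(parts)


def parse_route(route: str) -> List[Hop]:
    """Inverse of build_route: split a route string into hops, rejecting strings
    that do not start with /H/, carry a /S/ before any host, or give a host two ports."""
    if not route.startswith("/H/"):
        raise ValueError("route must start with /H/")
    tokens = route.split("/")[1:]  # e.g. ['H', 'host', 'S', '3299', 'H', 'host2']
    hops: List[Hop] = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "H" and i + 1 < len(tokens) and _HOST_RE.match(tokens[i + 1]):
            hops.append((tokens[i + 1], None))
            i += 2
        elif tokens[i] == "S" and hops and hops[-1][1] is None and i + 1 < len(tokens):
            hops[-1] = (hops[-1][0], int(tokens[i + 1]))  # int() rejects non-numeric ports
            i += 2
        else:
            raise ValueError(f"malformed route near token {i}: {tokens[i]!r}")
    return hops
```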
