
Identity Cloud or IDM fail to connect to the Remote Connector Server (RCS) with a Failed to validate and load script error

Last updated Sep 23, 2021

The purpose of this article is to provide assistance if you see "Failed to validate and load script" errors when Identity Cloud or IDM fail to connect to the RCS. This issue only occurs when you are using scripted connectors.


Symptoms

Identity Cloud or IDM fail to connect to the RCS and you see errors similar to the following in the RCS logs:

    2021-09-22 10:22:03,537 ERROR o.f.o.c.g.ScriptedConfiguration: Failed to validate and load script: CreateScript.groovy Method: validateScript org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed: IO Exception attempting to load global transforms:/tmp/bundle-1192785746/lib/groovy-3.0.7.jar

See How do I enable debug logging and log rotation for the Remote Connector Server (RCS)? for further information on debugging.

In IDM, you will also see a similar error occurring:

    WARNING: Failure to activate connector. org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed: IO Exception attempting to load global transforms:/tmp/bundle-1192785746/lib/groovy-3.0.7.jar

Recent Changes

Configured a scripted connector for the RCS.

Causes

When the RCS initially starts up, it creates temporary connector bundle files in the JVM temp directory (/tmp by default on Unix® and Linux® systems). These files are required to compile scripted connectors.

When Identity Cloud or IDM attempts to connect to the RCS, the RCS uses these temporary files to compile the scripted connectors being used. Assuming they exist, the connection proceeds and everything functions as expected. If these files cannot be found, Identity Cloud or IDM will fail to connect with the “Failed to validate and load script” error seen above.

Some operating systems have a watcher process that deletes files from the temp directory automatically after a certain period of time. If this happens, the RCS will continue to operate without any errors but if something subsequently causes Identity Cloud or IDM to try to reconnect to the RCS (for example, a promotion in Identity Cloud or restarting IDM), the connection will fail because the temporary connector bundle files are missing.

Solution

This issue can be resolved by creating a dedicated temp directory for the temporary connector bundle files so they're not deleted by any watcher processes. You can do this as follows:

  1. Create a temp directory for the bundle files, for example:

         $ cd /path/to/openicf
         $ mkdir bundle_tmp

  2. If you are running RCS as a service: edit the service file (for example, rcs.service in the /etc/systemd/system directory) and update the Environment line to include the temp directory you created in step 1:

         -Djava.io.tmpdir=/path/to/openicf/bundle_tmp

     The Environment line should now look similar to this:

         Environment="OPENICF_OPTS=-Xmx1024m -Djava.io.tmpdir=/path/to/openicf/bundle_tmp"

  3. Restart the RCS as follows depending on whether you are running it as a service or not; if you are not running it as a service, you will need to set the temp directory when you start it:
    • RCS as a service:

          $ sudo systemctl restart rcs.service

    • RCS not as a service and deployed on Unix and Linux systems:

          $ cd /path/to/openicf/bin
          $ export OPENICF_OPTS="-Djava.io.tmpdir=/path/to/openicf/bundle_tmp"
          $ ./ConnectorServer.sh /run

    • RCS not as a service and deployed on Microsoft® Windows® systems:

          C:\> cd \path\to\openicf\bin
          C:\path\to\openicf\bin> set OPENICF_OPTS=-Djava.io.tmpdir=/path/to/openicf/bundle_tmp
          C:\path\to\openicf\bin> ConnectorServer.bat /run
  4. Verify this change has taken effect by checking that the bundle files have been created under the new temp directory (/path/to/openicf/bundle_tmp) after restarting the RCS.
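
The check in step 4 and the symptom above can be scripted; the following is an added example, not ForgeRock code. It assumes the bundle-<id>/lib/*.jar layout visible in the error message, the function names are hypothetical, and the permission check is an added assumption that only the account running the RCS should be able to write to the directory the connector jars are loaded from.

```sh
#!/bin/sh
# Added example, not ForgeRock code. Function names are hypothetical.
# Assumes the bundle-<id>/lib/*.jar layout shown in the error on this page.
# Usage: rcs_check_tmpdir /path/to/openicf/bundle_tmp
#        rcs_missing_jars <RCS log file>

# Print each jar path named in a "load global transforms" error in the given
# log that no longer exists on disk. Returns 0 if none are missing, 1 otherwise.
rcs_missing_jars() {
    log=$1
    rc=0
    paths=$(sed -n 's/.*load global transforms:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$log" | sort -u)
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            printf '%s\n' "$path"
            rc=1
        fi
    done <<EOF
$paths
EOF
    return "$rc"
}

# Check the dedicated temp directory after restarting the RCS (step 4).
# Returns 0 = ok, 1 = directory missing, 2 = no bundle jars created yet,
# 3 = directory is writable by group or others.
rcs_check_tmpdir() {
    dir=$1
    [ -d "$dir" ] || return 1
    jars=$(find "$dir" -path '*/bundle-*/lib/*.jar' -type f | wc -l)
    [ "$jars" -gt 0 ] || return 2
    # The RCS loads these jars as code, so unlike the shared /tmp only the
    # owner should be able to write to this directory.
    loose=$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)
    [ -z "$loose" ] || return 3
    return 0
}
```

A non-zero result from rcs_missing_jars on a running RCS means the next reconnect from Identity Cloud or IDM will fail even though the RCS itself reports no errors.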

See Also

RCS in Identity Cloud


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.