Troubleshooting Debug Logs

The following section contains possible issues you may find in the Tenable for Fudo Debugging Log Report log files and how to resolve them.

Server did not respond to request

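If the Fudo server did not respond to a request, the cause is usually network connectivity or SSL. Verify that the given host and port are accessible from the scanner. If the Fudo PAM server uses an SSL certificate that is not signed by a known CA, either add the appropriate CA certificate to the scanner or disable SSL verification. Adding the CA certificate keeps certificate validation in place; with verification disabled, the scanner no longer validates the certificate the server presents.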

Incorrect API URL

Fudo responds with the following error message when the wrong API URL is used: Failed to obtain credential for target host.

Within the scan credential settings, the Fudo API URL field contains the endpoints that make up the complete URL needed to make HTTP requests to Fudo.

For Fudo v1 authentication, the Fudo API URL field must contain: /api

For Fudo v2 authentication, the Fudo API URL field must contain: /api/v2

Incorrect API username or password

The error “Failed to authenticate to Fudo API” may appear in the debug logs, and additionally the following HTTP response may be recorded in the logs:

{"status": "failure", "data": {"message": "Incorrect username or password."}}

This is caused by an incorrect API username or API password.

Incorrect API key

A 401 Unauthorized message may be present in the debug logs. The following HTTP response might also be recorded in the logs:

Response Body ~ {
    "result": "failure",
    "message": "Unauthorized request."
}

This is caused by an incorrect API Key in the scan credential settings.

No accounts found

When listing accounts, Fudo returns an empty list of accounts, and an "unable to obtain a credential ID" error appears in the debug logs. The following HTTP response may also be present:

{
    "items": [ ],
    "result": "success"
}

The API user must be added to the safe containing the desired account. Confirm by logging into the portal with the chosen API user. This user must have access to accounts.

Accounts found, but not a matching one

If the error "unable to obtain a credential ID" appears, but the HTTP response did not contain an empty list of items, the problem is most likely that the given username/ID/address does not match any account that the user has access to. Check the values of account name/address/ID and Use Target Address.

Object is not accessible

This HTTP response may appear in the debug logs, resulting in an error:

{"message": {"code": "NF", "data": [{"field": "Object is not accessible.", "message": "Not Found", "code": "NF"}]}}

This is usually because the API user does not have appropriate permissions. In the safe, go to the users tab, select the checkbox next to the API user, and click the manage options button. This user needs the reveal password box checked.

Checkout error

{"result": {"error_code": 1001, "error": "Checkout error occurred"}}

This error occurs when trying to check out a secret that is already checked out. Assign the account a session duration and retry.

v1 Checkout error

Note: Account checkout for Fudo v1 is unsupported through API key authentication.

For API v1, the integration fails when an API key is used to authenticate and check out accounts, because only username/password authentication is supported.

Secret used by different user

{"result": {"error_code": 1003, "error": "Secret is used by different user"}}

This can be resolved with the "force" option.
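
The signatures above can be matched mechanically when a debug log is long. The following triage helper is an added example, not Tenable or Fudo code; the function names and the framing of the sample log are assumptions, and only the quoted messages and response bodies come from this page.

```python
import json

def json_objects(text):
    """Yield each JSON object embedded in free-form debug log text."""
    decoder, pos = json.JSONDecoder(), text.find("{")
    while pos != -1:
        try:
            obj, end = decoder.raw_decode(text, pos)
            yield obj
        except json.JSONDecodeError:
            end = pos + 1  # not valid JSON here; resume after this brace
        pos = text.find("{", end)

def triage(log_text):
    """Map log signatures quoted on this page to the cause the page gives."""
    found = []
    no_cred_id = "unable to obtain a credential id" in log_text.lower()
    if "Failed to obtain credential for target host" in log_text:
        found.append("incorrect API URL: use /api (v1) or /api/v2 (v2)")
    if "Failed to authenticate to Fudo API" in log_text:
        found.append("incorrect API username or password")
    for body in json_objects(log_text):
        result, message, data = (body.get(k) for k in ("result", "message", "data"))
        code = result.get("error_code") if isinstance(result, dict) else None
        if code == 1001:
            found.append("secret already checked out: set a session duration and retry")
        elif code == 1003:
            found.append("secret used by different user: use the force option")
        elif message == "Unauthorized request.":
            found.append("incorrect API key")
        elif isinstance(data, dict) and data.get("message") == "Incorrect username or password.":
            found.append("incorrect API username or password")
        elif isinstance(message, dict) and message.get("code") == "NF":
            found.append("object not accessible: API user needs reveal password in the safe")
        elif result == "success" and body.get("items") == []:
            found.append("no accounts found: add the API user to the safe")
        elif result == "success" and body.get("items") and no_cred_id:
            found.append("no matching account: check name/address/ID and Use Target Address")
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order

# Constructed sample log: timestamps and framing are invented for illustration.
SAMPLE_LOG = """\
[12:00:01] unable to obtain a credential ID
[12:00:01] Response Body ~ {
  "items": [ ],
  "result": "success"
}
[12:00:09] {"result": {"error_code": 1003, "error": "Secret is used by different user"}}
"""
```

Calling triage(SAMPLE_LOG) returns the "no accounts found" and "secret used by different user" causes in the order they appear in the log.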