Tech Tip - CA Single Sign-On: Secure Proxy Server (SPS) configured with dedicated user fails to startup

By wonsa03 posted Nov 05, 2015 04:12 PM

  

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 6th Nov 2015


Issue:

SPS is failing to start after configuring it with a dedicated user, instead of the root user.

 

Cause:

When SPS is configured with a dedicated user, proxyserver.sh is executed as this user instead of root. During startup, the sps.pid file is created under the ${PROXY_HOME}/CA/secure-proxy/tmp directory, so this user needs write permission to that directory.

 

The following is observed when SPS is started with the root account while it is configured with a dedicated user:

[root@lod1111 proxy-engine]# ./sps-ctl start
httpd (pid 7814) already running
Successfully Started Apache..
Attempting to start Secure Proxy Engine..
Sending output to /opt/CA/secure-proxy/proxy-engine/logs/nohup.out.20151002_020336
/opt/CA/secure-proxy/proxy-engine/proxyserver.sh: line 184: /opt/CA/secure-proxy/proxy-engine/tmp/sps.pid: Permission denied
/opt/CA/secure-proxy/proxy-engine/proxyserver.sh: line 184: /opt/CA/secure-proxy/proxy-engine/logs/nohup.out.20151002_020336: Permission denied
Successfully Started Proxy Engine..
(Proxy Engine initialization may take a few extra seconds).

 

Resolution:

On UNIX, make sure the following is updated in the httpd.conf file:

User <dedicated_user>

LoadModule env_module modules/mod_env.so

PassEnv LD_LIBRARY_PATH

 

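Also, change the owner of the SPS tmp and logs folders to this dedicated user. These are the proxy-engine/tmp and proxy-engine/logs directories named in the errors above, not the system /tmp.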

 

If you have configured SPS as a Federation Gateway, the Federation Web Services application is deployed inside the Tomcat web server. Ensure that the owner of the ${PROXY_HOME}/CA/secure-proxy/Tomcat/webapps/affwebservices folder is updated to this dedicated user with at least 755 permissions; otherwise you will get HTTP error 404 with the following exception logged in the nohup log:

 

 

Oct 26, 2015 7:07:00 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [jsp] in context with path [/affwebservices] threw exception [java.lang.IllegalStateException: No output folder] with root cause
java.lang.IllegalStateException: No output folder

So, please change the owner of the tmp and logs folders to nobody, keeping the permissions on the secure-proxy files and folders at 755, and try starting SPS again.
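
A read-only pre-start check for the settings in this tip, added here as an example and not part of the SPS distribution: it reads the User directive from httpd.conf, confirms PassEnv LD_LIBRARY_PATH is present, and verifies that the tmp, logs and (optionally) affwebservices folders are owned by that user with at least 755 permissions. The function names and argument layout are assumptions; pass the paths from your own install.

```shell
#!/bin/sh
# Added example: pre-start check for an SPS instance that runs as a dedicated user.
# All paths are passed as arguments; nothing is changed on disk.

# conf_user HTTPD_CONF: print the account named by the last "User" directive.
conf_user() {
    awk 'tolower($1) == "user" { u = $2 } END { print u }' "$1"
}

# check_dir DIR USER: succeed only if DIR is owned by USER with at least mode 755.
check_dir() {
    if [ ! -d "$1" ]; then
        echo "MISSING $1"; return 1
    fi
    # find prints the directory only when both the owner and the mode bits match.
    if [ -n "$(find "$1" -prune -user "$2" -perm -755 2>/dev/null)" ]; then
        echo "OK      $1"
    else
        echo "FIX     $1 (want owner $2, mode >= 755)"; return 1
    fi
}

# check_sps HTTPD_CONF ENGINE_DIR [AFFWEBSERVICES_DIR]
check_sps() {
    conf=$1 engine=$2 fed=${3:-} rc=0
    user=$(conf_user "$conf")
    if [ -z "$user" ]; then
        echo "FIX     no User directive in $conf"; return 1
    fi
    grep -Eq '^[[:space:]]*PassEnv[[:space:]].*LD_LIBRARY_PATH' "$conf" ||
        { echo "FIX     PassEnv LD_LIBRARY_PATH missing in $conf"; rc=1; }
    check_dir "$engine/tmp" "$user" || rc=1
    check_dir "$engine/logs" "$user" || rc=1
    if [ -n "$fed" ]; then
        check_dir "$fed" "$user" || rc=1
    fi
    return "$rc"
}

# Run only when paths are supplied, e.g.: sh check_sps.sh httpd.conf /path/to/proxy-engine
if [ "$#" -ge 2 ]; then
    check_sps "$@"
fi
```

Any FIX or MISSING line means the proxy engine would hit the same Permission denied or No output folder errors shown above when started as the dedicated user.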
