Symantec Access Management


Start Up and Stop Script for CA Access Gateway 12.7

  • 1.  Start Up and Stop Script for CA Access Gateway 12.7

    Posted Nov 16, 2017 09:08 AM

    Team,

     

    We recently upgraded our CA SSO infrastructure from 12.5 to 12.7. We are looking for start-up and stop scripts for CA Access Gateway (Proxy Server), something similar to the S98SM scripts, for RHEL 7.x. Since in RHEL 7.x we need to use systemctl and service to write the start-up and stop script and not the rc2.d way, it is failing.

     

    We wanted something like:

     

    https://support.ca.com/us/knowledge-base-articles.TEC1171385.html

    https://docops.ca.com/ca-single-sign-on/12-6-01/en/installing/install-a-policy-server/install-policy-server-on-unix/configure-auto-startup 

     

    Thanks,

    Avinash



  • 2.  Re: Start Up and Stop Script for CA Access Gateway 12.7

    Posted Nov 16, 2017 09:53 AM

    Try this

     

    [Unit]
    Description=CA Access Gateway
    After=syslog.target network.target

    [Service]
    Type=forking

    Environment=JAVA_HOME=${JAVA_ROOT}/jre
    Environment=CATALINA_PID=${APP_DIR}/proxy-engine/tmp/sps.pid
    Environment=CATALINA_HOME=${APP_DIR}/Tomcat
    Environment=CATALINA_BASE=${APP_DIR}/Tomcat
    Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
    Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

    ExecStart=${APP_DIR}/proxy-engine/sps-ctl start
    ExecStop=${APP_DIR}/proxy-engine/sps-ctl stop

    User=smuser
    Group=smgroup
    UMask=0007
    RestartSec=10
    Restart=always

    [Install]
    WantedBy=multi-user.target



  • 3.  Re: Start Up and Stop Script for CA Access Gateway 12.7

    Posted Nov 16, 2017 10:10 AM

    Thanks a lot David, let me try this and get back to you with the results.

     

    Thanks,

    Avinash



  • 4.  Re: Start Up and Stop Script for CA Access Gateway 12.7

    Posted Nov 16, 2017 11:09 AM

    Team,

     

    We are getting the following error:

     

    ● S98SPS.service - CA Access Gateway
       Loaded: loaded (/etc/systemd/system/S98SPS.service; enabled; vendor preset: disabled)
       Active: activating (auto-restart) (Result: exit-code) since Thu 2017-11-16 11:01:44 EST; 668ms ago
      Process: 30546 ExecStart=/opt/Siteminder/secure-proxy/proxy-engine/sps-ctl startSSL (code=exited, status=203/EXEC)

    S98SPS.service: control process exited, code=exited status=203
    Failed to start CA Access Gateway.
    Unit S98SPS.service entered failed state.
    S98SPS.service failed.

     

    The script we used is:

    [Unit]
    Description=CA Access Gateway
    After=syslog.target network.target
    [Service]
    Type=forking
    Environment=JAVA_HOME=/opt/Siteminder/jdk1.8.0_151/jdk1.8.0_151/jre
    Environment=CATALINA_PID=/opt/Siteminder/secure-proxy/proxy-engine/tmp/sps.pid
    Environment=CATALINA_HOME=/opt/Siteminder/secure-proxy/Tomcat
    Environment=CATALINA_BASE=/opt/Siteminder/secure-proxy/Tomcat
    Environment='CATALINA_OPTS=--Dcatalina.base=${TOMCAT_HOME} -Dcatalina.home=${TOMCAT_HOME} -Djava.io.tmpdir=${TOMCAT_HOME}/temp -DHTTPClient.log.mask=0 -DHTTPClient.Modules=HTTPClient.RetryModule|org.tigris.noodle.NoodleCookieModule|HTTPClient.DefaultModule -Dlogger.properties=${TOMCAT_HOME}/properties/logger.properties -Djava.endorsed.dirs=${TOMCAT_HOME}/endorsed $STS_AGENT_LOG_CONFIG_FILE -Dfile.encoding=UTF8 -DIWACONFIGHOME=$IWACONFIGHOME_STS -Djavax.net.debug=alln'
    Environment='JAVA_OPTS=-ms256m -mx1024m'
    ExecStart=/opt/Siteminder/secure-proxy/proxy-engine/sps-ctl startSSL
    ExecStop=/opt/Siteminder/secure-proxy/proxy-engine/sps-ctl stop
    User=smuser
    Group=smuser
    UMask=0007
    RestartSec=10
    Restart=always
    [Install]
    WantedBy=multi-user.target

     

    Please do let me know if I am missing something.

     

    Thanks,

    Avinash



  • 5.  Re: Start Up and Stop Script for CA Access Gateway 12.7
    Best Answer

    Broadcom Employee
    Posted Nov 16, 2017 03:59 PM

    Hi 

     

    For SPS starting as root would be needed to allow access to listen on :80 and :443

     

    Also systemd did not expand environment variables, although that was something they were going to fix.

     

    Here is script from another CA Services consultant from an earlier internal discussion, Rich_Faust

     

    [Unit]
    Description=CA Access Gateway Service
    After=syslog.target network.target

    [Service]
    Type=forking

    Environment=JAVA_HOME=/apps/java/latest/bin/java
    Environment=CATALINA_PID=/apps/CA/secure-proxy/gateway/secure_proxy/proxy-engine/tmp/sps.pid
    Environment=CATALINA_HOME=/apps/CA/secure-proxy/gateway/Tomcat
    Environment=CATALINA_BASE=/apps/CA/secure-proxy/gateway/Tomcat
    Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
    Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

    ExecStart=/apps/CA/secure-proxy/gateway/proxy-engine/sps-ctl startssl
    ExecStop=/apps/CA/secure-proxy/gateway/proxy-engine/sps-ctl stop
    User=root
    Group=root
    UMask=0007
    RestartSec=60
    Restart=always

    [Install]
    WantedBy=multi-user.target

     

     

    Then: 

        systemctl status ca-access-gateway

     

    was used to show the output. 

     

    Cheers - Mark

    -- 

    PS : No credit to me for this one, I was just keeping eye on the issue since it is one I will face :-)

     



  • 6.  Re: Start Up and Stop Script for CA Access Gateway 12.7

    Posted Nov 16, 2017 04:28 PM

    Hello Mark,

     

    A similar script was given to me by David in the morning. I tried the script and I got the below mentioned error:

     

    S98SPS.service - CA Access Gateway
       Loaded: loaded (/etc/systemd/system/S98SPS.service; enabled; vendor preset: disabled)
       Active: activating (auto-restart) (Result: exit-code) since Thu 2017-11-16 11:01:44 EST; 668ms ago
      Process: 30546 ExecStart=/opt/Siteminder/secure-proxy/proxy-engine/sps-ctl startSSL (code=exited, status=203/EXEC)

    S98SPS.service: control process exited, code=exited status=203
    Failed to start CA Access Gateway.
    Unit S98SPS.service entered failed state.
    S98SPS.service failed.

     

    I am starting the SPS as smuser and not as root. I have a quick question: where do I pull CATALINA_OPTS and JAVA_OPTS from? I am thinking from proxyserver.sh. Please find below the script which I used in my environment.

     

    [Unit]

    Description=CA Access Gateway
    After=syslog.target network.target
    [Service]
    Type=forking
    Environment=JAVA_HOME=/opt/Siteminder/jdk1.8.0_151/jdk1.8.0_151/jre
    Environment=CATALINA_PID=/opt/Siteminder/secure-proxy/proxy-engine/tmp/sps.pid
    Environment=CATALINA_HOME=/opt/Siteminder/secure-proxy/Tomcat
    Environment=CATALINA_BASE=/opt/Siteminder/secure-proxy/Tomcat
    Environment='CATALINA_OPTS=--Dcatalina.base=${TOMCAT_HOME} -Dcatalina.home=${TOMCAT_HOME} -Djava.io.tmpdir=${TOMCAT_HOME}/temp -DHTTPClient.log.mask=0 -DHTTPClient.Modules=HTTPClient.RetryModule|org.tigris.noodle.NoodleCookieModule|HTTPClient.DefaultModule -Dlogger.properties=${TOMCAT_HOME}/properties/logger.properties -Djava.endorsed.dirs=${TOMCAT_HOME}/endorsed $STS_AGENT_LOG_CONFIG_FILE -Dfile.encoding=UTF8 -DIWACONFIGHOME=$IWACONFIGHOME_STS -Djavax.net.debug=alln'
    Environment='JAVA_OPTS=-ms256m -mx1024m'
    ExecStart=/opt/Siteminder/secure-proxy/proxy-engine/sps-ctl startSSL
    ExecStop=/opt/Siteminder/secure-proxy/proxy-engine/sps-ctl stop
    User=smuser
    Group=smuser
    UMask=0007
    RestartSec=10
    Restart=always
    [Install]
    WantedBy=multi-user.target

     

    Please do let me know what I am missing.

     

    Thanks,

    Avinash



  • 7.  Re: Start Up and Stop Script for CA Access Gateway 12.7

    Broadcom Employee
    Posted Nov 16, 2017 05:00 PM

    Hi, you probably missed these two points : 

     

    • For SPS starting as root would be needed to allow access to listen on :80 and :443
    • Also systemd did not expand environment variables, although that was something they were going to fix.

     

    Those were ones I know needed to be fixed.

     

    Optional: 

     

    • Also Restart setting was longer, RestartSec=60 - Richard has said 10sec was too short.

     

    • systemctl status ca-access-gateway
          gives nice log of dependencies as starting up - and I think last failure details. 

     

    • The environment variables should be from : ca_sps_env.sh  
      I did see some of those were from proxyserver.sh - I personally didn't think they should be needed - if they are set in the run script - but as I said I have not tested it.

     

    But finally, if you check server.log/nohup*out logs there is likely to be something indicating why startup failed. 

     

    Cheers - Mark

     

     



  • 8.  Re: Start Up and Stop Script for CA Access Gateway 12.7

    Broadcom Employee
    Posted Nov 16, 2017 05:05 PM

    You should probably try the script I posted, it was an internal forum post, but that was Richard's final working systemd script - it does not use env variables ${TOMCAT_HOME} and runs the startup as user root to allow access to :80 and :443  (change to smuser happens after startup).  Cheers - Mark



  • 9.  Re: Start Up and Stop Script for CA Access Gateway 12.7

    Posted Nov 17, 2017 10:43 AM

    Mark,

     

    I used the below Script as suggested by you:

     

    [Unit]
    Description=CA Access Gateway Service
    After=syslog.target network.target
    [Service]
    Type=forking
    Environment=JAVA_HOME=/opt/Siteminder/jdk1.8.0_151/jdk1.8.0_151
    Environment=CATALINA_PID=/opt/Siteminder/secure-proxy/proxy-engine/tmp/sps.pid
    Environment=CATALINA_HOME=/opt/Siteminder/secure-proxy/Tomcat
    Environment=CATALINA_BASE=/opt/Siteminder/secure-proxy/Tomcat
    Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
    Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
    ExecStart=/opt/Siteminder/secure-proxy/proxy-engine/sps-ctl startSSL
    ExecStop=/opt/Siteminder/secure-proxy/proxy-engine/sps-ctl stop
    User=root
    Group=root
    UMask=0007
    RestartSec=60
    Restart=always
    [Install]

     

    We are getting the following error:

     

    ● S98SPS.service - CA Access Gateway Service
       Loaded: loaded (/etc/systemd/system/S98SPS.service; enabled; vendor preset: disabled)
       Active: activating (auto-restart) (Result: exit-code) since Fri 2017-11-17 10:28:45 EST; 7s ago
      Process: 20398 ExecStart=/opt/Siteminder/secure-proxy/proxy-engine/sps-ctl startSSL (code=exited, status=203/EXEC)

    S98SPS.service: control process exited, code=exited status=203
    Failed to start CA Access Gateway Service.
    Unit S98SPS.service entered failed state.
    S98SPS.service failed.

     

    And there is no update in the Server.log or nohup.log, but in var/log/messages we are getting:

     

    systemd: Failed at step EXEC spawning /opt/Siteminder/secure-proxy/proxy-engine/sps-ctl: Exec format error
    systemd: Failed at step EXEC spawning /opt/Siteminder/secure-proxy/proxy-engine/sps-ctl: Exec format error

     

    Thanks,

    Avinash



  • 10.  Re: Start Up and Stop Script for CA Access Gateway 12.7

    Broadcom Employee
    Posted Nov 19, 2017 04:48 PM

    Hi Avi 

     

    For: 

    systemd: Failed at step EXEC spawning /opt/Siteminder/secure-proxy/proxy-engine/sps-ctl: Exec format error

     

    The first line of the script sps-ctl says what shell interpreter runs the script - it probably is : 

    #!/bin/sh

    I am not in position to check at the moment, "Exec format error" usually means it cannot find that program /bin/sh, so you probably need to install /bin/sh - or change it to /bin/bash in sps-ctl and proxyserver.sh (or to an interpreter that you do have).

     

     

    I understand that : 

         systemctl status ca-access-gateway

    gives some information about failed startup state as well - from log I saw elsewhere 

     

    Cheers - Mark

     



  • 11.  Re: Start Up and Stop Script for CA Access Gateway 12.7

    Broadcom Employee
    Posted Oct 22, 2018 06:52 PM

    For Access Gateway 12.8 - again not my work but passing on what someone has given to me : this time from Jiangping Li : 

     

    1) Problem with #!/bin/sh not being at top of sps-ctl script is still an issue, and that had to be moved to the top of the file.

     

    2) The script much the same but removed all the Environment settings 
    (I did think these should not have been needed in the R12.7 release either, but I was not testing it, so copied what was given to me in full - maybe whatever cascading need for them has been removed)

     

    From Jiangping Li. : seems like I can use the following service unit file to get it work:

     

    [Unit]
    Description=CA Access Gateway Service
    Requires=network.target

    [Service]
    Type=forking
    User=root
    ExecStart=/opt/CA/secure-proxy/proxy-engine/sps-ctl start
    ExecStop=/opt/CA/secure-proxy/proxy-engine/sps-ctl stop
    RestartSec=60
    Restart=always

    [Install]
    WantedBy=multi-user.target

     

     

    Cheers - Mark
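
Added example, not part of the original posts and not CA/Broadcom code: a preflight check for the two causes named in this thread, an `ExecStart=` target whose `#!` line is not the first line (status=203/EXEC, "Exec format error") and `$` references inside `Environment=` lines, which systemd does not expand. The function names and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight for a unit file, covering the two failure causes
# named in this thread. Function names are illustrative.

# Return 0 if the kernel can exec FILE; 2 if it lacks '#!' on line 1, which
# makes execve() fail with ENOEXEC ("Exec format error", status=203/EXEC).
check_exec_target() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -x "$f" ] || { echo "not executable: $f"; return 1; }
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c46) echo "ok: $f is an ELF binary"; return 0 ;;
        2321*) ;;   # file starts with "#!"
        *) echo "no '#!' on line 1 of $f: Exec format error"; return 2 ;;
    esac
    interp=$(head -n 1 "$f" | sed 's/^#![[:space:]]*//' | awk '{print $1}')
    [ -x "$interp" ] || { echo "interpreter not usable: $interp"; return 3; }
    echo "ok: $f runs via $interp"
}

# Check every ExecStart=/ExecStop= target in UNIT and flag Environment= lines
# that contain '$', which systemd stores literally instead of expanding.
check_unit() {
    unit=$1; rc=0
    if grep -n '^[[:space:]]*Environment=.*\$' "$unit"; then
        echo "warning: '\$' in Environment= is not expanded by systemd"; rc=1
    fi
    for t in $(sed -nE 's/^[[:space:]]*Exec(Start|Stop)=[-@+!:]*([^[:space:]]+).*/\2/p' "$unit" | sort -u); do
        check_exec_target "$t" || rc=1
    done
    return $rc
}

# Constructed demo: a script whose '#!' line is not first, and a unit using it.
demo=$(mktemp -d)
printf '# header comment\n#!/bin/sh\necho started\n' > "$demo/sps-ctl"
chmod +x "$demo/sps-ctl"
printf '[Service]\nEnvironment=CATALINA_OPTS=-Dcatalina.base=${TOMCAT_HOME}\nExecStart=%s start\n' "$demo/sps-ctl" > "$demo/test.service"
check_unit "$demo/test.service"
echo "check_unit exit code: $?"
```

Run `check_unit` against the real unit file before `systemctl daemon-reload`; a non-zero exit means at least one of the two problems is present.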

     

     

     



  • 12.  Re: Start Up and Stop Script for CA Access Gateway 12.7

    Posted Nov 16, 2017 11:49 AM

    Team,

     

    One more thing is we have Disabled SE Linux. We have the following line :

     

    SELINUX=disabled

     

    Under /etc/selinux/config. and when we run the getenforce the output is disabled.

     

    $ getenforce
    Disabled

     

    Thanks,

    Avi