Issue:
We're running a Policy Server, and when we try to reach its ports in the
range 44441 to 44444 using telnet from a Web Agent machine, we get
the error "Connection refused". Could you help us make the ports
available?
Environment:
Policy Server 12.8 on RedHat 7
Cause:
On the Policy Server machine:
- Temporarily disable SELinux:
# setenforce 0
How can I Disable SELinux in CentOS 7/6 and Fedora 18-24
https://www.tecmint.com/disable-selinux-temporarily-permanently-in-centos-rhel-fedora/
- Temporarily disable the firewall:
# iptables -F
- Verify that SELinux and the firewall are disabled:
Run the command
# getenforce
It should give:
disabled
Run the command
# iptables -L
It should give:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Start the Policy Server and try to reach the Policy Server ports.
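The test above flushes every rule with iptables -F to find out whether the firewall is blocking the ports. The following added example (not part of this KB or the vendor documentation) answers the same question without removing any rule: it reads `iptables -S INPUT` output and reports the first rule that decides a new TCP connection to each port in the 44441-44444 range. The function names, the variable name and the sample ruleset are constructed for illustration.

```shell
# Added example, not from the KB. Reads `iptables -S INPUT` on stdin and prints the
# verdict for a NEW remote TCP connection to PORT: ACCEPT, REJECT, DROP or UNKNOWN.
first_verdict() {
  awk -v port="$1" '
    function in_ports(spec,   n, i, parts, r) {     # "22", "44441:44444", "80,443"
      n = split(spec, parts, ",")
      for (i = 1; i <= n; i++) {
        if (split(parts[i], r, ":") == 1) r[2] = r[1]
        if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
      }
      return 0
    }
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
      hit = 1; unsure = 0; target = ""
      for (i = 3; i < NF; i++) {
        v = $(i + 1)
        if ($i == "-i" && v == "lo") hit = 0                    # loopback-only rule
        if ($i == "-p" && v != "tcp" && v != "all") hit = 0     # other protocol
        if (($i == "--state" || $i == "--ctstate") && v !~ /(^|,)NEW(,|$)/) hit = 0
        if (($i == "--dport" || $i == "--dports") && !in_ports(v)) hit = 0
        if ($i == "-s" || $i == "-d" || $i == "!") unsure = 1   # not evaluated here
        if ($i == "-j") target = v
      }
      if (!hit) next
      if (unsure || target !~ /^(ACCEPT|REJECT|DROP)$/) target = "UNKNOWN"
      print target; decided = 1; exit
    }
    END { if (!decided) print policy }              # no rule matched: chain policy
  '
}

# Constructed sample: RHEL-style default rules plus a rule opening only part of
# the Policy Server range from the page (44441-44444).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 44441:44443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# report_range FIRST LAST RULES: one "port verdict" line per port
report_range() {
  for p in $(seq "$1" "$2"); do
    printf "%s %s\n" "$p" "$(printf "%s\n" "$3" | first_verdict "$p")"
  done
}

report_range 44441 44444 "$SAMPLE_RULES"
```

On a live host, run `iptables -S INPUT | first_verdict 44441` as root. UNKNOWN means the deciding rule depends on a source or destination address, a negation, or a jump to another chain, and has to be read by hand.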
Resolution:
Modifying the iptables (firewall) rules and applying the SELinux configuration
as per the documentation made the Policy Server ports available.
Additional Information:
(Optional) Add Exceptions to Security–Enhanced Linux (SELinux)
https://docops.ca.com/ca-single-sign-on/12-8/en/installing/install-a-policy-server/install-policy-server-on-unix/run-the-installer
The firewall and SELinux commands above are temporary settings. To
prevent the issue from recurring, you may want to disable the firewall and
SELinux permanently:
SELinux
Configure Security–Enhanced Linux (SELinux) to Work with CA Single Sign-On
Follow these steps:
Access the /etc/selinux/config file.
Run the following command to check the current status:
sestatus
If SELinux is set to enforcing, change the status to either permissive
or disabled.
SELINUX=permissive
or
SELINUX=disabled
https://docops.ca.com/ca-single-sign-on/12-8/en/installing/install-a-policy-server/install-policy-server-on-unix/run-the-installer
KB : KB000131795