We are using EEM 12.6 CR01. RHEL7.
Our shop requires us to use PAM (LDAP) based service accounts with predefined naming standards for software ownership (files and directories). Local server built-in accounts and groups are a NO NO. So, "dsa" and "etrdir" are not acceptable. We are using the 'newuser' account instead of dsa for dxserver directory ownership.
We recently had to add pool members to an existing EEM cluster using the eiam-clustersetup.jar utility. After adding, the dxserver couldn't start. Upon investigation it turned out the config files were re-assigned to the "dsa" user, which caused the hiccup.
Please update the cluster utility to first check the dxserver owner user instead of assuming that it's still "dsa".
Release : 11.3.6
Component : CA Embedded Entitlements Manager
Installed EEM on both primary and secondary. Changed the file ownership from "dsa" to 'newuser' for all the CADirectory files, in order to follow infrastructure guidelines.
Configured the cluster setup using eiam-clustersetup.jar, which indeed appeared to run successfully. However, the service status returned "stopped" in the clustersetup.jar prompt:
# java -jar eiam-clustersetup.jar -p XXXXXXX
03/06/2021 9:38:34 AM IclUtil itechLibInit
INFO: iTechSDK initialized successfully
INFO - EIAM_HOME [/opt/CA/SharedComponents/EmbeddedEntitlementsManager/]
INFO - IGW_LOC [/opt/CA/SharedComponents/iTechnology/]
INFO - DXHOME [/opt/CA/SharedComponents/CADirectory/dxserver/]
INFO - Hostname identified as [vpl00002429.privatecloud.prod.au.internal.cba]
EiamAdmin password :
INFO - Checking server status
INFO - igateway status [stopped]
INFO - dxserver status [stopped]
The secondary EEM portal logon using EiamAdmin returns an error.
Did a manual sync between the EEM servers.
Stopped secondary EEM server. Copied over the itechpoz.db file from primary to secondary.
Deleted the itechpoz.tx file
Restarted dxserver and igateway processes.
The secondary is up and running. Able to login using EiamAdmin.
Service status in the clustersetup.jar prompt returns appropriately.
The config files' ownership is overwritten by the 'dsa' user if we run the DELTA/FULL sync using eiam-clustersetup.jar.
We need to find out whether the user 'dsa' is hardcoded. Either way, is there a way to change the clustersetup.jar behaviour to create the config files under newuser ownership?
The solution is to change dxuser and dx group in the response.properties file located in $EIAM_HOME.
We changed the file ownership from dsa to sda in the test environment.
For example, this is the change that needs to be made in the response.properties file
Testing the Solution
As you can see the sync went without any errors.
The config files were created with the correct ownership
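One way to confirm the ownership result after a DELTA/FULL sync, and before restarting dxserver, is to scan the dxserver tree for anything not owned by the expected service account. This is an added example, not part of the original article or the vendor's tooling; the helper names list_mismatched and check_owner are hypothetical, and the group name is whatever your site assigns to the service account.

```shell
#!/bin/sh
# Added example, not vendor code. Requires GNU find (-printf), as on RHEL 7.

# list_mismatched DIR USER GROUP  (hypothetical helper)
# Prints "owner:group<TAB>path" for every entry not owned by USER:GROUP.
list_mismatched() {
    find "$1" -printf '%u:%g\t%p\n' |
        awk -F '\t' -v want="$2:$3" '$1 != want'
}

# check_owner DIR USER GROUP  (hypothetical helper)
# Returns 0 if everything matches, 1 on any mismatch, 2 if DIR is missing.
check_owner() {
    if [ ! -d "$1" ]; then
        echo "check_owner: not a directory: $1" >&2
        return 2
    fi
    bad=$(list_mismatched "$1" "$2" "$3")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        echo "MISMATCH: entries under $1 are not owned by $2:$3" >&2
        return 1
    fi
    echo "OK: everything under $1 is owned by $2:$3"
}

# Usage: sh check_owner.sh DIR USER GROUP
# e.g. DIR=/opt/CA/SharedComponents/CADirectory/dxserver USER=newuser
if [ "$#" -eq 3 ]; then
    check_owner "$@"
fi
```

Running it once before and once after eiam-clustersetup.jar shows exactly which files the utility re-assigned.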