We are using EEM 12.6 CR01. RHEL7.
Our shop requires us to use PAM (LDAP) based service accounts with predefined naming standards for software ownership (files and directories). Local server built-in accounts and groups are a NO NO, so "dsa" and "etrdir" are not acceptable. We are using the 'newuser' account instead of dsa for ownership of the dxserver directory.
We recently had to add pool members to an existing EEM cluster using the eiam-clustersetup.jar utility. After adding them, dxserver could not start. Upon investigation it turned out that the config files had been re-assigned to the "dsa" user, which caused the hiccup.
Please update the cluster utility to first check the dxserver owner user instead of assuming that it's still "dsa".
Release : 11.3.6
Component : CA Embedded Entitlements Manager
Installed EEM on both primary and secondary. Changed the file ownership from "dsa" to 'newuser' for all the CADirectory files, in order to follow infrastructure guidelines.
Configured the cluster setup using eiam-clustersetup.jar, which indeed appeared to run successfully. However, the service status returned "stopped" in the clustersetup.jar prompt:
# java -jar eiam-clustersetup.jar -p XXXXXXX
03/06/2021 9:38:34 AM IclUtil itechLibInit
INFO: iTechSDK initialized successfully
INFO - EIAM_HOME [/opt/CA/SharedComponents/EmbeddedEntitlementsManager/]
INFO - IGW_LOC [/opt/CA/SharedComponents/iTechnology/]
INFO - DXHOME [/opt/CA/SharedComponents/CADirectory/dxserver/]
INFO - Hostname identified as [vpl00002429.privatecloud.prod.au.internal.cba]
EiamAdmin password :
INFO - Checking server status
INFO - igateway status [stopped]
INFO - dxserver status [stopped]
======
The secondary EEM portal logon using EiamAdmin returns an error.
Did a manual sync between the EEM servers.
Stopped secondary EEM server. Copied over the itechpoz.db file from primary to secondary.
Deleted the itechpoz.tx file
Restarted dxserver and igateway processes.
The secondary is up and running. Able to login using EiamAdmin.
Service status in the clustersetup.jar prompt returns appropriately.
The config files' ownership is overwritten to the 'dsa' user whenever we run a DELTA/FULL sync using eiam-clustersetup.jar.
We need to find out whether the user 'dsa' is hardcoded. Either way, is there a way to change the clustersetup.jar behaviour so that it creates the config files under 'newuser' ownership?
The solution is to change the DXUSER and DXGROUP values in the response.properties file located in $EIAM_HOME. The cluster utility reads the owner and group for the dxserver files from these two entries rather than from the existing ownership on disk.
We changed the file ownership from dsa to sda in the test environment.
For example, these are the entries that need to be changed in the response.properties file, shown here with their default values; set them to the service account and group that own the dxserver files:
DXUSER=dsa
DXGROUP=etrdir
response.properties in $EIAM_HOME
Testing the Solution
[root@ibntest000985 bin]# java -jar eiam-clustersetup.jar -p ibntest001391.bpc.broadcom.net
Jul 16, 2021 2:24:13 AM IclUtil itechLibInit
INFO: iTechSDK initialized successfully
INFO - EIAM_HOME [/opt/CA/SharedComponents/EmbeddedEntitlementsManager/]
INFO - IGW_LOC [/opt/CA/SharedComponents/iTechnology/]
INFO - DXHOME [/opt/CA/Directory/dxserver/]
INFO - Hostname identified as [ibntest000985.bpc.broadcom.net]
EiamAdmin password :
INFO - Checking server status
INFO - igateway status [started]
INFO - dxserver status [started]
Are you sure you want to continue? [Y/N]:y
[ibntest000985.bpc.broadcom.net]>list
-------------------------------------------------------
INFO - Summary
=======================================================
INFO - Listing failover nodes for server
-------------------------------------------------------
INFO - Hostname:Dsa Port
-------------------------------------------------------
INFO - ibntest000985.bpc.broadcom.net(*):509
-------------------------------------------------------
[ibntest000985.bpc.broadcom.net]>sync
=======================================================
INFO - Select current machine hostname
=======================================================
INFO - [1] ibntest001391.bpc.broadcom.net:509
INFO - [2] ibntest000985.bpc.broadcom.net:509
Select Hostname from [1 - 2] : 2
INFO - Synchronization level
INFO - [1] [NEW] secondary node is being added first time
INFO - [2] [DELTA] secondary node is being synced to update configurations
Select Synchronization mode from [1 - 2] : 1
=======================================================
INFO - Syncing with primary server
-------------------------------------------------------
Primary server Secondary server
-------------------------------------------------------
ibntest001391.bpc.broadcom.net ibntest000985.bpc.broadcom.net
-------------------------------------------------------
INFO - Re-configuring of server may lead to loss of data, it is advised to perform a backup of configuration and data store.
Are you sure you want to continue? [Y/N]:y
INFO - Stopping dxserver service
INFO - Stopping igateway service
INFO - Configuring the knowledge group file
INFO - ----------------------------------------------------
INFO - The knowledge group file iTechPoz.dxg resides in the directory: /opt/CA/Directory/dxserver//config/knowledge/itechpoz.dxg
INFO -
INFO - Node was removed successfully
INFO - Fetching configuration from ibntest001391.bpc.broadcom.net
INFO - Adding self node [ibntest000985.bpc.broadcom.net]
INFO - Generating: : /opt/CA/SharedComponents/iTechnology/iAuthority.conf
INFO - Generating: : /opt/CA/SharedComponents/iTechnology/iControl.conf
INFO - Generating: : /opt/CA/SharedComponents/iTechnology/rootcert.cer
INFO - Generating: : /opt/CA/SharedComponents/iTechnology/rootcert.key
INFO -
INFO -
INFO - Generating certificate for host : ibntest001391.bpc.broadcom.net
INFO -
INFO -
INFO - Generating file : /opt/CA/Directory/dxserver/config/ssld/itechpoz-trusted.pem
INFO -
INFO - Adding failover node [ibntest001391.bpc.broadcom.net]
INFO - Generating: : /opt/CA/SharedComponents/iTechnology/iControl.conf
INFO - Configuring DSA itechpoz for host ibntest000985.bpc.broadcom.net
INFO - Configuring the itechpoz knowledge file
INFO - ----------------------------------------------------
INFO - The itechpoz knowledge file /opt/CA/Directory/dxserver//config/knowledge/itechpoz.dxc.dxc resides in the directory: {2}
INFO - Writing the itechpoz knowledge file
INFO -
INFO - Configuring DSA itechpoz-ibntest001391.bpc.broadcom.net for host ibntest001391.bpc.broadcom.net
INFO - Configuring the itechpoz-ibntest001391.bpc.broadcom.net knowledge file
INFO - ----------------------------------------------------
INFO - The itechpoz-ibntest001391.bpc.broadcom.net knowledge file /opt/CA/Directory/dxserver//config/knowledge/itechpoz-ibntest001391.bpc.broadcom.net.dxc.dxc resides in the directory: {2}
INFO - Writing the itechpoz-ibntest001391.bpc.broadcom.net knowledge file
INFO -
INFO - Configuring the knowledge group file
INFO - ----------------------------------------------------
INFO - The knowledge group file iTechPoz.dxg resides in the directory: /opt/CA/Directory/dxserver//config/knowledge/itechpoz.dxg
INFO -
INFO - Configuring the settings file
INFO - ----------------------------------------------------
INFO - /opt/CA/Directory/dxserver//config/settings/itechpoz.dxc
INFO -
INFO - Clearing secondary server dsa-db
INFO - Starting dxserver service
INFO - Starting igateway service
INFO - Run [status] to get server details.
[ibntest000985.bpc.broadcom.net]>status
INFO - Checking server status
INFO - igateway status [started]
INFO - dxserver status [started]
As you can see, the sync went through without any errors.
The config files were created with the correct ownership:
]# pwd
/opt/CA/Directory/dxserver/config/knowledge
[root@ibntest000985 knowledge]# ls -l
total 20
-rw-rw-r-- 1 sda sda 608 Jul 16 02:25 itechpoz.dxc
-rw-rw-r-- 1 sda sda 165 Jul 16 02:25 itechpoz.dxg
-rw-r--r-- 1 sda sda 638 Jul 16 02:25 itechpoz-ibntest001391.bpc.broadcom.net.dxc
-rw-r----- 1 sda sda 5242 Apr 18 2018 knowledge.help
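The two checks a practitioner would want around this procedure are (a) before running a sync, confirming that DXUSER/DXGROUP in response.properties agree with whoever actually owns the dxserver config tree, and (b) after the sync, confirming that nothing under DXHOME/config came back owned by the installer defaults, as in the listing above. The script below is an added example, not part of the article or of the EEM product. The only things taken from the page are the response.properties keys DXUSER and DXGROUP and the DXHOME/config/knowledge layout; the helper names (dx_prop, check_dx_owner, set_dx_owner, foreign_files), the sample files and the temporary directory it builds are constructed for illustration, and the script uses the account running it as a stand-in for the 'newuser' service account.

```shell
#!/bin/sh
# Added example (not the article's or EEM's own code). Pre-sync and
# post-sync ownership checks for the dxserver config tree.
# Assumptions: response.properties uses the keys DXUSER and DXGROUP (as the
# article states); DXHOME contains config/knowledge; helper names are
# hypothetical; the sample tree below is constructed, not real EEM data.

# Print the value of a key from a Java-style properties file.
# Comment lines (# or !) are skipped and, as with java.util.Properties,
# the last occurrence of a key wins. CR/LF line endings are tolerated.
dx_prop() {   # $1=properties file  $2=key
    awk -F'=' -v k="$2" '
        /^[[:space:]]*[#!]/ { next }
        index($0, "=") == 0 { next }
        {
            key = $1
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (key == k) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                val = v
            }
        }
        END { print val }' "$1"
}

# "user:group" of a path, parsed from ls so it works with either stat flavour.
path_owner() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# Pre-sync check: does response.properties agree with the real owner of
# DXHOME/config/knowledge?  Returns 0 on match, 1 on mismatch.
check_dx_owner() {   # $1=response.properties  $2=DXHOME
    want="$(dx_prop "$1" DXUSER):$(dx_prop "$1" DXGROUP)"
    have="$(path_owner "$2/config/knowledge")"
    if [ "$want" = "$have" ]; then
        echo "OK: response.properties ($want) matches $2/config/knowledge"
        return 0
    fi
    echo "MISMATCH: response.properties says $want but $2/config/knowledge is owned by $have" >&2
    return 1
}

# Rewrite DXUSER/DXGROUP in place, keeping a .bak copy of the original.
set_dx_owner() {   # $1=response.properties  $2=user  $3=group
    sed -i.bak -e "s/^[[:space:]]*DXUSER[[:space:]]*=.*/DXUSER=$2/" \
               -e "s/^[[:space:]]*DXGROUP[[:space:]]*=.*/DXGROUP=$3/" "$1"
}

# Post-sync check: print every regular file under DXHOME/config whose
# owner is not user:group. Returns 0 when none are found, 1 otherwise.
# (Paths are word-split; EEM's config paths contain no spaces.)
foreign_files() {   # $1=DXHOME  $2=user  $3=group
    n=0
    for f in $(find "$1/config" -type f); do
        if [ "$(path_owner "$f")" != "$2:$3" ]; then
            echo "$f"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Stand-alone walk-through on a constructed DXHOME: the knowledge file is
# owned by the account running this script (standing in for 'newuser'),
# while response.properties still carries the installer defaults.
demo() {
    tmp=$(mktemp -d)
    dxhome="$tmp/dxserver"
    props="$tmp/response.properties"
    mkdir -p "$dxhome/config/knowledge"
    printf 'constructed itechpoz knowledge file\n' > "$dxhome/config/knowledge/itechpoz.dxc"
    printf '# constructed sample\nDXUSER=dsa\nDXGROUP=etrdir\n' > "$props"
    me=$(id -un)
    mygrp=$(id -gn)
    # Defaults must be flagged before the sync is run.
    if check_dx_owner "$props" "$dxhome"; then
        rm -rf "$tmp"; return 1
    fi
    set_dx_owner "$props" "$me" "$mygrp"
    check_dx_owner "$props" "$dxhome" || { rm -rf "$tmp"; return 1; }
    # After a sync, nothing under config/ should be owned by anyone else.
    foreign_files "$dxhome" "$me" "$mygrp" || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    echo "demo passed"
}

demo
```

On a real server the two calls would be check_dx_owner "$EIAM_HOME/response.properties" "$DXHOME" before starting eiam-clustersetup.jar and foreign_files "$DXHOME" newuser newgroup once the sync has finished; a non-zero exit from either is the cue to stop before dxserver is started with files it cannot read.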