ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

problem on installing PAMSC 14.1 CP3

book

Article ID: 227149

calendar_today

Updated On:

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

PAMSC 14.1 CP3 cannot be started by seload if CP3 is installed without SMF configuration on Solaris.
This doesn't happen on CP2.
 
During installation using install_base, there is a selection if SMF service is used.
The problem happens if answering No to the selection (default is Yes).
 
-----
------------------[ Add CA Privileged Access Manager Server Control to SMF ]-------------------
  CA Privileged Access Manager Server Control can be started using SMF commands.
  CA Privileged Access Manager Server Control installation process will now install a seosd service in SMF.
Do you want to be able to start CA Privileged Access Manager Server Control using SMF ? [Y/n]:n
-----

Cause

On CP3, PAMSC was made an SMF service (seosd) as per the further developments on Oracle 11, where services started via legacy init scripts are discouraged and are likely to be dropped altogether. A change in that area was necessitated because installation did not make proper changes for seosd as SMF service on Solaris 11.x, so even manifest was insalled the service would not work properly. That won't be noticed unless one try to manipulate/check seosd via SMF , but some of our customers expect it to work as SMF now. Thus, seosd should be installed now as an SMF service. One can continue to leverage PAMSC via the traditional seload and secons commands, with svcadm or mix both.

Environment

Release : 14.1 CP3
Component : PAM SERVER CONTROL ENDPOINT Solaris

Resolution

The fix is made not to show the selection of using SMF service, and the SMF service is always created.
The fix will be included in future release.
 
The workaround for this is to create seosd SMF service manually.
Here is a script for it:
-----
#!/bin/sh
PATH=/usr/bin:/bin:/usr/sbin
SEOSDIR=/opt/CA/PAMSC
AC_MANIFEST_DIR=/lib/svc/manifest/application/security
AC_METHOD_PATH=/lib/svc/method/security-ca_ac
MANIFEST=seosd.xml
service=seosd
cp $SEOSDIR/data/SMF/security-ca_ac $AC_METHOD_PATH
svcs /milestone/sysconfig >/dev/null 2>&1
if [ $? -eq 0 ]; then
   sed '/milestone/s|/config|/sysconfig|' /opt/CA/PAMSC/data/SMF/seosd.xml > ${TMPDIR:-/tmp}/seosd.xml-$$ && mv ${TMPDIR:-/tmp}/seosd.xml-$$ /opt/CA/PAMSC/data/SMF/seosd.xml
   rm -f ${TMPDIR:-/tmp}/seosd.xml-$$ 2>/dev/null
fi
svccfg import $SEOSDIR/data/SMF/seosd.xml
sleep 2 # because svccfg command runs asynchronously
cp ${SEOSDIR}/data/SMF/${MANIFEST} ${AC_MANIFEST_DIR}/
cp ${SEOSDIR}/data/SMF/security-ca_ac $AC_METHOD_PATH > /dev/null 2>&1
svcadm restart manifest-import
if [ $? = 0 ] ; then
   echo "$service manifest imported to SMF."
else
   echo "Failed to import $service manifest to SMF."
fi
echo "Checking seosd service ..."
svcs -a | grep 'svc:/security/seosd' 
if [ $? -eq 0 ]; then
   echo svcadm or seload/secons commands can be used now to start/stop PAMSC
fi
-----

Additional Information

Important notes:
1. since an SMF service is managed by SMF, service output is controlled by it and as a consequence must be examined using SMF tools, e.g., svcs command;
2. because PAMSC runs as a SMF service, most of the seload output is no longer displayed, which does not mean that PAMSC does not start however, and one should give it its normal time to start (or start synchronously as svcadm enable -s seosd)