problem on installing PAMSC 14.1 CP3


Article ID: 227149


Updated On: 10-06-2023

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

PAMSC 14.1 CP3 cannot be started by seload if CP3 is installed without SMF configuration on Solaris.
This doesn't happen on CP2.
 
During installation using install_base, there is a prompt asking whether the SMF service should be used.
The problem happens if you answer No at that prompt (the default is Yes).
 
-----
------------------[ Add CA Privileged Access Manager Server Control to SMF ]-------------------
  CA Privileged Access Manager Server Control can be started using SMF commands.
  CA Privileged Access Manager Server Control installation process will now install a seosd service in SMF.
Do you want to be able to start CA Privileged Access Manager Server Control using SMF ? [Y/n]:n
-----

Environment

Release : 14.1 CP3
Component : PAM SERVER CONTROL ENDPOINT Solaris

Cause

On CP3, PAMSC was made an SMF service (seosd) in line with further developments on Oracle 11, where services started via legacy init scripts are discouraged and are likely to be dropped altogether. A change in that area was necessary because installation did not make the proper changes for seosd as an SMF service on Solaris 11.x, so even if the manifest was installed, the service would not work properly. That won't be noticed unless one tries to manipulate or check seosd via SMF, but some of our customers expect it to work as an SMF service now. Thus, seosd should now be installed as an SMF service. One can continue to operate PAMSC via the traditional seload and secons commands, with svcadm, or with a mix of both.

Resolution

The fix removes the SMF prompt from the installation, so the SMF service is always created.
The fix will be included in a future release.
 
The workaround is to create the seosd SMF service manually.
Here is a script for it:
-----
#!/bin/sh
# Manually create the seosd SMF service for PAMSC (run as root).
PATH=/usr/bin:/bin:/usr/sbin
SEOSDIR=/opt/CA/PAMSC
AC_MANIFEST_DIR=/lib/svc/manifest/application/security
AC_METHOD_PATH=/lib/svc/method/security-ca_ac
MANIFEST=seosd.xml
service=seosd
# Install the SMF method script
cp "$SEOSDIR/data/SMF/security-ca_ac" "$AC_METHOD_PATH"
# Where the sysconfig milestone exists, make the manifest refer to it instead of /config
svcs /milestone/sysconfig >/dev/null 2>&1
if [ $? -eq 0 ]; then
   # The temporary copy is written beside the manifest, not under a predictable name in /tmp
   TMP_MANIFEST="$SEOSDIR/data/SMF/$MANIFEST.$$"
   sed '/milestone/s|/config|/sysconfig|' "$SEOSDIR/data/SMF/$MANIFEST" > "$TMP_MANIFEST" && mv "$TMP_MANIFEST" "$SEOSDIR/data/SMF/$MANIFEST"
   rm -f "$TMP_MANIFEST" 2>/dev/null
fi
# Import the manifest into the SMF repository
svccfg import "$SEOSDIR/data/SMF/$MANIFEST"
sleep 2 # because svccfg command runs asynchronously
# Place the manifest and the method script in the standard SMF locations
cp "$SEOSDIR/data/SMF/$MANIFEST" "$AC_MANIFEST_DIR/"
cp "$SEOSDIR/data/SMF/security-ca_ac" "$AC_METHOD_PATH" > /dev/null 2>&1
svcadm restart manifest-import
if [ $? = 0 ] ; then
   echo "$service manifest imported to SMF."
else
   echo "Failed to import $service manifest to SMF."
fi
echo "Checking seosd service ..."
svcs -a | grep 'svc:/security/seosd'
if [ $? -eq 0 ]; then
   echo "svcadm or seload/secons commands can be used now to start/stop PAMSC"
fi
-----

Additional Information

Important notes:
1. Since an SMF service is managed by SMF, service output is controlled by it and consequently must be examined using SMF tools, e.g., the svcs command.
2. Because PAMSC runs as an SMF service, most of the seload output is no longer displayed. This does not mean that PAMSC does not start, however; give it its normal time to start (or start it synchronously with svcadm enable -s seosd).
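
The notes above say that seosd status has to be read with SMF tools rather than from seload output. The following script is an added example, not vendor code: it reads a `svcs` state listing and reports the seosd state and the next step. The state-to-step mapping, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code: report the seosd state using SMF tools only.
FMRI=svc:/security/seosd        # FMRI prefix the workaround script greps for

# Constructed sample of `svcs -a -H -o state,fmri` output, used when svcs is absent.
SAMPLE='online         svc:/system/cron:default
maintenance    svc:/security/seosd:default'

# Read "state fmri" lines on stdin; print the seosd state, or "absent".
seosd_state() {
    state=absent
    while read -r st fmri; do
        case $fmri in
            "$FMRI"|"$FMRI":*) state=$st; break ;;
        esac
    done
    echo "$state"
}

# Map an SMF state to the operator's next step (assumed mapping).
next_step() {
    case $1 in
        online)                echo running ;;
        disabled)              echo enable ;;    # svcadm enable -s seosd
        offline|uninitialized) echo wait ;;      # enabled, not yet started
        maintenance|degraded)  echo diagnose ;;  # svcs -xv seosd
        absent)                echo import ;;    # manifest not imported
        *)                     echo unknown ;;
    esac
}

report() {   # $1 = text in svcs state,fmri format
    st_now=$(printf '%s\n' "$1" | seosd_state)
    echo "seosd: state=$st_now next=$(next_step "$st_now")"
}

if command -v svcs >/dev/null 2>&1; then
    report "$(svcs -a -H -o state,fmri 2>/dev/null)"
    svcs -xv seosd      # explains why a service is not running, with its log path
else
    report "$SAMPLE"    # offline demonstration on the constructed sample
fi
```

A result of `import` means the manifest is not registered, which is the condition the workaround script above addresses.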