Access-Gateway returned error after upgraded 12.8.06 from 12.8.04

book

Article ID: 227363

calendar_today

Updated On:

Products

CA Single Sign On Agents (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder) SITEMINDER

Issue/Introduction

After upgrading Access Gateway from R12.8SP4 to R12.8SP6, following error is displayed when accessing the server.

 

Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

 

server.log has the following error.

[01/Dec/2021:01:01:01-123] [ERROR] - ProxyServer initialization failed.
[01/Dec/2021:01:01:01-123] [ERROR] - Config File: '/opt/CA/secure-proxy/proxy-engine/conf/server.conf')
[01/Dec/2021:01:01:01-123] [ERROR] - java.lang.Exception: org.apache.catalina.LifecycleException: Protocol handler initialization failed
[01/Dec/2021:01:01:01-123] [ERROR] -  at com.netegrity.proxy.ProxyServer.initCatalina(Unknown Source)
[01/Dec/2021:01:01:01-123] [ERROR] -  at com.netegrity.proxy.ProxyServer.init(Unknown Source)
........
[01/Dec/2021:01:01:01-124] [ERROR] - Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
[01/Dec/2021:01:01:01-125] [ERROR] -  at org.apache.catalina.connector.Connector.initInternal(Connector.java:1049)
[01/Dec/2021:01:01:01-125] [ERROR] -  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
........
[01/Dec/2021:01:01:01-126] [ERROR] - Caused by: java.net.SocketException: Protocol family unavailable
[01/Dec/2021:01:01:01-126] [ERROR] -  at sun.nio.ch.Net.bind0(Native Method)
[01/Dec/2021:01:01:01-126] [ERROR] -  at sun.nio.ch.Net.bind(Net.java:461)
........

 

Cause

Starting from R12.8SP5 Access Gateway, the "server.conf" has following change.

R12.8SP4

<Server>
 #General Server Information

 #Define the listeners between
 #HTTP listener and proxy engine 
 worker.ajp13.port=8009
 worker.ajp13.host=localhost
 worker.shutdown.port=8005

 

R12.8SP5/6

<Server>
 #General Server Information

 #Define the listeners between
 #HTTP listener and proxy engine 
 worker.ajp13.port=8009
 worker.ajp13.host=::1
 worker.shutdown.port=8005

 

They are both listening on loopback address but one is ipv4 and another is ipv6.

So in case if you have explicitly disabled ipv6 on the server, probably due to hardening process, then the Proxy Engine can no longer listen on the specified address hence the error.

 

Following is a demonstration of ipv6 being disabled.

Before disabling IPv6

$ ifconfig -a
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.33  netmask 255.255.252.0  broadcast 172.17.3.255
        inet6 fe80::20c:29ff:feb5:a4ac  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b5:a4:ac  txqueuelen 1000  (Ethernet)
        RX packets 4283589  bytes 3705255697 (3.4 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2821941  bytes 1241545434 (1.1 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1970997  bytes 12455630018 (11.6 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1970997  bytes 12455630018 (11.6 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 

After disabling IPV6

[[email protected] ~]# sysctl -w net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
[[email protected] ~]# sysctl -w net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6 = 1


[[email protected] ~]# ifconfig -a
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.33  netmask 255.255.252.0  broadcast 172.17.3.255
        ether 00:0c:29:b5:a4:ac  txqueuelen 1000  (Ethernet)
        RX packets 4284067  bytes 3705440475 (3.4 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2822301  bytes 1241724545 (1.1 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1971413  bytes 12455861332 (11.6 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1971413  bytes 12455861332 (11.6 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 

As a result, "::1" cannot be used.

[[email protected] ~]# ssh ::1
ssh: connect to host ::1 port 22: Network is unreachable

[[email protected] ~]# ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:ZHj3q5iSqxeRweBcqsarzdbUcu3APT7Gg1cvN8OXN6w.
ECDSA key fingerprint is MD5:95:4a:c2:98:16:65:e1:ac:33:b4:f0:53:96:9f:da:ae.
Are you sure you want to continue connecting (yes/no)? no

Host key verification failed.

 

Environment

Release : 12.8.05 and above

Component : Access Gateway

Resolution

Update the server.conf file by replacing the "::1" address to "localhost" if you have disabled ipv6.

Powered by Wolken Software