Secure Proxy Server fails to startup

Article ID: 32436

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

Issue:

SPS fails to start after it is configured to run as a dedicated user instead of the root user.

 

Cause:

When SPS is configured with a dedicated user, proxyserver.sh is executed as this user instead of root. During startup, the sps.pid file is created under the ${PROXY_HOME}/CA/secure-proxy/tmp directory, so this user must have write permission to that directory.

 

The following is observed when SPS is started with the root account while it is configured with a dedicated user:

[[email protected] proxy-engine]# ./sps-ctl start 
httpd (pid 7814) already running 
Successfully Started Apache.. 
Attempting to start Secure Proxy Engine.. 
Sending output to /opt/CA/secure-proxy/proxy-engine/logs/nohup.out.20151002_020336 
/opt/CA/secure-proxy/proxy-engine/proxyserver.sh: line 184: /opt/CA/secure-proxy/proxy-engine/tmp/sps.pid: Permission denied 
/opt/CA/secure-proxy/proxy-engine/proxyserver.sh: line 184: /opt/CA/secure-proxy/proxy-engine/logs/nohup.out.20151002_020336: Permission denied 
Successfully Started Proxy Engine.. 
(Proxy Engine initialization may take a few extra seconds).

 

Resolution:

On UNIX, make sure the following is updated in the httpd.conf file:

User <dedicated_user>

LoadModule env_module modules/mod_env.so

PassEnv LD_LIBRARY_PATH

 

Also, change the owner of the SPS tmp and logs folders (the directories named in the Permission denied errors above, not the system /tmp) to this dedicated user.

 

If you have configured SPS as a Federation Gateway, the Federation Web Services application is deployed inside the Tomcat web server. Ensure that the owner of the ${PROXY_HOME}/CA/secure-proxy/Tomcat/webapps/affwebservices folder is changed to this dedicated user, with at least 755 permissions; otherwise you will run into HTTP error 404 with the following exception logged in the nohup log:

  

 

Oct 26, 2015 7:07:00 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [jsp] in context with path [/affwebservices] threw exception [java.lang.IllegalStateException: No output folder] with root cause
java.lang.IllegalStateException: No output folder

So, change the owner of the tmp and logs folders to nobody, keep the permissions on the secure-proxy files and folders at 755, and try starting SPS again.
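
The ownership and permission checks in this resolution can be scripted before restarting SPS. The following is an added example, not part of the original article or the product: the function names and the httpd.conf path argument are assumptions, and the directory layout is taken from the error output above.

```shell
#!/bin/sh
# Added example: audit owner and mode of the directories this article names.
# Assumed layout (from the error output above): <sps_root>/proxy-engine/tmp,
# <sps_root>/proxy-engine/logs and <sps_root>/Tomcat/webapps/affwebservices.
# The httpd.conf location is not given in the article; the caller passes it in.

# Print the value of the last active "User" directive in an httpd.conf file.
sps_conf_user() {
    awk 'tolower($1) == "user" { u = $2 }
         END { if (u == "") exit 1; print u }' "$1"
}

# Succeed only if $1 is a directory owned by user $2 with at least mode $3.
# find -prune tests the directory itself without descending into it.
sps_dir_ok() {
    [ -d "$1" ] && [ -n "$(find "$1" -prune -user "$2" -perm "-$3" 2>/dev/null)" ]
}

# Audit an SPS install: $1 = secure-proxy root, $2 = httpd.conf path.
# Prints one line per directory; returns non-zero if any check fails.
sps_audit() {
    root=$1
    user=$(sps_conf_user "$2") || { echo "FAIL no User directive in $2"; return 2; }
    rc=0
    for d in proxy-engine/tmp proxy-engine/logs Tomcat/webapps/affwebservices; do
        # affwebservices exists only on a Federation Gateway deployment
        if [ "$d" = Tomcat/webapps/affwebservices ] && [ ! -e "$root/$d" ]; then
            echo "SKIP $root/$d (not deployed)"
            continue
        fi
        if sps_dir_ok "$root/$d" "$user" 755; then
            echo "OK   $root/$d"
        else
            echo "FAIL $root/$d (want owner $user, mode >= 755)"
            rc=1
        fi
    done
    return $rc
}

# Run only when both arguments are supplied, e.g.:
#   sh sps_audit.sh /opt/CA/secure-proxy /path/to/httpd.conf
if [ $# -eq 2 ]; then sps_audit "$1" "$2"; fi
```

A FAIL line identifies the directory to fix with chown or chmod before running sps-ctl start again.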

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component: