AutoSys Application Server fails to start with PostgreSQL SSL connection error "could not load private key file"

Article ID: 441755

Products

Autosys Workload Automation

Issue/Introduction

Symptoms
When configuring AutoSys Workload Automation to connect to a PostgreSQL database using SSL/TLS with password authentication, the Application Server fails to start.

The as_server log contains the following error messages:

CAUAJM_E_18212 Failed to connect to server: [hostname.example.com],5432:aedb:aedbschema Reason: connection to server at "[hostname.example.com]" ([IP_ADDRESS]), port 5432 failed: FATAL: no pg_hba.conf entry for host "[IP_ADDRESS]", user "autosys", database "aedb", no encryption
connection to server at "[HOSTNAME]" ([IP_ADDRESS]), port 5432 failed: could not load private key file "/opt/CA/server.key"
CAUAJM_E_10649 Server [HOSTNAME],5432:aedb:aedbschema was not available during connection operation.

Environment

AutoSys Workload Automation 24.x
Database: PostgreSQL

Cause

The AutoSys services (running as the Unix user autosys) lack the necessary file-level permissions to read the SSL private key file (e.g., /opt/CA/server.key).

In a typical failure scenario, the file is owned by root:root with permissions that give no access to users outside the owner and group (e.g., 640 or -rw-r-----). The autosys user is neither, so it cannot load the key required to negotiate the SSL handshake with the PostgreSQL server.

Resolution

To resolve this issue, the ownership and permissions of the SSL private key file must be adjusted to allow the autosys service account access.

  1. Identify the Key File: Locate the private key file referenced in the error log (e.g., /opt/CA/server.key). The $AUTOUSER/config.$AUTOSERV file also contains a reference to this key file.
  2. Change Ownership: Change the owner of the file to the autosys user:
     
    chown autosys /opt/CA/server.key
  3. Adjust Permissions: Set the permissions to ensure the file is readable by the autosys user but protected from others (PostgreSQL often requires the key to have restrictive permissions like 0600 or 0400):
     
    chmod 400 /opt/CA/server.key
  4. Verify pg_hba.conf: Ensure the PostgreSQL pg_hba.conf file is configured to allow hostssl connections for the autosys user from the application server's IP address.
  5. Restart Services: Restart the AutoSys Application Server to apply the changes.

Note: Ensure all certificates in the chain (Root CA, Client Certificate, and Private Key) are accessible to the autosys user.
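
A pre-restart check for steps 2 and 3, as an added example rather than Broadcom's own tooling: it confirms that the key file is owned by the service account and carries no group or other permission bits. It assumes GNU `stat` (Linux); the function name `check_key` is hypothetical, and the path and account in the usage comment are the article's examples.

```shell
#!/bin/sh
# Added example: audit a TLS private key file before restarting the service.
# Assumes GNU coreutils stat (Linux). check_key is a hypothetical helper name.

# check_key KEYFILE USER
# Returns 0 when KEYFILE is a regular file owned by USER, readable by its
# owner, and has no group/other permission bits (e.g. 0400 or 0600).
# Prints the reason and returns 1 otherwise.
check_key() {
    key_file=$1
    key_user=$2
    if [ ! -f "$key_file" ]; then
        echo "FAIL: $key_file is missing or not a regular file"
        return 1
    fi
    key_owner=$(stat -c '%U' "$key_file") || return 1
    key_mode=$(stat -c '%a' "$key_file") || return 1
    if [ "$key_owner" != "$key_user" ]; then
        echo "FAIL: $key_file is owned by $key_owner, expected $key_user"
        return 1
    fi
    # Leading 0 makes the shell read the mode as octal.
    # Mask 077 covers every group and other permission bit.
    if [ $(( 0$key_mode & 077 )) -ne 0 ]; then
        echo "FAIL: $key_file has mode $key_mode; group/other bits are set"
        return 1
    fi
    # Mask 0400 is the owner read bit; without it the key cannot be loaded.
    if [ $(( 0$key_mode & 0400 )) -eq 0 ]; then
        echo "FAIL: $key_file has mode $key_mode; owner cannot read it"
        return 1
    fi
    echo "OK: $key_file owner=$key_owner mode=$key_mode"
    return 0
}

# Usage: sh check_key.sh /opt/CA/server.key autosys
if [ $# -eq 2 ]; then
    check_key "$1" "$2"
fi
```

Running it as the autosys user also confirms that the parent directories are traversable, since `stat` fails if they are not.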