Red Hat 7 Apache 2.4 startup fails when SSO Web Agent is installed - fails to load Kerberos module mod_auth_gssapi.so

Article ID: 7209

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  CA Single Sign-On

Issue/Introduction

 

After having followed this KD

  systemctl and Web Agent startup settings for Red Hat Apache Web Server 2.4.x
  https://knowledge.broadcom.com/external/article?articleId=4165


we still see errors while trying to start the Web Agent. The errors
are detailed below.

[[email protected] bin]# apachectl start

  Job for httpd.service failed because the control process exited with
  error code. See "systemctl status httpd.service" and "journalctl
  -xe" for details.

[[email protected] bin]# systemctl status httpd.service -l

httpd.service - The Apache HTTP Server

   Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2017-06-22 19:58:02 EDT; 16s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 6202 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=127)
  Process: 6200 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 6196 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
  Process: 5646 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
  Main PID: 6196 (code=exited, status=1/FAILURE)
  Jun 22 19:58:01 server ipa-httpd-kdcproxy[5646]: ipa         : WARNING  Unable to connect to dirsrv: Timeout exceeded
  Jun 22 19:58:01 server ipa-httpd-kdcproxy[5646]: ipa         : WARNING  Disabling KDC proxy
  Jun 22 19:58:01 server httpd[6196]: httpd: Syntax error on line 62 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.modules.d/10-auth_gssapi.conf: Cannot load modules/mod_auth_gssapi.so into server: /etc/httpd/modules/mod_auth_gssapi.so: symbol gss_mech_iakerb, version gssapi_krb5_2_MIT not defined in file libgssapi_krb5.so.2 with link time reference
  Jun 22 19:58:02 server systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
  Jun 22 19:58:02 server kill[6200]: kill: cannot find process ""
  Jun 22 19:58:02 server systemd[1]: httpd.service: control process exited, code=exited status=1
  Jun 22 19:58:02 server kdestroy[6202]: /usr/bin/kdestroy: relocation error: /usr/bin/kdestroy: symbol krb5_cccol_cursor_new, version krb5_3_MIT not defined in file libkrb5.so.3 with link time reference
  Jun 22 19:58:02 server systemd[1]: Failed to start The Apache HTTP Server.
  Jun 22 19:58:02 server systemd[1]: Unit httpd.service entered failed state.
  Jun 22 19:58:02 server systemd[1]: httpd.service failed.

How can we solve this?

 

Cause

 

The error occurs because the system is loading the SSO Web Agent's
outdated Kerberos module.

The MIT Kerberos module was updated in newer Web Agent versions. In
older agents (as recent as 12.52 SP1 CR06), the Kerberos module is
outdated if you use Red Hat 7.

 

Environment

 

Web Agent 12.52 SP1 CR06 on Apache 2.4 on RedHat 7

 

Resolution

 

To fix this, modify LD_LIBRARY_PATH so that /lib64 comes before the
Web Agent paths. This ensures that the Apache/Red Hat 7 Kerberos
module is loaded before the Web Agent's module. Again, please refer
to the following KD

  systemctl and Web Agent startup settings for Red Hat Apache Web Server 2.4.x
  https://knowledge.broadcom.com/external/article?articleId=4165

for steps on where and how to modify LD_LIBRARY_PATH.

Here is a sample of the contents of "ca_wa_env.sh", which should be
included in /etc/sysconfig/httpd. (The uncommented lines are
effective; the others are commented out.)

  NETE_WA_ROOT=/opt/CA/webagent 
  #export NETE_WA_ROOT 

  NETE_WA_PATH=/opt/CA/webagent/bin 
  #NETE_WA_PATH=${NETE_WA_ROOT}/bin 
  #export NETE_WA_PATH 

  CAPKIHOME=/opt/CA/webagent/CAPKI 
  #export CAPKIHOME 

  LD_LIBRARY_PATH=/lib64:/opt/ca/webagent/bin:/opt/ca/webagent/bin/thirdparty:/opt/CA/SharedComponents/lib:/opt/CA/CAlib:/opt/CA/DSM/caf/lib
  #LD_LIBRARY_PATH=${NETE_WA_ROOT}/bin:${NETE_WA_ROOT}/bin/thirdparty:${LD_LIBRARY_PATH} 
  #export LD_LIBRARY_PATH 

  PATH=/opt/ca/webagent/bin:/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/CA/SharedComponents/bin:/opt/CA/SharedComponents/ccs/cam/bin:/root/bin 
  #PATH=${NETE_WA_PATH}:${PATH} 
  #export PATH
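
One way to check the resulting search order before restarting httpd, as an added example that is not part of the original article or the vendor's tooling: it reports which listed directory first supplies the two libraries named in the errors above, and whether /lib64 precedes the Web Agent directories. The function names are hypothetical, and the check approximates the loader by taking the first listed directory that holds the file.

```sh
#!/bin/sh
# Added example (not vendor code). Library names come from the errors in this article.
# Sample value: the LD_LIBRARY_PATH line from the ca_wa_env.sh sample above.
SAMPLE_PATH=/lib64:/opt/ca/webagent/bin:/opt/ca/webagent/bin/thirdparty:/opt/CA/SharedComponents/lib:/opt/CA/CAlib:/opt/CA/DSM/caf/lib

# first_provider PATHLIST LIBNAME
# The loader walks LD_LIBRARY_PATH left to right; print the first listed
# directory that contains LIBNAME, or fail if none does.
first_provider() (
    IFS=:; set -f                       # split on ':' only, no globbing
    for dir in $1; do
        [ -n "$dir" ] || continue       # empty entry = current directory; ignored here
        if [ -e "$dir/$2" ]; then printf '%s\n' "$dir"; exit 0; fi
    done
    exit 1
)

# system_dir_first PATHLIST SYSDIR AGENT_ROOT
# Succeed only if SYSDIR is listed before any directory under AGENT_ROOT.
# Compared case-insensitively because the sample spells the agent root both
# /opt/CA/webagent and /opt/ca/webagent.
system_dir_first() (
    IFS=:; set -f
    agent=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    for dir in $1; do
        if [ "$dir" = "$2" ]; then exit 0; fi
        lower=$(printf '%s' "$dir" | tr '[:upper:]' '[:lower:]')
        case $lower in "$agent"|"$agent"/*) exit 1 ;; esac
    done
    exit 1                              # SYSDIR is not listed at all
)

# Report for the sample path; on a real host pass the LD_LIBRARY_PATH httpd starts with.
for lib in libgssapi_krb5.so.2 libkrb5.so.3; do
    if dir=$(first_provider "$SAMPLE_PATH" "$lib"); then
        echo "$lib: first match in $dir"
    else
        echo "$lib: not present in any listed directory"
    fi
done
if system_dir_first "$SAMPLE_PATH" /lib64 /opt/CA/webagent; then
    echo "OK: /lib64 precedes the Web Agent directories"
else
    echo "WARNING: /lib64 is not listed ahead of the Web Agent directories"
fi
```
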

 

Additional Information

 

  systemctl and Web Agent startup settings for Red Hat Apache Web Server 2.4.x
  https://knowledge.broadcom.com/external/article?articleId=4165