AFX Server and Connector failures if AFX is started as the root user in RSA Identity Governance & Lifecycle

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: All
 
If an AFX server is started as the root user, problems can occur that will prevent correct management of the server and its connectors. 
 

EXAMPLES:

  • When subsequently trying to manage the server as the less privileged afx user, the following errors may occur:
      • afx stop may fail with:
        ERROR: java.io.IOException: Operation not permitted
      • afx start may fail with:
        Mule Enterprise Edition is already running
  • If the AFX server is subsequently stopped as the root user and later started as the afx user, other problems may occur, such as:
      • afx start may fail with:
        WARNING!! Timed out waiting for AFX applications to start. Please check AFX application log files for detailed status information
  • The user interface (AFX > Server) may indicate that the AFX server is Running (green) but the AFX connectors (AFX > Connectors) may show with a status of Deployed (yellow) or Not Deployed (red)
  • An AFX-related process is still running:
ps -ef | grep AFX
root     20019     1  0 09:57 pts/1  00:20:57 /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/bin/java 
-Xms512m -Xmx512m -Dorg.apache.activemq.UseDedicatedTaskRunner=true 
-Djava.util.logging.config.file=logging.properties 
-Dcom.sun.xml.bind.v2.bytecode.ClassTailor.noOptimize=true -XX:MaxMetaspaceSize=512m 
-XX:+AlwaysPreTouch -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+ParallelRefProcEnabled 
-XX:+UseStringDeduplication -XX:InitiatingHeapOccupancyPercent=5 
-Dcom.sun.management.jmxremote.port=1099 
-Dcom.sun.management.jmxremote.password.file=/home/oracle/AFX/activemq/conf/jmx.password 
-Dcom.sun.management.jmxremote.access.file=/home/oracle/AFX/activemq/conf/jmx.access 
-Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote 
-Dactivemq.classpath=/home/oracle/AFX/activemq/conf; -Dactivemq.home=/home/oracle/AFX/activemq 
-Dactivemq.base=/home/oracle/AFX/activemq -Djava.security.egd=file:/dev/./urandom 
-jar /home/oracle/AFX/activemq/bin/run.jar start
  • File permissions are incorrect as noted by executing the below as the afx user:
cd $AFX_HOME/bin
./setPerms.sh

Updating permissions for files in /home/oracle/AFX
chmod: changing permissions of `/home/oracle/AFX/esb/logs/active/esb.AFX-MAIN-PERSISTED.log': Operation not permitted
chmod: changing permissions of `/home/oracle/AFX/esb/logs/active/esb.AFX-CONN-AD-connector.log': Operation not permitted
chmod: changing permissions of `/home/oracle/AFX/esb/logs/active/esb.AFX-INIT-PERSISTED.log': Operation not permitted
chmod: changing permissions of `/home/oracle/AFX/esb/logs/sent/esb.AFX-CONN-AD-connector.log.20190624_095849_883': Operation not permitted
chmod: changing permissions of `/home/oracle/AFX/esb/logs/sent/log-batch-290214ce-e1e6-4759-b2ab-1e9392f24c30.xml': Operation not permitted
chmod: changing permissions of `/home/oracle/AFX/esb/conf/client.keystore': Operation not permitted
chmod: changing permissions of `/home/oracle/AFX/activemq/data/kahadb/lock': Operation not permitted
chmod: changing permissions of `/home/oracle/AFX/mmc-console/logs/manager.2019-06-24.log': Operation not permitted
chmod: changing permissions of `/home/oracle/AFX/mmc-console/logs/host-manager.2019-06-24.log': Operation not permitted
chmod: changing permissions of `/home/oracle/AFX/mmc-console/mmc-data/workspaces/default/index/indexes_7p8q': Operation not permitted
chmod: changing permissions of `/home/oracle/AFX/mmc-console/mmc-data/workspaces/default/index/_7p8n/segments.gen': Operation not permitted
chmod: changing permissions of `/home/oracle/AFX/mmc-console/mmc-data/workspaces/default/index/_7p8n/segments_2': Operation not permitted
chmod: changing permissions of `/home/oracle/AFX/mmc-console/mmc-data/workspaces/default/index/_7p8n/_0.cfs': Operation not permitted
chmod: changing permissions of `/home/oracle/AFX/mmc-console/mmc-data/workspaces/default/index/_7p8n/cache.inSegmentParents': Operation not permitted
chmod: changing permissions of `/home/oracle/AFX/mmc-console/mmc-data/db/log/log1054.dat': Operation not permitted
done
  • Checking any one of the above files shows the file owned by root instead of by the afx user:
ll /home/oracle/AFX/esb/conf/client.keystore
-rw-r--r-- 1 root root 5329 Mar  2 15:07 /home/oracle/AFX/esb/conf/client.keystore
  • Checking AFX ports such as 61616, 8585, or 8444 via netstat may show a port unexpectedly in use:
cd $AVEKSA_HOME/database/DBA/AVDB/scripts 
netstat -an | grep 61616
tcp        0      0 127.0.0.1:18212         127.0.0.1:61616         ESTABLISHED
tcp        0      0 127.0.0.1:18207         127.0.0.1:61616         ESTABLISHED
tcp        0      0 127.0.0.1:18206         127.0.0.1:61616         ESTABLISHED
tcp        0      0 127.0.0.1:18213         127.0.0.1:61616         ESTABLISHED
tcp        0      0 127.0.0.1:18208         127.0.0.1:61616         ESTABLISHED
tcp        0      0 127.0.0.1:18166         127.0.0.1:61616         ESTABLISHED
tcp        0      0 127.0.0.1:18214         127.0.0.1:61616         ESTABLISHED
tcp        0      0 127.0.0.1:18167         127.0.0.1:61616         ESTABLISHED
tcp        0      0 127.0.0.1:18168         127.0.0.1:61616         ESTABLISHED
tcp        0      0 127.0.0.1:61616         :::*                    LISTEN

 
Starting an AFX server as the root user changes the ownership of some AFX files to root, which prevents successful startup by less privileged users such as the afx user. Additionally, even after an AFX server has been stopped as root, AFX processes may still be running and holding required AFX ports.
 
To resolve this issue, stop AFX as the root user, remove any existing AFX processes, modify the AFX file ownership and restart AFX as the afx user.
  1. As the root user, log in to the server where AFX is installed.
  2. Stop AFX:
cd $AFX_HOME/bin
./afx stop
  3. Check for any AFX processes that may still be running after afx has shut down. Kill any AFX processes found.
For example:
ps -ef | grep AFX
root     20019     1  0 09:57 pts/1  00:20:57 /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/bin/java 
-Xms512m -Xmx512m -Dorg.apache.activemq.UseDedicatedTaskRunner=true 
-Djava.util.logging.config.file=logging.properties 
-Dcom.sun.xml.bind.v2.bytecode.ClassTailor.noOptimize=true -XX:MaxMetaspaceSize=512m 
-XX:+AlwaysPreTouch -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+ParallelRefProcEnabled 
-XX:+UseStringDeduplication -XX:InitiatingHeapOccupancyPercent=5 
-Dcom.sun.management.jmxremote.port=1099 
-Dcom.sun.management.jmxremote.password.file=/home/oracle/AFX/activemq/conf/jmx.password 
-Dcom.sun.management.jmxremote.access.file=/home/oracle/AFX/activemq/conf/jmx.access 
-Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote 
-Dactivemq.classpath=/home/oracle/AFX/activemq/conf; -Dactivemq.home=/home/oracle/AFX/activemq 
-Dactivemq.base=/home/oracle/AFX/activemq -Djava.security.egd=file:/dev/./urandom 
-jar /home/oracle/AFX/activemq/bin/run.jar start
kill -9 20019
  4. Ensure that all AFX files and directories have the correct owner and group. For example, if the afx user is oracle, execute the following commands to set the owner and group as appropriate:
/home/oracle/AFX # chown oracle -R *
/home/oracle/AFX # chgrp oinstall -R *
  5. After all AFX processes have been stopped and the file permissions and ownership corrected on the AFX files and directories, start AFX as the afx user:
afx start
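
The three checks used above (file ownership, leftover processes, ports in use) can be combined into one read-only script to run before and after the fix. This is an added example, not RSA code: the function names are hypothetical, and the AFX home and afx user are assumed to be passed as arguments (the article's sample values are /home/oracle/AFX and oracle).

```bash
#!/usr/bin/env bash
# Added example (not RSA code): read-only checks for the root-start condition.
# Function names are hypothetical. Pass AFX_HOME without a trailing slash.

# Files under AFX_HOME ($1) not owned by the afx user ($2, name or numeric uid).
afx_misowned_files() {
    find "$1" ! -user "$2" -print
}

# stdin: lines from `ps -eo user=,pid=,args=`. Prints "pid user" for each process
# whose command line references a path under $1 but runs as someone other than $2.
# Matching "$1" plus "/" keeps this script's own arguments out of the result.
afx_foreign_procs() {
    awk -v home="$1" -v owner="$2" \
        'index($0, home "/") && $1 != owner { print $2, $1 }'
}

# stdin: lines from `netstat -an`. Prints the AFX ports named in the article
# (61616, 8585, 8444) that currently have a listener.
afx_listening_ports() {
    awk '$NF == "LISTEN" {
             n = split($4, a, ":")
             if (a[n] == 61616 || a[n] == 8585 || a[n] == 8444) print a[n]
         }' | sort -un
}

afx_audit() {
    echo "== files under $1 not owned by $2"
    afx_misowned_files "$1" "$2"
    echo "== AFX processes not running as $2 (pid user)"
    ps -eo user=,pid=,args= | afx_foreign_procs "$1" "$2"
    echo "== AFX ports with a listener"
    netstat -an | afx_listening_ports
}

if [ "$#" -eq 2 ]; then
    # Live check, e.g.: ./afx_audit.sh /home/oracle/AFX oracle
    afx_audit "$1" "$2"
else
    # No arguments: run the process filter on constructed sample lines.
    printf '%s\n' \
        'root   20019 java -jar /home/oracle/AFX/activemq/bin/run.jar start' \
        'oracle 20544 java -jar /home/oracle/AFX/activemq/bin/run.jar start' |
        afx_foreign_procs /home/oracle/AFX oracle
fi
```

Because find walks the whole tree, it also reports dot-files directly under the AFX home, which the * glob in the chown and chgrp commands does not match. After the fix, the first two sections of the output should be empty.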

 
000030656
Ted Barbour
6/26/2015 3:37 PM
000063071
Ted Barbour
Katrina Nash