000021850 - Wrong permissions on the data subdirectory in RSA ACE/Server

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000021850
Applies To: RSA ACE/Server, UNIX
Issue:
- Wrong permissions on the data subdirectory in RSA ACE/Server
- Error: "Cannot find or open file /apps/ace601/ace/data/sdlog.db, errno = 13. (43)" in RSA ACE/Server
- RSA ACE/Server does not start
- RSA ACE/Server file ownership set to a user other than root
Resolution:
When trying to start the ACE/Server, error messages similar to the following are displayed:
09:21:21 SERVER   : ** Cannot find or open file /apps/ace601/ace/data/sdlog.db, errno = 13. (43)
09:21:21 SERVER   : ** The server terminated with exit code 2. (800)
09:21:21 APW        ** Cannot find or open file /apps/ace601/ace/data/sdlog.db, errno = 13. (43)
09:21:21 APW        ** Cannot find or open file /apps/ace601/ace/data/sdlog.db, errno = 13. (43)
09:21:21 APW        There is no server for database /apps/ace601/ace/data/sdlog. (1423)
09:21:21 APW        ** The server terminated with exit code 2. (800)
09:21:21 BIW        ** Cannot find or open file /apps/ace601/ace/data/sdlog.db, errno = 13. (43)
09:21:21 BIW        ** Cannot find or open file /apps/ace601/ace/data/sdlog.db, errno = 13. (43)
09:21:21 BIW        There is no server for database /apps/ace601/ace/data/sdlog. (1423)
09:21:21 BIW        ** The server terminated with exit code 2. (800)
A possible cause is wrong file permissions on the files in the ACE/Server data subdirectory. Usually this is caused by running the ACE/Server as root instead of running it as the dedicated user that was specified at installation time.
The sdinfo command reports that user ID:
FILE OWNERSHIP:                    ace
If you issue an "ls -l" from within the data subdirectory, all files should be owned by the "ace" user. The only exceptions are TACACS-related files and the sdace.txt file.
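The ownership check described above can be scripted. The following is an added example, not part of the original article and not RSA code: it lists every entry in the data subdirectory whose owner differs from the user reported by sdinfo. The function name audit_data_owner is hypothetical, and because the article does not name the TACACS-related files, the caller supplies site-specific exemption globs.

```shell
#!/bin/sh
# Added example (not RSA code): list entries in the ACE/Server data
# subdirectory whose owner differs from the FILE OWNERSHIP user shown by sdinfo.
# audit_data_owner is a hypothetical helper name.
# Usage: audit_data_owner <data-dir> <expected-owner> [exempt-glob ...]
audit_data_owner() {
    dir=$1
    want=$2
    shift 2
    bad=0
    # Same scope as "ls -l" run inside the data subdirectory: top level only.
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        base=${f##*/}
        skip=0
        # sdace.txt is exempt per the article. The article does not name the
        # TACACS-related files, so the caller passes site-specific globs.
        for pat in sdace.txt "$@"; do
            case $base in
                $pat) skip=1 ;;
            esac
        done
        [ "$skip" -eq 1 ] && continue
        # Third field of "ls -ld" is the owner (a numeric UID if unnamed).
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" != "$want" ]; then
            printf '%s\t%s\n' "$owner" "$f"
            bad=1
        fi
    done
    return "$bad"
}

# Run the audit when called with arguments, e.g.:
#   sh audit_owner.sh /apps/ace601/ace/data ace
if [ "$#" -ge 2 ]; then
    audit_data_owner "$@"
fi
```

A non-zero exit status means at least one non-exempt entry has the wrong owner; each offending entry is printed as owner, tab, path.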
The best way to fix similar issues is to:
- Stop the ACE/Server and make sure all processes are gone.
- Run (as root) "./sdsetup -config". Hit Enter at all prompts.
- su to the user that is meant to run the ACE/Server. In this case: "su - ace"
- Restart the ACE/Server (sdconnect start; aceserver start).
- Verify with the ps command that all ACE/Server related processes are running under the correct user ID. On Solaris you would see the following:
{ace} fatboy > ps -ef | grep ace
     ace  4887     1  0 09:33:38 ?        0:00 /apps/ace601/ace/rdbms/bin/_mprshut /apps/ace601/ace/data/sdlog -C APW
     ace  5027     1  0 09:34:16 pts/3    0:00 /apps/ace601/ace/prog/sdradiusd
     ace  4879     1  0 09:33:37 ?        0:00 /apps/ace601/ace/rdbms/bin/_mprshut /apps/ace601/ace/data/sdserv -C APW
     ace  4901     1  0 09:33:40 ?        0:00 /apps/ace601/ace/prog/sdadmind
     ace  5019     1  0 09:33:54 ?        0:00 _aceserver_be
     ace  4850  3664  0 09:33:21 pts/3    0:00 -sh
     ace  4884     1  0 09:33:37 ?        0:00 /apps/ace601/ace/prog/_mprosrv /apps/ace601/ace/data/sdlog -N TCP -S sdlog -pf
     ace  4890     1  0 09:33:38 ?        0:00 /apps/ace601/ace/rdbms/bin/_mprshut /apps/ace601/ace/data/sdlog -C BIW
     ace  4856  4850  0 09:33:25 pts/3    0:00 bash
     ace  5018     1  0 09:33:54 ?        0:01 _aceserver_be
     ace  4897     1  0 09:33:38 ?        0:00 /apps/ace601/ace/prog/logmaintthd
     ace  4876     1  0 09:33:37 ?        0:00 /apps/ace601/ace/prog/_mprosrv /apps/ace601/ace/data/sdserv -N TCP -S sdserv -p
     ace  5001     1  0 09:33:50 ?        0:01 /apps/ace601/ace/prog/_aceserver_fe
     ace  5036  4856  1 09:35:31 pts/3    0:00 ps -ef
     ace  4882     1  0 09:33:37 ?        0:00 /apps/ace601/ace/rdbms/bin/_mprshut /apps/ace601/ace/data/sdserv -C BIW
     ace  4957     1  0 09:33:45 ?        0:00 acesyncd -ReplicaID 0
     ace  5037  4856  0 09:35:31 pts/3    0:00 grep ace
As you can see, all processes are owned by the "ace" user. The only ACE related process which should run as root is the TACACS+ daemon (not shown here).
If you have any startup scripts in place that automatically start the ACE/Server, make sure they will su to the right user ID before starting the ACE/Server.
Please note that if you're running a replica with a user ID other than root, the primary server will not be able to sync the time on the replica. That means you'll have to maintain time accuracy on the replica by other means (like NTP). Please see the "ACE/Server Administrator's guide" for further details.

Legacy Article ID: a25410
