000028076 - SecurID agent 7.1 for Apache 2.2.X on RHEL 5 64 bit: unable to start apache after installing agent  'error while loading shared libraries: libaceclnt.so: cannot open shared object file: No such file or directory'

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000028076
Applies To: Red Hat 5 64 bit
Apache prepackaged module 2.2.3 ($APACHEHOME=/etc/httpd)
 
Issue: SecurID agent 7.1 for Apache 2.2.X on RHEL 5 64 bit: unable to start Apache after installing the agent, "error while loading shared libraries: libaceclnt.so: cannot open shared object file: No such file or directory"
After installing the agent against the prepackaged rpm version of Apache that comes with RHEL 5 (2.2.3), Apache will not start and the following errors appear in /etc/httpd/logs/error_log:
[Thu Jan 24 15:51:11 2013] [notice] caught SIGTERM, shutting down
rpc_server 18165 started by 18154
AceShutdown try to kill process 18165
acestatus: error while loading shared libraries: libaceclnt.so: cannot open shared object file: No such file or directory
rpc_server 20358 started by 20348
RSALogoffCookieService: error while loading shared libraries: libaceclnt.so: cannot open shared object file: No such file or directory
[Thu Jan 24 15:51:20 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
start child 20359

 
Cause: Prepackaged RPMs have historically been known to cause certain incompatibilities with the SecurID agent. The agent was qualified with Apache when compiled from source, not with the prepackaged modules that come with the RHEL 5 operating system.
Reference:
http://www.emc.com/security/rsa-securid/rsa-authentication-agents/apache-7-1.htm
"Apache versions mentioned here refer to distributions available on www.apache.org. Prepackaged Apache modules available from other sources or vendors can result in incorrect behavior or missing functionality in the RSA agent."
In this particular use case, $APACHEHOME is /etc/httpd, so the agent installs to /etc/httpd/rsawebagent.
The RSA web agent expects to find the lib and bin directories (and their contents) subordinate to $APACHEHOME, i.e. /etc/httpd/lib and /etc/httpd/bin respectively. With the precompiled rpm from RHEL, they are not. The httpd executable for the rpm version from Red Hat is in /usr/sbin, not /usr/local/apache (as it would be if --prefix=/usr/local/apache was used when Apache was compiled from source), and, as ldd /usr/sbin/httpd shows, it searches /lib64 and /usr/lib64, so it is unable to locate libaceclnt.so or execute calls to it.

 
Resolution: To ensure 100% compatibility, regardless of RSA Apache agent version, Apache needs to be compiled from source. The agent should then be applied to the compiled-from-source instance of Apache. The agent was not qualified on Apache 2.2.3, and there are known issues with using the prepackaged version (for example, new PIN mode may not work, throwing a 103 error when the prepackaged version is used instead of compiling from source).


In instances where you must use the Apache rpm that is bundled with Red Hat, the following workaround may be used after the agent is installed, noting that there may be other issues, as the agent was not qualified with the 2.2.3 rpm version from Red Hat:
Execute these commands as root:
Create a symbolic link to the libaceclnt.so in the /lib64 directory:
cd /lib64
ln -s /etc/httpd/rsawebagent/libaceclnt.so libaceclnt.so
To view the link:
ls -al libaceclnt.so
lrwxrwxrwx 1 root root 36 Jan 24 15:52 libaceclnt.so -> /etc/httpd/rsawebagent/libaceclnt.so
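The following is an added example, not part of the RSA article or RSA's tooling: a shell check for the unresolved-library condition described under Cause and for the workaround link above. The ldd output in SAMPLE_LDD is constructed, the function names are hypothetical, and the permission test on the link target is an added assumption about what a root-owned library reachable from /lib64 should satisfy.

```shell
#!/bin/sh
# Added example (not RSA's code). Paths come from the article; the ldd
# output in SAMPLE_LDD is constructed for illustration.

# Print the name of every shared library that ldd reports as "not found".
# Reads ldd output on stdin, e.g.  ldd /usr/sbin/httpd | missing_libs
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Check the workaround link: <libdir>/<name> must be a symlink that resolves
# to <target>, and the target must not be writable by group or other, since
# anything the loader finds in /lib64 runs inside every process that loads it.
# Returns 0 ok, 1 link missing, 2 dangling or wrong target, 3 unsafe perms.
check_lib_link() {
    link="$1/$2"; target="$3"
    [ -L "$link" ] || return 1
    [ -e "$link" ] || return 2
    [ "$(readlink "$link")" = "$target" ] || return 2
    # ls -L follows the link, so the mode string is the target's.
    case "$(ls -ldL -- "$link")" in
        ?????w*|????????w*) return 3 ;;
    esac
    return 0
}

# Constructed sample of ldd output for a binary that cannot find the library.
SAMPLE_LDD='    libaceclnt.so => not found
    libc.so.6 => /lib64/libc.so.6 (0x0000003f1a200000)
    /lib64/ld-linux-x86-64.so.2 (0x0000003f19e00000)'

demo() {
    printf 'unresolved in sample: %s\n' \
        "$(printf '%s\n' "$SAMPLE_LDD" | missing_libs)"
    status=0
    check_lib_link /lib64 libaceclnt.so \
        /etc/httpd/rsawebagent/libaceclnt.so || status=$?
    printf 'link check status on this host: %s\n' "$status"
}

demo
```

A status of 3 means the link is in place but the library it points to under /etc/httpd/rsawebagent can be modified by a non-root account.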
See: a51558
Legacy Article ID: a60577
