RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Web for Apache
RSA Version/Condition: 7.1
Platform: Red Hat
O/S Version: 5
After installing the agent against the prepackaged rpm version of Apache that comes with RHEL 5 (64-bit), that is, 2.2.3, Apache will not start and the following errors are seen:
Unable to start apache after installing agent, "error while loading shared libraries: libaceclnt.so: cannot open shared object file: No such file or directory"
The following errors appear in the /etc/httpd/logs/error_log:
[Thu Jan 24 15:51:11 2013] [notice] caught SIGTERM, shutting down
rpc_server 18165 started by 18154
AceShutdown try to kill process 18165
acestatus: error while loading shared libraries: libaceclnt.so: cannot open shared object file: No such file or directory
rpc_server 20358 started by 20348
RSALogoffCookieService: error while loading shared libraries: libaceclnt.so: cannot open shared object file: No such file or directory
[Thu Jan 24 15:51:20 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
start child 20359
Prepackaged RPMs have historically been known to cause certain incompatibilities with the Authentication Agent for Web for Apache. The agent was qualified with Apache when compiled from source, not with the prepackaged modules that come with the RHEL 5 operating system.
As documented by RSA:
Apache versions refer to distributions available on www.apache.org. Prepackaged Apache modules available from other sources or vendors can result in incorrect behavior or missing functionality in the RSA agent.
In this particular use case, the $APACHEHOME is /etc/httpd; therefore when installing the agent, the agent will install to /etc/httpd/rsawebagent.
The Authentication Agent for Web for Apache expects to find the lib and bin directories (and their contents) subordinate to $APACHEHOME; i.e., /etc/httpd/lib and /etc/httpd/bin respectively. With the precompiled rpm from Red Hat, they are not. The httpd executable for the rpm version from Red Hat is in /usr/sbin, not under /usr/local/apache (as it would be if --prefix=/usr/local/apache was used when Apache was compiled from source). As ldd /usr/sbin/httpd shows, it searches /lib64 and /usr/lib64, and is therefore unable to locate or execute calls to libaceclnt.so.
To ensure 100% compatibility, regardless of Authentication Agent for Web for Apache version, Apache needs to be compiled from source. The agent should then be applied to the compiled-from-source instance of Apache. The agent was not qualified on Apache 2.2.3, and there are known issues with using the prepackaged version (for example, New PIN Mode may not work, throwing a 103 error when the prepackaged version is used, as compared to working correctly when compiling from source).
In instances where you must use the Apache rpm that is bundled with Red Hat, the following workaround may be used after the agent is installed. Note that there may be other issues, as the agent was not qualified with the 2.2.3 rpm version from Red Hat:
As root, create a symbolic link to the libaceclnt.so in the /lib64 directory:
cd /lib64
ln -s /etc/httpd/rsawebagent/libaceclnt.so libaceclnt.so
To view the link:
ls -al libaceclnt.so
lrwxrwxrwx 1 root root 36 Jan 24 15:52 libaceclnt.so -> /etc/httpd/rsawebagent/libaceclnt.so
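A check for the link created by the workaround, as an added example that is not part of the original RSA article: because /lib64 is a trusted loader path, it confirms that the link resolves and that the library and its directory are owned by root and not writable by group or others. The function name check_lib_link and its optional UID argument are assumptions made for illustration, and GNU readlink and stat (as shipped with RHEL) are assumed.

```shell
#!/bin/sh
# Added example (not RSA's code). Assumes GNU coreutils: readlink -f, stat -c.
# check_lib_link LINK [EXPECTED_UID]   (hypothetical helper name)
#   Returns 0 if LINK is a symlink to an existing regular file and both that
#   file and its directory are owned by EXPECTED_UID (default 0, root) and
#   are not writable by group or others. Prints a reason and returns 1 otherwise.
check_lib_link() {
    link=$1
    want_uid=${2:-0}

    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symbolic link"; return 1
    fi
    # -e follows the link, so a dangling link is caught here
    if [ ! -e "$link" ]; then
        echo "FAIL: $link is dangling (target missing)"; return 1
    fi
    target=$(readlink -f "$link")
    if [ ! -f "$target" ]; then
        echo "FAIL: $target is not a regular file"; return 1
    fi

    # Anyone who can replace the file or rename it within its directory
    # controls what the web server loads, so check both.
    for path in "$target" "$(dirname "$target")"; do
        uid=$(stat -c '%u' "$path")
        mode=$(stat -c '%a' "$path")
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL: $path is owned by uid $uid, expected $want_uid"; return 1
        fi
        # Last two octal digits are group and other; bit value 2 is write
        group=$(( $mode / 10 % 10 ))
        other=$(( $mode % 10 ))
        if [ $(( $group & 2 )) -ne 0 ] || [ $(( $other & 2 )) -ne 0 ]; then
            echo "FAIL: $path (mode $mode) is writable by group or others"; return 1
        fi
    done
    echo "OK: $link -> $target"
}
```

After creating the link, call it as root with: check_lib_link /lib64/libaceclnt.so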
See: 000016606 - RH Apache Web Agent - error '103: Response to new PIN Request took too long' exception in new pin mode