11 Replies Latest reply: Jul 25, 2011 5:37 PM by keesor RSS

    Unable to start cacaoadm

    806294
      Hi,

      I am trying to setup DSEE7 on Fedora. I am struggling to start cacaoadm. I keep getting below error:

      #./cacaoadm start
      Invalid file permission: [opt/dsee7/ext/cacao_2/etc/opt/sun/cacao2/instances/default/security] [rwxr-xr-x.].
      Problem validating security keys.
      Please regenerate them with cacaoadm create-keys --force
      #

      I ran the above command which ran successfully. When I tried to start the service, igot the same error again. I had tried to manually change the permission on the password file but it did not help.

      Any inputs are appreciated!

      Thanks
      Akshay
        • 1. Re: Unable to start cacaoadm
          handat
          The permission on the files should be rw------
          • 2. Re: Unable to start cacaoadm
            806294
            Here are the file permissions in the security directory:

            $ ll /opt/dsee7/ext/cacao_2/etc/opt/sun/cacao2/instances/default/security
            total 16
            drwxr-xr-x. 2 ak ak 4096 Jun 9 23:19 jsse
            drwxr-xr-x. 5 ak ak 4096 Jun 9 23:19 nss
            -rw-------. 1 ak ak 198 Jun 9 23:19 password
            drwxr-xr-x. 2 ak ak 4096 Jun 9 23:18 snmp
            $

            Should there be a different permission? These are the default permissions after i did a fresh installation and followed all steps again. I also ran the create-keys command but the error persists:

            $ ./cacaoadm start
            Invalid file permission: [opt/dsee7/ext/cacao_2/etc/opt/sun/cacao2/instances/default/security] [rwxr-xr-x.].
            Problem validating security keys.
            Please regenerate them with cacaoadm create-keys --force
            $

            Thanks again
            • 3. Re: Unable to start cacaoadm
              806294
              Also, please note that i am starting the service as user "ak" which has ownership of complete installation.

              -Akshay
              • 4. Re: Unable to start cacaoadm
                Chebrard-Oracle
                Hi.

                The issue is due to the dot at the end of the access rights of the ls output.
                -rw-------. 1 ak ak 198 Jun 9 23:19 password

                cacaoadm is parsing the output of ls and this dot breaks the parsing.

                You may change the parsing of cacaoadm but it may not be sufficient. Fedora is not a supported platform for DSEE.

                Carole.
                • 5. Re: Unable to start cacaoadm
                  806294
                  DSEE experts.. please help! Am still stuck..

                  Thanks
                  • 6. Re: Unable to start cacaoadm
                    Chebrard-Oracle
                    Disabling SELinux should solve your issue.

                    Carole.
                    • 7. Re: Unable to start cacaoadm
                      806294
                      Thanks for the tip but the issue persists :( . I decided to try Ubuntu since this is for test purposes only. Ubuntu did not give me this problem.

                      Regards
                      • 8. Re: Unable to start cacaoadm
                        816523
                        I faced the same problem on Red Hat Enterprise Linux 6.

                        As chebrard wrote on Jun 10, 2011, 12:55 AM, the root source of problem is checking the permission rights of cacao related files. While RHEL 6 has SELinux extension turned on by default, it adds specific permission related stuff to every file on filesystem. User can see this modification to standard POSIX permission rights as dot "." at the end of permission rights string.

                        The hack I used was (also suggested in chebrard's post) modification of parsing permission rights by cacaoadm. It happened by modifying configuration file <ODSEE installation dir>/dsee7/ext/cacao_2/cacao2/private/lib/scripts/global.cfg
                        # diff globals.cfg globals.cfg.orig
                        169c169
                        < CACAO_SECURITY_DIR_RIGTH="rwxr-xr-x."
                        ---
                        -> CACAO_SECURITY_DIR_RIGTH="rwxr-xr-x"
                        176c176
                        < CACAO_PROTECTED_RT_TMP_MOD_STR="rw-------."
                        ---
                        -> CACAO_PROTECTED_RT_TMP_MOD_STR="rw-------"
                        183c183
                        < CACAO_PASSWD_FILE_MOD_STR="rw-------."
                        ---
                        -> CACAO_PASSWD_FILE_MOD_STR="rw-------"
                        186c186
                        < CACAO_SECURITY_SNMP_FILE_MOD_STR="rw-------."
                        ---
                        -> CACAO_SECURITY_SNMP_FILE_MOD_STR="rw-------"
                        I know, kind a lame approach, but sufficient for starting cacaoadm.
                        • 9. Re: Unable to start cacaoadm
                          816523
                          Here is another way how to cope with the problem.
                          This approach is based on disabling SELinux and removing SELinux security context from files checked by cacaoadm script.
                          In this case, no modifications in cacao configuration file is required.

                          1. disable SELinux and reboot system
                          # vi /etc/selinux/config
                          SELINUX=disabled
                          # reboot
                          2. remove security context from files and directories (probably whole directory tree under <ODSEE installation directory>/ext/cacao_2/etc/opt/sun/ )
                          Example
                          # ls -l password
                          -rw-------. 1 root root 198 Jul 11 13:43 password
                          # setfattr -x security.selinux <ODSEE installation directory>/ext/cacao_2/etc/opt/sun/cacao2/instances/default/security/password
                          # ls -l password
                          -rw------- 1 root root 198 Jul 11 13:43 password
                          Note: SELinux must be disabled.
                          • 10. Re: Unable to start cacaoadm
                            816523
                            The last post, I promise.

                            If we need to keep SELinux enabled, we must modify some cacao files. Modification of configuration file is specified in my post above. There we must modify 4 lines.
                            If we are lazy and prefer more "system" approach, it is possible to get expected functionality by only one modification in file <ODSEE installation directory>/ext/cacao_2/cacao2/private/lib/scripts/utils :
                            # diff utils utils.orig
                            819c819
                            < ${LS} -ld $1 2>/dev/null | ${AWK} '{print substr($1,2,9)}'
                            ---
                            .> ${LS} -ld $1 2>/dev/null | ${AWK} '{print substr($1,2)}'
                            Note: Do not forget to reapply modification, if patching cacao in the future.
                            • 11. Re: Unable to start cacaoadm
                              keesor
                              I believe I ran into the same issue on Solaris. I had Oracle Support submit a bug on this, because the link for cacaoadm is wrong, and the permissions on the dsee7/ext/cacao_2/usr/lib/cacao/lib/tools/scripts/ directory are wrong.

                              The bug is:

                              Bug 12752317: ODSEE 11.1.1.3 CACOA LINKS, PERMISSIONS AND SMF INSTALL ISSUE

                              Here is what I have done to work through the issues on a Solaris server with DSEE7 installed in /opt:

                              To fix the cacao link:
                              mv /opt/dsee7/bin/cacaoadm /opt/dsee7/bin/cacaoadm.old

                              ln -s ../ext/cacao_2/usr/lib/cacao/bin/cacaoadm /opt/dsee7/bin/cacaoadm

                              chmod 755 /opt/dsee7/ext/cacao_2/usr/lib/cacao/bin/cacaoadm

                              To fix the permissions issues in the /opt/dsee7/ext/cacao_2/usr/lib/cacao/lib/tools/scripts/ directory:

                              chmod -R 755 /opt/dsee7/ext/cacao_2/usr/lib/cacao/lib/tools/scripts/

                              Hope this helps!