App Server only starts as root

Specs: RHEL 5.5 OE 10.1CSP4

I am having an issue starting an app server as anything but root.
I get the following in the admin server log:
[7/16/12 6:07:46 AM] [0] [AdminServer] * UBRemoteObject.startSvcProcess() failure: Cannot start AppServer process: " + UBroker.AS.rtb_AS - NULL (8162)
[7/16/12 6:07:51 AM] [3] [AdminServer] SvcControlCmd.connectToService() failure: Unable to connect to the service process at rmi://TRO1AP00008LNX:20931/rtb_AS(after 2 retries) (8171)
[7/16/12 6:07:55 AM] [3] [AdminServer] SvcControlCmd.connectToService() failure: Unable to connect to the service process at rmi://TRO1AP00008LNX:20931/rtb_AS(after 2 retries) (8171)

The owner is the owner of all directories up to the log file directory. I am not seeing a log file at all. Any ideas?


Thanks!
David Langschied
 
It has been some time since this install was performed. How can I determine today whether "yes" was chosen? Is it in the ubroker.properties file?
 

Stefan

Well-Known Member
Also, if it is not chosen to begin with then does that mean you cannot use authorization?

No, see ProKB.

Option To Require Authorization On the Command Line
If the administrator accepts the default installation and does not choose to use authorization, authorization can optionally be selected when starting up the AdminServer.
 

Stefan

Well-Known Member
It has been some time since this install was performed. How can I determine today whether "yes" was chosen? Is it in the ubroker.properties file?

Not sure, I do see entries in the admserv.log (the following is with group checking off):

[7/6/12 6:00:48 PM] [3] [Security] Stefan:N:No Group Checking: User is authenticated and authorized (9898)
 

RealHeavyDude

Well-Known Member
To be honest I am still trying to find out myself in which configuration file this setting is stored. As far as I can tell it can't be found in the ubroker.properties ...

As soon as I have found it I will let you know.

Heavy Regards, RealHeavyDude.
 
Sigh! I started Admin Server to require user name and added the username= and password= (from genuserpassword) to NS1 and my_AS and now the name server won't launch. I tried launching as the user that I authorized to do so and "No Dice". Now I am completely hosed. Good thing I tried this on a server that does not use app server for anything!
 

Stefan

Well-Known Member
Sigh! I started Admin Server to require user name and added the username= and password= (from genuserpassword) to NS1 and my_AS and now the name server won't launch. I tried launching as the user that I authorized to do so and "No Dice". Now I am completely hosed. Good thing I tried this on a server that does not use app server for anything!

Back to your original issue (cannot start AppServer as a non-root user). Looks a bit like ProKB - are you using environment variables / paths etc that only the root user can access?

The owner is the owner of all directories up to the log file directory.


What does that mean? The meaning depends on how you have organized your directory structure. Where is your Progress installation located? Where is your AppServer working directory located? Where is java located?

Since you can / could start the AppServer as the root user it could be a lack of rights on any of the above.
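
The rights check suggested in the reply above, as an added example that is not part of the original thread: it walks every directory from `/` down to a target (log directory, AppServer working directory, Progress or Java install) and reports where a given account lacks search or write permission. It assumes classic Unix mode bits only (POSIX ACLs and SELinux are ignored); the function names are hypothetical.

```python
import os
import stat

def _allowed(st, uid, gids, want):
    """Classic Unix mode-bit check (POSIX ACLs and SELinux are ignored)."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7      # owner class
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7      # group class
    else:
        bits = st.st_mode & 7             # other class
    return bits & want == want

def blocked_components(path, uid, gids, need_write=True):
    """Return (directory, problem) pairs that stop uid/gids from using path."""
    path = os.path.realpath(path)
    parts, cur = [], path
    while True:                           # collect path, its parent, ... up to /
        parts.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    problems = []
    for d in reversed(parts):             # report from / downwards
        st = os.stat(d)
        if stat.S_ISDIR(st.st_mode) and not _allowed(st, uid, gids, 1):
            problems.append((d, "no search (x) permission"))
    if need_write and not _allowed(os.stat(path), uid, gids, 2):
        problems.append((path, "no write (w) permission"))
    return problems

if __name__ == "__main__":
    import pwd, sys
    # Usage: script.py <account> <directory>
    # pwd/getgrouplist go through NSS, so LDAP-backed accounts resolve too.
    pw = pwd.getpwnam(sys.argv[1])
    groups = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for d, why in blocked_components(sys.argv[2], pw.pw_uid, groups):
        print(f"{d}: {why}")
```

Run it as root (so every directory can be inspected) once per directory the broker needs; an empty result means mode bits are not what is blocking that account.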
 
Okay...
I can run the admin server as the user, launch name server as the user, launch the app server as the user (all from Linux login) and it all works. What I cannot do is launch the admin server and name server as root and launch the app server as the user.

The crux of my whole issue is that I am compiling code using the app server. I need the .r to be owned by the user that launches the appserver (not root). However, I can only launch Progress Explorer Tool as root, which in turn launches all of the brokers as root. I suppose that I could simply ensure that all is launched from the server at the command line, but I do not like this outcome.

I know there are people who are doing this, so I tried to add the username and password as indicated in the above mentioned article, but it seems not to work.

Regards,
David
 
Okay now I am starting to get mad!

Whatever I start proadsv as, that is the user that launches my app server. I have tried to add an owner to the launch and it does not matter.
If I try to add a user/password to my_AS, it is "not responding" (12076). If I leave the password blank, then I get "Unable to Start", but it still starts as "root", the user who started the Admin Server.

I do have one thing that may be mucking up the works, but I am unsure if it is a factor. The user is coming from LDAP and is not a user on the system, per se. Does this mean anything to anybody? Throw me a bone, please!
 
A little further. I went to linux and started the admin server as root -admingroup mygrp -requireusername. Now I get user not authorized. This leads me to believe that my suspicions are correct. To that, how does the Admin Server authenticate? Against the /etc/passwd file? If that is the case, I have a problem. The user does not exist there. If someone knows LDAP and can shed some light, I would appreciate it.
 

RealHeavyDude

Well-Known Member
The default is that all processes started via the Admin Server are running under the account under which the Admin Server is running. Full Stop. That's the way it always has been. But, in the Progress Explorer, for each service, if you expand the broker section in the settings, you will find the "owner section" ( my OpenEdge installation is running in German ... ) where you can define the owner account individually. Nevertheless, you need to be aware that, if you enabled group checking, these credentials must belong to the groups that you defined to be allowed to access the Admin Server.

That's why we have introduced a technical account on our Solaris box that can't log into the machine interactively but has root privileges under which everything that is related to Progress runs. That means the databases and AppServers, WebSpeed Brokers, Name Server, Admin Server and all local batch processes are running under that account and all directories which they need access to are owned by that account.

I would never have anything running directly under root on *nix as well as I would not under LocalSystem on any Windoze ...

Heavy Regards, RealHeavyDude.
 
This is good info! I agree wholeheartedly with not running things as root. I was told by the developer of the app that I am using that I need to launch Admin Server as root in order to use Progress Explorer Tool. I was okay with that, but did not want to start my app server as root. I did try to create an owner to login and the admin group, but it did not seem to want to take my password. I found that my compiled code had root as the owner and that was no good. This has been a journey and a half to say the least. When I try to start, I get nothing from Progress Explorer, so I have been trying to start on the server from the command line. I am getting authentication errors. All my users are on LDAP and so they are not in /etc/passwd, nor is the admingroup in /etc/group. I would like to know if it is possible to use these account types or will I have to create accounts on the server directly.

Thanks for your help!
 

RealHeavyDude

Well-Known Member
Unfortunately - AFAIK - the whole Admin Server framework is not flexible enough to handle LDAP passwords. And, we don't allow anybody to connect with the Progress exploder to our Admin Services on the production boxes. Only in the test environment 1 where each developer is granted a user account on the box, we do allow that. On that development box the technical account under which all Progress related stuff is running is also an interactive user and that we use to connect with the Progress exploder ...

Heavy Regards, RealHeavyDude.
 