Layer7 Privileged Access Management

Expand all | Collapse all

cannot login to selang command line

Jump to Best Answer
  • 1.  cannot login to selang command line

    Posted 04-12-2018 01:28 PM

    Hi Gurus,

     

    I have this error when I login to selang

     

    [root@ts-lin-jenk-app-01 ~]# /opt/infosec/pim/bin/selang
    ERROR: Initialization failed, EXITING!
    (localhost)
    ERROR: Login procedure failed
    ERROR: You are not allowed to administer this site from terminal ts-lin-jenk-app-01.local
    [root@ts-lin-jenk-app-01 ~]#

     

    Any ideas?



  • 2.  Re: cannot login to selang command line
    Best Answer

    Posted 04-12-2018 02:50 PM

    Hi Sergio,

     

    Since this is happening to root, it sounds like you may have changed the hostname or domain of this server after installing PIM. When you first install some default terminal rules are created to allow access, but it does not pay attention to changes to hostname or domain. You should be able to get into selang using the local option when the PIM agent is down. You will need to login using the selang local instance, then change your terminal rules to allow access.

     

    Examples steps:

    Shut down PIM:

    # secons -S

     

    Enter local selang:

    # selang -l

     

    Search for the terminal rules:

    AC> SR TERMINAL *

     

    This will output a list of all terminal rules. Find the rules related to this terminal, exatly as noted in the error you see (ts-lin-jenk-app-01.local).

    Sample:

    Data for TERMINAL 'lutch01-rh7301.ca.com'
    -----------------------------------------------------------
    Defaccess : R
    ACLs :
    Accessor Access
    +devcalc (USER ) W
    +policyfetcher(USER ) W
    root (USER ) R, W
    Audit mode : Failure
    Owner : root (USER )
    Create time : 11-Apr-2018 11:51
    Update time : 11-Apr-2018 11:51
    Updated by : root (USER )

     

    If this doesn't exist you will need to create one, example:

    AC> NR TERMINAL ts-lin-jenk-app-01.local defacc(R) owner(root)

     

    Once this does exist, we can update its ACL to allow the user selang access:

    AC> authorize TERMINAL ts-lin-jenk-app-01.local uid(root) access(r w)

    Note: the user (uid) should already exist in selang, you can search users with: AC> su <uid>

     

    Exist selang and Start PIM services back up:

    # seload

     

    Confirm access by entering normal selang:

    # selang

     

    More info on TERMINAL class:

    https://docops.ca.com/ca-privileged-identity-management/12-8/en/reference/selang-reference-guide/classes-in-the-ac-environment/terminal-class

     

    Hope this helps,

    Christian Lutz

    Support Engineer

    CA Technologies - North America