Layer 7 Access Management


SSO systemctl service files

  • 1.  SSO systemctl service files

    Posted 02-28-2018 08:26 PM

    I'm not sure how many customers have been struggling with getting the SSO components integrated with the RedHat 7 systemctl service.  I finally got the WAM UI working so I wanted to post some working examples of service files for the SSO components.

    Disclaimer - These service files are field tested in a clean lab environment.  Mileage may vary depending on your system configuration.  I don't know how much I can help debug your issues, but if you post here, perhaps the rest of the community can help.  If anyone has additions to improve these service files, please share.

    SSO Policy Server

    [Unit]
    Description=CA SSO Policy Server
    # Requires= pulls the network target in but does not order against it;
    # After= is what makes the policy server wait for the network to be up
    Requires=network.target
    After=network.target

    [Service]
    Type=forking
    TimeoutSec=360
    User=${USER}
    ExecStart=${APP_DIR}/start-all
    ExecStop=${APP_DIR}/stop-all
    Restart=on-abort
    # exit status 1 from the start/stop scripts is also treated as a clean exit
    SuccessExitStatus=0 1

    [Install]
    WantedBy=multi-user.target

    ********************************************************************8

    SSO WAM UI

    [Unit]
    Description=CA SSO WAM UI
    After=network.target

    [Service]
    # standalone.sh stays in the foreground, so no PIDFile= is needed
    Type=idle
    # JAVA_HOME is the runtime shipped under the adminui install directory
    Environment=JAVA_HOME=${APP_DIR}/siteminder/adminui/runtime
    Environment=JBOSS_HOME=${APP_DIR}/siteminder/adminui
    Environment="JAVA_OPTS=-Xms1024m -Xmx1024m -XX:MaxPermSize=768m"
    Environment=JBOSS_LOG_DIR=${APP_DIR}/siteminder/adminui/standalone/log
    WorkingDirectory=${APP_DIR}/siteminder/adminui/bin
    ExecStart=${APP_DIR}/siteminder/adminui/bin/standalone.sh
    ExecStop=${APP_DIR}/siteminder/adminui/bin/standalone.sh stop
    User=${USER}
    Group=${GROUP}
    TimeoutStartSec=600
    TimeoutStopSec=600

    [Install]
    WantedBy=multi-user.target

    ***********************************************************

    Access Gateway

    [Unit]
    Description=CA Access Gateway
    After=syslog.target network.target

    [Service]
    # sps-ctl backgrounds the embedded Tomcat, hence Type=forking;
    # CATALINA_PID is where that Tomcat writes its PID file
    Type=forking
    Environment=JAVA_HOME=${JAVA_ROOT}/jre
    Environment=CATALINA_PID=${APP_DIR}/proxy-engine/tmp/sps.pid
    Environment=CATALINA_HOME=${APP_DIR}/Tomcat
    Environment=CATALINA_BASE=${APP_DIR}/Tomcat
    Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
    # the egd setting keeps the JVM from blocking on /dev/random entropy at startup
    Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
    ExecStart=${APP_DIR}/proxy-engine/sps-ctl start
    ExecStop=${APP_DIR}/proxy-engine/sps-ctl stop
    User=${USER}
    Group=${GROUP}
    UMask=0007
    # raised from 10 to 60 after agent initialisation failures on reboot (replies 8 and 9)
    RestartSec=60
    Restart=always

    [Install]
    WantedBy=multi-user.target

    *********************************************************

    ASF Apache

    [Unit]
    Description=The Apache HTTP Server
    After=network.target

    [Service]
    Type=forking
    EnvironmentFile=${APP_DIR}/bin/envvars
    PIDFile=${APP_DIR}/logs/httpd.pid
    ExecStart=${APP_DIR}/bin/apachectl start
    ExecReload=${APP_DIR}/bin/apachectl graceful
    ExecStop=${APP_DIR}/bin/apachectl stop
    # SIGCONT is a no-op for httpd: it stops systemd from sending SIGTERM right after
    # ExecStop, so the graceful stop gets TimeoutStopSec to finish before SIGKILL
    KillSignal=SIGCONT
    PrivateTmp=true

    [Install]
    WantedBy=multi-user.target

    ********************************************************

    JBoss

    [Unit]
    Description=JBoss
    After=syslog.target network.target

    [Service]
    Type=idle
    Environment=JAVA_HOME=${JAVA_ROOT}
    Environment=JBOSS_HOME=${APP_DIR}/${JBOSS_VER_DIR}
    Environment=JAVA=${JAVA_ROOT}/java/bin/java
    Environment=JBOSS_LOG_DIR=${APP_DIR}/${JBOSS_VER_DIR}/logs
    # systemd keeps only the last Environment= assignment of a given variable, so the
    # heap and headless/egd options are combined into one JAVA_OPTS line (as two
    # separate JAVA_OPTS lines, the second silently discarded the heap settings)
    Environment='JAVA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC -Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
    ExecStart=${APP_DIR}/${JBOSS_VER_DIR}/bin/standalone.sh
    ExecStop=${APP_DIR}/${JBOSS_VER_DIR}/bin/standalone.sh stop
    User=${USER}
    Group=${GROUP}
    TimeoutStartSec=600
    TimeoutStopSec=600

    [Install]
    WantedBy=multi-user.target

    **********************************************************

    Tomcat

    [Unit]
    Description=Apache Tomcat
    After=syslog.target network.target

    [Service]
    Type=forking
    Environment=JAVA_HOME=${JAVA_ROOT}/jre
    # startup.sh writes the PID here and shutdown.sh removes it on a clean stop
    Environment=CATALINA_PID=${APP_DIR}/temp/tomcat.pid
    Environment=CATALINA_HOME=${APP_DIR}
    Environment=CATALINA_BASE=${APP_DIR}
    Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
    Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
    ExecStart=${APP_DIR}/bin/startup.sh
    # shutdown.sh rather than kill -15 $MAINPID, so a stale PID file cannot block the next start
    ExecStop=${APP_DIR}/bin/shutdown.sh
    User=${USER}
    Group=${GROUP}
    UMask=0007
    RestartSec=10
    Restart=always

    [Install]
    WantedBy=multi-user.target



  • 2.  Re: SSO systemctl service files

    Posted 03-01-2018 11:38 AM

    Helpful. Thank you!



  • 3.  Re: SSO systemctl service files

    Posted 03-02-2018 09:26 AM

    Are the ${ENVIRONMENT_VARIABLES} placeholders for where site-specific values should be substituted, or is there a standard config file where these variables could or should be defined?  I hope it's the latter because that would make the wamui.service file more portable.



  • 4.  Re: SSO systemctl service files

    Posted 03-02-2018 10:00 AM

    Those are all for site-specific values.  I don't know of any way to do what you are suggesting with the service files.



  • 5.  Re: SSO systemctl service files

    Posted 03-02-2018 10:36 AM

    Found this, but the view doesn't seem worth the climb:

    execute arbitrary bash code/variable substitution in systemd units · GitHub



  • 6.  Re: SSO systemctl service files

    Posted 04-02-2018 02:13 PM

    Dave, I had an experience where Tomcat failed to come up on system reboot.  I tracked it down to this element of the tomcat.service file:

    ExecStop=/bin/kill -15 $MAINPID

    The above command does not delete the PID file.  As a result, if the PID from the prior boot is in use by some other process by the time Tomcat is started by systemd, the service will fail to start.  I recommend this value for ExecStop since it deletes the PID file on graceful shutdown:

    ExecStop=${APP_DIR}/bin/shutdown.sh

    The above command also behaves more predictably if it's necessary to restart the Tomcat service without rebooting, since it's difficult to predict if/when another process will get created with the PID of the former Tomcat process before Tomcat is started again.
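
    The stale PID file problem described in the reply above, illustrated with an added pre-start check (this is not code from the thread or from CA): it removes the PID file when the recorded PID is dead or now belongs to an unrelated process, and refuses to start when a real Tomcat still owns it. It assumes Linux /proc and that the Tomcat command line contains "catalina"; the script path and the tomcat.service name in the comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: guard against a stale Tomcat PID file.
# Usage: clean_stale_pidfile <pidfile> <expected-substring-of-cmdline>
# Exit 0 = safe to start (no file, or a stale file was removed);
#      1 = a live process matching the expected command still owns the PID.
# Assumes Linux /proc (hypothetical helper; adapt paths and names to your site).
clean_stale_pidfile() {
    pidfile="$1"
    expect="$2"
    [ -f "$pidfile" ] || return 0
    pid=$(tr -cd '0-9' < "$pidfile")
    if [ -z "$pid" ]; then
        echo "removing empty or corrupt $pidfile" >&2
        rm -f "$pidfile"
        return 0
    fi
    # /proc/<pid> is checked instead of kill -0 so that a PID owned by another
    # user is not mistaken for a dead one
    if [ ! -d "/proc/$pid" ]; then
        echo "removing stale $pidfile (pid $pid is not running)" >&2
        rm -f "$pidfile"
        return 0
    fi
    # The PID is alive: is it really our service, or has the number been reused?
    cmdline=$(tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    case "$cmdline" in
        *"$expect"*)
            echo "pid $pid is a live $expect process; refusing to start a second one" >&2
            return 1 ;;
        *)
            echo "removing $pidfile: pid $pid was reused by an unrelated process" >&2
            rm -f "$pidfile"
            return 0 ;;
    esac
}

# Stand-alone use. Under systemd this becomes a pre-start step in tomcat.service, e.g.
#   ExecStartPre=/usr/local/sbin/clean_stale_pidfile.sh ${APP_DIR}/temp/tomcat.pid catalina
# A non-zero exit from ExecStartPre= aborts the start, which is the right outcome
# when a real Tomcat is still running.
if [ "$#" -eq 2 ]; then
    clean_stale_pidfile "$1" "$2"
fi
```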



  • 7.  Re: SSO systemctl service files

    Posted 04-02-2018 03:44 PM

    Thanks.  The main post has been updated with the corrected service file template. 



  • 8.  Re: SSO systemctl service files

    Posted 09-17-2018 08:13 PM

    Dave, I tried the autostart script for Access Gateway on my lab 12.6 SP1. The service started fine upon reboot, but there are failures loading the ACO, and Federation URLs are returning errors.

    Affwebservices Log:

    [3695/140300638275328][Mon Sep 17 2018 19:06:30][agentcommon][INFO][sm-FedClient-00010] sm-FedClient-00010 (SM_WSB_00004 - The SiteMinder Agent is initializing ..)
    [3695/140300638275328][Mon Sep 17 2018 19:06:30][agentcommon][INFO][sm-FedClient-00010] sm-FedClient-00010 (SM_WSB_00005 - SiteMinder Product Details: PRODUCT_UPDATE=0200 , PRODUCT_NAME=Federation Web Services, PRODUCT_LABEL=2518, PRODUCT_VERSION=12.6.)
    [3695/140300638275328][Mon Sep 17 2018 19:06:30][agentcommon][INFO][sm-FedClient-00010] sm-FedClient-00010 (SM_WSB_00008 - Administration Manager is trying to create configuration for the SiteMinder Agent)
    [3695/140300638275328][Mon Sep 17 2018 19:06:30][agentcommon][INFO][sm-FedClient-00010] sm-FedClient-00010 (SM_WSB_00056 - Creating agent connection using file : /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/WebAgent.conf)
    [3695/140300638275328][Mon Sep 17 2018 19:06:30][FWSAdministrationManager.java][ERROR][sm-FedClient-00050] sm-FedClient-00050 (Failed to create agent configuration for : /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/WebAgent.conf)
    [3695/140300638275328][Mon Sep 17 2018 19:06:30][FWSAdministrationManager.java][ERROR][sm-FedClient-00060] sm-FedClient-00060 ()
    [3695/140300638275328][Mon Sep 17 2018 19:06:30][ManageNameIDService.java][INFO][sm-FedClient-01520] sm-FedClient-01520 (NameID Management)

    Server.log:

    [17/Sep/2018:19:06:30-850] [INFO] - Successfully loaded SPS60Agent library
    [17/Sep/2018:19:06:30-869] [INFO] - Initialize: [Agent Configuration = /opt/CA/secure-proxy/proxy-engine/conf/defaultagent/WebAgent.conf][Single Process Mode = true][retcode = -1][Initialized = false]
    [17/Sep/2018:19:06:30-869] [FATAL] - [ERROR] Agent for virtual host : default did not initialized properly
    [17/Sep/2018:19:06:30-870] [INFO] - Initialize: [Agent Configuration = /opt/CA/secure-proxy/proxy-engine/conf/webservicesagent/WebAgent.conf][Single Process Mode = true][retcode = -1][Initialized = false]
    [17/Sep/2018:19:06:30-870] [FATAL] - [ERROR] Agent for virtual host : WebServicesAgentVirtualHost did not initialized properly



  • 9.  Re: SSO systemctl service files

    Posted 09-19-2018 10:46 AM

    I increased the RestartSec interval from 10 to 60 in the script and tested the same, Access Gateway process started cleanly with no errors.



  • 10.  Re: SSO systemctl service files

    Posted 09-19-2018 11:18 AM

    Thanks for the info.  I updated the script in the main posting to reflect the new value.



  • 11.  Re: SSO systemctl service files

    Posted 12-12-2018 04:08 PM

    David,

    As you know, I have been having trouble with the sps.service starting on a RHEL7 VM in the LOD, installed using the SSO (SM) Installation Toolkit. I just tested again using version 3.3.6 (install_toolkit-3.36.tar, updated with a change to the check_entropy() function). Following the discussion on this thread and related threads, and searching on Google, I tried one change recommended: moving the #!/bin/sh line in the sps-ctl script (/loddisk2/CA/secure-proxy/proxy-engine/sps-ctl) to the first line in the file. That actually worked, to my surprise, because I would have thought that had been updated in the SSO 12.8.0 Access Gateway (GA build). It seems the issue was in the product-supplied script and not in any systemd configuration provided in the Installation Toolkit and in this thread.

    Thanks for the help.



  • 12.  Re: SSO systemctl service files

    Posted 04-07-2019 11:00 AM

    In Red Hat 7, you want to add the following line to the policy server service file:

    LimitNOFILE=8192

    Otherwise, the policy server will start without the right amount of available file descriptors.



  • 13.  Re: SSO systemctl service files

    Posted 04-07-2019 11:02 AM

    I should add that the "right amount" depends on each environment. But the default value (1024) that applies if the LimitNOFILE line is not added is not sufficient.
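
    An added check (not from the thread or from CA) to confirm that the LimitNOFILE= value in the unit actually reached the running policy server: it reads the process's effective soft limit from /proc/<pid>/limits and counts its open descriptors, warning when more than 80% of the limit is in use. It assumes Linux /proc; the unit name in the usage comment is a placeholder, and settings in /etc/security/limits.conf do not apply to systemd services, which is why the process's own limit is the thing to verify.

```shell
#!/bin/sh
# Added example, not from the thread: report the open-file limit a running
# process actually has and how much of it is consumed. Assumes Linux /proc.
# Usage: fd_headroom <pid>
# Exit 0 = under 80% of the soft limit, 1 = above 80%, 2 = pid not found
fd_headroom() {
    pid="$1"
    if [ ! -r "/proc/$pid/limits" ]; then
        echo "no such process: $pid" >&2
        return 2
    fi
    # Line format: "Max open files <soft> <hard> files"; column 4 is the soft
    # limit, which is the one that applies to the process
    soft=$(awk '/^Max open files/ { print $4 }' "/proc/$pid/limits")
    used=$(ls "/proc/$pid/fd" 2>/dev/null | wc -l | tr -d ' ')
    echo "pid=$pid open_files=$used soft_limit=$soft"
    [ "$soft" = "unlimited" ] && return 0
    # warn when more than 80% of the limit is already consumed
    if [ "$used" -gt $((soft * 8 / 10)) ]; then
        echo "warning: pid $pid is using $used of $soft file descriptors" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: pass the service's main PID (unit name is a placeholder), e.g.
#   fd_headroom "$(systemctl show -p MainPID policyserver.service | cut -d= -f2)"
if [ "$#" -eq 1 ]; then
    fd_headroom "$1"
fi
```

    A soft limit of 1024 reported here for the policy server means the LimitNOFILE= line was not picked up (check that the unit was reloaded with systemctl daemon-reload before the restart).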