Layer 7 Access Management

Tech Tip : CA Single Sign-On : Policy server can't connect locally on ports 44441-44444


    Posted 05-07-2019 02:51 AM

    Issue:

    We're running a Policy Server, and when we try to reach its ports 44441
    to 44444 with telnet from a Web Agent machine, we get the error
    "Connection refused". Could you help us make the ports available?

    Environment:

    Policy Server 12.8 on Red Hat 7.

    Cause:

    On the Policy Server machine:

    - Temporarily disable SELinux:

    # setenforce 0

    How can I Disable SELinux in CentOS 7/6 and Fedora 18-24
    https://www.tecmint.com/disable-selinux-temporarily-permanently-in-centos-rhel-fedora/

    - Temporarily disable the firewall:

    # iptables -F

    - Verify that SELinux is disabled. Run the command

    # getenforce

    It should give:

    disabled

    Then run the command

    # iptables -L

    It should give:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Start the Policy Server and try to reach the Policy Server ports.
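    The telnet test above can be scripted so that all four ports are checked in
    one pass and the outcomes are told apart. The following Python script is an
    added example, not part of this Tech Tip and not CA product code: it probes
    each port in the 44441-44444 range from the Web Agent machine and separates
    "open" (handshake completed), "refused" (the peer answered with a reset,
    which is what telnet reports as "Connection refused" and what an iptables
    REJECT rule or an absent listener produces) and "timeout" (no answer at all,
    typical of a DROP rule or a routing problem). The host name, the function
    names and the local listener used for demonstration are this example's own
    assumptions.

```python
import socket
import sys
from contextlib import closing

# Policy Server port range from the Tech Tip (44441-44444, inclusive)
POLICY_SERVER_PORTS = range(44441, 44445)


def probe_tcp_port(host, port, timeout=2.0):
    """Attempt one TCP connect and classify the result.

    Returns one of:
      "open"    - three-way handshake completed: a listener exists and no
                  firewall rule blocks the path
      "refused" - peer sent RST / ICMP port-unreachable: nothing listening
                  on that port, or an iptables REJECT rule (this is the
                  telnet "Connection refused" symptom from the Tech Tip)
      "timeout" - no reply within `timeout` seconds: typical of an
                  iptables DROP rule, a network firewall or a routing issue
      "error"   - any other socket error (e.g. name resolution failure)
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:      # must precede OSError (subclass)
            return "refused"
        except socket.timeout:
            return "timeout"
        except OSError:
            return "error"


def probe_policy_server(host, ports=POLICY_SERVER_PORTS, timeout=2.0):
    """Probe every port in `ports` and return a {port: status} mapping."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def start_local_listener(port=0):
    """Open a listening socket on 127.0.0.1 (demonstration helper).

    port=0 asks the OS for any free port. Returns (socket, bound_port);
    the caller closes the socket when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def find_free_port():
    """Return a loopback TCP port that currently has no listener."""
    srv, port = start_local_listener(0)
    srv.close()
    return port


if __name__ == "__main__":
    # Usage: python probe_ports.py <policy-server-host>
    # Run from the Web Agent machine to reproduce the telnet test.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p, status in probe_policy_server(target).items():
        print(f"{target}:{p} -> {status}")
```

    Reading the result before touching anything narrows the cause: "refused" on
    all four ports while the Policy Server process is running points at an
    iptables REJECT rule (or SELinux preventing the bind, which the Policy
    Server log will show), whereas "timeout" points at a DROP rule or at a
    firewall between the two machines that `iptables -F` on the Policy Server
    will not change.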

    Resolution:

    Modifying the iptables (firewall) rules and applying the SELinux
    configuration as per the documentation made the Policy Server ports
    available.

    Additional Information:

    (Optional) Add Exceptions to Security-Enhanced Linux (SELinux)
    https://docops.ca.com/ca-single-sign-on/12-8/en/installing/install-a-policy-server/install-policy-server-on-unix/run-the-installer

    The commands for the firewall and SELinux are temporary settings. To
    prevent the issue from recurring, you may want to disable the firewall
    and SELinux permanently:

    SELinux

    Configure Security-Enhanced Linux (SELinux) to Work with CA Single Sign-On
    Follow these steps:

    - Access the /etc/selinux/config file.

    - Run the following command to check the current status:

    sestatus

    - If SELinux is set to enforcing, change the status to either permissive
    or disabled:

    SELINUX=permissive

    or

    SELINUX=disabled

    https://docops.ca.com/ca-single-sign-on/12-8/en/installing/install-a-policy-server/install-policy-server-on-unix/run-the-installer
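    The edit to /etc/selinux/config described in the steps above can be made
    without hand-editing the file. The following Python script is an added
    example, not taken from the CA documentation or from the product: it
    rewrites only the active SELINUX= line, leaves the comment lines and
    SELINUXTYPE= untouched, and rejects any value other than the three the file
    documents. The sample file content is constructed here to resemble the
    stock Red Hat 7 file; the function names are this example's own.

```python
import re
import sys

VALID_MODES = ("enforcing", "permissive", "disabled")

# Constructed sample of /etc/selinux/config (not copied from a real host)
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
"""

# Matches only an active (uncommented) SELINUX= line. [ \t]* rather than \s*
# so the pattern can never swallow the newlines around the line.
_SELINUX_LINE = re.compile(r"^[ \t]*SELINUX[ \t]*=[ \t]*(\w+)[ \t]*$", re.MULTILINE)


def current_selinux_mode(text):
    """Return the value of the active SELINUX= line (lower-cased), or None."""
    m = _SELINUX_LINE.search(text)
    return m.group(1).lower() if m else None


def set_selinux_mode(text, mode):
    """Return the config text with SELINUX= set to `mode`.

    Comment lines such as '#     permissive - ...' are untouched because the
    pattern only matches lines that begin with SELINUX=. If the file has no
    active SELINUX= line, one is appended at the end.
    """
    mode = mode.lower()
    if mode not in VALID_MODES:
        raise ValueError(f"unsupported SELinux mode: {mode!r}")
    if _SELINUX_LINE.search(text):
        return _SELINUX_LINE.sub(f"SELINUX={mode}", text, count=1)
    return text.rstrip("\n") + f"\nSELINUX={mode}\n"


def update_selinux_config(path, mode):
    """Rewrite the file at `path` in place. Returns (old_mode, new_mode)."""
    with open(path, "r", encoding="utf-8") as fh:
        old_text = fh.read()
    new_text = set_selinux_mode(old_text, mode)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return current_selinux_mode(old_text), mode


if __name__ == "__main__":
    # Usage (as root): python selinux_mode.py permissive [/etc/selinux/config]
    wanted = sys.argv[1] if len(sys.argv) > 1 else "permissive"
    cfg = sys.argv[2] if len(sys.argv) > 2 else "/etc/selinux/config"
    before, after = update_selinux_config(cfg, wanted)
    print(f"{cfg}: SELINUX {before} -> {after} (takes effect at next boot)")
```

    The value written to /etc/selinux/config applies at the next boot;
    `setenforce 0` only switches the running kernel to permissive mode, and
    `getenforce` then reports Permissive (Disabled is only shown after booting
    with SELINUX=disabled). Permissive mode still records in
    /var/log/audit/audit.log what enforcing mode would have blocked, which is
    the information needed if you later follow the "(Optional) Add Exceptions"
    link above rather than disabling SELinux outright.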

     

    KB : KB000131795