Access Gateway Service will not import when installed on hardened OS platform with umask of 077

  • 7017622
  • 20-May-2016
  • 24-May-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Gateway Service running on RHEL 7.1
RHEL OS hardened with a umask of 077

Situation

The Access Manager Admin Console and Identity (IDP) servers are installed on Red Hat Enterprise Linux (RHEL) version 7.1 and working fine. The admin wants to add an Access Gateway (AG) service on the same RHEL platform to the NAM setup, where the AG will be placed in the DMZ, fronting the IDP servers. For security purposes, the RHEL OS is hardened by setting the default umask to 077 (instead of the typical umask of 022). After running the install, the AGS console and install logs indicate that the install completed successfully, but the AGS does not appear to have imported correctly into the Admin Console. When the admin logs into iManager, no AGS is visible.

The install logs show no error, and neither do the JCC logs from the AG. Checking the catalina.out file on the AG, you can see that the ESP fails to start because it cannot write /var/opt/novell/nam/logs/mag/tomcat/catalina.out: the log directory was created by root under the 077 umask, so it is owned by root with no access for the novlwww user that runs the ESP.

Resolution

On a Linux platform hardened with a umask of 077, the following operations need to be performed after an install:

chmod 755 /var/opt/novell/nam
chmod 755 /var/opt/novell/nam/logs
chmod 755 /var/opt/novell/nam/logs/mag
chmod 755 /var/opt/novell/nam/logs/mag/tomcat
chmod 755 /opt/novell/devman/jcc/conf/jcc.keystore
chmod 755 /opt/novell/devman/jcc/conf/keystore_info.xml
chmod -R 755 /opt/novell/devman/jcc/certs/esp

Then restart tomcat. The registration will complete and the device can be managed from the Admin Console.
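As an added check that is not part of this article: the script below audits the paths listed in the resolution and reports which ones still carry the 700/600 modes that a 077 umask leaves behind, so the fix can be verified before and after the chmod commands are run. The path list is the article's; the function names, output format and the --audit switch are assumptions of this example, and it relies on GNU stat as shipped with RHEL.

```shell
#!/bin/sh
# Added example (not NetIQ code): report which NAM/JCC paths from the article's
# resolution are not readable (or, for directories, not traversable) by "other",
# which is what the novlwww service user needs once the install ran under umask 077.

NAM_PATHS="/var/opt/novell/nam
/var/opt/novell/nam/logs
/var/opt/novell/nam/logs/mag
/var/opt/novell/nam/logs/mag/tomcat
/opt/novell/devman/jcc/conf/jcc.keystore
/opt/novell/devman/jcc/conf/keystore_info.xml
/opt/novell/devman/jcc/certs/esp"

# other_bits PATH: prints the "other" octal digit of PATH's mode (0 for 700, 5 for 755)
other_bits() {
    m=$(stat -c '%a' "$1") || return 1
    printf '%s\n' "${m#"${m%?}"}"          # last character of the octal mode
}

# check_other_access PATH: returns 0 if others can read it (and enter it when it is
# a directory), 1 if the mode would block novlwww, 2 if the path does not exist.
check_other_access() {
    p=$1
    [ -e "$p" ] || { printf 'MISSING %s\n' "$p"; return 2; }
    o=$(other_bits "$p")
    if [ -d "$p" ]; then need=5; else need=4; fi   # r-x for dirs, r-- for files
    if [ $(( o & need )) -eq "$need" ]; then
        printf 'OK      %s (%s)\n' "$p" "$(stat -c '%a' "$p")"
    else
        printf 'FIX     %s (%s) -> chmod 755 %s\n' "$p" "$(stat -c '%a' "$p")" "$p"
        return 1
    fi
}

# audit_nam_paths: checks every entry in NAM_PATHS; the return value is the number
# of paths that are missing or still need a chmod (0 means the host is ready).
audit_nam_paths() {
    bad=0
    for p in $NAM_PATHS; do
        check_other_access "$p" || bad=$((bad + 1))
    done
    return "$bad"
}

# Run the audit only when invoked as "sh nam_umask_audit.sh --audit" (assumed name).
case "${1-}" in
    --audit) audit_nam_paths ;;
esac
```

Run it once after the install to see the FIX lines, apply the chmod commands above, and run it again: an exit status of 0 means every listed path is now accessible to novlwww.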