Environment
NetIQ Access Manager 4.2
NetIQ Access Gateway Service running on RHEL 7.1
RHEL OS hardened with a umask of 077
Situation
Access Manager Admin Console and Identity (IDP) servers are installed on Red Hat Enterprise Linux (RHEL) version 7.1 and working fine. The admin wants to add an Access Gateway (AG) service on the same RHEL platform to the NAM setup, where the AG will be placed in the DMZ and front the IDP servers. For security purposes, the RHEL OS is hardened by setting the default umask to 077 (instead of the typical umask of 022). After running the install, the AGS console and install logs indicate that the install completed successfully, but the AGS does not appear to have imported correctly into the Admin Console. When the admin logs into iManager, no AGS is visible.
The install logs show no error, and neither do the JCC logs from the AG. Checking the catalina.out file on the AG, you can see that the ESP fails to start because it cannot write /var/opt/novell/nam/logs/mag/tomcat/catalina.out: the log directory is owned by root and not novlwww, and with a umask of 077 it was created without group or world access.
Resolution
On a Linux platform hardened with a umask of 077, the following operations need to be performed after an install:
chmod 755 /var/opt/novell/nam
chmod 755 /var/opt/novell/nam/logs
chmod 755 /var/opt/novell/nam/logs/mag
chmod 755 /var/opt/novell/nam/logs/mag/tomcat
chmod 755 /opt/novell/devman/jcc/conf/jcc.keystore
chmod 755 /opt/novell/devman/jcc/conf/keystore_info.xml
chmod -R 755 /opt/novell/devman/jcc/certs/esp
Then restart Tomcat; the registration will complete and you can manage the device from the Admin Console.
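The following script is an added example, not part of this article or of the NetIQ product: it checks the paths listed above for the expected 755 mode and applies the same chmod commands only where needed, so it can be run again after future installs or umask changes without guessing. The NAM_ROOT and NAM_APPLY variables are assumptions introduced here (NAM_ROOT lets the check run against a copy of the tree; the real host uses the empty default), and GNU stat/find as shipped with RHEL are assumed.

```shell
#!/bin/sh
# Added example: verify and repair the post-install permissions this KB
# describes for a NAM Access Gateway Service on a host hardened with umask 077.
# NAM_ROOT (assumed, default empty) is prefixed to every path so the functions
# can be exercised against a test tree instead of the live /var and /opt.

# The non-recursive paths the article sets to 755.
nam_paths() {
  root="${1:-}"
  printf '%s\n' \
    "$root/var/opt/novell/nam" \
    "$root/var/opt/novell/nam/logs" \
    "$root/var/opt/novell/nam/logs/mag" \
    "$root/var/opt/novell/nam/logs/mag/tomcat" \
    "$root/opt/novell/devman/jcc/conf/jcc.keystore" \
    "$root/opt/novell/devman/jcc/conf/keystore_info.xml"
}

# Octal mode of a path (GNU stat, as on RHEL).
mode_of() { stat -c '%a' "$1"; }

# Report every path that is missing or not mode 755; returns 1 if any is wrong.
check_nam_perms() {
  root="${1:-}"; bad=0
  for p in $(nam_paths "$root"); do
    [ -e "$p" ] || { echo "missing: $p"; bad=1; continue; }
    m=$(mode_of "$p")
    [ "$m" = 755 ] || { echo "mode $m (want 755): $p"; bad=1; }
  done
  # The ESP certificate directory is fixed recursively in the article.
  esp="$root/opt/novell/devman/jcc/certs/esp"
  if [ -d "$esp" ]; then
    wrong=$(find "$esp" ! -perm 755 -print)
    [ -z "$wrong" ] || { printf 'not 755 under %s:\n%s\n' "$esp" "$wrong"; bad=1; }
  else
    echo "missing: $esp"; bad=1
  fi
  return $bad
}

# Apply exactly the chmod commands from the article, then re-check.
fix_nam_perms() {
  root="${1:-}"
  for p in $(nam_paths "$root"); do chmod 755 "$p"; done
  chmod -R 755 "$root/opt/novell/devman/jcc/certs/esp"
  check_nam_perms "$root"
}

# On the real host, run as root with NAM_APPLY=1 (assumed switch) to repair;
# without it the script only defines the functions above.
if [ "${NAM_APPLY:-0}" = 1 ]; then
  check_nam_perms "${NAM_ROOT:-}" || fix_nam_perms "${NAM_ROOT:-}"
fi
```

After a successful fix, restart Tomcat as the article says; the check can be re-run at any time to confirm the modes survived the restart.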