Idenprotect services not starting
Introduction
The idenprotect Core Platform and related applications run on Red Hat Enterprise Linux (RHEL) / CentOS 6 and 7 as a service with a specific service name (see below). The services are started with the command
- systemctl start {service name} (RHEL 7)
- service {service name} start (RHEL 6)
A service's status can be checked with the command
- systemctl status {service name} (RHEL 7)
- service {service name} status (RHEL 6)
Note that not all of the below information will be relevant to all applications.
Service Names
The following service names should be used when running the commands noted in the following sections:
- idenprotect Core Platform = idenprotect
- idenprotect Authentication Portal = idp
- idenprotect User Portal = userportal
- idenprotect Active Directory Agent = adsync
- idenprotect Service Manager = servicemanager
Known Causes
The following issues can result in a failing idenprotect service:
- NGINX web server is not running. This means that the NGINX service is not running on the same server as the idenprotect application.
- Certificate Authority is not running. The CA can be on a separate server or on the same server as idenprotect Core Platform application, depending on the configuration.
- /opt/idenprotect/idenprotect.jar Java application file does not have execution privileges
- Database is not running or reachable
Usually, if the idenprotect service fails to start, it is caused by either the NGINX web server or CA/Database not being available when starting the idenprotect service. If either prerequisite is missing, the idenprotect service will fail as well.
Resolution
NOTE: all commands must be run as root or a user with root privileges
Restarting web server
Check the web server status with the command
- systemctl status nginx (RHEL 7)
- service nginx status (RHEL 6)
If the command returns anything other than nginx is running..., start NGINX again with the command
- systemctl start nginx (RHEL 7)
- service nginx start (RHEL 6)
If NGINX startup fails, refer to NGINX documentation.
Restarting Certificate Authority
These instructions only apply to the EJBCA Certificate Authority. If you are using a different CA, refer to the manufacturer’s instructions.
Check the EJBCA service status with the command
- systemctl status ejbca (RHEL 7)
- service ejbca status (RHEL 6)
If the command returns anything other than “Running”, start EJBCA again with the command
- systemctl start ejbca (RHEL 7)
- service ejbca start (RHEL 6)
Check that you can reach the admin console of EJBCA at the address https://idenprotect-server-address:8443. The P12 certificate required for this access is in /etc/idenprotect/superadmin.p12
If EJBCA startup fails, check the EJBCA logs in /var/log/ejbca.log and /var/log/ejbca.err
Fixing idenprotect Java application privileges
If the idenprotect Core Platform Java application file /opt/idenprotect/idenprotect.jar is missing execution privileges, attempting to start the idenprotect service will fail with the “Permission denied” error.
Check the idenprotect.jar file privileges with the command
ls -la /opt/idenprotect/idenprotect.jar
If you don’t see any execution (x) privileges marked for the JAR file, add them with the command
chmod +x /opt/idenprotect/idenprotect.jar
Then, attempt to restart the idenprotect service
- systemctl start {service name} (RHEL 7)
- service {service name} start (RHEL 6)
Restarting network services
If you have recently restarted your CentOS server and your database is held on a separate box, you may find that it is not immediately reachable after a restart. If you have previously been able to reach the database, then you should be able to reach it again by restarting the server's network services. This can be done directly on the command line with the following command:
service network restart
Starting Database services
If you have installed a database service other than the one packaged with our services, it may not start automatically when you restart your CentOS server unless it has been specifically configured to do so. You will need to start this service manually or configure it so that it starts automatically when the server starts.
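The checks from the Resolution steps above, collected into one pre-flight script (an added example, not idenprotect's own tooling). LOCAL_SERVICES, DB_HOST and DB_PORT are assumed settings; the page does not give the database host or port.

```shell
#!/bin/sh
# Added example: pre-flight check for the causes listed under "Known Causes".
# Assumptions: LOCAL_SERVICES, DB_HOST and DB_PORT are illustrative settings;
# the page does not name the database host or port.
JAR=${JAR:-/opt/idenprotect/idenprotect.jar}
LOCAL_SERVICES=${LOCAL_SERVICES:-"nginx ejbca"}  # drop ejbca if the CA is remote

# 0 if the service is running: systemctl on RHEL 7, service on RHEL 6.
svc_running() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active --quiet "$1"
    else
        service "$1" status >/dev/null 2>&1
    fi
}

# 0 if the file exists and the calling user may execute it.
jar_executable() { [ -f "$1" ] && [ -x "$1" ]; }

# 0 if a TCP connection to host:port opens within 3 seconds (needs bash).
tcp_reachable() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Print one line per prerequisite; return the number that failed.
preflight() {
    failed=0
    for svc in $LOCAL_SERVICES; do
        if svc_running "$svc"; then echo "OK    $svc is running"
        else echo "FAIL  $svc is not running"; failed=$((failed + 1)); fi
    done
    if jar_executable "$JAR"; then echo "OK    $JAR is executable"
    else echo "FAIL  $JAR is missing or not executable"; failed=$((failed + 1)); fi
    # The database check runs only when both assumed settings are provided.
    if [ -n "${DB_HOST:-}" ] && [ -n "${DB_PORT:-}" ]; then
        if tcp_reachable "$DB_HOST" "$DB_PORT"; then
            echo "OK    database $DB_HOST:$DB_PORT is reachable"
        else
            echo "FAIL  database $DB_HOST:$DB_PORT is not reachable"
            failed=$((failed + 1))
        fi
    fi
    return "$failed"
}

# Run the checks only when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

The exit status is the number of failed prerequisites, so a zero status means the idenprotect service can be started.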
Workaround
If all else fails, you can launch the idenprotect Core Platform application directly from the command line with the command
sh /opt/idenprotect/ispa.sh
This option runs idenprotect Core Platform as a background Java process which isn’t monitored by the system service daemon.
When started with ispa.sh, the idenprotect Core Platform application can’t be shut down normally with systemctl stop idenprotect or service idenprotect stop. Instead, you have to stop it manually by finding the PID of the idenprotect.jar application process and shutting it down:
ps aux | grep idenprotect
The command should return a line containing a Process ID (PID) for the process which is running idenprotect.jar.
Shut down the process with the command
kill -1 <pid>
Unless otherwise specified, all idenprotect application logs are stored in /var/log. Any failing startup attempts will be tracked there.