Idenprotect services not starting

From iDENprotect Knowledge Base

Introduction

The idenprotect Core Platform and related applications run on Red Hat Enterprise Linux (RHEL) / CentOS 6 and 7 as a service with a specific service name (see below). The services are started with the command

  • systemctl start {service name} (RHEL 7)
  • service {service name} start (RHEL 6)

A service's status can be checked with the command

  • systemctl status {service name} (RHEL 7)
  • service {service name} status (RHEL 6).

Note that not all of the below information will be relevant to all applications.

Service Names

The following service names should be used when running the commands noted in the following sections:

  • idenprotect Core Platform = idenprotect
  • idenprotect Authentication Portal = idp
  • idenprotect User Portal = userportal
  • idenprotect Active Directory Agent = adsync


Known Causes

The following issues can result in a failing idenprotect service:

  • NGINX web server is not running. This means that the NGINX service is not running on the same server as the idenprotect application.
  • Certificate Authority is not running. The CA can be on a separate server or on the same server as idenprotect Core Platform application, depending on the configuration.
  • /opt/idenprotect/idenprotect.jar Java application file does not have execution privileges
  • Database is not running or reachable

Usually, if the idenprotect service fails to start, it is caused by either the NGINX web server or CA/Database not being available when starting the idenprotect service. If either prerequisite is missing, the idenprotect service will fail as well.


Resolution

NOTE: all commands must be run as root or a user with root privileges

Restarting web server

Check the web server status with the command

  • systemctl status nginx (RHEL 7)
  • service nginx status (RHEL 6)

If the command returns anything other than nginx is running..., start NGINX again with the command

  • systemctl start nginx (RHEL 7)
  • service nginx start (RHEL 6)

If NGINX startup fails, refer to NGINX documentation.

Restarting Certificate Authority

These instructions only apply to the EJBCA Certificate Authority. If you are using a different CA, refer to the manufacturer’s instructions.

Check the EJBCA service status with the command

  • systemctl status ejbca (RHEL 7)
  • service ejbca status (RHEL 6)

If the command returns anything other than “Running”, start EJBCA again with the command

  • systemctl start ejbca (RHEL 7)
  • service ejbca start (RHEL 6)

Check that you can reach the EJBCA admin console at https://idenprotect-server-address:8443. The P12 certificate required for this access is in /etc/idenprotect/superadmin.p12

If EJBCA startup fails, check EJBCA logs in /var/log/ejbca.log and /var/log/ejbca.err

Fixing idenprotect Java application privileges

If the idenprotect Core Platform Java application file /opt/idenprotect/idenprotect.jar is missing execution privileges, attempting to start the idenprotect service will fail with the “Permission denied” error.

Check the idenprotect.jar file privileges with the command

ls -la /opt/idenprotect/idenprotect.jar

If you don’t see any execution (x) privileges marked for the JAR file, add them with the command

chmod +x /opt/idenprotect/idenprotect.jar

Then, attempt to restart idenprotect service

  • systemctl start {service name} (RHEL 7)
  • service {service name} start (RHEL 6)

Restarting network services

If you have recently restarted your CentOS server and your database is held on a separate box, you may find that it is not immediately reachable after the restart. If you have previously been able to reach the database, you should be able to reach it again by restarting the server's network services. This can be done directly on the command line with the following command

service network restart

Starting Database services

If you have installed a database service other than the one packaged with our services, it may not start automatically when you restart your CentOS server unless it has been specifically configured to do so. You will need to start this service manually or configure it so that it starts automatically when the server starts.
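
The checks from Known Causes and Resolution, combined into one preflight script. This is an added example, not part of the idenprotect distribution. It assumes EJBCA runs on the same server; the function names and the DB_HOST and DB_PORT variables are hypothetical.

```shell
#!/bin/sh
# Preflight for the prerequisites listed under "Known Causes".
# Added example: function names, DB_HOST and DB_PORT are assumptions.

# True if the named service is running (systemctl on RHEL 7, service on RHEL 6).
svc_running() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active --quiet "$1"
    else
        service "$1" status >/dev/null 2>&1
    fi
}

# True if the file exists and its mode string shows at least one execute bit,
# the same thing the page asks you to look for in the ls output.
jar_executable() {
    [ -f "$1" ] || return 1
    ls -ld -- "$1" | cut -c1-10 | grep -q x
}

# True if a TCP connection to host:port succeeds within 3 seconds.
db_reachable() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Prints one line per failed prerequisite and returns the number of failures.
# Usage: preflight <jar path> <db host> <db port>
preflight() {
    jar=$1 db_host=$2 db_port=$3 failed=0
    for svc in nginx ejbca; do   # drop ejbca here if the CA is on another server
        svc_running "$svc" ||
            { echo "FAIL: $svc is not running"; failed=$((failed + 1)); }
    done
    jar_executable "$jar" ||
        { echo "FAIL: $jar has no execute bit"; failed=$((failed + 1)); }
    db_reachable "$db_host" "$db_port" ||
        { echo "FAIL: database $db_host:$db_port unreachable"; failed=$((failed + 1)); }
    return "$failed"
}

# Runs only when asked: DB_HOST=... DB_PORT=... sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight /opt/idenprotect/idenprotect.jar \
        "${DB_HOST:?set DB_HOST}" "${DB_PORT:?set DB_PORT}" &&
        echo "All prerequisites OK; start the idenprotect service."
fi
```

Run it as root, like the other commands on this page; each FAIL line maps to one of the Resolution sections above.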

Workaround

If all else fails, you can launch the idenprotect Core Platform application directly from the command line with the command

sh /opt/idenprotect/ispa.sh

This option runs idenprotect Core Platform as a background Java process which isn’t monitored by the system service daemon. When started with ispa.sh, idenprotect Core Platform application can’t be shut down normally with systemctl stop idenprotect or service idenprotect stop. Instead, you have to stop it manually by finding the PID of the idenprotect.jar application process, and shutting it down:

ps aux | grep idenprotect

The command should return a line containing a Process ID (PID) for the process which is running idenprotect.jar.

Shut down the process with the command

kill -1 <pid>


Unless otherwise specified, all idenprotect application logs are stored in /var/log. Any failing startup attempts will be tracked there.