Idenprotect services not starting

From idenprotect Knowledge Base

Introduction

The iDENprotectserver and related applications run on Red Hat Enterprise Linux (RHEL) / CentOS 6 and 7 as services, each with a specific service name (see below). A service is started with the command

  • systemctl start {service name} (RHEL 7)
  • service {service name} start (RHEL 6)

A service's status can be checked with the command

  • systemctl status {service name} (RHEL 7)
  • service {service name} status (RHEL 6)

Note that not all of the below information will be relevant to all applications.

Service Names

The following service names should be used when running the commands noted in the following sections:

  • iDENprotectserver = idenprotect
  • iDENprotect Identity Provider = idp
  • iDENprotect User Portal = userportal
  • iDENprotect AD Agent = adsync


Known Causes

The following issues can result in a failing iDENprotect service:

  • NGINX web server is not running. This means that the NGINX service is not running on the same server as the iDENprotect application.
  • Certificate Authority is not running. The CA can be on a separate server or on the same server as the iDENprotectserver application, depending on the configuration.
  • The /opt/idenprotect/idenprotect.jar Java application file does not have execution privileges.
  • Database is not running or not reachable.

Usually, if the iDENprotect service fails to start, it is caused by either the NGINX web server or CA/Database not being available when starting the iDENprotect service. If either prerequisite is missing, the iDENprotect service will fail as well.


Resolution

NOTE: all commands must be run as root or a user with root privileges

Restarting web server

Check the web server status with the command

  • systemctl status nginx (RHEL 7)
  • service nginx status (RHEL 6)

If the command returns anything other than “nginx is running...”, start NGINX again with the command

  • systemctl start nginx (RHEL 7)
  • service nginx start (RHEL 6)

If NGINX startup fails, refer to NGINX documentation.

Restarting Certificate Authority

These instructions only apply to the EJBCA Certificate Authority. If you are using a different CA, refer to the manufacturer’s instructions.

Check the EJBCA service status with the command

  • systemctl status ejbca (RHEL 7)
  • service ejbca status (RHEL 6)

If the command returns anything other than “Running”, start EJBCA again with the command

  • systemctl start ejbca (RHEL 7)
  • service ejbca start (RHEL 6)

Check that you can reach the EJBCA admin console at https://idenprotect-server-address:8443. The P12 certificate required for this access is in /etc/idenprotect/superadmin.p12

If EJBCA startup fails, check the EJBCA logs in /var/log/ejbca.log and /var/log/ejbca.err

Fixing iDENprotect Java application privileges

If the iDENprotectserver Java application file /opt/idenprotect/idenprotect.jar is missing execution privileges, attempting to start the iDENprotect service will fail with the “Permission denied” error.

Check the idenprotect.jar file privileges with the command

ls -la /opt/idenprotect/idenprotect.jar

If you don’t see any execution (x) privileges marked for the JAR file, add them with the command

chmod +x /opt/idenprotect/idenprotect.jar

Then, attempt to restart the iDENprotect service

  • systemctl start {service name} (RHEL 7)
  • service {service name} start (RHEL 6)
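
The checks from the Resolution steps above, collected into one script as an added example (it is not part of the original knowledge base article or the iDENprotect product). The function names are hypothetical; the JAR path and the nginx and ejbca service names are taken from this page, and because the page does not name the database service, it is assumed you append that name yourself.

```sh
#!/bin/sh
# Added example: pre-flight check for the causes listed under "Known Causes".
# The JAR path and service names come from this page; the function names
# are hypothetical.
JAR="${JAR:-/opt/idenprotect/idenprotect.jar}"

# True if the service is running: systemctl on RHEL 7, service on RHEL 6.
svc_running() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active --quiet "$1"
    else
        service "$1" status >/dev/null 2>&1
    fi
}

# 0 = some execute bit is set, 1 = none set, 2 = file missing.
# Reads the mode string (as "ls -la" shows it) instead of using "[ -x ]",
# so the answer does not depend on which user runs the check.
jar_has_exec_bit() {
    [ -f "$1" ] || return 2
    case "$(ls -ldL "$1" | cut -c1-10)" in
        *[xst]*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Usage: preflight JAR [SERVICE...]
# Prints one line per check and returns the number of failed checks.
preflight() {
    jar="$1"; shift
    problems=0
    if jar_has_exec_bit "$jar"; then
        echo "OK   $jar has execute permission"
    else
        echo "FAIL $jar is missing or has no execute permission"
        problems=$((problems + 1))
    fi
    for svc in "$@"; do
        if svc_running "$svc"; then
            echo "OK   $svc is running"
        else
            echo "FAIL $svc is not running"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Run only when service names are given, e.g.: sh preflight.sh nginx ejbca
if [ "$#" -gt 0 ]; then preflight "$JAR" "$@"; fi
```

Run it as root before starting the iDENprotect service; a non-zero exit status is the number of prerequisites that still need fixing.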

Workaround

If all else fails, you can launch the iDENprotectserver application directly from the command line with the command

sh /opt/idenprotect/ispa.sh

This option runs iDENprotectserver as a background Java process which isn’t monitored by the system service daemon. When started with ispa.sh, the iDENprotectserver application can’t be shut down normally with systemctl stop idenprotect or service idenprotect stop. Instead, you have to stop it manually by finding the PID of the idenprotect.jar application process and shutting it down:

ps aux | grep idenprotect  

The command should return a line containing a Process ID (PID) for the process which is running idenprotect.jar.

Shut down the process with the command

kill -1 <pid>


Unless otherwise specified, all iDENprotect application logs are stored in /var/log. Any failing startup attempts will be tracked there.