DCO on Red Hat installation: user rights permissions

Valentin_Kozlov · ‎2020-08-25

Hi Team!

We have a customer with DCO installed on Red Hat Linux.

I have an issue with ETL database creation. When I tried to create new database, I got "Internal error during add,see logs" message.

In the server.log file I see lines (some info truncated):

INFO Scheduling action 'UPDATE ACCESS FILES' with info: ''

ERROR Could not build session factory: org.postgresql.util.PSQLException: FATAL: pg_hba.conf rejects connection for host

WARN Did not get valid session in first try. Trying again: java.lang.IllegalStateException: Cannot open session on null session factory for: com.apc.etl.model

ERROR EJB Invocating failed on component ETLSessionHelper for method public abstract org.hibernate.Session com.apc.etl.model.ISessionHelper.openSession(com.apc.etl.model.ETLConfig): javax.ejb.EJBTransactionRolledbackException: Cannot open session on null session factory for

INFO An exception occured while checking and creating the necessary database. Please make sure database and etl-configuration is setup correctly

WARN SQL Error : 0, SQLState: null

ERROR IJ031070: transaction cannot proceeded: STATUS_MARKED_ROLLBACK

ERROR WFLYEJB0034: EJB Invocation failed on component userPersistenceHandlerImpl for method abstract com.apc.product.services.users.ModifiableUser com.apc.product.services.users.UserPersistenceHandler.getUserByName(java.lang.String,boolean): javax.ejb.EJBTransactionRolledbackException: could not prepare statement.

I suppose this is happens because of strict security requirements and dco platform user have no enough permissions to make changes on the system.

Could you advice what permissions are needed for users used by DCO in operation system and what we need to do to get fully operational system?

Thank you in advance!

Valentin_Kozlov · ‎2020-08-31

Hi Greg!

Logs are attached.

See Answer In Context

gsterling · ‎2020-08-25

Hello Valentin

Are you able to share the etl.log and server.log files from the DCO server?

Which version of DCO are they running?

DCO is running correctly (i.e. the customer is not having difficulty saving changes and so on)?

Are they able to complete a task like create a DCO backup?

If DCO is installed correctly it normally has the permissions it needs to complete tasks like this. They might break for example of the /etc/sudoers file was not properly set to allow the DCO services proper root access when needed.

When creating an ETL database, the database itself is created along with the user credentials allowed to access it.

Regards

Greg Sterling

Valentin_Kozlov · ‎2020-08-25

Hi Greg!

This is the same customer which have desktop client performance issues I wrote about.

They use DCO 8.3.2. I'm not sure if DCO running totally right because application status is Down. In fact application is running but with some issues like that or sensor placement described in my another post.

Backup tasks performs correctly. I will try to get log files and attach it.

Do we have info what permissions should be granted?

At least we need to check sudoers file and add DCOjboss and DCOplat users? Any additional permissions?

There are strong security requirements and everything that is not allowed is prohibited. I need to inform customer's administrators what we need.

gsterling · ‎2020-08-25

Yes, if the application status is down then some investigation is needed as something is wrong somewhere.

This is the requirements page for RH 7.x

https://helpcenter.ecostruxureit.com/hc/en-us/articles/360037365473-Installing-ITA-on-Red-Hat-Enterp...

Pay particular attention to this section as the "sudoers" part it critical.

Note: If special configuration has been done, ensure the sudoers file /etc/sudoers includes the following lines before installing or upgrading:

## Allow root to run any commands anywhere
root    ALL=(ALL)     ALL
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

If, for security reasons, you do not want to enable one or both of the above lines, contact Technical Support for a list of changes needed for the installation to proceed. For optimum support, supply your sudoers configuration in your support request.

Changes to the system

The following system changes are applied during installation of the IT Advisor software.

ITA will install the listed packages* if not already installed.
*You can get a list of dependent packages for Red Hat Enterprise Linux installation through your local Schneider Electric contact.
Firewalld rules are set to ITA default locked down settings.
The SNMPd configuration is replaced with a ITA configuration to provide SNMP status for the ITA services.
The NTP configuration is changed to use default RHEL NTP servers. This can be changed afterwards through the server management interface (Webmin).
The PostgreSQL configuration is replaced and certificates for the database get generated during install.
The Keepalived configuration is replaced.
SELinux is enabled.
CTRL+ALT+DELETE reboot is disabled.
Root login and UseDNS in SSH is disabled.
TCP Keepalive settings are modified.
Kernel shared memory, huge pages and network memory settings are modified.
The sudo configuration was changed, adding sudo permissions to operations-platform and dcojboss user, removing requiretty parameter.
logrotate has been configured to handle ITA and PostgreSQL logs.
Loading kernel module ip_vs and ip_vs_rr.
The Apache configuration is modified.
The Webmin configuration is modified, disabling unused modules and changing security configuration.
Enabling PostgreSQL start at boot.
Maximum number of files has been increased to 100000 for JBoss (dcojboss) and root users.
Sudoers rules have been added for the dcojboss user to allow creation of ETL databases.

Valentin_Kozlov · ‎2020-08-26

Hi Gents!

Here is logs attached.

I tried to change hb_pga.conf manually and set "allow all" string:

host all all 0.0.0.0/0 md5

After that I was able to add new ETL database.

Could you advice if changing sudoers file should be enough or this is just a first step to investigation?

What other steps could be performed?

gsterling · ‎2020-08-28

Hello Valentin.

There are lots of errors in the server.log file which is consistent with the problems you logged regarding the inability to create the ETL database as it appears at some point there were problems connecting to the postgres database.

Is there a chance we can get a full set of log files from this server so we can view the postgres logs as well as the original cause of the problem may be there.

Regards

Greg Sterling

Valentin_Kozlov · ‎2020-08-31

Hi Greg!

Logs are attached.

gsterling · ‎2020-09-01

Hello Valentin

It does appear something occurred which caused DCO/ITA to have problems communicating with the database which appears to have contributed to the problem you noticed when trying to create the ETL database.

The postgres-debug.log you send was real recent, is there a debug log on the customers server which has log entries from the August 17th to 19th timeframe?

Regards

Greg Sterling