DCO on Red Hat installation: user rights permissions

EcoStruxure IT forum

A support forum for Data Center Operation, Data Center Expert, and EcoStruxure IT product users to share knowledge on installation, configuration, and general product use.

Valentin_Kozlov

Hi Team!

We have a customer with DCO installed on Red Hat Linux.

I have an issue with ETL database creation. When I tried to create a new database, I got "Internal error during add,see logs" message.

In the server.log file I see lines (some info truncated):

INFO  Scheduling action 'UPDATE ACCESS FILES' with info: ''
ERROR Could not build session factory: org.postgresql.util.PSQLException: FATAL: pg_hba.conf rejects connection for host
WARN Did not get valid session in first try. Trying again: java.lang.IllegalStateException: Cannot open session on null session factory for: com.apc.etl.model
ERROR EJB Invocating failed on component ETLSessionHelper for method public abstract org.hibernate.Session com.apc.etl.model.ISessionHelper.openSession(com.apc.etl.model.ETLConfig): javax.ejb.EJBTransactionRolledbackException: Cannot open session on null session factory for
INFO An exception occured while checking and creating the necessary database. Please make sure database and etl-configuration is setup correctly
WARN SQL Error : 0, SQLState: null
ERROR IJ031070: transaction cannot proceeded: STATUS_MARKED_ROLLBACK
ERROR WFLYEJB0034: EJB Invocation failed on component userPersistenceHandlerImpl for method abstract com.apc.product.services.users.ModifiableUser com.apc.product.services.users.UserPersistenceHandler.getUserByName(java.lang.String,boolean): javax.ejb.EJBTransactionRolledbackException: could not prepare statement.

I suppose this happens because of strict security requirements, and the DCO platform user does not have enough permissions to make changes on the system.

Could you advise what permissions are needed for the users used by DCO in the operating system and what we need to do to get a fully operational system?

Thank you in advance!

7 Replies

gsterling

Re: DCO on Red Hat installation: user rights permissions

Hello Valentin

Are you able to share the etl.log and server.log files from the DCO server?

Which version of DCO are they running?

DCO is running correctly (i.e. the customer is not having difficulty saving changes and so on)?

Are they able to complete a task like create a DCO backup?

If DCO is installed correctly it normally has the permissions it needs to complete tasks like this. They might break, for example, if the /etc/sudoers file was not properly set to allow the DCO services proper root access when needed.

When creating an ETL database, the database itself is created along with the user credentials allowed to access it.

Regards

Greg Sterling

Valentin_Kozlov

Re: DCO on Red Hat installation: user rights permissions

Hi Greg!

This is the same customer that has the desktop client performance issues I wrote about.

They use DCO 8.3.2. I'm not sure if DCO is running totally right because the application status is Down. In fact the application is running, but with some issues like that or the sensor placement described in my other post.

Backup tasks perform correctly. I will try to get the log files and attach them.

Do we have info on what permissions should be granted?

At least we need to check the sudoers file and add the DCOjboss and DCOplat users? Any additional permissions?

There are strong security requirements and everything that is not allowed is prohibited. I need to inform the customer's administrators what we need.

gsterling

Re: DCO on Red Hat installation: user rights permissions

Yes, if the application status is down then some investigation is needed as something is wrong somewhere.

This is the requirements page for RH 7.x

https://helpcenter.ecostruxureit.com/hc/en-us/articles/360037365473-Installing-ITA-on-Red-Hat-Enterp...

Pay particular attention to this section as the "sudoers" part is critical.

Note: If special configuration has been done, ensure the sudoers file /etc/sudoers includes the following lines before installing or upgrading:

## Allow root to run any commands anywhere
root    ALL=(ALL)     ALL
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

If, for security reasons, you do not want to enable one or both of the above lines, contact Technical Support for a list of changes needed for the installation to proceed. For optimum support, supply your sudoers configuration in your support request.

Changes to the system

The following system changes are applied during installation of the IT Advisor software.

  • ITA will install the listed packages* if not already installed. 
    *You can get a list of dependent packages for Red Hat Enterprise Linux installation through your local Schneider Electric contact. 
  • Firewalld rules are set to ITA default locked down settings.
  • The SNMPd configuration is replaced with an ITA configuration to provide SNMP status for the ITA services.
  • The NTP configuration is changed to use default RHEL NTP servers. This can be changed afterwards through the server management interface (Webmin).
  • The PostgreSQL configuration is replaced and certificates for the database get generated during install.
  • The Keepalived configuration is replaced.
  • SELinux is enabled.
  • CTRL+ALT+DELETE reboot is disabled.
  • Root login and UseDNS in SSH is disabled.
  • TCP Keepalive settings are modified.
  • Kernel shared memory, huge pages and network memory settings are modified.
  • The sudo configuration was changed, adding sudo permissions to operations-platform and dcojboss user, removing requiretty parameter.
  • logrotate has been configured to handle ITA and PostgreSQL logs.
  • Loading kernel module ip_vs and ip_vs_rr.
  • The Apache configuration is modified.
  • The Webmin configuration is modified, disabling unused modules and changing security configuration.
  • Enabling PostgreSQL start at boot.
  • Maximum number of files has been increased to 100000 for JBoss (dcojboss) and root users.
  • Sudoers rules have been added for the dcojboss user to allow creation of ETL databases.

Valentin_Kozlov

Re: DCO on Red Hat installation: user rights permissions

Hi Gents!

Here are the logs, attached.

I tried to change pg_hba.conf manually and set an "allow all" string:

host all all 0.0.0.0/0 md5

After that I was able to add a new ETL database.

Could you advise whether changing the sudoers file should be enough, or is this just a first step in the investigation?

What other steps could be performed?

Attachments
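
The `host all all 0.0.0.0/0 md5` line in the post above lets any IPv4 client attempt a password login to any database as any user. As an added example (not part of the thread and not DCO's own tooling), this Python code applies PostgreSQL's first-match evaluation to a constructed pg_hba.conf and flags catch-all rules; the database names, users and addresses are made up, and only CIDR-form addresses and plain or comma-separated names are handled.

```python
import ipaddress

# Constructed sample pg_hba.conf; the last rule is the catch-all line from the post.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    etl_db    etl   10.20.30.0/24  md5
host    all       all   10.20.0.0/16   reject
host    all       all   0.0.0.0/0      md5
"""

def parse_hba(text):
    """Parse host/hostssl/hostnossl rules whose ADDRESS is in CIDR form."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # comments, blank lines, local (Unix-socket) rules
        try:
            net = ipaddress.ip_network(fields[3], strict=False)
        except ValueError:
            continue  # hostnames, samehost/samenet, separate netmask: not handled here
        rules.append({"line": lineno, "dbs": fields[1].split(","),
                      "users": fields[2].split(","), "net": net, "method": fields[4]})
    return rules

def first_match(rules, db, user, client_ip):
    """Return the first rule matching the connection; PostgreSQL consults no later rule."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if ip in r["net"] and {"all", db} & set(r["dbs"]) and {"all", user} & set(r["users"]):
            return r  # a 'reject' method here means the connection is refused outright
    return None  # no entry at all: the server also refuses the connection

def audit(rules):
    """Flag rules open to every client, database and user, or that skip passwords."""
    findings = []
    for r in rules:
        everyone = "all" in r["dbs"] and "all" in r["users"] and r["net"].prefixlen == 0
        if everyone and r["method"] != "reject":
            findings.append((r["line"], "any client, any database, any user"))
        if r["method"] == "trust" and not r["net"].is_loopback:
            findings.append((r["line"], "trust (no password) from non-loopback"))
    return findings

if __name__ == "__main__":
    print(audit(parse_hba(SAMPLE_HBA)))
```

Because evaluation stops at the first match, a narrow rule for the application's own host placed above any `reject` line grants the access needed without the catch-all.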
gsterling

Re: DCO on Red Hat installation: user rights permissions

Hello Valentin.

There are lots of errors in the server.log file, which is consistent with the problems you logged regarding the inability to create the ETL database, as it appears at some point there were problems connecting to the postgres database.

Is there a chance we can get a full set of log files from this server so we can view the postgres logs as well, as the original cause of the problem may be there?

Regards

Greg Sterling

Valentin_Kozlov

Re: DCO on Red Hat installation: user rights permissions

Hi Greg!

Logs are attached.

Attachments
gsterling

Re: DCO on Red Hat installation: user rights permissions

Hello Valentin

It does appear something occurred which caused DCO/ITA to have problems communicating with the database, which appears to have contributed to the problem you noticed when trying to create the ETL database.

The postgres-debug.log you sent was real recent; is there a debug log on the customer's server which has log entries from the August 17th to 19th timeframe?

Regards

Greg Sterling
