Technical Blog Post
Abstract
DB2 agent startup showing error messages after JRE Upgrade
Body
To fix more recent JRE vulnerabilities, you may need to install JRE packages such as
6.X.X-TIV-ITM_JRE_CANDLEHOME_6.16.41.00 or 6.X.X-TIV-ITM_JRE_CANDLEHOME_7.10.01.00 on your ITM infrastructure.
After installing those packages, depending on the permission bits used in the ITMHOME, you might experience problems starting
ITM agents that use a user ID other than root or not included in the ITM groups, for example the DB2 agent or the MQ agent.
For example, starting the DB2 agent we can see:
[root@itmdb2d01 ~]# /bin/su - db2odm -c "/bin/ksh -c '/opt/IBM/ITM/bin/itmcmd agent -o db2odm start ud '"
itmcmd agent : Sourcing db2profile for user db2odm.
Processing. Please wait...
Starting IBM Tivoli Composite Application Manager Agent for DB2 ...
KCIIN0521E ...Error encountered during product startup.
...Please check log file, if one exists, and env.config, ud.ini or ud.environment if it exists in /opt/IBM/ITM/config for possible errors.
KCIIN0198E Unable to start agent. Please, check log file.
Despite this, the agent starts correctly and is able to collect and show data, but the cinfo -r output shows it as not running.
By setting the TRACE_LEVEL to DEBUG_MAX for the execution of the Java program that is invoked when starting the agent, we can figure out the root cause.
STDERR: /opt/IBM/ITMDB2/config/ud.sh[16]: /opt/IBM/ITMDB2/tmp/ud.pid: cannot create [Permission denied]
There is a permission problem that prevented the program from writing the process ID, and so the RunInfo file was not updated.
Also, due to the code returned by this error, the initialization program terminated with messages KCIIN0521E and KCIIN0198E.
The problem is with the folder <ITMHOME>/tmp, which had permission bits 777 before the JRE patch installation.
After installation of the JRE patch, it is changed to 775, so the write permission for Others is missing.
When you start the UD agent, you use the DB instance owner user ID, and if this user is not a member of the folder or file group, the error occurs.
Of course you can quickly fix it by running:
chmod o+w <itmhome>/tmp
However, if you run jreupdate.sh again in the future, the issue will return.
There is a permanent solution.
As we just said, the main problem is that the permissions of /<itmhome>/tmp, and likely of the whole ITMHOME
directory tree, are set to 777.
This is necessary when you have different agents with different users in the installation.
Tivoli Monitoring provides the script secureMain to tighten permissions while still supporting stopping and starting different agents with different users in the installation.
This process is documented here:
https://www.ibm.com/support/knowledgecenter/SSTFXA_6.3.0/com.ibm.itm.doc_6.3/install/secure.htm
The following commands executed as the root user on a Linux system will resolve the issue for the DB2 agent:
groupadd itmusers
usermod -a -G itmusers root
usermod -a -G itmusers db2misc
usermod -a -G itmusers db2odm
usermod -a -G itmusers db2wsp
usermod -a -G itmusers db2bpm
/opt/IBM/ITM/bin/secureMain -g itmusers lock
After running the above commands, you will be able to start any of the DB2 agent instances as well as the OS agent, even after running
jreupdate for this or any future ITMHOME JRE uplift.
The same should be done for any user account related to other agents, for example the MQ agent.
You will not have to run secureMain manually again for the life of the installation.
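A pre-flight check for the condition described above, as an added example that is not part of the original post or of IBM's tooling: it evaluates the owner, group and other permission classes on <ITMHOME>/tmp for each agent user, so a 775 directory whose group does not include the instance owner is flagged before the agent start fails. The function names, the script name check.sh and any sample group names are assumptions; stat -c requires GNU coreutils.

```sh
#!/bin/sh
# Added example (not IBM code): can a given user create ud.pid in <ITMHOME>/tmp?
# Classic owner -> group -> other evaluation; ACLs and root's override are ignored.

# in_list NEEDLE ITEM...: succeed if NEEDLE is one of the ITEMs.
in_list() {
    needle=$1; shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# can_create MODE DIR_OWNER DIR_GROUP USER "USER_GROUPS"
# Succeeds when USER has write and search permission on the directory.
can_create() {
    m=$(( 0$1 ))                     # octal mode, e.g. 775 or 1777
    if [ "$4" = "$2" ]; then
        bits=$(( (m >> 6) & 7 ))     # owner class
    elif in_list "$3" $5; then       # unquoted on purpose: split the group list
        bits=$(( (m >> 3) & 7 ))     # group class
    else
        bits=$(( m & 7 ))            # other class
    fi
    [ $(( bits & 3 )) -eq 3 ]        # w (2) and x (1) are both required
}

# check_itm_tmp DIR USER...: run the check against a real directory (GNU stat).
check_itm_tmp() {
    dir=$1; shift; rc=0
    read -r d_mode d_owner d_group <<EOF
$(stat -c '%a %U %G' "$dir" 2>/dev/null)
EOF
    [ -n "$d_group" ] || { echo "cannot stat $dir" >&2; return 2; }
    for u in "$@"; do
        if can_create "$d_mode" "$d_owner" "$d_group" "$u" "$(id -Gn "$u" 2>/dev/null)"; then
            echo "OK    $u can create files in $dir"
        else
            echo "FAIL  $u cannot create files in $dir (mode $d_mode, group $d_group)"
            rc=1
        fi
    done
    return $rc
}

# Hypothetical invocation: sh check.sh /opt/IBM/ITM/tmp db2odm db2wsp
if [ "$#" -gt 1 ]; then check_itm_tmp "$@"; fi
```

Run it after each jreupdate.sh and after secureMain; a non-zero exit status means at least one listed user cannot write its PID file.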
Hope it helps
UID
ibm11277050