A DSA on Windows is failing to start. There is an error message "Unable to open file 'dir/file.ext' : Permission denied" in the trace log.

Document ID : KB000055133
Last Modified Date : 14/02/2018
Show Technical Document Details

Description

DSA is failing to start and produces an error message in its trace log as follows:
? 20070808.154527.625 ERROR : Syntax Error: Line 33 in C:\Program Files\CA\eTrust
Directory\dxserver\config\servers\democorp.dxi near ';'
Unable to open file '../access/democorp.dxc' : Permission denied.

Solution

The trace log error indicates that the file democorp.dxc in %DXHOME%\config\access has incorrect permissions. This means that the DSA could not open the file, which prevented the DSA from reading its configuration.

To fix this:

  1. Locate the file using Windows Explorer.
  2. Right-click the file and view the file properties.
  3. Select the Security tab.
  4. Click the Advanced button towards the bottom of the prompt.
  5. Select the option "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here."
    This option forces the file to inherit the permissions from its parent directory. This directory is created when CA Directory is installed, and its required permissions are set at that point and at any point SHOULD NOT BE CHANGED.
  6. Start the DSA. The configuration file now has the correct permissions, so the DSA should start without problems.

More Details about This Problem

This problem occurs when a configuration file is manually created in a directory with incorrect permissions. On Windows, new files usually automatically inherit the permissions of the parent directory. When the file is moved to its subsequent folder, the file retains its permissions.

Steps to avoid this situation:

  • Where possible, use the CA Directory tools to create configuration files. The tools set the correct file permissions.
  • If it is necessary to manually create a configuration file, it should be created inside the directory that it will reside and be used by CA Directory. This ensures that the file inherits the correct permissions from the directory.

CA Directory DSAs require that configuration files have at least the following standard group permissions on a file under a %DXHOME%\config subtree:

  • Administrators (Full Control)
  • Authenticated Users (Read & Execute, Read)
  • Server Operators (Modify, Read & Execute, Read, Write)
  • SYSTEM (Full Control)