Red Hat 7 Apache 2.4 startup fails when SSO Web Agent is installed - fails to load Kerberos module mod_auth_gssapi.so

Document ID : KB000007209
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

After following TEC1340867, you may still see errors while trying to start the web agent.  The errors are detailed below. 

[root@server bin]# apachectl start

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

 

[root@server bin]# systemctl status httpd.service -l

httpd.service - The Apache HTTP Server

   Loaded: loaded (/etc/systemd/system/httpd.service; disabled; vendor preset: disabled)

   Active: failed (Result: exit-code) since Thu 2017-06-22 19:58:02 EDT; 16s ago

     Docs: man:httpd(8)

           man:apachectl(8)

  Process: 6202 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=127)

  Process: 6200 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)

  Process: 6196 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)

  Process: 5646 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)

Main PID: 6196 (code=exited, status=1/FAILURE)

 

Jun 22 19:58:01 server ipa-httpd-kdcproxy[5646]: ipa         : WARNING  Unable to connect to dirsrv: Timeout exceeded

Jun 22 19:58:01 server ipa-httpd-kdcproxy[5646]: ipa         : WARNING  Disabling KDC proxy

Jun 22 19:58:01 server httpd[6196]: httpd: Syntax error on line 62 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.modules.d/10-auth_gssapi.conf: Cannot load modules/mod_auth_gssapi.so into server: /etc/httpd/modules/mod_auth_gssapi.so: symbol gss_mech_iakerb, version gssapi_krb5_2_MIT not defined in file libgssapi_krb5.so.2 with link time reference

Jun 22 19:58:02 server systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE

Jun 22 19:58:02 server kill[6200]: kill: cannot find process ""

Jun 22 19:58:02 server systemd[1]: httpd.service: control process exited, code=exited status=1

Jun 22 19:58:02 server kdestroy[6202]: /usr/bin/kdestroy: relocation error: /usr/bin/kdestroy: symbol krb5_cccol_cursor_new, version krb5_3_MIT not defined in file libkrb5.so.3 with link time reference

Jun 22 19:58:02 server systemd[1]: Failed to start The Apache HTTP Server.

Jun 22 19:58:02 server systemd[1]: Unit httpd.service entered failed state.

Jun 22 19:58:02 server systemd[1]: httpd.service failed.

Environment:
RHEL 7Apache 2.4As recent as Web Agent 12.52 SP1 CR06
Cause:

The cause of the error is due to the system is loading an outdated SSO Web Agent Kerberos module.  The MIT Kerberos module was updated in the newer webagent agent versions. In the older agents (as recent as 12.52 SP1 CR06), the Kerberos module is outdated if you use RedHat7.

Resolution:

Since this is the case, you will need to modify LD_LIBRARY_PATH to include /lib64 in front of the Web Agent paths. This ensures that the Apache/RedHat 7 Kerberos module gets loaded before the Web Agent's module. Again, please reference TEC1340867 for steps on where and how to modify LD_LIBRARY_PATH.

Here is an example of the contents of ”ca_wa_env.sh” which should be included in /etc/sysconfig/httpd. (Bold is effective and others are commented out) 

NETE_WA_ROOT=/opt/CA/webagent 
#export NETE_WA_ROOT 

NETE_WA_PATH=/opt/CA/webagent/bin 
#NETE_WA_PATH=${NETE_WA_ROOT}/bin 
#export NETE_WA_PATH 


CAPKIHOME=/opt/CA/webagent/CAPKI 
#export CAPKIHOME 


LD_LIBRARY_PATH=/lib64:/opt/ca/webagent/bin:/opt/ca/webagent/bin/thirdparty:/opt/CA/SharedComponents/lib:/opt/CA/CAlib:/opt/CA/DSM/caf/lib
#LD_LIBRARY_PATH=${NETE_WA_ROOT}/bin:${NETE_WA_ROOT}/bin/thirdparty:${LD_LIBRARY_PATH} 
#export LD_LIBRARY_PATH 


PATH=/opt/ca/webagent/bin:/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/CA/SharedComponents/bin:/opt/CA/SharedComponents/ccs/cam/bin:/root/bin 
#PATH=${NETE_WA_PATH}:${PATH} 
#export PATH

 

Additional Information:

TEC1340867 - systemctl and Web Agent startup settings for Red Hat Apache Web Server 2.4.x