PM Proxy installation

MartinOza

 Hi everyone

I can't install PM Proxy.

After installation and running /opt/f-secure/fspms/bin/fspms-config at the end of configuration I've got:

 

[....] Starting fspms (via systemctl): fspms.serviceJob for fspms.service failed because the control process exited with error code.
See "systemctl status fspms.service" and "journalctl -xe" for details.
 failed!

Configuration is complete. You can manage the F-Secure Policy Manager Proxy
manually by typing '/etc/init.d/fspms {start|stop|restart|status}'.
Thank you for using F-Secure product.

 

 

I've tried to run proxy by /etc/init.d/fspms start but:

 

[....] Starting fspms (via systemctl): fspms.serviceJob for fspms.service failed because the control process exited with error code.
See "systemctl status fspms.service" and "journalctl -xe" for details.
 failed!

 

 

systemctl status fspms.service:

 

● fspms.service - LSB: F-Secure Policy Manager Proxy
Loaded: loaded (/etc/init.d/fspms; generated; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2017-11-28 15:10:10 CET; 1min 3s ago
Docs: man:systemd-sysv-generator(8)
Process: 2430 ExecStart=/etc/init.d/fspms start (code=exited, status=1/FAILURE)
Tasks: 49 (limit: 4915)
CGroup: /system.slice/fspms.service
└─2326 /opt/f-secure/fspms/jre/bin/java -server -Xverify:none -Djava.security.egd=fil
e:/dev/./urandom -Djava.io.tmpdir=/var/opt/f-secure/fspms/tmp -Djava.awt.headless=true -Dfspms.l
oggingConfigs=/opt/f-secure/fspms/config -Dfspms.logs=/var/opt/f-secure/fspms/logs -XX:ErrorFile
=/var/opt/f-secure/fspms/logs/hs_err_pid%p.log -DSTOP.PORT=8079 -DSTOP.KEY=secret -Dvertx.disabl
eDnsResolver=true -Dvertx.disableFileCPResolving=true -Dvertx.logger-delegate-factory-class-name
=io.vertx.core.logging.Log4j2LogDelegateFactory -XX:+UseG1GC -XX:+UseMontgomeryMultiplyIntrinsic
-XX:+UseMontgomerySquareIntrinsic -DtlsKeystore=/var/opt/f-secure/fspms/data/fspms.jks -Duser.l
anguage= -Duser.country= -Duser.variant= -Dfspms.previousVersion= -Dfspms.firstInstallationTime=
1511774053000 -Dfspms.installationTime=1511774737000 -Djetty.libsetuid.path=/opt/f-secure/fspms/
lib/ext/libsetuid.so -Djetty.username=fspms -Djetty.groupname=fspms -DhostModulePort=81 -DhostMo
duleHttpsPort=443 -DausRedirectedPort=2380 -DdataPath=/var/opt/f-secure/fspms/data -Dguts2Channe
lsPath=/opt/f-secure/fspms/config/channels.json -DausBasePath=/opt/f-secure/fsaus -DausConfPath=
/etc/opt/f-secure/fsaus/conf -DupstreamPmHost=195.117.156.80 -DupstreamPmPort=443 -DadminPubLoca
tion=/var/opt/f-secure/fspms/data/admin.pub -DreversProxy=true -cp /opt/f-secure/fspms/lib/* com
.fsecure.fspms.PolicyManagerServer
lis 28 15:10:05 proxyfsec systemd[1]: Starting LSB: F-Secure Policy Manager Proxy...
lis 28 15:10:10 proxyfsec fspms[2430]: Starting F-Secure Policy Manager Proxy:......failed.
lis 28 15:10:10 proxyfsec systemd[1]: fspms.service: Control process exited, code=exited
status=1
lis 28 15:10:10 proxyfsec systemd[1]: Failed to start LSB: F-Secure Policy Manager Proxy
.
lis 28 15:10:10 proxyfsec systemd[1]: fspms.service: Unit entered failed state.
lis 28 15:10:10 proxyfsec systemd[1]: fspms.service: Failed with result 'exit-code'.

 

 

In /var/opt/f-secure/fspms/logs/launcher-erro.log there only is:

 

/etc/init.d/fspms:  3:  eval:  -cp: not found

 

 

A_Grinkevitch

Hi MartinOza,

 

Please check fspms-stderrout.log and fspms-webapp-errors.log for exceptions. They might explain the reason… What is the OS version you are running?

 

A_Grinkevitch

BTW, also noticed that you’ve misspelled in reversProxy additional Java argument, it should be specified as reverseProxy. Could you please copy-paste content of fspms.conf, probably it contains obvious reasons…

MartinOza

Thanks for your answer A-Grinkevitch.

 

My OS is Debian 9.2

 

After correcting reverseProxy I run  /opt/f-secure/fspms/bin/fspms-config again:

 

[....] Starting fspms (via systemctl): fspms.serviceJob for fspms.service failed because the control process exited with error code.
See "systemctl status fspms.service" and "journalctl -xe" for details.
 failed!

Configuration is complete. You can manage the F-Secure Policy Manager Proxy
manually by typing '/etc/init.d/fspms {start|stop|restart|status}'.
Thank you for using F-Secure product.

 

systemctl status fspms.service

● fspms.service - LSB: F-Secure Policy Manager Proxy
   Loaded: loaded (/etc/init.d/fspms; generated; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2017-11-30 14:34:17 CET; 6min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 502 ExecStart=/etc/init.d/fspms start (code=exited, status=1/FAILURE)
    Tasks: 46 (limit: 4915)
   CGroup: /system.slice/fspms.service
           └─519 /opt/f-secure/fspms/jre/bin/java -server -Xverify:none -Djava.security.egd=file
:/dev/./urandom -Djava.io.tmpdir=/var/opt/f-secure/fspms/tmp -Djava.awt.headless=true -Dfspms.lo
ggingConfigs=/opt/f-secure/fspms/config -Dfspms.logs=/var/opt/f-secure/fspms/logs -XX:ErrorFile=
/var/opt/f-secure/fspms/logs/hs_err_pid%p.log -DSTOP.PORT=8079 -DSTOP.KEY=secret -Dvertx.disable
DnsResolver=true -Dvertx.disableFileCPResolving=true -Dvertx.logger-delegate-factory-class-name=
io.vertx.core.logging.Log4j2LogDelegateFactory -XX:+UseG1GC -XX:+UseMontgomeryMultiplyIntrinsic
-XX:+UseMontgomerySquareIntrinsic -DtlsKeystore=/var/opt/f-secure/fspms/data/fspms.jks -Duser.la
nguage= -Duser.country= -Duser.variant= -Dfspms.previousVersion= -Dfspms.firstInstallationTime=1
511774053000 -Dfspms.installationTime=1511774737000 -Djetty.libsetuid.path=/opt/f-secure/fspms/l
ib/ext/libsetuid.so -Djetty.username=fspms -Djetty.groupname=fspms -DhostModulePort=81 -DhostMod
uleHttpsPort=443 -DausRedirectedPort=2380 -DdataPath=/var/opt/f-secure/fspms/data -Dguts2Channel
sPath=/opt/f-secure/fspms/config/channels.json -DausBasePath=/opt/f-secure/fsaus -DausConfPath=/
etc/opt/f-secure/fsaus/conf -DupstreamPmHost=195.117.156.80 -DupstreamPmPort=443 -DadminPubLocat
ion=/var/opt/f-secure/fspms/data/admin.pub -DreverseProxy=true -cp /opt/f-secure/fspms/lib/* com
.fsecure.fspms.PolicyManagerServer

lis 30 14:34:11 proxyfsec systemd[1]: Starting LSB: F-Secure Policy Manager Proxy...
lis 30 14:34:17 proxyfsec fspms[502]: Starting F-Secure Policy Manager Proxy:......failed.
lis 30 14:34:17 proxyfsec systemd[1]: fspms.service: Control process exited, code=exited
 status=1
lis 30 14:34:17 proxyfsec systemd[1]: Failed to start LSB: F-Secure Policy Manager Proxy
.
lis 30 14:34:17 proxyfsec systemd[1]: fspms.service: Unit entered failed state.
lis 30 14:34:17 proxyfsec systemd[1]: fspms.service: Failed with result 'exit-code'.

But there is a process of fspms in system and my PM proxy server appeard in 'Import new hosts' in FS Policy Manager Console.

 

 

Here are my fspms-stderrout.log

2017-11-30 14:34:49.792:INFO::main: Logging initialized @37374ms
2017-11-30 14:34:54.858:INFO:cffur.NettyHttpServer:main: Started host interface connector at http://0.0.0.0:81 (native-epoll)
2017-11-30 14:34:54.885:INFO:cffur.NettyHttpServer:main: Started host interface connector at https://0.0.0.0:443 (native-epoll, Netty/TomcatNative [BoringSSL - Static] 2.0.6.Final)
2017-11-30 14:34:54.931:INFO:cffur.ShutdownMonitor:main: Opened stop port at 127.0.0.1:8079 (native-epoll)
2017-11-30 14:34:55.706:INFO:cff.PolicyManagerProxyStarter:main: Started @38091 ms

and first part of fspms-webapp-errors.log file:

30.11.2017 14:34:55,452 ERROR [com.fsecure.fspms.service.dbupdate.DbUpdateFetcher] - Failed to read infopaks
org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:2380 [/127.0.0.1] failed: Połączenie odrzucone (Connection refused)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:158) ~[httpclient-4.5.2.jar:4.5.2]
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) ~[httpclient-4.5.2.jar:4.5.2]
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) ~[httpclient-4.5.2.jar:4.5.2]
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[httpclient-4.5.2.jar:4.5.2]
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) ~[httpclient-4.5.2.jar:4.5.2]
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) ~[httpclient-4.5.2.jar:4.5.2]
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) ~[httpclient-4.5.2.jar:4.5.2]
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:117) ~[httpclient-4.5.2.jar:4.5.2]
        at com.fsecure.backweb.client.BackwebClient.readResponse(BackwebClient.java:125) ~[commons-java-backweb-1-SNAPSHOT.jar:17.43.83039 (origin/release/pm-13.00#20b905b9, 1508859824604)]
        at com.fsecure.backweb.client.BackwebClient.initBwClient(BackwebClient.java:96) ~[commons-java-backweb-1-SNAPSHOT.jar:17.43.83039 (origin/release/pm-13.00#20b905b9, 1508859824604)]
        at com.fsecure.fspms.service.dbupdate.DbUpdateFetcher.getUpdatesIfBackwebAvailable(DbUpdateFetcher.java:75) ~[fspms-webapp-1-SNAPSHOT.jar:13.00.83039 (origin/release/pm-13.00#20b905b9, 1508859824604)]
        at com.fsecure.fspms.service.dbupdate.DbUpdateFetcher.getUpdates(DbUpdateFetcher.java:56) ~[fspms-webapp-1-SNAPSHOT.jar:13.00.83039 (origin/release/pm-13.00#20b905b9, 1508859824604)]

 

 

Here is my config:

hostModulePort="81"
hostModuleHttpsPort="443"
adminModulePort="8080"
adminExtensionLocalhostRestricted="true"
webReportingEnabled="false"
webReportingPort="8081"
ausPort="2380"
jettyStopPort="8079"
upstreamPmHost="195.117.156.80"
upstreamPmPort="443"
additional_java_args="-DreverseProxy=true"

 

 

A_Grinkevitch

Ok, it is much better. As I see, Policy Manager Proxy has started successfully, but there is a problem with Automatic Update Server... Let's try to figure out why...

 

First of all, let’s check if AUS is running or not: ps -A | grep bwserver

Next, please check if 32-bit libstdc++6 is installed: dpkg-query -l | grep libstdc

Also please check logs in /var/opt/f-secure/fsaus/log, probably starter.log or log files contain something useful...

 

TIA,

Alexander

MartinOza

ps -A |grep bwserver  shows nothing

 

dpkg-query -l |grep libstdc |grep i386

ii  libstdc++6:i386                  6.3.0-18                     i386         GNU Standard C++ Library v3

There is no log directory in /var/opt/f-secure/fsaus/

 

 

A_Grinkevitch

Ok...

Just in case, let's check if port is free: netstat -anp | grep 2380

Most probably, port is not in use

So please try to change startup scripts a bit so that usually useless output to /dev/null was forwarded to the log file:

\etc\init.d\fspms:

    if [ -f "/sbin/start-stop-daemon" ] ; then
        start-stop-daemon --start --quiet --pidfile ${fsaus_pid_file} --exec ${fsaus_bin} -- -c ${fsaus_conf}/server.cfg >/dev/null 2>&1
    else
        daemon ${fsaus_bin} -c ${fsaus_conf}/server.cfg >/dev/null 2>&1
    fi

change to:

    if [ -f "/sbin/start-stop-daemon" ] ; then
        start-stop-daemon --start --quiet --pidfile ${fsaus_pid_file} --exec ${fsaus_bin} -- -c /etc/opt/f-secure/fsaus/conf/server.cfg >/tmp/log-aus-daemon 2>&1
    else
        daemon ${fsaus_bin} -c /etc/opt/f-secure/fsaus/conf/server.cfg >/tmp/log-aus-daemon 2>&1
    fi

 

 

\opt\f-secure\fsaus\bin\fsaus:

        system ("$fsaus_dir/$fsaus_srv $fsaus_srv_cmdline >/dev/null 2>&1 ");

change to

        system ("$fsaus_dir/$fsaus_srv $fsaus_srv_cmdline >/tmp/log-aus 2>&1 ");

 

Let’s stop and start fspms and check logs… 

 

TIA,

Alexander

MartinOza

 

In /tmp/log-aus there was information that system couldn't locate Time/Local.pm

 

I installed libdatetime-perl and it started working.

 

Thanks for your help Alexander

A_Grinkevitch

Great!

You are always welcome!

 

Alexander