Solution
The security setup for the oprocmgr is done in oprocmgr.conf, which has the following entries:

<IfModule mod_oprocmgr.c>
  Listen %port%
  ProcNode myhostname.mydomain %port%
  <VirtualHost _default_:%port%>
    <IfDefine SSL>
      SSLEngine off
    </IfDefine>
    Port %port%
    <Location />
      Order Deny,Allow
      Deny from all
      Allow from localhost
      Allow from myhostname
      Allow from myhostname.mydomain
    </Location>
    <Location /oprocmgr-service>
      SetHandler oprocmgr-service
    </Location>
    <Location /oprocmgr-status>
      SetHandler oprocmgr-status
    </Location>
  </VirtualHost>
</IfModule>

The thing to look at here is the client address referenced in the access_log file. In the above case this shows:
myhostname.myotherdomain - - [..] "GET /....
while we expect to see
myhostname.mydomain - - [..] "GET /....
Since myhostname.myotherdomain is not in the list of allowed locations, an HTTP-403 response is passed back and the oprocmgr is not able to monitor the Jserv.
The simple solution here is to add myhostname.myotherdomain to the list of allowed locations. This allows the Jserv to start properly and prevents further outage of the environment. However, this may disguise the real root cause.
A different host-name than expected is being used, and this requires further investigation. Previous reports of this error indicate that the network setup is the area to investigate. Below, 2 scenarios are discussed which raise this error and which may assist in finding out what exactly goes wrong.
Scenario 1)
The myhostname.myotherdomain is referenced before myhostname.mydomain in the /etc/hosts file, like
11.22.33.44 myhostname.myotherdomain
11.22.33.44 myhostname.mydomain myhostname
or
11.22.33.44 myhostname.myotherdomain myhostname.mydomain myhostname
For the GET /oprocmgr-service?cmd.. call, the first reference found for the ip-address in /etc/hosts is used. So make sure that myhostname.mydomain is found first to prevent the HTTP-403 error, for example
11.22.33.44 myhostname.mydomain myhostname.myotherdomain myhostname
Scenario 2)
The hosts file looks OK but is not used. The host-name is provided by DNS, and this returns a different host-name than expected. This can for example be the case when the server is set up for 2 domains and the default domain returned is myhostname.myotherdomain.
The file that determines whether /etc/hosts is used is /etc/nsswitch.conf. Verify this file is available and has the following entry:
#hosts: db files nisplus nis dns
hosts: files dns
This setting defines that /etc/hosts is used first and DNS after that. When dns is set before files, /etc/hosts is only used when no value is returned by DNS. If /etc/nsswitch.conf is not available, DNS is used and /etc/hosts is not used at all.
For performance reasons it's advised to use the /etc/hosts instead of DNS, so check network documentation on how to create the /etc/nsswitch.conf file.
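The two scenarios above can be checked offline with a small model of the lookup. This is an added example, not code from the original post or from the product: it predicts the client name that lands in access_log and whether the Allow list from oprocmgr.conf admits it. Assumptions: the reverse-DNS answer is passed in as a string, the Allow matching is a simplified whole-name or trailing-domain comparison, and all function and variable names are illustrative.

```python
# Added example; hosts/nsswitch contents and the DNS answer are constructed from the page's samples.
ALLOW = ["localhost", "myhostname", "myhostname.mydomain"]  # <Location /> Allow list
BAD_HOSTS = "11.22.33.44 myhostname.myotherdomain myhostname.mydomain myhostname\n"
GOOD_HOSTS = "11.22.33.44 myhostname.mydomain myhostname.myotherdomain myhostname\n"
FILES_FIRST = "#hosts: db files nisplus nis dns\nhosts: files dns\n"
DNS_FIRST = "hosts: dns files\n"

def canonical_from_hosts(hosts_text, ip):
    """First name on the first hosts line for ip (what the resolver reports)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == ip:
            return fields[1].lower()
    return None

def hosts_sources(nsswitch_text):
    """Ordered sources of the active 'hosts:' entry; DNS only if the file is absent."""
    for line in (nsswitch_text or "").splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return [s for s in line[6:].split() if not s.startswith("[")]
    return ["dns"]  # missing file, as the page describes; a missing entry is assumed alike

def resolved_name(ip, hosts_text, nsswitch_text, dns_ptr):
    """Walk the sources in order; dns_ptr stands in for the reverse-DNS answer."""
    for source in hosts_sources(nsswitch_text):
        name = {"files": canonical_from_hosts(hosts_text, ip), "dns": dns_ptr}.get(source)
        if name:
            return name.lower()
    return None

def allowed(name, allow_from):
    """Simplified 'Allow from <host>' match: whole name or trailing domain part."""
    name = (name or "").lower()
    for entry in (a.lower() for a in allow_from):
        if name == entry:
            return True
        if name.endswith(entry) and (entry[0] == "." or name[-len(entry) - 1] == "."):
            return True
    return False

def diagnose(ip, hosts_text, nsswitch_text, dns_ptr, allow_from=ALLOW):
    """Return (client name expected in access_log, True if <Location /> admits it)."""
    name = resolved_name(ip, hosts_text, nsswitch_text, dns_ptr)
    return name, allowed(name, allow_from)

if __name__ == "__main__":
    for hosts, nss in [(BAD_HOSTS, FILES_FIRST), (GOOD_HOSTS, FILES_FIRST), (GOOD_HOSTS, DNS_FIRST)]:
        print(diagnose("11.22.33.44", hosts, nss, "myhostname.myotherdomain"))
```

A result of False corresponds to the HTTP-403 case; feeding in the real /etc/hosts and /etc/nsswitch.conf contents shows which of the two scenarios applies before the Allow list is widened.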
Notes:
- The example uses a different domain-name being returned as the cause of the problem. But be aware that the problem can also be with the host-name.
- The 2 scenarios mentioned here may not be the only ones causing this error. So work with a network administrator to do further diagnostics to find out where the 'incorrect' reference is coming from when the above suggestions do not clarify the root cause.