IBM Support

DB2 agent startup showing error messages after JRE Upgrade

Technical Blog Post


Abstract

DB2 agent startup showing error messages after JRE Upgrade

Body

In order to fix more recent JRE vulnerabilities, you may need to install on your ITM infrastructure JRE packages like
6.X.X-TIV-ITM_JRE_CANDLEHOME_6.16.41.00 or 6.X.X-TIV-ITM_JRE_CANDLEHOME_7.10.01.00.

After having installed those packages, depending on the permission bits used in the ITMHOME, you might experience some problems starting
ITM agents that uses an userid different than root or not included in itm groups, like for example the db2 agent or the mq agent.

For example, starting the DB2 agent we can see:

[root@itmdb2d01 ~]# /bin/su - db2odm -c "/bin/ksh -c  '/opt/IBM/ITM/bin/itmcmd agent -o db2odm start ud '"  
itmcmd agent        : Sourcing db2profile for user db2odm.  
Processing. Please wait...  
Starting IBM Tivoli Composite Application Manager Agent for DB2 ...  
KCIIN0521E ...Error encountered during product startup.  
...Please check log file, if one exists, and env.config, ud.ini or ud.environment if it exists in /opt/IBM/ITM/config for possible errors.  
KCIIN0198E Unable to start agent. Please, check log file.

Despite of this, the agent is started correctly and it is also able to collect and show data, but the cinfo -r output shows it as not running.

By setting the TRACE_LEVEL to DEBUG_MAX for the execution of the Java program that is invoked when starting the agent, we can figure out the root cause.

   
STDERR: /opt/IBM/ITMDB2/config/ud.sh[16]: /opt/IBM/ITMDB2/tmp/ud.pid:  cannot create [Permission denied]  
   
There is a permission problem that prevented the program from writing the process ID, and so the RunInfo file was not updated.  
Also, due to the code returned by this error, the initialization program terminated with messages KCIIN0521E and KCIIN0198E.  
   
The problem is with folder <ITMHOME>/tmp, that before the JRE patch installation had permission bits 777.  
After installation of the JRE patch, it is changed to 775, so it was missing the Write permission for Others.  
When you start the UD agent, you use the db instance owner userID, and if this is not part of the folder or file group , the error occurs.  

Of course you can quickly fix it by running:
   
chmod o+w <itmhome>/tmp  

 

However if you run in the future another jreupdate.sh, the issue will be regressed again.  
   
There is a permanent solution.
   

As we just said,  the main problem is that /<itmhome>/tmp and likely the whole ITMHOME  
directory tree permissions is set to 777.
It is necessary when you have different agents with different users in the installation.  
Tivoli Monitoring provides the script secureMain to tighten permissions while still supporting stopping and starting different agents with different users in the installation.  
   
This process is documented here:  

https://www.ibm.com/support/knowledgecenter/SSTFXA_6.3.0/com.ibm.itm.doc_6.3/install/secure.htm 
   
The following commands executed as the root user on a Linux system will resolve the  issue for the DB2 agent:
 
groupadd itmusers  
usermod -a -G itmusers root  
usermod -a -G itmusers db2misc  
usermod -a -G itmusers db2odm  
usermod -a -G itmusers db2wsp  
usermod -a -G itmusers db2bpm  
/opt/IBM/ITM/bin/secureMain -g itmusers lock  

   
After running the above commands, you will be able to start any of the DB2 agent instances as well as the OS agent, even after running  
jreupdate for this or any future ITMHOME JRE uplift.  
The same should be done for any user account related to other agents, like for example MQ Agent.

You will not have to run secureMain manually again for the life of the installation.

Hope it helps

 

Tutorials Point

 

Subscribe and follow us for all the latest information directly on your social feeds:

 

 

image

 

image

 

image

 

 

  

Check out all our other posts and updates:

Academy Blogs:https://goo.gl/U7cYYY
Academy Videos:https://goo.gl/TLfMoF
Academy Google+:https://goo.gl/HnTs0w
Academy Twitter :https://goo.gl/AhR8CL


image

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSVJUL","label":"IBM Application Performance Management"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

UID

ibm11277050