APAR status
Closed as program error.
Error description
TWS on Red Hat 8.2 and later levels can fail at start time. An error like this one can appear:

    [root@eu-hws-lnx128 appservertools]# ./startAppServer.sh
    Setting CLI environment variables....
    IBM Workload Scheduler Environment Successfully Set !!!
    IBM Workload Automation Environment Successfully Set !!!
    su: cannot open session: Module is unknown
    sudo: error in /etc/sudo.conf, line 19 while loading plugin "sudoers_policy"
    sudo: unable to load /usr/libexec/sudo/sudoers.so: /lib64/libk5crypto.so.3: symbol EVP_KDF_ctrl version OPENSSL_1_1_1b not defined in file libcrypto.so.1.1 with link time reference
    sudo: fatal error, unable to load plugins

Starting with Red Hat 8.2, some programs such as "su" or "ssh" depend on OpenSSL modules that are not present in the TWS environment. This can cause failures when "su" or "ssh" are called inside the various TWS scripts.
Local fix
Workaround: in tws_env, for the Linux switch, change the export to:

    export LD_LIBRARY_PATH=/usr/lib64:$UNISONHOME/bin:$GSKIT_LIBPATH:$OPENSSL_LIBPATH:$LD_LIBRARY_PATH:.:$UNISONHOME/ITA/cpa/ita/lib:$UNISONHOME/CLI/bin

Save the file, then start all TWS/WAS etc.
Problem summary
The problem is due to the fact that the OpenSSL libraries on this RHEL version are at the 1.1.1 level (like the ones installed with IWS), but they have been customized by the vendor, and some applications (like su or ssh) require the customized libraries to work. If these applications load the IWS OpenSSL libraries, which do not have these customized symbols, the applications do not work.

su is failing because of this error:

    Feb 5 16:28:29 eu-hws-lnx128 su[2179298]: pam_unix(su:session): session closed for user root
    Feb 5 16:29:19 eu-hws-lnx128 su[2179447]: PAM unable to dlopen(/usr/lib64/security/pam_unix.so): /lib64/libk5crypto.so.3: symbol EVP_KDF_ctrl version OPENSSL_1_1_1b not defined in file libcrypto.so.1.1 with link time reference
    Feb 5 16:29:19 eu-hws-lnx128 su[2179447]: PAM adding faulty module: /usr/lib64/security/pam_unix.so
    Feb 5 16:29:19 eu-hws-lnx128 su[2179447]: pam_systemd(su:session): Cannot create session: Already running in a session or user slice

In fact, comparing the OS and IWS OpenSSL libraries:

    [root@eu-hws-lnx128 TWS]# objdump -TC /usr/lib64/libcrypto.so.1.1 | grep EVP_KDF
    0000000000170530 g DF .text 00000000000000f0 OPENSSL_1_1_1b EVP_KDF_ctrl
    0000000000170620 g DF .text 000000000000008e OPENSSL_1_1_1b EVP_KDF_ctrl_str
    00000000001704d0 g DF .text 0000000000000021 OPENSSL_1_1_1b EVP_KDF_reset
    00000000001706b0 g DF .text 0000000000000030 OPENSSL_1_1_1b EVP_KDF_size
    0000000000170500 g DF .text 0000000000000023 OPENSSL_1_1_1b EVP_KDF_vctrl
    00000000001703b0 g DF .text 0000000000000111 OPENSSL_1_1_1b EVP_KDF_CTX_new_id
    0000000000170370 g DF .text 0000000000000031 OPENSSL_1_1_1b EVP_KDF_CTX_free
    00000000001706e0 g DF .text 0000000000000023 OPENSSL_1_1_1b EVP_KDF_derive
    [root@eu-hws-lnx128 TWS]# objdump -TC /usr/Tivoli/TWS/OpenSSL64/1.1/lib64/libcrypto.so.1.1 | grep EVP_KDF
    [root@eu-hws-lnx128 TWS]#

it is evident that the EVP_KDF_* functions are missing in the IWS libraries.
The workaround to let the agent start and to let su and ssh work is to add /usr/lib64 in tws_env, where LD_LIBRARY_PATH is exported, so that the OS OpenSSL library is loaded first. The fix to let the agent and Liberty start without issues is to properly set LD_LIBRARY_PATH before invoking programs like su.
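The two checks behind this diagnosis, as an added shell example that is not IBM's code: first_match models only the LD_LIBRARY_PATH step of the loader's search to show which libcrypto.so.1.1 is found first, and missing_versioned_symbols compares saved objdump -T outputs to list the OPENSSL_* symbols a consumer library references but a given libcrypto does not define. The function names and the sample dump lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not IBM code. Function names and sample data are constructed.

# first_match LIBNAME PATHLIST
# Print the first directory in a colon-separated LD_LIBRARY_PATH-style list
# that contains LIBNAME. Models only the LD_LIBRARY_PATH step of the search.
first_match() {
    [ -n "$2" ] || return 1
    lib=$1 rest=$2:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        [ -n "$dir" ] || dir=.          # empty entry = current directory
        if [ -e "$dir/$lib" ]; then printf '%s\n' "$dir"; return 0; fi
    done
    return 1
}

# missing_versioned_symbols CONSUMER_DUMP PROVIDER_DUMP
# Arguments are saved `objdump -T` outputs. Prints "VERSION SYMBOL" for every
# undefined OPENSSL_* reference in the consumer that the provider lacks.
missing_versioned_symbols() {
    awk '
        NF < 5 { next }                 # objdump headers and blank lines
        { ver = $(NF-1); gsub(/[()]/, "", ver); key = ver " " $NF }
        role == "provider" && !/\*UND\*/ { have[key] = 1; next }
        role == "consumer" && /\*UND\*/ && ver ~ /^OPENSSL_/ { if (!(key in have)) print key }
    ' role=provider "$2" role=consumer "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed dumps: the defined line mirrors the page's objdump output,
    # the *UND* line is built from the symbol named in the page's error text.
    printf '%s\n' '0000000000170530 g    DF .text  00000000000000f0  OPENSSL_1_1_1b EVP_KDF_ctrl' > "$tmp/os.dump"
    : > "$tmp/iws.dump"                 # bundled library: no EVP_KDF symbols
    printf '%s\n' '0000000000000000      DF *UND*  0000000000000000  OPENSSL_1_1_1b EVP_KDF_ctrl' > "$tmp/k5.dump"
    echo "missing with OS libcrypto:  [$(missing_versioned_symbols "$tmp/k5.dump" "$tmp/os.dump")]"
    echo "missing with IWS libcrypto: [$(missing_versioned_symbols "$tmp/k5.dump" "$tmp/iws.dump")]"
    rm -rf "$tmp"
}
demo
```

On an affected host the inputs would be the saved output of objdump -T for /lib64/libk5crypto.so.3 and for each libcrypto.so.1.1 named in the report.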
Problem conclusion
The APAR will be fixed in 9.5.0.4 and 9.4.0.8.
Temporary fix
Comments
APAR Information
APAR number
IJ31007
Reported component name
TIV WKLD SCHDL
Reported component ID
5698WKB95
Reported release
950
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-02-24
Closed date
2021-05-27
Last modified date
2021-05-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIV WKLD SCHDL
Fixed component ID
5698WKB95
Applicable component levels
Document Information
Modified date:
21 September 2023