How To

How do I install OpenAM with Apache Web Policy Agent 4.x on Red Hat Enterprise Linux or CentOS configured with SELinux?

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you want to install OpenAM with Apache™ Web Policy Agent on a Red Hat® Enterprise Linux® (RHEL) or CentOS system configured with SELinux in Enforcing mode. It assumes the Policy Agent is installed on an Apache web server with OpenAM running on Tomcat™ as the web container.

2 readers recommend this article

This article has been archived and is no longer maintained by ForgeRock.

Preparing for a successful install

The following tools are used in this process:

  • SELinux troubleshooting tool - displays all the violations that have been logged to the /var/log/audit/audit.log file along with possible solutions. When SELinux is in Enforcing mode, all configured parameters are enforced and any violations are logged to the /var/log/audit/audit.log file.
  • GUI configuration tool - provides useful utilities for operating and managing SELinux, including restorecon. The restorecon utility enables you to restore a file's default SELinux security contexts.

These are third-party tools that we suggest can be used for troubleshooting but are not supported by ForgeRock.

To prepare for a successful install:

  1. Install these tools using the following terminal command:  yum install setroubleshoot policycoreutils-gui
  2. Enable communication between Apache and Tomcat using the following terminal commands: # setsebool -P httpd_can_network_connect on # setsebool -P httpd_can_network_relay on
  3. Change the default SELinux type context for files in the directory with agent configuration files, such as /opt/web_agent, with the following command if installing the Apache Web Policy Agent: restorecon -v /opt/web_agents/apache22_agent/lib/*
  4. Identify and diagnose any other SELinux issues that may exist on your system using the following command: sealert -b /var/log/audit/audit.log The SELinux Alert Browser is displayed.
  5. Click Troubleshoot to display all the logged alerts along with suggested solutions.
  6. Implement the suggested solutions or similar to resolve all the logged alerts. You can now proceed to install OpenAM and the Apache Web Policy Agent.

You can use -a instead of -b in the sealert command to show a command line equivalent of the SELinux Alert Browser.

See Also

Permission denied when starting Apache Web Policy Agent 4.x on Red Hat Enterprise Linux or CentOS system configured with SELinux

OpenAM Web Policy Agent Release Notes › Limitations

Security-Enhanced Linux User Guide


Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.