In this blog example, we will explore expanding the ability of Virtual Appliances to use X11 programs where possible instead of requiring a 2nd server to host the solutions’ client tools.
We will review how to enable the following client tools: CX (Symantec IM Connector Xpress), WF Designer (Symantec Workflow Designer), Wildfly/JBOSS Management UI, Jxplorer (LDAP Management UI), and Apache Directory Studio (LDAP Management UI). Note there is no Java version for the Symantec Identity Manager GUI (32bit VC++ client).
Challenge:
The Symantec Identity Suite Virtual Appliance is locked down from updating libraries as the ‘root’ user and the default login service ID of ‘config’ does not have access to the package installer, e.g. yum.
The Symantec Identity Suite Virtual Appliance, like other tools, has an enhancement request process to add new functionality. While we wait for this to be delivered, we can address these gaps ourselves, using the limited resources available to us, once we know which X11 functionality needs to be enabled.
To first identify what drivers may be needed, we can use the Linux OS “strace” command to capture which files are “open” or “openat” and used by the programs.
Example for tracing the files/drivers for Java (Oracle or AdoptOpenJDK) jconsole program:


STRACE
Using “strace -e trace=open,openat /opt/CA/java/bin/policytool” we can see the files that were found “= 3” versus those not found “= -1 ENOENT (No such file or directory)”. Some files are required for Centos 8 Stream and others for Centos 6.4.
Using this iterative process above will help to identify either the primary file used or a supporting file required to start and use the UI version of the program.
We can use either Java jconsole or policytool to help identify the drivers required. There may be different driver versions, or additional drivers required, for the OS of the virtual appliances.
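The filtering step of this iterative process can be scripted. The following is an added example, not code from the original post: it reads strace output and lists only the shared libraries that were never opened successfully from any directory, since an ENOENT on one search path is normal when the same file is found on a later one. The function names and the sample trace lines are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the blog's code: list shared libraries that strace never
# saw opened successfully. Reads strace output on stdin. Real use:
#   strace -e trace=open,openat /opt/CA/java/bin/policytool 2>&1 | missing_libs
missing_libs() {
  awk '
    /open(at)?\(/ {
      # The first quoted string is the path for both open() and openat().
      if (!match($0, /"[^"]+"/)) next
      path = substr($0, RSTART + 1, RLENGTH - 2)
      n = split(path, parts, "/"); lib = parts[n]
      if (lib !~ /\.so(\.[0-9]+)*$/) next          # skip ld.so.cache, jars, ...
      if ($0 ~ /= [0-9]+$/) found[lib] = 1          # opened from some directory
      else if ($0 ~ /= -1 ENOENT/ && !(lib in found)) found[lib] = 0
    }
    END { for (lib in found) if (!found[lib]) print lib }
  ' | LC_ALL=C sort
}

# Constructed sample mixing the Centos 8 Stream (openat) and Centos 6.4 (open) forms.
sample_trace() {
  cat <<'EOF'
openat(AT_FDCWD, "/opt/CA/java/lib/amd64/libXext.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libXext.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/opt/CA/java/lib/amd64/libXtst.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libXtst.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libXrender.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
EOF
}

sample_trace | missing_libs
```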
Trace Example with Java Policytool program and compare between Centos 8 Stream (openat) and Centos 6.4 (open)


Now that we have a process to help identify the drivers required, we can walk through the challenges and the value statement.
The first challenge for X11 access is that the DISPLAY environment variable must be defined. Otherwise we will see this error message: “No X11 DISPLAY variable”

To address this challenge, we could manually set this value every time, but why not use our bash shell to manage this?
DISPLAY OS Variable
Add the below two (2) lines to config’s .bash_profile
DISPLAY=$(who -m | gawk -F'(' '{ print $2}' | gawk -F')' '{print $1}'):0.0;export DISPLAY
env | grep DISPLAY
Our DISPLAY variable will now be updated every time we log into the vApp with the config userID.
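A variant of the DISPLAY line that handles two edge cases, as an added example that is not part of the original post: when the session was opened with SSH X11 forwarding, sshd has already set DISPLAY and the profile should not overwrite it, and a console login has no "(host)" field in the `who -m` output at all. The function name `pick_display` and the sample `who -m` lines are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the blog's code: choose DISPLAY from a `who -m` line.
#   $1 = one line of `who -m` output, $2 = DISPLAY already in the environment
pick_display() {
  who_line=$1; current=$2
  # With X11 forwarding, sshd already exported DISPLAY (e.g. localhost:10.0);
  # keep it so the X11 traffic stays inside the SSH tunnel.
  if [ -n "$current" ]; then printf '%s\n' "$current"; return 0; fi
  # The remote host is the trailing "(...)" field; console logins have none.
  host=$(printf '%s\n' "$who_line" | sed -n 's/.*(\([^()]*\))[[:space:]]*$/\1/p')
  [ -n "$host" ] || return 1
  case $host in
    :*) printf '%s\n' "$host" ;;        # local X session shown as "(:0)"
    *)  printf '%s:0.0\n' "$host" ;;    # same value the blog's gawk line builds
  esac
}

# Constructed sample lines in the format `who -m` prints.
ssh_login='config   pts/0        2021-06-18 15:04 (192.168.2.50)'
console_login='config   tty1         2021-06-18 15:04'

pick_display "$ssh_login" ""                  # 192.168.2.50:0.0
pick_display "$ssh_login" "localhost:10.0"    # forwarded display is kept
pick_display "$console_login" "" || echo "console login: DISPLAY left unset"

# In .bash_profile the call would be:
#   d=$(pick_display "$(who -m)" "$DISPLAY") && export DISPLAY="$d"
```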
We should now see this:

When using the “strace” method, we may see that a file exists on the OS but is reported as not found because of an internal dependency.
For example, with policytool we can see that the file libXext.so.6 (or link) is not referenced correctly.

If we search the OS of the vApp, we can find this file (and its link) with no issue.

The file libXext.so.6 (or libXext.so.6.4.0) requires a supporting file of libX11.so.6 (libX11.so.6.3.0). As we search for these files, we can now start collecting them from non-vApp OS servers (that do have access to package updates), and make them available to the ‘config’ userID via scp/rsync.
On another server that has these files (same OS release), find and copy these files.

After we have identified all the required files that are missing from the vApp r14.3 (Centos 6.4) or r14.4 (Centos 8 Stream), we can package them up for the ‘config’ userID and scp/rsync them to the vApp.

Soft Links
Before we use these files, we may need to validate that the soft-links are properly defined. If you have any issues, use strace to help identify the missing soft-link to the real file.
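One way to run that validation over a copied library folder before it is used, as an added example that is not part of the original post. It reports soft links whose real file is missing or whose target leaves the folder, and also flags library files that are group- or world-writable (the mode the page's listing shows for libXext.so.6.4.0), since the loader will run whatever is found there; the function names and the sample folder are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the blog's code: audit a copied X11 library folder.
# Prints one finding per line; returns 1 when anything needs fixing.
check_libdir() {
  dir=$1; rc=0
  for f in "$dir"/*.so*; do
    name=${f##*/}
    if [ -L "$f" ]; then
      target=$(readlink "$f")
      case $target in
        */*) echo "LINK_OUTSIDE $name -> $target"; rc=1 ;;  # must stay in-folder
      esac
      # -e follows the link: false means the real file is missing.
      [ -e "$f" ] || { echo "BROKEN_LINK $name -> $target"; rc=1; }
    elif [ -f "$f" ]; then
      # The loader runs whatever sits here, so nobody else may rewrite it.
      if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE $name"; rc=1
      fi
    fi
  done
  return $rc
}

# Constructed sample folder that reuses file names listed on this page.
make_sample_libdir() {
  d=$(mktemp -d)
  : > "$d/libX11.so.6.3.0";  chmod 755 "$d/libX11.so.6.3.0"
  : > "$d/libXext.so.6.4.0"; chmod 775 "$d/libXext.so.6.4.0"  # group-writable
  ln -s libX11.so.6.3.0  "$d/libX11.so.6"
  ln -s libXext.so.6.4.0 "$d/libXext.so.6"
  ln -s libXi.so.6.1.0   "$d/libXi.so.6"                      # real file absent
  echo "$d"
}

sample=$(make_sample_libdir)
check_libdir "$sample" || echo "fix the findings above before using this folder"
rm -rf "$sample"
```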
LD_LIBRARY_PATH
LD_LIBRARY_PATH is the OS variable we will use to redirect the library files (x86/x64) for the ‘config’ userID. Again, edit the config’s .bash_profile and ensure the following lines exist:
#### ANA - Add X11 process & supporting libraries to vApp r14.3 config service ID ####
DISPLAY=$(who -m | gawk -F'(' '{ print $2}' | gawk -F')' '{print $1}'):0.0;export DISPLAY
env | grep -i DISPLAY
LD_LIBRARY_PATH=/tmp/x11_libraries_for_centos6_vapp143/usr/lib64:/tmp/x11_libraries_for_centos6_vapp143/usr/lib;export LD_LIBRARY_PATH
env | grep -i LD_LIBRARY_PATH
#### ANA - Add X11 process & supporting libraries to vApp config service ID ####
OR
#### ANA - Add X11 process & supporting libraries to vApp r14.4 config service ID ####
DISPLAY=$(who -m | gawk -F'(' '{ print $2}' | gawk -F')' '{print $1}'):0.0;export DISPLAY
env | grep -i DISPLAY
LD_LIBRARY_PATH=/tmp/x11_for_centos8_for_vapp144/usr/lib64:/tmp/x11_for_centos8_for_vapp144/usr/lib;export LD_LIBRARY_PATH
env | grep -i LD_LIBRARY_PATH
#### ANA - Add X11 process & supporting libraries to vApp config service ID ####
We should now see the following upon login:

Summary Page of X11 Functionality for vApp r14.3cp2 (Centos 6.4)

Centos 6.4 OS Files required for X11 functionality
/tmp/x11_libraries_for_centos6_vapp143/usr/lib64:
-rwxr-xr-x 1 config config 62176 Jun 18 15:04 libXi.so.6.1.0
-rwxr-xr-x 1 config config 38272 Jun 18 15:04 libXrender.so.1.3.0
-rwxr-xr-x 1 config config 21952 Jun 18 15:04 libXtst.so.6.1.0
-rwxrwxr-x 1 config config 74336 Jun 18 15:04 libXext.so.6.4.0
-rwxr-xr-x 1 config config 1297928 Jun 18 15:04 libX11.so.6.3.0
lrwxrwxrwx 1 config config 14 Jun 18 15:05 libXi.so.6 -> libXi.so.6.1.0
lrwxrwxrwx 1 config config 16 Jun 18 15:03 libXtst.so.6 -> libXtst.so.6.1.0
lrwxrwxrwx 1 config config 19 Jun 18 15:01 libXrender.so.1 -> libXrender.so.1.3.0
lrwxrwxrwx 1 config config 15 Jun 18 14:52 libX11.so.6 -> libX11.so.6.3.0
lrwxrwxrwx 1 config config 16 Jun 18 14:14 libXext.so.6 -> libXext.so.6.4.0
/tmp/x11_libraries_for_centos6_vapp143/usr/lib:
-rwxr-xr-x 1 config config 59180 Jun 18 15:04 libXi.so.6.1.0
-rwxr-xr-x 1 config config 20044 Jun 18 15:04 libXtst.so.6.1.0
-rwxrwxr-x 1 config config 68588 Jun 18 15:04 libXext.so.6.4.0
-rwxr-xr-x 1 config config 1279168 Jun 18 15:04 libX11.so.6.3.0
lrwxrwxrwx 1 config config 14 Jun 18 15:05 libXi.so.6 -> libXi.so.6.1.0
lrwxrwxrwx 1 config config 16 Jun 18 15:03 libXtst.so.6 -> libXtst.so.6.1.0
lrwxrwxrwx 1 config config 15 Jun 18 14:52 libX11.so.6 -> libX11.so.6.3.0
lrwxrwxrwx 1 config config 16 Jun 18 14:14 libXext.so.6 -> libXext.so.6.4.0
Summary Page of X11 Functionality for vApp r14.4 (Centos 8 Stream)

Centos 8 Stream’s OS Files required for X11 functionality
/tmp/x11_for_centos8_for_vapp144/usr/lib64:
-rwxrwxr-x 1 config config 170208 Jun 18 17:34 libxcb.so.1.1.0
-rwxr-xr-x 1 config config 49256 Jun 18 17:34 libXrender.so.1.3.0
-rwxr-xr-x 1 config config 29104 Jun 18 17:34 libXtst.so.6.1.0
-rwxr-xr-x 1 config config 80728 Jun 18 17:34 libXext.so.6.4.0
-rwxr-xr-x 1 config config 70720 Jun 18 17:34 libXi.so.6.1.0
-rwxr-xr-x 1 config config 1343952 Jun 18 17:34 libX11.so.6.3.0
-rwxr-xr-x 1 config config 16352 Jun 18 17:34 libXau.so.6.0.0
lrwxrwxrwx 1 config config 15 Jun 18 17:35 libXau.so.6 -> libXau.so.6.0.0
lrwxrwxrwx 1 config config 15 Jun 18 17:33 libxcb.so.1 -> libxcb.so.1.1.0
lrwxrwxrwx 1 config config 14 Jun 18 17:32 libXi.so.6 -> libXi.so.6.1.0
lrwxrwxrwx 1 config config 16 Jun 18 17:31 libXtst.so.6 -> libXtst.so.6.1.0
lrwxrwxrwx 1 config config 19 Jun 18 17:30 libXrender.so.1 -> libXrender.so.1.3.0
lrwxrwxrwx 1 config config 15 Jun 18 17:28 libX11.so.6 -> libX11.so.6.3.0
lrwxrwxrwx 1 config config 16 Jun 18 17:27 libXext.so.6 -> libXext.so.6.4.0
/tmp/x11_for_centos8_for_vapp144/usr/lib:
-rwxrwxr-x 1 config config 181952 Jun 18 17:34 libxcb.so.1.1.0
-rwxr-xr-x 1 config config 78200 Jun 18 17:34 libXi.so.6.1.0
-rwxr-xr-x 1 config config 87788 Jun 18 17:34 libXext.so.6.4.0
-rwxr-xr-x 1 config config 15700 Jun 18 17:34 libXau.so.6.0.0
-rwxr-xr-x 1 config config 1411660 Jun 18 17:34 libX11.so.6.3.0
lrwxrwxrwx 1 config config 15 Jun 18 17:28 libX11.so.6 -> libX11.so.6.3.0
lrwxrwxrwx 1 config config 16 Jun 18 17:27 libXext.so.6 -> libXext.so.6.4.0
Final Value Statement – X11 UI on vApp
Jxplorer

Script to add jxplorer on the vApp (if you have internet access to the vApp). This script will maintain the configuration file “connections.txt” where hostname/ports/userDN are stored for Jxplorer.
#!/bin/bash
##############################################
# Name: add_jxplorer.sh
# Goal: Add Jxplorer (jar) to vApp r14.4 (Centos 8 Stream) with X11 enabled
# Ref: http://jxplorer.org/downloads/users.html
# ANA 2021
##############################################
# Work in ~/jxplorer; stop if the cd fails so the cleanup below cannot run elsewhere
mkdir -p ~/jxplorer && cd ~/jxplorer || exit 1
# Remove the previous install but keep the saved connections
find . -type f -not -name 'connections.txt' -delete
# -f makes curl fail on an HTTP error instead of saving the error page
curl -fOL https://netactuate.dl.sourceforge.net/project/jxplorer/jxplorer/version%203.3.1.2/jxplorer-3.3.1.2-linux-installer.run || exit 1
chmod 555 jxplorer-3.3.1.2-linux-installer.run; ./jxplorer-3.3.1.2-linux-installer.run --unattendedmodeui minimal --mode unattended
pwd
# Start the UI in the background
./jxplorer.sh >/dev/null &
echo "Done"
Wildfly / JBoss CLI X11 UI
Use for managing the standalone-full-ha.xml file via jboss-cli.sh scripts and to update values.

Ensure you have created a management user credential to access the running Wildfly/JBoss release.

config@vapp14401 VAPP-14.4.0 (192.168.2.210):~ > sudo /opt/CA/wildfly-idm/bin/add-user.sh -m -u jboss-admin -p Password01!
Added user 'jboss-admin' to file '/opt/CA/wildfly-idm/standalone/configuration/mgmt-users.properties'
Added user 'jboss-admin' to file '/opt/CA/wildfly-idm/domain/configuration/mgmt-users.properties'
config@vapp14401 VAPP-14.4.0 (192.168.2.210):~ >
config@vapp14401 VAPP-14.4.0 (192.168.2.210):~ > /opt/CA/wildfly-idm/bin/jboss-cli.sh --connect --user=jboss-admin --password=Password01! --gui
Next Steps
We can use the X11 functionality for the IM Workpoint Designer tool, the Connector Xpress (CX) UI tool, and any other tools, e.g. Symantec Layer7 Management UI (manager.jar).
Side Note:
The IM Workpoint Designer tool and other tools have been removed from the vApp r14.4 IAMSuite samples.

We installed the IAMSuite tools under the config service ID only, to determine if there is any value. We do not see any X11 client applications under this installed component.

Workpoint Designer
Extract the workpoint designer from the standalone deployment tools to a media folder.

Update the shell script files to be executable, and replace the localhost entry with another host alias that resolves to an IP address on which the IM solution with Workpoint is actively listening. Then run the designer from the virtual appliance.

config@vapp14401 VAPP-14.4.0 (192.168.2.210):~/media > unzip CA-IG_WorkpointDesigner.zip > /dev/null
config@vapp14401 VAPP-14.4.0 (192.168.2.210):~/media > cd CA-IG_WorkpointDesigner/Workpoint/WorkPointDesigner/bin/
config@vapp14401 VAPP-14.4.0 (192.168.2.210):~/media/CA-IG_WorkpointDesigner/Workpoint/WorkPointDesigner/bin > chmod 555 *.sh
config@vapp14401 VAPP-14.4.0 (192.168.2.210):~/media/CA-IG_WorkpointDesigner/Workpoint/WorkPointDesigner/bin > cp -r -p ../conf/workpoint-client.properties ../conf/workpoint-client.properties.org
config@vapp14401 VAPP-14.4.0 (192.168.2.210):~/media/CA-IG_WorkpointDesigner/Workpoint/WorkPointDesigner/bin > sed -i 's|localhost|caim-srv|g' ../conf/workpoint-client.properties
config@vapp14401 VAPP-14.4.0 (192.168.2.210):~/media/CA-IG_WorkpointDesigner/Workpoint/WorkPointDesigner/bin > ./Designer.sh
Reduce the complexity of the EJB library paths within the bin/init.sh file:
EJB_CLASSPATH=../lib/:../lib/axis/:../rcm/*
Why? We noted path issues that certain file name versions were NOT updated in the referenced init.sh and rcmClassPath.sh, so we now just directly reference the library folders instead.
Also, set the JBOSS_HOME to point to IG wildfly folder. [Note: This works for Wildfly 8 and 15]

If you are unsure if you are missing ANY Java libraries, use the -verbose:class switch in Designer.sh file to showcase EVERY jar file loaded. This will be very verbose but helpful.

If we need help to find a class within a jar file, we can use find with unzip and grep to find the class by a string value. Save the below bash shell as find_jar.sh and execute it with the class string you want.
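#!/bin/bash
# Usage: ./find_jar.sh <class-string>
printf "Searching JARs for string '%s'...\n" "$1"
# Pass the jar path and the search string as arguments so neither is re-parsed as shell code
find . -iname '*.jar' -exec sh -c 'unzip -c "$1" | grep -iq -- "$2" && echo "$1"' _ {} "$1" \;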

Connector Xpress
Connector Xpress only has an MS Windows installer, but we can still use this component on Linux OS. Install the CX UI on MS Windows, then zip up the installed folder with all sub-folders. Copy this compressed file over to a media folder for the ‘config’ userID and extract the file.
Review the startup file of “ConnectorXpress.bat” and we will create a version for Linux OS. Copy the last line with the conxp.jar file to a new bash script file. Update the file path from MS Windows format, to Linux OS format.

We can now use CX UI from the vApp.
