Highlighted
Absent Member.
Absent Member.
856 views

Checkpoint OPSEC SmartConnector on RHEL 7.2

I am trying to install an OPSEC connector onto a RHEL 7.2 host and have come up against a lack of 32-bit support.

Install the 64-bit 7.3 Connector ok but of course there is no Checkpoint option to select (understand CheckPoint only provides support for 32-bit OPSEC). Install the 32-bit 7.3 Connector and get the following,

[root@abc bin]# ./runagentsetup.sh

Assuming ARCSIGHT_HOME: /opt/arcsight/connectors/checkpoint_10/current

Assuming JAVA_HOME: /opt/arcsight/connectors/checkpoint_10/current/jre

ArcSight Agent Setup starting...

Error occurred during initialization of VM

java/lang/NoClassDefFoundError: java/lang/Object

[root@abc bin]#

There is no 32 bit version of RHEL7. Many libraries have a 32 bit version but to install i686 packages, you would need to specify that, otherwise yum presumes x86_64. When dependency handling, yum will grab i686 packages.

Has anyone overcome this and can provide a list of required 32-bit packages to install to get the 32-bit connector working ?

Labels (1)
0 Likes
15 Replies
Highlighted
Micro Focus Expert
Micro Focus Expert

Re: Checkpoint OPSEC SmartConnector on RHEL 7.2

Hi Derek,

See here -   - Page 33.

Hope it helps

Lar

0 Likes
Highlighted
Absent Member.
Absent Member.

Re: Checkpoint OPSEC SmartConnector on RHEL 7.2

Hi Lar

Thanks but I don't see that these apply in this instance. Have set the LD_LIBRARY_PATH but no difference.

The problem occurs on running runagentsetup.sh which is of course ./arcsight agentsetup.

Run any combination of ./arcsight <script> you get the same error.

I suspect it's because I need to install a .i686 or 32-bit version of the Java JDK?

[root@abc /]# yum list |grep java

abrt-java-connector.x86_64       1.0.6-9.el7             rhel-7-server-eus-rpms

java-1.6.0-openjdk.x86_64        1:1.6.0.39-1.13.11.0.el7_2

java-1.6.0-openjdk-devel.x86_64  1:1.6.0.39-1.13.11.0.el7_2

java-1.7.0-openjdk.x86_64        1:1.7.0.101-2.6.6.1.el7_2

java-1.7.0-openjdk-devel.x86_64  1:1.7.0.101-2.6.6.1.el7_2

java-1.7.0-openjdk-headless.x86_64

java-1.8.0-openjdk.x86_64        1:1.8.0.91-0.b14.el7_2  rhel-7-server-eus-rpms

java-1.8.0-openjdk-debug.x86_64  1:1.8.0.77-0.b03.el7_2  rhel-7-server-eus-rpms

java-1.8.0-openjdk-devel.x86_64  1:1.8.0.91-0.b14.el7_2  rhel-7-server-eus-rpms

java-1.8.0-openjdk-headless.x86_64

java-1.8.0-openjdk-headless-debug.x86_64

java-atk-wrapper.i686            0.30.4-5.el7            rhel-7-server-eus-rpms

java-atk-wrapper.x86_64          0.30.4-5.el7            rhel-7-server-eus-rpms

Before I start installing things like java-1.8.0-openjdk-1.8.0.91-3.b14.el6_8.i686.rpm, I am interested to know if anyone has been in same situation and can provide a minimum list of the required packages. I am not in a position to blanket install i686 support.

Or I may have the wrong idea...

0 Likes
Highlighted
Micro Focus Expert
Micro Focus Expert

Re: Checkpoint OPSEC SmartConnector on RHEL 7.2

Hi Derek

Thanks for the response. I will test this shortly in my lab, however before I setup, can you confirm that you have completed the steps from guide:

From Page 11 /12 ->

Installing PAM Package for CentOS and RHEL OS []

Thanks and best regards,

Lar

0 Likes
Highlighted
Valued Contributor.
Valued Contributor.

Re: Checkpoint OPSEC SmartConnector on RHEL 7.2

Hi,

Just an idea:

check the package unzip is installed on the RHEL (It is missing in CentOS 7.2 minimal).

The java is packaged with the SmartConnector, but needs to be unzipped.

br

William

0 Likes
Highlighted
Super Contributor.. Super Contributor..
Super Contributor..

Re: Checkpoint OPSEC SmartConnector on RHEL 7.2

Hi,

In the configuration guide there is a point regarding the PAM. PAM is normally installed in any system but the libpam.so.0 is not (at least the x86 version)

So try to install libpam.so.0 (yum install libpam.so.0)

This will install all the dependencies (in x86 versions) that need which some of them are very crucial (the InstallMedia Repository which I used in this example it is just the official RHEL 7.2 DVD)

===============================================================================================================================================================================================

Package                                            Arch                                 Version                                            Repository                                    Size

===============================================================================================================================================================================================

Installing:

pam                                                i686                                 1.1.8-12.el7_1.1                                   InstallMedia                                 712 k

Installing for dependencies:

audit-libs                                         i686                                 2.4.1-5.el7                                        InstallMedia                                  80 k

cracklib                                           i686                                 2.9.0-11.el7                                       InstallMedia                                  79 k

glibc                                              i686                                 2.17-105.el7                                       InstallMedia                                 4.2 M

libdb                                              i686                                 5.3.21-19.el7                                      InstallMedia                                 730 k

libgcc                                             i686                                 4.8.5-4.el7                                        InstallMedia                                 103 k

libselinux                                         i686                                 2.2.2-6.el7                                        InstallMedia                                 144 k

libstdc++                                          i686                                 4.8.5-4.el7                                        InstallMedia                                 311 k

nss-softokn-freebl                                 i686                                 3.16.2.3-13.el7_1                                  InstallMedia                                 187 k

pcre                                               i686                                 8.32-15.el7                                        InstallMedia                                 415 k

xz-libs                                            i686                                 5.1.2-12alpha.el7                                  InstallMedia                                 107 k

zlib                                               i686                                 1.2.7-15.el7                                       InstallMedia                                  90 k

Transaction Summary

===============================================================================================================================================================================================

Install  1 Package (+11 Dependent packages)

0 Likes
Highlighted
Absent Member.
Absent Member.

Re: Checkpoint OPSEC SmartConnector on RHEL 7.2

So we now have the following installed,

pam.i686                        1.1.8-12.el7_1.1        @rhel-7-server-eus-rpms

pam.x86_64                      1.1.8-12.el7_1.1        @rhel-7-server-eus-rpms

mod_authnz_pam.x86_64            0.9.3-5.el7_2          rhel-7-server-eus-rpms

nss-pam-ldapd.i686              0.8.13-8.el7            rhel-7-server-eus-rpms

nss-pam-ldapd.x86_64            0.8.13-8.el7            rhel-7-server-eus-rpms

pam-devel.i686                  1.1.8-12.el7_1.1        rhel-7-server-eus-rpms

pam-devel.x86_64                1.1.8-12.el7_1.1        rhel-7-server-eus-rpms

pam_krb5.i686                    2.4.8-4.el7            rhel-7-server-eus-rpms

pam_krb5.x86_64                  2.4.8-4.el7            rhel-7-server-eus-rpms

pam_pkcs11.i686                  0.6.2-24.el7            rhel-7-server-eus-rpms

pam_pkcs11.x86_64                0.6.2-24.el7            rhel-7-server-eus-rpms

A yum install libpam.so.0 resulted in the following,

Installed:

  pam.i686 0:1.1.8-12.el7_1.1

Dependency Installed:

  audit-libs.i686 0:2.4.1-5.el7 cracklib.i686 0:2.9.0-11.el7 libdb.i686 0:5.3.21-19.el7 libgcc.i686 0:4.8.5-4.el7 libselinux.i686 0:2.2.2-6.el7 libstdc++.i686 0:4.8.5-4.el7 pcre.i686 0:8.32-15.el7_2.1 xz-libs.i686 0:5.1.2-12alpha.el7

  zlib.i686 0:1.2.7-15.el7

Dependency Updated:

  pcre.x86_64 0:8.32-15.el7_2.1

And I do have unzip installed

unzip.x86_64                    6.0-15.el7              @rhel-7-server-eus-rpms

I have removed the connector directory, and 'relaid' from ArcSight-7.3.0.7886.0-Connector-Linux.bin

I get a slightly different error now,

[root@abc bin]# ./runagentsetup.sh

Assuming ARCSIGHT_HOME: /opt/arcsight/connectors/checkpoint_10/current

Assuming JAVA_HOME: /opt/arcsight/connectors/checkpoint_10/current/jre

ArcSight Agent Setup starting...

Error: missing `server' JVM at `/opt/arcsight/connectors/checkpoint_10/current/jre/lib/i386/server/libjvm.so'.

Please install or use the JRE or JDK that contains these missing components.

The file exists, but the jre directory tree has taken on a strange UID/GID

[root@abc server]# ll /opt/arcsight/connectors/checkpoint_10/current/

total 268

drwxrwxr-x. 2 root root     29 Sep 20 14:59 agentdata

-rwxrwxr-x. 1 root root 125451 Sep 20 14:59 agents-7.3.0.7886.0-common.xml

-rwx------. 1 root root 110661 Sep 20 14:59 agents-7.3.0.7886.0-linux.xml

-rwx------. 1 root root   9622 Sep 20 14:59 agents-7.3.0.7886.0-unix.xml

drwx------. 7 root root   4096 Sep 20 14:59 bin

drwxrwxr-x. 7 root root   4096 Sep 20 14:59 config

drwxrwxr-x. 5 root root     61 Sep 20 14:59 i18n

drwxrwxr-x. 5  10  143   4096 Apr  1 09:15 jre

drwxrwxr-x. 4 root root     46 Sep 20 14:59 lib

drwxrwxr-x. 3 root root     28 Sep 20 14:59 logs

drwxrwxr-x. 2 root root     29 Sep 20 14:59 run

drwxrwxr-x. 3 root root     26 Sep 20 14:59 system

drwxrwxr-x. 2 root root   4096 Sep 20 15:00 UninstallerData

drwxrwxr-x. 3 root root     26 Sep 20 14:59 user

-rwxrwxr-x. 1 root root      5 Sep 20 14:59 version.txt

I correct this with chown -R root:root /opt/arcsight/connectors/checkpoint_10/current/jre

[root@abc bin]# ll /opt/arcsight/connectors/checkpoint_10/current/jre/lib/i386/server/

total 12580

lrwxrwxrwx. 1 root root       13 Jun  8 22:22 libjsig.so -> ../libjsig.so

-rwxrwxr-x. 1 root root 12876601 Apr  1 09:15 libjvm.so

-rwxrwxr-x. 1 root root     1423 Apr  1 09:15 Xusage.txt

[root@nppslxdc11 connectors]# getfacl /opt/arcsight/connectors/checkpoint_10/current/jre/lib/i386/server/libjvm.so

getfacl: Removing leading '/' from absolute path names

# file: opt/arcsight/connectors/checkpoint_10/current/jre/lib/i386/server/libjvm.so

# owner: root

# group: root

user::rwx

group::rwx

other::r-x

However still get same error,

[root@abc bin]# ./runagentsetup.sh

Assuming ARCSIGHT_HOME: /opt/arcsight/connectors/checkpoint_10/current

Assuming JAVA_HOME: /opt/arcsight/connectors/checkpoint_10/current/jre

ArcSight Agent Setup starting...

Error: missing `server' JVM at `/opt/arcsight/connectors/checkpoint_10/current/jre/lib/i386/server/libjvm.so'.

Please install or use the JRE or JDK that contains these missing components.

I still only have the 64-bit JDK installed, and I also note that SELinux is enforcing which I'd normally disable.

[root@abc connectors]# getenforce

Enforcing

0 Likes
Highlighted
Super Contributor.. Super Contributor..
Super Contributor..

Re: Checkpoint OPSEC SmartConnector on RHEL 7.2

Hmm for me it is working perfect and permissions are the same in "jre" directory. I would suggest to install again the connector.

[root@rhel-test-72 bin]# ./runagentsetup.sh

\

Assuming ARCSIGHT_HOME: /opt/ArcSightSmartConnectors/opsec_724_01/current

Assuming JAVA_HOME: /opt/ArcSightSmartConnectors/opsec_724_01/current/jre

ArcSight Agent Setup starting...

Connector Setup Wizard starting in mode [CONSOLE]

[Tue Sep 20 20:59:11 CEST 2016] [INFO ] Checking for a running instance of connector...

[Tue Sep 20 20:59:13 CEST 2016] [INFO ] Starting up connector...

Connector Setup

---------------

--------------------------------------------------------------------------------

What would you like to do?

0-      Add a Connector

1-      Enable FIPS mode

2-      Enable remote management

Please select an option: [Add a Connector] [0..2/cancel] :cancel

ERROR: \cancel is not a valid option. Please select an option between  0 and 2

What would you like to do?

0-      Add a Connector

1-      Enable FIPS mode

2-      Enable remote management

Please select an option: [Add a Connector] [0..2/cancel] :^C[Tue Sep 20 21:01:09 CEST 2016] [INFO ] Shutting Down Agent Framework Version [7.2.4.7831.0]

Shutting down Agent Modules now...

Shutting down Agent Setup Wizard...done.

Also the java packages are more or less the same. I don't believe that the differences play significant role

[root@rhel-test-72 current]# yum list |grep java

abrt-java-connector.x86_64              1.0.6-9.el7                InstallMedia

java-1.6.0-openjdk.x86_64               1:1.6.0.36-1.13.8.1.el7_1  InstallMedia

java-1.6.0-openjdk-devel.x86_64         1:1.6.0.36-1.13.8.1.el7_1  InstallMedia

java-1.7.0-openjdk.x86_64               1:1.7.0.91-2.6.2.3.el7     InstallMedia

java-1.7.0-openjdk-devel.x86_64         1:1.7.0.91-2.6.2.3.el7     InstallMedia

java-1.7.0-openjdk-headless.x86_64      1:1.7.0.91-2.6.2.3.el7     InstallMedia

java-1.8.0-openjdk.x86_64               1:1.8.0.65-3.b17.el7       InstallMedia

java-1.8.0-openjdk-debug.x86_64         1:1.8.0.65-3.b17.el7       InstallMedia

java-1.8.0-openjdk-devel.x86_64         1:1.8.0.65-3.b17.el7       InstallMedia

java-1.8.0-openjdk-headless.x86_64      1:1.8.0.65-3.b17.el7       InstallMedia

java-1.8.0-openjdk-headless-debug.x86_64

java-atk-wrapper.i686                   0.30.4-5.el7               InstallMedia

java-atk-wrapper.x86_64                 0.30.4-5.el7               InstallMedia

javamail.noarch                         1.4.6-8.el7                InstallMedia

javapackages-tools.noarch               3.4.1-11.el7               InstallMedia

javassist.noarch                        3.16.1-10.el7              InstallMedia

libguestfs-java.x86_64                  1:1.28.1-1.55.el7          InstallMedia

libvirt-java.noarch                     0.4.9-4.el7                InstallMedia

libvirt-java-devel.noarch               0.4.9-4.el7                InstallMedia

mysql-connector-java.noarch             1:5.1.25-3.el7             InstallMedia

nuxwdog-client-java.x86_64              1.0.3-2.el7                InstallMedia

python-javapackages.noarch              3.4.1-11.el7               InstallMedia

system-switch-java.noarch               1.1.5-11.el7               InstallMedia

tzdata-java.noarch                      2015g-1.el7                InstallMedia

0 Likes
Highlighted
Absent Member.
Absent Member.

Re: Checkpoint OPSEC SmartConnector on RHEL 7.2

This morning I have,

  • disabled SELinux

[root@abc bin]# getenforce

Disabled

  • and installed ArcSight-7.2.4.7831.0-Connector-Linux.bin, noting success with the version above.

The install completes with no error (as did ArcSight-7.3.0.7886.0-Connector-Linux.bin). The install log is attached.

And yet still,

[root@abc bin]# ./runagentsetup.sh

Assuming ARCSIGHT_HOME: /opt/arcsight/connectors/checkpoint_10/current

Assuming JAVA_HOME: /opt/arcsight/connectors/checkpoint_10/current/jre

ArcSight Agent Setup starting...

Error: missing `server' JVM at `/opt/arcsight/connectors/checkpoint_10/current/jre/lib/i386/server/libjvm.so'.

Please install or use the JRE or JDK that contains these missing components.

[root@abc bin]# /opt/arcsight/connectors/checkpoint_10/current/jre/bin/java

Error: missing `server' JVM at `/opt/arcsight/connectors/checkpoint_10/current/jre/lib/i386/server/libjvm.so'.

Please install or use the JRE or JDK that contains these missing components.

At this point I am starting to scratch my head as possible causes. Have tried various LD_LIBRARY_PATH settings, linking the libjvm.so to /usr/lib etc.

Something I had not pointed out is that this host is also the working ESM. I'm aware this is not ideal, I'm in a spot for available space and this was to be a temporary solution.

0 Likes
Highlighted
Absent Member.
Absent Member.

Re: Checkpoint OPSEC SmartConnector on RHEL 7.2

I was able to build and get this working on a lab Centos7.2 today so have something to compare with.

The RHEL7.2 host I am having trouble on has more than required by way of base install.

%packages

@base

@compat-libraries

@core

@development

@web-server

kexec-tools

That and prerequisite libs (more for 6.x) are installed.

[root@abc ~]# yum list glibc

Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager

Installed Packages

glibc.i686

glibc.x86_64

[root@abc ~]# yum list libXext

Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager

Installed Packages

libXext.i686

libXext.x86_64

[root@abc ~]# yum list libXrender

Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager

Installed Packages

libXrender.i686

libXrender.x86_64

[root@abc ~]# yum list libXtst

Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager

Installed Packages

libXtst.i686

libXtst.x86_64

[root@abc ~]# yum install libz.so.1

Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager

Package zlib-1.2.7-15.el7.i686 already installed and latest version

Yet still,

# ./runagentsetup.sh

Assuming ARCSIGHT_HOME: /opt/arcsight/connectors/checkpoint_10/current

Assuming JAVA_HOME: /opt/arcsight/connectors/checkpoint_10/current/jre

ArcSight Agent Setup starting...

Error: missing `server' JVM at `/opt/arcsight/connectors/checkpoint_10/current/jre/lib/i386/server/libjvm.so'.

Please install or use the JRE or JDK that contains these missing components.

Thanks everyone who has chipped in. Unless any other ideas I will move on.

0 Likes
Highlighted
Super Contributor.. Super Contributor..
Super Contributor..

Re: Checkpoint OPSEC SmartConnector on RHEL 7.2

Can you try to use a shorter path to install the connector just for test?

0 Likes
Highlighted
Absent Member.
Absent Member.

Re: Checkpoint OPSEC SmartConnector on RHEL 7.2

Unfortunately have had to park this and move on, so may not get to the bottom of it.

I wonder if something on the host had been changed. Always best to start from a fresh build that you know.

Thanks everyone for helping.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.