Install Cognos Gateway on Linux server using CHROOT

[cwillard]

I am looking for information on installing the Cognos gateway on a Linux server using CHROOT.  We have setup CHROOT, copied all the directories from the server root into the CHROOT, and then installed Cognos.  We are also running Apache from within the CHROOT, have installed Java in it and have updated the JAVA_HOME, LD_LIBRARY_PATH and PATH variables to point to the correct locations in CHROOT.  When we run the cogconfig.sh -s command and it appears to complete correctly but then we find the following error message in the log,

1     ERROR [main] - LogIPFControl::initCAMCrypto() - Cannot create CAM signing session.
CAM-CRP-1114 Unable to find the Certificate Authority self-signed certificate with alias 'ca' in the keystore '/chroot/httpd/etc/httpd/cognos_gateway/configuration/signkeypair/jCAKeystore'.
   at com.cognos.accman.jcam.crypto.misc.KeyStoreReader.getCACertificate(KeyStoreReader.java:590)
   at com.cognos.accman.jcam.crypto.misc.Configuration.isCAKeyPairValid(Configuration.java:1442)
   at com.cognos.accman.jcam.crypto.CAMFactory.initialize(CAMFactory.java:155)
   at com.cognos.indications.LogIPFControl.initCAMCrypto(LogIPFControl.java:526)
   at com.cognos.indications.LogIPFControl.initialize(LogIPFControl.java:147)
   at com.cognos.crconfig.CRConfigConsole.begin(CRConfigConsole.java:68)
   at CRConfig.main(CRConfig.java:201)
2     WARN  [main] - LogIPFControl::initialize() - initCAMCrypto() failed, return false.

When we try to access the assigned URL with get the Cognos Splash screen followed an error message saying it can not connect to the content manager.  We have tested the install outside of CHROOT, and on a different server and it works correctly.

Any information on what we need to do different when using CHROOT would be appreciated.

[Grim]

Is your Java installed inside the CHROOT as well? Did you update the Java with the "Bouncy Castle"?

Update Java Env
http://pic.dhe.ibm.com/infocenter/cbi/v10r2m0/index.jsp?topic=%2Fcom.ibm.swg.ba.cognos.inst_cr_winux.10.2.0.doc%2Ft_inst_jre_stps.html&path%3D0_16_6_4_0

[cwillard]

Java is installed inside CHROOT with Cognos. The bouncy file was copied from the respective Cognos directory to the same directory under the installed Java directory.

[Grim]

Hmmm...
Have you tried turfing the crypto keys and regen'ing them?

If that doesn't work, try an "strace" to see where it might be failing.

[cwillard]

We have tried regenerating the keys after the initial installation and have also tried changing the key local key storage from true to false in the Cogconfig file.  The error is always the same.

Because the install works fine when installed outside CHROOT we are confident it is a permissions issue.  Is there a good resource on the required permissions for installing and running Cognos on Linux? Most of what we have found online touches on it but it does not give a great deal of detail.

We have not tried strace and will investigate that further.

Thanks,
Chris

[Grim]

Found this...
http://danielsnider.wordpress.com/2011/02/02/chroot-tips/

He said he had to copy some files to the chroot. I think the "strace" path would help you to determine the files that it needs. Then you have to identify whether those files are a security risk.

[cwillard]

We determined the issue was caused by the domain name not resolving correctly.  Everything works using IP address.  It appears to be an extension or library that was not included inside CHROOT do to security policies.