This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ProxyOps
Contributor
‎2023-04-05 06:04 AM
Jump to solution

Web SmartConsole is not available after R81.10 Upgrade

Hello all,

 

after an management upgrade from R81 to R81.10 we noticed that the Web SmartConsole is not longer working.

We receive the error message: "Web SmartConsole service is not available.".

 

Following the troubleshooting guides linked below had no success:

Troubleshooting SmartConsole Web Components and Extensions (checkpoint.com)

Web SmartConsole Troubleshooting (checkpoint.com)


We did some further troubleshooting and checked the Docker container that is running the Web Smart Console Application:

 
 

cp_docker_ps_a.jpg

The container is stucking in restarting mode. (I wrote this post 2 hours after this screenshot and the container is still stuck in restarting)

Checking the container logs shows the following error:

 

Error reading file EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
node:fs:594
handleErrorFromBinding(ctx);
^

Error: EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
at Object.openSync (node:fs:594:3)
at Object.readFileSync (node:fs:462:35)
at readRelativeFile$1 (file:///app/dist/index.mjs:3736:22)
at readStorageFile$5 (file:///app/dist/index.mjs:3821:9)
at Object.234 (file:///app/dist/index.mjs:3833:18)
at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
at Object.47096 (file:///app/dist/index.mjs:129692:12)
at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
at file:///app/dist/index.mjs:132557:36
at ModuleJob.run (node:internal/modules/esm/module_job:193:25) {
errno: -13,
syscall: 'open',
code: 'EACCES',
path: '/app/storage/crs_MGMT.xml'

 


Looks like a file permission problem inside the docker storage itself. ( I don't know how to troubleshoot docker at all so please dont call me on that).

I digged a litle bit deeper inside and checked the docker setup script "mwc.sh" and found the following line:

 

# Since we use Wylis's Image, the default user in the docker is not root anymore, so we need to set the new user (1000)
# permissions to edit our backend storage
set_permission_to_docker_user(){
	echo "Giving permission to user 1000 for edit WSC storage folder"
	chown -R 1000 "${MWC_BACKEND_STORAGE_DIR}"
}

 

 

I don't know who Wylis is but maybe he reads this forum and can tell why the file permissions are not working correctly anymore.

Maybe somebody has already encountered this problem in the past?

Best regards

 

 

0 Kudos
2 Solutions

Accepted Solutions
Ofir_Calif
Employee
Employee
‎2023-04-09 02:59 AM
Jump to solution

Hi @ProxyOps ,

sorry for the inconvenience.
we are familiar with this issue and working on releasing a new Web SmartConsolewith a fix.
for now, I will send you a new mwc.sh that will solve this issue for you.

Thanks,
Ofir.

View solution in original post

Ofir_Calif
Employee
Employee
‎2023-05-18 10:13 AM
In response to the_rock
Jump to solution

@the_rock @KamilZet @henryd111 Thank you for your feedback.
an SK with the information will be updated soon, I will update here when it will be available.

until then you can follow these steps to fix it:
1) Connect to the command line on the Management Server.
2) Log in to the Expert mode.
3) Check Web SmartConsole version:
3.1) run: cpinfo -y CPUpdates
3.2) Search for: “BUNDLE_WEBCONSOLE_AUTOUPDATE Take: 76”
3.3) if the take is 76 replace the mwc.sh file in $MDS_FWDIR/webconsole with this file (see attached file)
4) Restart Web SmartConsole with this command:
wsc restart
5) In a web browser, connect to Web SmartConsole:
https://<IP Address of Management Server>/smartconsole

View solution in original post

mwc.sh
Preview file
12 KB
20 Replies
the_rock
Legend
Legend
‎2023-04-05 06:52 AM
Jump to solution

Just curious, is it only web smart console or regular one as well? Can you run below from expert mode and send the output please?

Andy

cd $FWDIR/scripts

./cpm_status.sh

api_status

0 Kudos
ProxyOps
Contributor
‎2023-04-05 07:24 AM
In response to the_rock
Jump to solution

Hi Andy,

 

only the Web SmartConsole is effected. The regular console works as expected.

[Expert@Management:0]# ./cpm_status.sh
Check Point Security Management Server is running and ready

 

[Expert@Management:0]# api status

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 8334
CPM Started 8334 Check Point Security Management Server is running and ready
FWM Started 7815
APACHE Started 10914

Port Details:
-------------------
JETTY Internal Port: 53696
JETTY Documentation Internal Port: 51894
APACHE Gaia Port: 443

Profile:
-------------------
Machine profile: Medium env resources profile
CPM heap size: 1280m

 

--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

 

0 Kudos
the_rock
Legend
Legend
‎2023-04-05 07:31 AM
In response to ProxyOps
Jump to solution

Gotcha. Yea, those outputs would indicate regular smart console services would be up and running. So, you get exact same issue even after running below step from the sk?

Cause
The required Docker service is not running on the Management Server.

Solution:
Follow these steps:

1) Connect to the command line on the Management Server.
2) Log in to the Expert mode.
3) Restart Web SmartConsole with this command:
$MDS_FWDIR/webconsole/mwc.sh restart
4) In a web browser, connect to Web SmartConsole:
https://<IP Address of Management Server>/smartconsole

0 Kudos
ProxyOps
Contributor
‎2023-04-05 07:37 AM
In response to the_rock
Jump to solution

Yes correct. The problem is still there after running the "mwc.sh restart" command.

 

 

0 Kudos
ProxyOps
Contributor
‎2023-04-05 07:46 AM
In response to the_rock
Jump to solution

Yes I also tried to script already.

 

[Expert@Management:0]# /opt/CPsuite-R81.10/fw1/webconsole/docker_reconf.sh
MWC reconf has been successful
[Expert@Management:0]# /opt/CPsuite-R81.10/fw1/webconsole/mwc.sh -d restart
Stopping WSC services...
No process to kill
Docker daemon is currently running, PID 28475...
stopping mwc container...
mwc
removing mwc container...
mwc
removing mwc image...
Untagged: mwc:latest Deleted: sha256:e519b6a4100d7158e61c1832601e7652a0a1dbb5419a106b93ca0cb114c77d55 Deleted: sha256:33560bf797a37c1ea8c239c6e34a21e78311ee4f6aa796901bb35d2f161f5406 Deleted: sha256:d7ddd7a50b0a9960ddb696be5f467568a36c54d78ce7da6c1c74880ce86bd0e5

WSC services stopped successfully
Starting WSC services...
Copying crs MGMT file to docker storage
Configuring management api
Docker daemon is currently running, PID 28475...

Giving permission to user 1000 for edit WSC storage folder
loading docker image: /opt/CPsuite-R81.10/fw1/webconsole/mwc.tgz
Loaded image: mwc:latest
removing mwc container...
No container to remove
starting container
0c9ee700f8c7726d3f38c4b0d6ca3c0cfead9fe577440a3d16c7cb51bdf1886d
Enable GUI clients
MWC reconf has been successful
WSC services started successfully. Login to https://MY.IP/smartconsole
[Expert@Management:0]# docker logs mwc
Error reading file EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
node:fs:594
  handleErrorFromBinding(ctx);
  ^

Error: EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
    at Object.openSync (node:fs:594:3)
    at Object.readFileSync (node:fs:462:35)
    at readRelativeFile$1 (file:///app/dist/index.mjs:3736:22)
    at readStorageFile$5 (file:///app/dist/index.mjs:3821:9)
    at Object.234 (file:///app/dist/index.mjs:3833:18)
    at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
    at Object.47096 (file:///app/dist/index.mjs:129692:12)
    at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
    at file:///app/dist/index.mjs:132557:36
    at ModuleJob.run (node:internal/modules/esm/module_job:193:25) {
  errno: -13,
  syscall: 'open',
  code: 'EACCES',
  path: '/app/storage/crs_MGMT.xml'
}
Error reading file EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
node:fs:594
  handleErrorFromBinding(ctx);
  ^

Error: EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
    at Object.openSync (node:fs:594:3)
    at Object.readFileSync (node:fs:462:35)
    at readRelativeFile$1 (file:///app/dist/index.mjs:3736:22)
    at readStorageFile$5 (file:///app/dist/index.mjs:3821:9)
    at Object.234 (file:///app/dist/index.mjs:3833:18)
    at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
    at Object.47096 (file:///app/dist/index.mjs:129692:12)
    at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
    at file:///app/dist/index.mjs:132557:36
    at ModuleJob.run (node:internal/modules/esm/module_job:193:25) {
  errno: -13,
  syscall: 'open',
  code: 'EACCES',
  path: '/app/storage/crs_MGMT.xml'
}
Error reading file EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
node:fs:594
  handleErrorFromBinding(ctx);
  ^

Error: EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
    at Object.openSync (node:fs:594:3)
    at Object.readFileSync (node:fs:462:35)
    at readRelativeFile$1 (file:///app/dist/index.mjs:3736:22)
    at readStorageFile$5 (file:///app/dist/index.mjs:3821:9)
    at Object.234 (file:///app/dist/index.mjs:3833:18)
    at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
    at Object.47096 (file:///app/dist/index.mjs:129692:12)
    at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
    at file:///app/dist/index.mjs:132557:36
    at ModuleJob.run (node:internal/modules/esm/module_job:193:25) {
  errno: -13,
  syscall: 'open',
  code: 'EACCES',
  path: '/app/storage/crs_MGMT.xml'
}
Error reading file EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
node:fs:594
  handleErrorFromBinding(ctx);
  ^

Error: EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
    at Object.openSync (node:fs:594:3)
    at Object.readFileSync (node:fs:462:35)
    at readRelativeFile$1 (file:///app/dist/index.mjs:3736:22)
    at readStorageFile$5 (file:///app/dist/index.mjs:3821:9)
    at Object.234 (file:///app/dist/index.mjs:3833:18)
    at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
    at Object.47096 (file:///app/dist/index.mjs:129692:12)
    at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
    at file:///app/dist/index.mjs:132557:36
    at ModuleJob.run (node:internal/modules/esm/module_job:193:25) {
  errno: -13,
  syscall: 'open',
  code: 'EACCES',
  path: '/app/storage/crs_MGMT.xml'
}
Error reading file EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
node:fs:594
  handleErrorFromBinding(ctx);
  ^

Error: EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
    at Object.openSync (node:fs:594:3)
    at Object.readFileSync (node:fs:462:35)
    at readRelativeFile$1 (file:///app/dist/index.mjs:3736:22)
    at readStorageFile$5 (file:///app/dist/index.mjs:3821:9)
    at Object.234 (file:///app/dist/index.mjs:3833:18)
    at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
    at Object.47096 (file:///app/dist/index.mjs:129692:12)
    at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
    at file:///app/dist/index.mjs:132557:36
    at ModuleJob.run (node:internal/modules/esm/module_job:193:25) {
  errno: -13,
  syscall: 'open',
  code: 'EACCES',
  path: '/app/storage/crs_MGMT.xml'
}
Error reading file EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
node:fs:594
  handleErrorFromBinding(ctx);
  ^

Error: EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
    at Object.openSync (node:fs:594:3)
    at Object.readFileSync (node:fs:462:35)
    at readRelativeFile$1 (file:///app/dist/index.mjs:3736:22)
    at readStorageFile$5 (file:///app/dist/index.mjs:3821:9)
    at Object.234 (file:///app/dist/index.mjs:3833:18)
    at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
    at Object.47096 (file:///app/dist/index.mjs:129692:12)
    at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
    at file:///app/dist/index.mjs:132557:36
    at ModuleJob.run (node:internal/modules/esm/module_job:193:25) {
  errno: -13,
  syscall: 'open',
  code: 'EACCES',
  path: '/app/storage/crs_MGMT.xml'
}
Error reading file EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
node:fs:594
  handleErrorFromBinding(ctx);
  ^

Error: EACCES: permission denied, open '/app/storage/crs_MGMT.xml'
    at Object.openSync (node:fs:594:3)
    at Object.readFileSync (node:fs:462:35)
    at readRelativeFile$1 (file:///app/dist/index.mjs:3736:22)
    at readStorageFile$5 (file:///app/dist/index.mjs:3821:9)
    at Object.234 (file:///app/dist/index.mjs:3833:18)
    at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
    at Object.47096 (file:///app/dist/index.mjs:129692:12)
    at __webpack_require__ (file:///app/dist/index.mjs:132470:41)
    at file:///app/dist/index.mjs:132557:36
    at ModuleJob.run (node:internal/modules/esm/module_job:193:25) {
  errno: -13,
  syscall: 'open',
  code: 'EACCES',
  path: '/app/storage/crs_MGMT.xml'
}
[Expert@Management:0]#

 

0 Kudos
the_rock
Legend
Legend
‎2023-04-05 07:51 AM
In response to ProxyOps
Jump to solution

Happy to send you docker_reconf.sh and mwc.sh files from my working R81.20 lab, though small disclaimer, dont shoot the messenger if something happens : - )

0 Kudos
ProxyOps
Contributor
‎2023-04-05 07:54 AM
In response to the_rock
Jump to solution

Would be awesome if you could send them 🙂 !

I also already compared both .sh files from a working R81 Management with the not working R81.10 Management and they were 1:1 the same files.

0 Kudos
the_rock
Legend
Legend
‎2023-04-05 07:59 AM
In response to ProxyOps
Jump to solution

There ya go, good luck! 🙂

Andy

docker_reconf.sh
Preview file
10 KB
mwc.sh
Preview file
11 KB
the_rock
Legend
Legend
‎2023-04-05 08:10 AM
In response to ProxyOps
Jump to solution

I really hope files I sent you do the trick, let us know. I even gave them highest permissions BEFORE sending them over, just to be sure.

Andy

0 Kudos
ProxyOps
Contributor
‎2023-04-05 08:19 AM
In response to the_rock
Jump to solution

Thank you very much for the files! I compared both files to the r81.10 files and they are exactly the same (done via notepad++ Compare Plugin)

I will take a another fresh look with my Check Point Wizzard and if he also don't find a solution I will contact TAC.


the_rock
Legend
Legend
‎2023-04-05 08:26 AM
In response to ProxyOps
Jump to solution

No worries! I would also use maybe compare it tool just to be positive, but if they are the same, then best I can suggest is try maybe cpstop; cpstart or reboot quick, but if it fails, then TAC support may be needed.

Andy

https://compare-it.en.softonic.com/

0 Kudos
Ofir_Calif
Employee
Employee
‎2023-04-09 02:59 AM
Jump to solution

Hi @ProxyOps ,

sorry for the inconvenience.
we are familiar with this issue and working on releasing a new Web SmartConsolewith a fix.
for now, I will send you a new mwc.sh that will solve this issue for you.

Thanks,
Ofir.

Roadrunner88
Contributor
‎2023-04-11 04:09 AM
In response to Ofir_Calif
Jump to solution

hello, can you send it to me also? Have the same issue

0 Kudos
Ofir_Calif
Employee
Employee
‎2023-04-11 04:44 AM
In response to Roadrunner88
Jump to solution

sure, i sent you a message in private.

0 Kudos
KamilZet
Participant
‎2023-05-18 06:07 AM
In response to Ofir_Calif
Jump to solution

HI, Same on my side, could you also send it to me ? 

p.s. why it cannot be put somehwere and treated as workarround until fix will be avaliable?

0 Kudos
the_rock
Legend
Legend
‎2023-05-18 06:46 AM
In response to KamilZet
Jump to solution

Good point @KamilZet ...hey @Ofir_Calif , just to make it easier for other customers that may encounter this issue, any way SK can be updated with the file that fixes the problem?

Just an idea...

Andy

0 Kudos
Ofir_Calif
Employee
Employee
‎2023-05-18 10:13 AM
In response to the_rock
Jump to solution

@the_rock @KamilZet @henryd111 Thank you for your feedback.
an SK with the information will be updated soon, I will update here when it will be available.

until then you can follow these steps to fix it:
1) Connect to the command line on the Management Server.
2) Log in to the Expert mode.
3) Check Web SmartConsole version:
3.1) run: cpinfo -y CPUpdates
3.2) Search for: “BUNDLE_WEBCONSOLE_AUTOUPDATE Take: 76”
3.3) if the take is 76 replace the mwc.sh file in $MDS_FWDIR/webconsole with this file (see attached file)
4) Restart Web SmartConsole with this command:
wsc restart
5) In a web browser, connect to Web SmartConsole:
https://<IP Address of Management Server>/smartconsole

mwc.sh
Preview file
12 KB
the_rock
Legend
Legend
‎2023-05-18 10:16 AM
In response to Ofir_Calif
Jump to solution

Thats super helpful @Ofir_Calif 

THANK YOU 🙌🙌

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top