Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

5.3 Configuring the Access Manager Servers to Run as Non-Root Users

The Access Manager installer configures Access Manager to run as the root user. If administrators who do not have root privileges must perform administration tasks on Access Manager, reconfigure Access Manager to run as a non-root user. Running the Web Server as an unprivileged user also limits what an attacker can do on the host if the server process is compromised.

  1. Reconfigure Access Manager 1 to run as a non-root user.

  2. Reconfigure Access Manager 2 to run as a non-root user.

  3. Reconfigure the Web Server Administration Servers to run as non-root users.


Caution –

The Web Server must listen on a port number higher than 1024. Ports below 1024 are privileged ports that only root can bind to, so if the Web Server port is below 1024, you must still start the Access Manager Web Server from a root shell even after configuring the Access Manager server to run as a non-root user.


Procedure: To Reconfigure Access Manager 1 to Run as a Non-Root User

  1. As a root user, log into host AccessManager-1.

  2. Stop Access Manager 1.


    # cd /opt/SUNWwbsvr/https-AccessManager-1.example.com/
    # ./stop
  3. Stop the Web Server administration server.


    # cd /opt/SUNWwbsvr/https-admserv/ 
    # ./stop 
  4. Change the “runs as” user ID from root to nobody.


    # cd /opt/SUNWwbsvr/ 
    # chown -R nobody:nobody https-AccessManager-1.example.com/* httpacl alias \
    /var/opt/SUNWam /etc/opt/SUNWam 
    # rm -rf /tmp/https-*
  5. Edit the magnus.conf file.

    It is a good practice to make a backup of this or any other configuration file before making changes to the file.


    # vi https-AccessManager-1.example.com/config/magnus.conf

    Change the User property value from root to nobody.

  6. Verify that Access Manager successfully runs as a non-root user.

    1. Log in as a root user to the Access Manager host.

    2. Start the Access Manager server.


      # cd /opt/SUNWwbsvr/https-AccessManager-1.example.com/ 
      # ./start
    3. Confirm that the Web Server process runs as nobody. The first column of the ps output shows the user ID that owns each process.


      # ps -ef | grep SUNWwbsvr
    4. Start a new browser and go to the Access Manager URL.

      Example: http://AccessManager-1.example.com:1080/amserver/console

      Close the browser if successful.

    5. Log in to the Access Manager console using the following information:

      Username

      amadmin

      Password

      4m4dmin1

      If you can log in successfully, close the browser.

Procedure: To Reconfigure Access Manager 2 to Run as a Non-Root User

  1. As a root user, log into host AccessManager-2.

  2. Stop Access Manager 2.


    # cd /opt/SUNWwbsvr/https-AccessManager-2.example.com/
    # ./stop
  3. Stop the Web Server administration server.


    # cd /opt/SUNWwbsvr/https-admserv/ 
    # ./stop 
  4. Change the “runs as” user ID from root to nobody.


    # cd /opt/SUNWwbsvr/ 
    # chown -R nobody:nobody https-AccessManager-2.example.com/* httpacl alias \
    /var/opt/SUNWam /etc/opt/SUNWam 
    # rm -rf /tmp/https-*
  5. Edit the magnus.conf file.


    # vi https-AccessManager-2.example.com/config/magnus.conf

    Change the User property value from root to nobody.

  6. Verify that Access Manager 2 successfully runs as a non-root user.

    1. As a root user, log into host AccessManager-2.

    2. Start the Access Manager server.


      # cd /opt/SUNWwbsvr/https-AccessManager-2.example.com/ 
      # ./start
    3. Confirm that the Web Server process runs as nobody. The first column of the ps output shows the user ID that owns each process.


      # ps -ef | grep SUNWwbsvr
    4. Start a new browser and go to the Access Manager URL.

      Example: http://AccessManager-2.example.com:1080/amserver/console

      Close the browser if successful.

    5. Log in to the Access Manager console using the following information:

      Username

      amadmin

      Password

      4m4dmin1

      If you can log in successfully, close the browser.

Procedure: To Reconfigure the Web Server Administration Servers to Run as Non-Root Users

In this procedure, you reconfigure the administration server for each of the Web Servers that contain Access Manager. Although this is not required, it's a good practice to run the Access Manager Web Servers and their administration servers as the same non-root user ID. This eliminates permissions problems. For example, if the Access Manager Web Server runs as a non-root user, and its administration server runs as a root user, then files created by the administration server may not be readable by the Access Manager Web Server.

  1. As a root user, log into host AccessManager-1.

  2. Stop the Web Server administration server by issuing the commands:


    # cd /opt/SUNWwbsvr/https-admserv 
    # ./stop 
  3. Change the “runs as” user ID from root to nobody.


    # cd /opt/SUNWwbsvr/
    # chown -R nobody:nobody https-admserv/* httpacl/ alias 
    # rm -rf /tmp/https-admserv 
  4. Edit the magnus.conf file.

    Make a backup of this file before making changes to the file.


    # vi https-admserv/config/magnus.conf

    Change the User property value from root to nobody.

  5. Verify that the Web Server administration server successfully runs as a non-root user.

    1. As a root user, log into host AccessManager-1.

    2. Start the Web Server administration server:


      # cd /opt/SUNWwbsvr/https-admserv/
      # ./start

    3. Use the ps command to confirm that the administration server process runs as nobody.

      # ps -ef | grep admserv

  6. As a root user, log into host AccessManager-2.

  7. Stop the Web Server administration server by issuing the commands:


    # cd /opt/SUNWwbsvr/https-admserv 
    # ./stop 
  8. Change the “runs as” user ID from root to nobody.


    # cd /opt/SUNWwbsvr/
    # chown -R nobody:nobody https-admserv/* httpacl/ alias 
    # rm -rf /tmp/https-admserv 
  9. Edit the magnus.conf file.


    # vi https-admserv/config/magnus.conf

    Change the User property value from root to nobody.

  10. Verify that the Web Server administration server successfully runs as a non-root user.

    1. As a root user, log into host AccessManager-2.

    2. Start the Web Server administration server:


      # cd /opt/SUNWwbsvr/https-admserv/
      # ./start

    3. Use the ps command to confirm that the administration server process runs as nobody.

      # ps -ef | grep admserv
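The three procedures above share the same steps: check the listen port, change the User directive in magnus.conf, fix file ownership, and confirm with ps that the server runs as nobody. The following shell script is an added example and is not part of the Sun deployment guide; it collects those steps into functions that can be run against any of the instances. It assumes, beyond what the page states, that the listen port is passed in by the caller, that the worker process appears in ps -ef output as .../bin/https/bin/webservd, and that a watchdog helper named webservd-wdog may appear beside it; the ps output and magnus.conf it runs against are constructed for the demonstration, so no real instance is touched.

```shell
#!/bin/sh
# Added example, not from the Sun deployment guide: helper functions for the
# root-to-nobody reconfiguration of a Web Server instance and for checking
# the result afterwards. Assumptions not stated on the page: the listen port
# is passed in by the caller, the worker shows up in "ps -ef" as
# .../bin/https/bin/webservd, and a watchdog helper (webservd-wdog) may
# appear alongside it and is ignored here.

RUNAS_USER=nobody

# Fail unless the listen port can be bound by an unprivileged process.
# Ports below 1024 are privileged on Solaris and other Unix systems, so an
# instance on such a port still has to be started from a root shell.
check_port_unprivileged() {
    port=$1
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ]; then
        echo "port $port is privileged; a non-root start will fail" >&2
        return 1
    fi
    return 0
}

# Set the User directive in a magnus.conf, keeping a .bak copy first.
# awk writes to a temp file because Solaris sed has no -i option; a
# missing User line is appended so the directive is always present.
set_runas_user() {
    conf=$1
    user=${2:-$RUNAS_USER}
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1
    awk -v u="$user" '
        $1 == "User" { print "User " u; found = 1; next }
        { print }
        END { if (!found) print "User " u }' "$conf" > "$conf.tmp" || return 1
    mv "$conf.tmp" "$conf"
}

# Print the user named by the User directive of a magnus.conf.
get_runas_user() {
    awk '$1 == "User" { print $2 }' "$1"
}

# After "chown -R nobody:nobody ...": list anything under $1 that is still
# not owned by $2. A leftover root-owned file is the usual reason the
# non-root server fails to start or cannot write its logs.
check_owned_by() {
    dir=$1
    user=$2
    leftovers=$(find "$dir" ! -user "$user" -print)
    if [ -n "$leftovers" ]; then
        printf 'not owned by %s:\n%s\n' "$user" "$leftovers" >&2
        return 1
    fi
    return 0
}

# Check "ps -ef" text: every webservd worker must run as $1 (UID is the
# first column). Watchdog lines (webservd-wdog) are skipped; what matters
# for least privilege is the user of the worker that serves requests.
verify_runas() {
    user=$1
    ps_output=$2
    printf '%s\n' "$ps_output" | awk -v u="$user" '
        /bin\/https\/bin\/webservd/ && !/webservd-wdog/ {
            seen++
            if ($1 != u) { bad++; print "worker PID " $2 " runs as " $1 | "cat 1>&2" }
        }
        END { if (seen == 0 || bad > 0) exit 1 }'
}

# Constructed "ps -ef" output: a reconfigured instance (good) and one whose
# magnus.conf was never edited (bad). Not captured from a real host.
PS_GOOD='     UID   PID  PPID   C    STIME TTY         TIME CMD
    root  2101     1   0 10:15:02 ?           0:00 /opt/SUNWwbsvr/bin/https/bin/webservd-wdog -d /opt/SUNWwbsvr/https-AccessManager-1.example.com/config
  nobody  2102  2101   0 10:15:02 ?           0:03 /opt/SUNWwbsvr/bin/https/bin/webservd -d /opt/SUNWwbsvr/https-AccessManager-1.example.com/config'
PS_BAD='     UID   PID  PPID   C    STIME TTY         TIME CMD
    root  2101     1   0 10:15:02 ?           0:00 /opt/SUNWwbsvr/bin/https/bin/webservd-wdog -d /opt/SUNWwbsvr/https-AccessManager-1.example.com/config
    root  2102  2101   0 10:15:02 ?           0:03 /opt/SUNWwbsvr/bin/https/bin/webservd -d /opt/SUNWwbsvr/https-AccessManager-1.example.com/config'

# Walk-through on a constructed magnus.conf; no real instance is touched.
demo() {
    conf=${TMPDIR:-/tmp}/magnus.conf.$$
    printf 'NetsiteRoot /opt/SUNWwbsvr\nUser root\nTempDir /tmp/https-AccessManager-1.example.com\n' > "$conf"
    check_port_unprivileged 1080 && set_runas_user "$conf" nobody
    echo "User directive is now: $(get_runas_user "$conf")"
    verify_runas nobody "$PS_GOOD" && echo "worker runs as nobody"
    rm -f "$conf" "$conf.bak"
}

demo
```

On a real host, run set_runas_user against /opt/SUNWwbsvr/https-AccessManager-1.example.com/config/magnus.conf after the ./stop step, run check_owned_by on the instance directory and on /var/opt/SUNWam and /etc/opt/SUNWam after the chown step, and feed verify_runas the output of `ps -ef` after ./start; the same functions apply unchanged to the https-admserv instance.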