Sun Java System Access Manager 7.1 Postinstallation Guide

Chapter 9 Configuring Access Manager to Run as a Non-root User

In a typical deployment, Sun Java™ System Access Manager runs as superuser (root). In some deployments, however, you might want Access Manager to run as a non-root user. This chapter describes how to install and configure Access Manager 7.1 to run as a non-root user, including these tasks:

Creating Non-root Users

As superuser (root), create the non-root users and groups (if they do not already exist) that will run Directory Server and the Access Manager web container. The examples in this chapter use the following non-root users and groups:

Using Port Numbers Lower Than 1024 on Solaris 10 Systems

On Solaris 10 systems, you can allow a non-root user to use port numbers lower than 1024 by adding the net_privaddr privilege to the user. The net_privaddr privilege allows a process to bind to a privileged port number (1-1023). Thus, on Solaris 10 systems, the dirservd user can start Directory Server on port 389, and the webservd user can start Web Server on port 80.

For example, the following commands add this privilege to the non-root users:

# useradd -c "Directory Server reserved UID" -d / dirservd
# groupadd dirservd
# usermod -G dirservd dirservd
# usermod -K defaultpriv=basic,net_privaddr dirservd

# useradd -c "Web Server reserved UID" -d / webservd
# groupadd webservd
# usermod -G webservd webservd
# usermod -K defaultpriv=basic,net_privaddr webservd

# useradd -c "Application Server reserved UID" -d / appservd
# groupadd appservd
# usermod -G appservd appservd
# usermod -K defaultpriv=basic,net_privaddr appservd

Note: The net_privaddr privilege applies only to Solaris 10 systems. It does not apply to earlier versions of the Solaris OS or to Linux systems.
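On Solaris 10, usermod -K writes the defaultpriv keyword into /etc/user_attr, so the privilege set a service account actually carries can be audited there. The following shell check is an added example, not part of the Sun documentation: it extracts a user's defaultpriv entry from user_attr-formatted input and reports any privilege beyond basic and net_privaddr, which is the least-privilege condition this section describes. The user_attr lines are constructed sample data.

```shell
#!/bin/sh
# Constructed sample of /etc/user_attr entries (not taken from a real system).
# Format: user:qualifier:res1:res2:attr, where attr is key=value pairs joined by ';'.
SAMPLE_USER_ATTR='dirservd::::type=normal;defaultpriv=basic,net_privaddr
webservd::::type=normal;defaultpriv=basic,net_privaddr
appservd::::type=normal;defaultpriv=basic,net_privaddr,proc_exec
root::::auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no'

# Print the defaultpriv set of user $1, reading user_attr-formatted lines on stdin.
user_defaultpriv() {
    awk -F: -v u="$1" '$1 == u {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++) {
            if (kv[i] ~ /^defaultpriv=/) { sub(/^defaultpriv=/, "", kv[i]); print kv[i]; exit }
        }
    }'
}

# Return 0 only if user $1 has a defaultpriv entry in $2 that is exactly the basic set
# plus net_privaddr; a missing entry or any extra privilege is reported on stderr.
privs_are_minimal() {
    privs=$(printf '%s\n' "$2" | user_defaultpriv "$1")
    [ -n "$privs" ] || { echo "$1: no defaultpriv entry" >&2; return 1; }
    extra=$(printf '%s\n' "$privs" | tr ',' '\n' | grep -v -x -e basic -e net_privaddr || true)
    if [ -n "$extra" ]; then
        echo "$1: privileges beyond basic,net_privaddr: $(printf '%s' "$extra" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Walk the three accounts from this chapter over the sample data.
# On a live Solaris 10 host, pass "$(cat /etc/user_attr)" instead of SAMPLE_USER_ATTR.
for u in dirservd webservd appservd; do
    if privs_are_minimal "$u" "$SAMPLE_USER_ATTR"; then echo "$u: minimal privilege set"; fi
done
```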

Installing Sun Java System Directory Server 6.0

Follow the next procedure to install Sun Java System Directory Server Enterprise Edition 6.0 to run as a non-root user. This procedure uses dirservd as the non-root user.

If you prefer, you can also use an existing Directory Server, running either as root or a non-root user.

For more information about Directory Server 6.0, see the following documentation collection:

http://docs.sun.com/coll/1224.1

Procedure: To Install Directory Server Enterprise Edition 6.0

  1. On the server where you want to install Directory Server, log in as or become superuser (root).

  2. As superuser (root), install Directory Server Enterprise Edition 6.0 by running the Java ES installer with the Configure Now option.

    Set the installation values as required for your Directory Server deployment. The specific values that you must set for a non-root user include:

    • On the Specify Common Server Settings page, enter the non-root user (dirservd) for System User and non-root group (dirservd) for System Group.

    • On the Directory Server: Specify Instance Creation Information page, specify port numbers for the Directory Instance Port and the Directory Instance SSL Port.

      Note: If you are running the Solaris 10 OS, you can use port numbers lower than 1024 by assigning the net_privaddr privilege to the non-root user, as described in Using Port Numbers Lower Than 1024 on Solaris 10 Systems.

  3. After the Java ES installer has finished, log in as or become the non-root user and start the Directory Server instance. For example:

    > cd /opt/SUNWdsee/ds6/bin
    > ./dsadm start /var/opt/SUNWdsee/DS-instance
    

    All Directory Server processes should be owned by the non-root user (dirservd).

Installing Access Manager to Run as a Non-root User With Web Server 7.0

Follow the next procedure to install and configure Access Manager 7.1 with Sun Java System Web Server Enterprise Edition 7.0 as the web container. This procedure uses webservd as the non-root user in examples.

This procedure runs the Java ES installer twice:

  1. You first run the installer with the Configure Now option to install and configure Web Server 7.0.

  2. You run the installer with the Configure Later option to install Access Manager 7.1. Then you run the amconfig script to configure the Access Manager 7.1 instance.

For more information about Web Server 7.0, see the following documentation collection:

http://docs.sun.com/coll/1308.3

Procedure: To Install and Configure Access Manager with Web Server 7.0 as the Web Container

Before You Begin

Consider these preliminary tasks:

  1. On the server where you want to install Web Server 7.0 and Access Manager 7.1, log in as or become superuser (root).

  2. As superuser (root), install Web Server 7.0 by running the Java ES installer with the Configure Now option.

    Set the installation values as required for your Web Server 7.0 deployment. The specific values that you must set for a non-root user include:

    • On the Specify Common Server Settings page, specify the non-root user (webservd) for System User and non-root group (webservd) for System Group.

    • On the Web Server: Specify Administration Server Settings page, change the Runtime User ID to the non-root user (webservd).

    • On the Web Server: Specify Instance Settings page, change the Runtime UNIX User ID to the non-root user (webservd).

  3. After the Java ES installer has finished installing Web Server 7.0, log in as or become the non-root user (webservd).

  4. Start the Web Server 7.0 administration server and the Web Server instance using the startserv script.

    Note: In the current release, if you try to start the Web Server instance using the wadm start-instance command, the command returns an error.

    All processes should be owned by the non-root user (webservd).

  5. Log in as or become superuser (root) and restart the Java ES installer to install Access Manager 7.1.

    On the Choose a Configuration Type page, select the Configure Later option.

  6. After the Java ES installer has finished, depending on your platform, change the ownership of the following directories from root and other to the non-root user (webservd) and non-root group (webservd):

    • Solaris systems: /opt/SUNWma and /etc/opt/SUNWma

    • Linux systems: /opt/sun/mobileaccess and /etc/opt/sun/mobileaccess

    For example, on Solaris systems:

    # chown -R webservd:webservd /opt/SUNWma /etc/opt/SUNWma

  7. As superuser (root), change to the Access Manager 7.1 /bin directory, depending on your platform:

    • Solaris systems: /opt/SUNWam/bin

    • Linux systems: /opt/sun/identity/bin

  8. As superuser (root), make a copy of the amsamplesilent file to use to configure Access Manager 7.1. For example:

    # cp -p amsamplesilent ws7nonroot_config

  9. As superuser (root), edit the ws7nonroot_config file to configure Access Manager 7.1 with Web Server 7.0 as the web container:

    • Set the NEW_OWNER variable to the non-root user (webservd) and the NEW_GROUP variable to the non-root group (webservd).

    • Set WEB_CONTAINER=WS to specify Web Server 7.0 as the web container. For a description of other Web Server 7.0 variables, see Web Container Configuration Variables.

    • Set other Access Manager 7.1 variables, as required by your deployment. For a description of these variables, see Access Manager Configuration Variables.

  10. As superuser (root), run the amconfig script with the edited ws7nonroot_config file to configure Access Manager 7.1.

    For example, on Solaris systems:

    # cd /opt/SUNWam/bin
    # ./amconfig -s ./ws7nonroot_config

  11. Access the Web Server 7.0 Administration Console in a browser and log in as the Web Server administrator.

  12. Select the instance on which you deployed Access Manager 7.1 and click Manage.
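Both the Directory Server procedure and step 4 above end with the expectation that every server process is owned by the non-root user, and a process that came up as root is the usual sign that a start script was run from the wrong account. The following shell check is an added example, not code from the Sun documentation: it reads `ps -eo user,pid,comm` output and lists any process matching a command pattern that is not owned by the expected user. The ps lines are constructed sample data; the same check applies to the Application Server and Message Queue processes in the next procedure.

```shell
#!/bin/sh
# Constructed sample of `ps -eo user,pid,comm` output; not captured from a real host.
# One webservd worker was deliberately started as root to show a finding.
SAMPLE_PS='USER       PID COMMAND
root         1 init
dirservd   812 ns-slapd
webservd  1201 webservd-wdog
webservd  1204 webservd
root      1337 webservd
appservd  2040 appservwatch'

# check_process_owner EXPECTED_USER COMMAND_REGEX
# Reads ps output (user, pid, comm columns, header first) on stdin. Returns 0 when every
# process whose command matches the regex is owned by EXPECTED_USER, otherwise prints the
# offending user/pid/command triples on stderr and returns 1.
check_process_owner() {
    expected="$1"; pattern="$2"
    bad=$(awk -v u="$expected" -v p="$pattern" \
        'NR > 1 && $3 ~ p && $1 != u { print $1, $2, $3 }')
    if [ -n "$bad" ]; then
        printf 'processes matching %s not owned by %s:\n%s\n' "$pattern" "$expected" "$bad" >&2
        return 1
    fi
    return 0
}

# Demonstration over the sample: Directory Server is clean, Web Server is not.
# On a live host: ps -eo user,pid,comm | check_process_owner webservd '^webservd'
printf '%s\n' "$SAMPLE_PS" | check_process_owner dirservd '^ns-slapd' && echo "ns-slapd: ok"
printf '%s\n' "$SAMPLE_PS" | check_process_owner webservd '^webservd' || echo "webservd: review"
```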

Installing Access Manager to Run as a Non-root User With Application Server

Follow the next procedure to install and configure Access Manager 7.1 with Sun Java System Application Server Enterprise Edition 8.2 as the web container. This procedure uses appservd as the non-root user in examples.

This procedure runs the Java ES installer twice:

  1. You first run the installer with the Configure Now option to install and configure Application Server 8.2.

  2. You run the installer with the Configure Later option to install Access Manager 7.1. Then you run the amconfig script to configure the Access Manager 7.1 instance.

For more information about Application Server 8.2, see the following documentation collection:

http://docs.sun.com/coll/1310.3

Procedure: To Install and Configure Access Manager with Application Server as the Web Container

Before You Begin

Consider these preliminary tasks:

  1. On the server where you want to install Application Server 8.2 and Access Manager 7.1, log in as or become superuser (root).

  2. As superuser (root), install Application Server 8.2 by running the Java ES installer with the Configure Now option.

    When you select Application Server 8.2, the installer automatically selects Message Queue 3.7 UR1.

    Set the installation values as required for your Application Server 8.2 deployment. The specific values that you must set for a non-root user include:

    • On the Specify Installation Directories page, for the Application Server and Application Server Data and Configuration directories, enter values that are beneath the non-root user's home directory. For example, if the non-root user's home directory is /export/home/appservd, the Application Server installation directory would be /export/home/appservd/as.

    • On the Specify Common Server Settings page, enter the non-root user (appservd) for System User and non-root group (appservd) for System Group.

    • On the Application Server Domain Administration Server (1 of 1) page, select port numbers for the Application Server Admin Port, JMX Port, HTTP Port, and HTTPS Port.

    Note: If you are running the Solaris 10 OS, you can use port numbers lower than 1024 by assigning the net_privaddr privilege to the non-root user, as described in Using Port Numbers Lower Than 1024 on Solaris 10 Systems.

  3. After the Java ES installer has finished installing Application Server 8.2, as superuser (root), delete the Application Server domain that the Java ES installer created. Run the asadmin command from the Application Server /bin directory for your platform:

    • Solaris systems: /export/home/appservd/as/appserver/bin

    • Linux systems: /export/home/appservd/as/bin

    For example, to delete the Application Server 8.2 domain:

    # ./asadmin delete-domain --domaindir /asdomains domain1

  4. As superuser (root), change the ownership of the Application Server installation directory and the Application Server data and configuration directory to the non-root user and group. For example:

    # chown -R appservd:appservd /export/home/appservd/as /export/home/appservd/as_var/

  5. If you plan to use an administration password file in asadmin commands, as superuser (root), create the file.

    The following examples use /tmp/asAdminPWFile as the administration password file name. Specify the passwords in this file as follows:

    • AS_ADMIN_PASSWORD=application-server-admin-password

    • AS_MASTERPASSWORD=master-password

    Caution: The administration password file contains passwords in clear text. Secure this file as appropriate for your deployment.

  6. Recreate the Application Server domain as the non-root user:

    1. Change to the non-root user. For example:

      # su - appservd

    2. Change to the /bin directory, depending on your platform:

      Solaris systems: /export/home/appservd/as/appserver/bin

      Linux systems: /export/home/appservd/as/bin

    3. Recreate the deleted domain using the asadmin create-domain command.

      For example:

      ./asadmin create-domain --domaindir /export/home/appservd/as_var/domains \
      --adminport 4949 --adminuser admin --passwordfile /tmp/asAdminPWFile \
      --instanceport 80 --domainproperties domain.jmxPort=86:http.ssl.port=81 \
      --savemasterpassword=true domain1
      ...
      Domain domain1 created.

  7. As the non-root user, start the Application Server 8.2 domain that you just created using the asadmin start-domain command. For example:

    ./asadmin start-domain --user admin --passwordfile /tmp/asAdminPWFile domain1

    The Application Server and Message Queue processes should be owned by the non-root user (appservd).

  8. To verify that the Application Server 8.2 administration instance is accessible, use the following URL:

    https://fqdn:as-admin-port/

    Where fqdn and as-admin-port specify the fully qualified domain name and admin port number.

  9. To verify that the Application Server HTTP port is accessible, use the following URL:

    http://fqdn:8080/

    Where fqdn is the fully qualified domain name.

  10. Log in as or become superuser (root) and restart the Java ES installer to install Access Manager 7.1.

    On the Choose a Configuration Type page, select the Configure Later option.

  11. After the installation has finished, as superuser (root), change the ownership of the following directories from root and other to the non-root user (appservd) and non-root group (appservd), depending on your platform:

    • Solaris systems: /opt/SUNWma and /etc/opt/SUNWma

    • Linux systems: /opt/sun/mobileaccess and /etc/opt/sun/mobileaccess

    For example, on Solaris systems:

    # chown -R appservd:appservd /opt/SUNWma /etc/opt/SUNWma

  12. As superuser (root), change to the Access Manager /bin directory, depending on your platform:

    • Solaris systems: /opt/SUNWam/bin

    • Linux systems: /opt/sun/identity/bin

  13. As superuser (root), make a copy of the amsamplesilent file to use to configure Access Manager 7.1. For example:

    # cp -p amsamplesilent as8nonroot_config

  14. As superuser (root), edit the as8nonroot_config file as follows:

    • Set NEW_OWNER to the non-root user (appservd) and NEW_GROUP to the non-root group (appservd).

    • Set the AS81_HOME variable to the parent directory of the Application Server 8.2 /bin directory.

    • Set WEB_CONTAINER=AS8 to specify Application Server 8.2 as the web container. For a description of other Application Server 8.2 variables, see Web Container Configuration Variables.

    • Set other Access Manager 7.1 variables, as required by your deployment. For a description of these variables, see Access Manager Configuration Variables.

  15. As superuser (root), run the amconfig script with the edited as8nonroot_config file to deploy Access Manager 7.1. For example:

    # ./amconfig -s ./as8nonroot_config

    If you encounter the question “Do you trust the above certificate [y|n]” during the deployment of the Access Manager web applications, specify “y” and press Enter.

  16. As the non-root user, change to the /bin directory. For example:

    Solaris systems: /export/home/appservd/as/appserver/bin

    Linux systems: /export/home/appservd/as/bin

  17. As the non-root user, stop the Application Server 8.2 domain and then restart it. For example:

    ./asadmin stop-domain domain1
    ./asadmin start-domain --user admin --passwordfile /tmp/asAdminPWFile domain1

  18. To verify that the Access Manager 7.1 Admin Console is accessible, use the following URL:

    http://fqdn:8080/amserver/

    Where fqdn is the fully qualified domain name.
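Step 5 of the Application Server procedure creates an administration password file, and the Caution there notes that it holds clear-text passwords. The following shell functions are an added example, not code from the Sun documentation: they create that file readable only by its owner (umask 077, so it is never briefly world-readable) and verify that no group or other permission bits are set, using ls -ld rather than stat(1) so the check runs on Solaris 10 as well as Linux. The AS_ADMIN_PW and AS_MASTER_PW environment variables and the file path are assumptions; the key names are the ones the procedure lists.

```shell
#!/bin/sh
# create_as_pwfile FILE
# Writes the asadmin password file with the two keys from the procedure. Passwords come
# from the environment (AS_ADMIN_PW, AS_MASTER_PW; assumed names) so they do not appear
# in shell history or in the process list. The file is created with mode 0600.
create_as_pwfile() {
    file="$1"
    [ -n "$AS_ADMIN_PW" ] && [ -n "$AS_MASTER_PW" ] || {
        echo "AS_ADMIN_PW and AS_MASTER_PW must be set" >&2; return 1; }
    old_umask=$(umask)
    umask 077
    printf 'AS_ADMIN_PASSWORD=%s\nAS_MASTERPASSWORD=%s\n' "$AS_ADMIN_PW" "$AS_MASTER_PW" > "$file"
    rc=$?
    umask "$old_umask"
    return $rc
}

# pwfile_is_private FILE
# Returns 0 only if FILE is a regular file whose group and other permission bits are all
# clear (for example -rw-------); otherwise reports the mode on stderr and returns 1.
pwfile_is_private() {
    [ -f "$1" ] || { echo "$1: missing or not a regular file" >&2; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -??????---) return 0 ;;
        *) echo "$1: mode $mode allows group/other access" >&2; return 1 ;;
    esac
}

# Usage on the host, as the non-root user that will run asadmin (constructed path):
#   AS_ADMIN_PW='...' AS_MASTER_PW='...' create_as_pwfile /tmp/asAdminPWFile
#   pwfile_is_private /tmp/asAdminPWFile && ./asadmin start-domain --user admin \
#       --passwordfile /tmp/asAdminPWFile domain1
```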