Sun ONE Portal Server 6.1 Installation Guide
Chapter 3
Post Installation Configuration
This chapter includes optional post installation tasks for:
Configuring the Sun ONE Portal Server to Run as User Non-Root
Perform all steps as superuser, except as noted. After installing the Sun ONE Portal Server software, use the following procedures to configure the Sun ONE Portal Server to run as a non-root user.
Note
Configuring the Sun ONE Portal Server to run as user non-root is only intended for Sun ONE Portal Server running on the web server.
Shortening the WAIT State for TCP Ports
Shorten the TCP driver's close wait interval, which defaults to 240000 ms (4 minutes). If an application exits abnormally, it can leave the port in a WAIT state, and you then have to wait 4 minutes before you can retry what you were doing. To reduce the length of the interval:
- Retrieve the current setting by typing:
# ndd -get /dev/tcp tcp_time_wait_interval
- Set the value to 10 seconds by typing:
# ndd -set /dev/tcp tcp_time_wait_interval 10000
This setting remains in effect until the next reboot. To make this a permanent change, edit the /etc/rc2.d/S69inet file to shorten the time length.
Reconfiguring the Sun ONE Portal Server Installation
Code Example 3-2 magnus.conf File Sample
#ServerRoot /opt/SUNWam/servers/https-admserv
NetsiteRoot /opt/SUNWam/servers
ServerID https-admserv
ServerName siroe.sun.com
ErrorLog /opt/SUNWam/servers/https-admserv/logs/errors
PidLog /opt/SUNWam/servers/https-admserv/logs/pid
User Userid
AdminUsers /opt/SUNWam/servers/https-admserv/config/admpw
MtaHost localhost
DNS off
Security off
ClientLanguage en
AdminLanguage en
DefaultLanguage en
RqThrottle 128
TempDir /tmp/https-admserv-1b510d01
...
- Edit the /usr/ldap/slapd-hostname/config/dse.ldif file. Change nsslapd-localuser: root to nsslapd-localuser: Userid as shown in the following example:
Code Example 3-3 dse.ldif File Sample
...
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog: /usr/ldap/slapd-siroe/logs/access
nsslapd-accesslog-maxlogsperdir: 10
nsslapd-accesslog-maxlogsize: 100
nsslapd-accesslog-logrotationtime: 1
nsslapd-accesslog-logrotationtimeunit: day
nsslapd-enquote-sup-oc: off
nsslapd-localhost: siroe.sun.com
nsslapd-schemacheck: on
nsslapd-rewrite-rfc1274: off
nsslapd-return-exact-case: on
nsslapd-port: 389
nsslapd-localuser: Userid
nsslapd-errorlog: /usr/ldap/slapd-siroe/logs/errors
nsslapd-errorlog-logging-enabled: on
nsslapd-errorlog-maxlogsperdir: 2
nsslapd-errorlog-maxlogsize: 100
nsslapd-errorlog-logrotationtime: 1
...
- Edit /usr/ldap/admin-serv/config/local.conf file. Change configuration.nsSuiteSpotUser: root to configuration.nsSuiteSpotUser: Userid as shown in the following sample local.conf file:
Code Example 3-4 local.conf File Sample
...
configuration.objectClass: nsConfig
configuration.objectClass: nsAdminConfig
configuration.objectClass: nsAdminObject
configuration.objectClass: nsDirectoryInfo
configuration.objectClass: top
configuration.nsServerPort: 8900
configuration.nsSuiteSpotUser: Userid
configuration.nsAdminEnableEnduser: on
configuration.nsAdminEnableDSGW: on
...
Code Example 3-5 magnus.conf File Sample
NetsiteRoot /usr/ldap
ServerID admin-serv
ServerName siroe.sun.com
ErrorLog /usr/ldap/admin-serv/logs/error
PidLog /usr/ldap/admin-serv/logs/pid
User Userid
AdminUsers /usr/ldap/admin-serv/config/admpw
MtaHost localhost
DNS on
Security off
ClientLanguage en
AdminLanguage en
DefaultLanguage en
RqThrottle 128
TempDir /usr/ldap/admin-serv/tmp
Code Example 3-6 desktopconfig.properties File Sample
# Copyright 2001 Sun Microsystems, Inc. All rights reserved.
# PROPRIETARY/CONFIDENTIAL. Use of this product is subject to license terms.
#
#########################
# Desktop Configuration #
#########################
#
# Log level
#
logLevel=message
#
# Perf (log) level
#
perfLevel=off
#
...
- Change the ownership of the following directories from root to Userid:UserGroup. That is, enter:
- chown -R Userid:UserGroup /etc/opt/SUNWps
- chown -R Userid:UserGroup /etc/opt/SUNWam
- chown -R Userid:UserGroup /usr/ldap
- chown -R Userid:UserGroup /tmp/https*
- chown -R Userid:UserGroup /opt/SUNWam
- chown -R Userid:UserGroup /opt/SUNWps
- chown -R Userid:UserGroup /usr/java1.3.1_06
- chown -R Userid:UserGroup /var/opt/SUNWam
- chown -R Userid:UserGroup /var/opt/SUNWps
- chown -R Userid:UserGroup /var/sadm/pkg/SUNWamsvc
- chown -R Userid:UserGroup /var/sadm/pkg/SUNWamws
- chown -R Userid:UserGroup /var/sadm/pkg/SUNWamds
- chown -R Userid:UserGroup /var/sadm/pkg/SUNWps
- Edit /etc/init.d/amserver at line 386. Place a # before the check_root_user function call as shown in the following example:
Code Example 3-7 amserver File Sample
#!/bin/sh
# PROPRIETARY/CONFIDENTIAL/...
BASE=/opt
DIRBASE=/usr
LDAPDIR=/usr/ldap
PRODUCTDIR=SUNWam
PACKAGEDIR=$BASE/${PRODUCTDIR}
WEBAPPDIR=$BASE/${PRODUCTDIR}/web-apps
SERVICEAPPSDIR=$WEBAPPDIR/services
AGENTAPPSDIR=$WEBAPPDIR/agent
PLATFORMCONFDIR=$PACKAGEDIR/lib
PLATFORMCONF=${PLATFORMCONFDIR}/AMConfig.properties
PLATFORMBINDIR=${PACKAGEDIR}/bin
WTPASSFILE=${PACKAGEDIR}/config/.wtpass
check_root_user () {
...skipping
}
# check_root_user
...
- Restart the directory server as the non-root user.
- Run /etc/init.d/amserver stop.
A non-root user can run ${BASEDIR}/SUNWam/bin/amserver stop.
- Ensure that all of the processes are stopped.
To verify, type:
ps -ef | grep SUNWam
ps -ef | grep DSBaseDir
- Kill any processes that did not shut down. As root, enter:
/usr/ldap/stop-admin
Launching Sun ONE Portal Server
Configuring the Sun ONE Portal Server to Run as User Nobody
Specifying nobody as the owner of the Sun ONE Portal Server files is a special case: the encrypted password stored for nobody can never match a typed password, so no one can log in as nobody. You must be root to manipulate and execute the files that nobody owns.
When the Sun ONE Portal Server is set up to run as nobody, the server can be configured to listen on port 8080, the default web server port. The LDAP server can also run on the default port 389.
Note
Configuring the Sun ONE Portal Server to run as user nobody is only intended for Sun ONE Portal Server running on the web server.
Perform all steps as root, except as noted. After installing the Sun ONE Portal Server software, do the following:
Shortening the WAIT State for TCP Ports
Shorten the TCP driver's close wait interval, which defaults to 240000 ms (4 minutes). If an application exits abnormally, it can leave the port in a WAIT state, and you then have to wait 4 minutes before you can retry what you were doing.
- Retrieve the current setting by entering:
# ndd -get /dev/tcp tcp_time_wait_interval
- Set the value to ten seconds by entering:
# ndd -set /dev/tcp tcp_time_wait_interval 10000
This setting will remain in effect until the next reboot. To make this a permanent solution, edit the /etc/rc2.d/S69inet file to shorten the time length.
Reconfiguring the Sun ONE Portal Server Installation
Code Example 3-8 magnus.conf File Sample
#ServerRoot /opt/SUNWam/servers/https-siroe.sun.com
ServerID https-siroe.sun.com
ServerName siroe.sun.com
ErrorLog /opt/SUNWam/servers/https-siroe.sun.com/logs/errors
PidLog /opt/SUNWam/servers/https-siroe.sun.com/logs/pid
User nobody
MtaHost localhost
DNS off
Security off
ClientLanguage en
AdminLanguage en
DefaultLanguage en
RqThrottle 1024
StackSize 131072
...
Code Example 3-9 magnus.conf File Sample
#ServerRoot /opt/SUNWam/servers/https-admserv
NetsiteRoot /opt/SUNWam/servers
ServerID https-admserv
ServerName siroe.sun.com
ErrorLog /opt/SUNWam/servers/https-admserv/logs/errors
PidLog /opt/SUNWam/servers/https-admserv/logs/pid
User nobody
AdminUsers /opt/SUNWam/servers/https-admserv/config/admpw
MtaHost localhost
DNS off
Security off
ClientLanguage en
AdminLanguage en
DefaultLanguage en
RqThrottle 128
TempDir /tmp/https-admserv-1b510d01
...
Code Example 3-10 dse.ldif File Sample
...
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog: /usr/ldap/slapd-siroe/logs/access
nsslapd-accesslog-maxlogsperdir: 10
nsslapd-accesslog-maxlogsize: 100
nsslapd-accesslog-logrotationtime: 1
nsslapd-accesslog-logrotationtimeunit: day
nsslapd-enquote-sup-oc: off
nsslapd-localhost: siroe.sun.com
nsslapd-schemacheck: on
nsslapd-rewrite-rfc1274: off
nsslapd-return-exact-case: on
nsslapd-port: 389
nsslapd-localuser: nobody
nsslapd-errorlog: /usr/ldap/slapd-siroe/logs/errors
nsslapd-errorlog-logging-enabled: on
nsslapd-errorlog-maxlogsperdir: 2
nsslapd-errorlog-maxlogsize: 100
nsslapd-errorlog-logrotationtime: 1
...
Code Example 3-11 local.conf File Sample
...
configuration.objectClass: nsConfig
configuration.objectClass: nsAdminConfig
configuration.objectClass: nsAdminObject
configuration.objectClass: nsDirectoryInfo
configuration.objectClass: top
configuration.nsServerPort: 8900
configuration.nsSuiteSpotUser: nobody
configuration.nsAdminEnableEnduser: on
configuration.nsAdminEnableDSGW: on
...
Code Example 3-12 magnus.conf File Sample
NetsiteRoot /usr/ldap
ServerID admin-serv
ServerName siroe.sun.com
ErrorLog /usr/ldap/admin-serv/logs/error
PidLog /usr/ldap/admin-serv/logs/pid
User nobody
AdminUsers /usr/ldap/admin-serv/config/admpw
MtaHost localhost
DNS on
Security off
ClientLanguage en
AdminLanguage en
DefaultLanguage en
RqThrottle 128
TempDir /usr/ldap/admin-serv/tmp
Code Example 3-13 desktopconfig.properties File Sample
# Copyright 2001 Sun Microsystems, Inc. All rights reserved.
# PROPRIETARY/CONFIDENTIAL. Use of this product is subject to license terms.
#
#########################
# Desktop Configuration #
#########################
#
# Log level
#
logLevel=message
#
# Perf (log) level
#
perfLevel=off
#
...
- Change the ownership of the following directories from root to nobody:nobody. That is, enter:
- chown -R nobody:nobody /etc/opt/SUNWps
- chown -R nobody:nobody /etc/opt/SUNWam
- chown -R nobody:nobody /usr/ldap
- chown -R nobody:nobody /tmp/https*
- chown -R nobody:nobody /opt/SUNWam
- chown -R nobody:nobody /opt/SUNWps
- chown -R nobody:nobody /usr/java1.3.1_06
- chown -R nobody:nobody /var/opt/SUNWam
- chown -R nobody:nobody /var/opt/SUNWps
- chown -R nobody:nobody /var/sadm/pkg/SUNWamsvc
- chown -R nobody:nobody /var/sadm/pkg/SUNWamws
- chown -R nobody:nobody /var/sadm/pkg/SUNWamds
- chown -R nobody:nobody /var/sadm/pkg/SUNWps
- Edit /etc/init.d/amserver at line 386. Place a # before the check_root_user function call as shown in the following example:
Code Example 3-14 amserver File Sample
#!/bin/sh
# PROPRIETARY/CONFIDENTIAL/...
BASE=/opt
DIRBASE=/usr
LDAPDIR=/usr/ldap
PRODUCTDIR=SUNWam
PACKAGEDIR=$BASE/${PRODUCTDIR}
WEBAPPDIR=$BASE/${PRODUCTDIR}/web-apps
SERVICEAPPSDIR=$WEBAPPDIR/services
AGENTAPPSDIR=$WEBAPPDIR/agent
PLATFORMCONFDIR=$PACKAGEDIR/lib
PLATFORMCONF=${PLATFORMCONFDIR}/AMConfig.properties
PLATFORMBINDIR=${PACKAGEDIR}/bin
WTPASSFILE=${PACKAGEDIR}/config/.wtpass
check_root_user () {
...skipping
}
# check_root_user
...
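One way to apply and verify the file edits in both procedures above (the Userid case and the nobody case), added here as an example and not taken from the Sun ONE documentation: the target user and the file paths are arguments, and the files used to exercise it are constructed samples, not the product's own files.

```shell
#!/bin/sh
# Apply the run-as-user edits from the two procedures above and verify them.
# $1 is the target user (Userid or nobody). Solaris sed has no -i option, so
# each edit goes through a temporary file. Call set_run_as_user once per
# magnus.conf (https-admserv, the portal instance, and the LDAP admin-serv).

rewrite() {   # $1 = sed expression, $2 = file to edit in place
  sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Change the run-as user in magnus.conf (User), dse.ldif (nsslapd-localuser)
# and local.conf (configuration.nsSuiteSpotUser), then comment out the
# check_root_user call in the amserver start script.
set_run_as_user() {   # $1 user, $2 magnus.conf, $3 dse.ldif, $4 local.conf, $5 amserver
  rewrite "s/^User .*/User $1/" "$2"
  rewrite "s/^nsslapd-localuser: .*/nsslapd-localuser: $1/" "$3"
  rewrite "s/^configuration\.nsSuiteSpotUser: .*/configuration.nsSuiteSpotUser: $1/" "$4"
  rewrite 's/^check_root_user$/# check_root_user/' "$5"
}

# Succeeds (exit 0) if any of the given files still names root as the run-as
# user or still has an active check_root_user call; run it before restarting.
root_still_configured() {
  grep -q -E '^(User|nsslapd-localuser:|configuration\.nsSuiteSpotUser:)[[:space:]]+root[[:space:]]*$' "$@" \
    || grep -q -E '^check_root_user[[:space:]]*$' "$@"
}

# Lists anything under the given directories not owned by $1, i.e. what the
# chown -R step above missed. Empty output means the ownership change is complete.
not_owned_by() {
  user=$1; shift
  find "$@" ! -user "$user" -print 2>/dev/null
}
```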
Launching Sun ONE Portal Server
Creating and Deleting Instances of the Server
An instance is a server that listens on a particular port, bound to one or more IP addresses. For the Sun ONE Portal Server, an instance corresponds to a web server process listening on a port and running a single JVM. Follow the instructions in this section to create multiple instances of the server.
- Log in to the server running the Sun ONE Portal Server: User Interface node.
- Become superuser and change directories to S1PSBaseDir/SUNWps/bin.
- Enter ./multiserverinstance for interactive installation.
You will be prompted for the instance nickname, port number, and Identity Server password for the new instance of the server. The instance name should only contain alphanumeric characters (no dots).
Note
Instance creation using the multiserverinstance command is only supported on Sun ONE Web Server.
If you create any additional server instances and you want to run them as non-root or nobody, comment out the following lines for each instance in ISBaseDir/SUNWam/bin/amserver.instance-nickname:
if [ `$ID | $AWK '{print $1}'` != "uid=0(root)" ]; then
    $ECHO "You must be root user. $BELL_CHAR"
    exit 1
fi
To delete an instance:
Where to Go Next?
This section includes information on the following:
Validating Sun ONE Portal Server Installation
To ensure that the installation of the Sun ONE Portal Server was successful, start the server and check that the processes run and listen correctly.
- Check that all the Sun ONE Portal Server processes run correctly. That is, enter:
- The Sun ONE Web Server must run on port 80 (by default).
# pgrep ns-httpd
This command returns multiple process IDs since the Sun ONE Portal Server uses multiple web server instances.
- Check that the Sun ONE Web Server listens on port 80 (by default).
# netstat -an | grep LISTEN | grep "\*\.80\>"
This command returns a single line that shows that there is an open socket that listens on port 80.
- The Sun ONE Directory Server must run.
# pgrep ns-slapd
This command returns a single process ID of the Sun ONE Directory Server.
- The doUnix helper must be running on port 8946.
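The four checks above as a script, added here and not part of the original guide: the parsers read captured pgrep and netstat -an output so they can be exercised on sample text, and validate_portal_server wires in the live commands. Port 80, port 8946 and the process names are the chapter's; treating the doUnix helper as a TCP listener on 8946 is an assumption.

```shell
#!/bin/sh
# Checks for the validation steps above. The parsers read captured pgrep and
# netstat -an output on stdin; validate_portal_server runs the live commands.
# Port 80, port 8946 and the process names are the chapter's; treating the
# doUnix helper as a TCP listener on 8946 is an assumption.

# Reads `pgrep NAME` output (one pid per line) and prints how many were found.
count_pids() { grep -c -E '^[0-9]+$' || true; }

# Reads `netstat -an` output; succeeds if a socket in LISTEN state is bound to
# port $1 on any address (matches "*.80" or "10.0.0.5.80", but not "*.8080").
listening_on_port() {
  grep 'LISTEN' | grep -q -E "(^|[[:space:]])[^[:space:]]*\.$1[[:space:]]"
}

# Prints one line per check and returns non-zero if any check fails.
validate_portal_server() {
  rc=0
  n=$(pgrep ns-httpd | count_pids)   # the guide expects several instances
  if [ "$n" -ge 1 ]; then echo "ok: $n ns-httpd process(es)"; else echo "FAIL: no ns-httpd"; rc=1; fi
  if netstat -an | listening_on_port 80; then echo "ok: web server listening on 80"
  else echo "FAIL: nothing listening on port 80"; rc=1; fi
  n=$(pgrep ns-slapd | count_pids)   # the guide expects exactly one
  if [ "$n" -eq 1 ]; then echo "ok: one ns-slapd process"; else echo "FAIL: $n ns-slapd processes"; rc=1; fi
  if netstat -an | listening_on_port 8946; then echo "ok: doUnix helper listening on 8946"
  else echo "FAIL: nothing listening on port 8946"; rc=1; fi
  return $rc
}
```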
Accessing the Sun ONE Portal Server Administration Console and Desktop
Use the following procedures to validate that the Sun ONE Portal Server installation was successful.
To Access the Sun ONE Identity Server Administration Console
To Access the Sample Desktop
For the default organization you enter during the install, the software sets up the desktop service, creates the template, and creates and assigns a desktop policy to users of that organization. You can either create a user in the organization to log on, or use anonymous login without creating a user.
Configuring Sun ONE Portal Server With a Gateway to Trust Sun ONE Identity Server
When using the Sun ONE Portal Server with the gateway, the gateway Certificate Authority (CA) certificate must be added to the Sun ONE Portal Server trusted CA list, regardless of whether the Sun ONE Portal Server is running in HTTP or HTTPS mode.
When a user session times out or a user logs out, the Sun ONE Identity Server sends a session notification to the gateway. Even when the Sun ONE Identity Server is running in HTTP mode, it acts as an SSL client using HttpsURLConnection to send the notification. Since it is connecting to an SSL server (the gateway), it must either have the gateway CA certificate in its trusted CA list or have an option to accept self-signed certificates.
To create HttpsURLConnection, the Java Virtual Machine (JVM) property -Djava.protocol.handler.pkgs needs to be set.
If the Sun ONE Portal Server is running on the Sun ONE Web Server, this property is correctly set to -Djava.protocol.handler.pkgs by default. The Sun ONE Identity Server com.iplanet.services.comm package contains the HttpsURLConnection implementation and provides the flag com.iplanet.am.jssproxy.trustAllServerCerts=true to accept self-signed certificates from any SSL server. Because that flag accepts any server certificate, it bypasses server authentication for the notification; adding the gateway CA certificate to the trusted CA list is the safer choice.
The -Djava.protocol.handler.pkgs is not set by default for the Sun ONE Application Server, WebLogic and WebSphere. The HttpsURLConnection implementation for supported application servers must use their own default handler (this could be JSSE or custom SSL implementation).
Administering the Portal Server
In order to configure Secure Socket Layer (SSL), see Chapter 12 of the Sun ONE Portal Server 6.1 Administrator’s Guide, “Managing the Sun ONE Portal Server System.”
In order to manage multiple installations of the portal server user interface nodes, see Chapter 12 of the Sun ONE Portal Server 6.1 Administrator’s Guide.