Sun Java System Access Manager 7.1 Postinstallation Guide

Installing Access Manager to Run as a Non-root User With Application Server

Follow this procedure to install and configure Access Manager 7.1 with Sun Java System Application Server Enterprise Edition 8.2 as the web container. The examples in this procedure use appservd as the non-root user.

This procedure runs the Java ES installer twice:

  1. You first run the installer with the Configure Now option to install and configure Application Server 8.2.

  2. You run the installer with the Configure Later option to install Access Manager 7.1. Then you run the amconfig script to configure the Access Manager 7.1 instance.

For more information about Application Server 8.2, see the following documentation collection:

http://docs.sun.com/coll/1310.3

Procedure: To Install and Configure Access Manager with Application Server as the Web Container

Before You Begin

Consider these preliminary tasks:

  1. On the server where you want to install Application Server 8.2 and Access Manager 7.1, log in as or become superuser (root).

  2. As superuser (root), install Application Server 8.2 by running the Java ES installer with the Configure Now option.

    When you select Application Server 8.2, the installer automatically selects Message Queue 3.7 UR1.

    Set the installation values as required for your Application Server 8.2 deployment. The specific values that you must set for a non-root user include:

    • On the Specify Installation Directories page, for the Application Server and Application Server Data and Configuration directories, enter values that are beneath the non-root user's home directory. For example, if the non-root user's home directory is /export/home/appservd, the Application Server installation directory would be /export/home/appservd/as.

    • On the Specify Common Server Settings page, enter the non-root user (appservd) for System User and non-root group (appservd) for System Group.

    • On the Application Server Domain Administration Server (1 of 1) page, select port numbers for the Application Server Admin Port, JMX Port, HTTP Port, and HTTPS Port.

    Note: If you are running the Solaris 10 OS, you can use port numbers lower than 1024 by assigning the net_privaddr privilege to the non-root user, as described in Using Port Numbers Lower Than 1024 on Solaris 10 Systems.

  3. After the Java ES installer has finished installing Application Server 8.2, as superuser (root), delete the Application Server domain created by the Java ES installer in the following location, depending on your platform:

    • Solaris systems: /export/home/appservd/as/appserver/bin

    • Linux systems: /export/home/appservd/as/bin

    For example, to delete the Application Server 8.2 domain:

    # ./asadmin delete-domain --domaindir /asdomains domain1
  4. As superuser (root), change the ownership of the Application Server installation directory and the Application Server data and configuration directory to the non-root user and group. For example:

    # chown -R appservd:appservd /export/home/appservd/as /export/home/appservd/as_var/
  5. If you plan to use an administration password file in asadmin commands, as superuser (root), create the file.

    The following examples use /tmp/asAdminPWFile as the administration password file name. Specify the passwords in this file as follows:

    • AS_ADMIN_PASSWORD=application-server-admin-password

    • AS_MASTERPASSWORD=master-password

    Caution: The administration password file contains passwords in clear text. Secure this file as appropriate for your deployment.

  6. Recreate the Application Server domain as the non-root user:

    1. Change to the non-root user. For example:

      # su - appservd
    2. Change to the /bin directory, depending on your platform:

      Solaris systems: /export/home/appservd/as/appserver/bin

      Linux systems: /export/home/appservd/as/bin

    3. Recreate the deleted domain using the asadmin create-domain command.

      For example:

      ./asadmin create-domain --domaindir /export/home/appservd/as_var/domains \
      --adminport 4949 --adminuser admin --passwordfile /tmp/asAdminPWFile \
      --instanceport 80 --domainproperties domain.jmxPort=86:http.ssl.port=81 \
      --savemasterpassword=true domain1
      ... 
      Domain domain1 created.
  7. As the non-root user, start the Application Server 8.2 domain that you just created using the asadmin start-domain command. For example:

    ./asadmin start-domain --user admin --passwordfile /tmp/asAdminPWFile domain1

    The Application Server and Message Queue processes should be owned by the non-root user (appservd).

  8. To verify that the Application Server 8.2 administration instance is accessible, use the following URL:

    https://fqdn:as-admin-port/

    Where fqdn and as-admin-port specify the fully qualified domain name and admin port number.

  9. To verify that the Application Server HTTP port is accessible, use the following URL:

    http://fqdn:8080/

    Where fqdn is the fully qualified domain name.

  10. Log in as or become superuser (root) and restart the Java ES installer to install Access Manager 7.1.

    On the Choose a Configuration Type page, select the Configure Later option.

  11. After the installation has finished, as superuser (root), change the ownership of the following directories from root and other to the non-root user (appservd) and non-root group (appservd), depending on your platform:

    • Solaris systems: /opt/SUNWma and /etc/opt/SUNWma

    • Linux systems: /opt/sun/mobileaccess and /etc/opt/sun/mobileaccess

    For example, on Solaris systems:

    # chown -R appservd:appservd /opt/SUNWma /etc/opt/SUNWma
  12. As superuser (root), change to the Access Manager /bin directory, depending on your platform:

    • Solaris systems: /opt/SUNWam/bin

    • Linux systems: /opt/sun/identity/bin

  13. As superuser (root), make a copy of the amsamplesilent file to use to configure Access Manager 7.1. For example:

    # cp -p amsamplesilent as8nonroot_config
  14. As superuser (root), edit the as8nonroot_config file as follows:

    • Set NEW_OWNER to the non-root user (appservd) and NEW_GROUP to the non-root group (appservd).

    • Set the AS81_HOME variable to the parent directory of the Application Server 8.2 /bin directory.

    • Set WEB_CONTAINER=AS8 to specify Application Server 8.2 as the web container. For a description of other Application Server 8.2 variables, see Web Container Configuration Variables.

    • Set other Access Manager 7.1 variables, as required by your deployment. For a description of these variables, see Access Manager Configuration Variables.

  15. As superuser (root), run the amconfig script with the edited as8nonroot_config file to deploy Access Manager 7.1. For example:

    # ./amconfig -s ./as8nonroot_config

    If you encounter the question “Do you trust the above certificate [y|n]” during the deployment of the Access Manager web applications, specify “y” and press Enter.

  16. As the non-root user, change to the /bin directory. For example:

    Solaris systems: /export/home/appservd/as/appserver/bin

    Linux systems: /export/home/appservd/as/bin

  17. As the non-root user, stop the Application Server 8.2 domain and then restart it. For example:

    ./asadmin stop-domain domain1 
    ./asadmin start-domain --user admin --passwordfile /tmp/asAdminPWFile domain1
  18. To verify that the Access Manager 7.1 Admin Console is accessible, use the following URL:

    http://fqdn:8080/amserver/

    Where fqdn is the fully qualified domain name.
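
The clear-text password file from step 5 and the chown -R changes in steps 4 and 11 can be created and checked with a few shell functions. The following is an added example, not part of the Sun guide: the function names create_pwfile, pwfile_ok and misowned are hypothetical, and the paths and the appservd user and group are the ones used in the procedure above.

```shell
#!/bin/sh
# Added example (not from the Sun guide). Function names are hypothetical;
# paths and the appservd user/group are the ones used in the procedure.

# create_pwfile FILE OWNER
# Reads the admin password, then the master password, one per line from
# stdin, so neither appears on a command line or in ps output.
create_pwfile() {
    (
        umask 077   # new file gets mode 0600
        set -C      # noclobber: refuse to overwrite an existing regular
                    # file, including one reached through a symlink
        IFS= read -r admin_pw && IFS= read -r master_pw || exit 1
        printf 'AS_ADMIN_PASSWORD=%s\nAS_MASTERPASSWORD=%s\n' \
            "$admin_pw" "$master_pw" > "$1"
    ) || return 1
    chown "$2" "$1"   # root creates the file, the non-root user reads it
}

# pwfile_ok FILE OWNER
# True only if FILE is a regular file, not a symlink, owned by OWNER, with
# no permission bits set for group or other.
pwfile_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    ls -ld "$1" | awk -v owner="$2" \
        '$1 ~ /^-r[w-]-------/ && $3 == owner { ok = 1 } END { exit !ok }'
}

# misowned DIR USER GROUP
# Prints every entry under DIR that the chown -R steps left with a
# different owner or group; no output means the tree is clean.
misowned() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Typical use as root after step 5, and again after step 11:
#   create_pwfile /tmp/asAdminPWFile appservd    # passwords on stdin
#   pwfile_ok /tmp/asAdminPWFile appservd || echo "fix password file" >&2
#   misowned /export/home/appservd/as appservd appservd
#   misowned /opt/SUNWma appservd appservd
```

Because /tmp is world-writable, run pwfile_ok again immediately before each asadmin command that reads the file.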