This section contains the following non-root example:
This example uses Web Server as the web container. If the Web Server administration runtime user is non-root, then the Web Server instance runtime user needs to be the same non-root user. If the Web Server instance is non-root, and if you choose to run Web Server on port 80, then there are two options:
Start Web Server as root. This allows Web Server to attach to a port lower than 1024. Web Server will later be able to run as the non-root user configured during installation.
Solaris 10 has a feature that allows a system administrator to assign process privileges for a non-root user, allowing the non-root user to bind to a port lower than 1024. This means there is no need for Web Server to be started as root just to bind at a port number such as 80. For example, to assign process privileges to allow binding to port 80, do the following:
As root, type the following command:
/usr/sbin/usermod -K defaultpriv=basic,net_privaddr webservd
For other non-root information in this document, see Configuring Product Components With Non-root Identifiers.
This example provides an installation sequence and configuration procedures for allowing Access Manager to run in a web container that is not owned by root.
If your installation plan calls for deploying Access Manager in an instance of Web Server or Application Server that is not owned by the superuser (root), you must install Access Manager in a separate installation session from Directory Server and Web Server or Application Server.
The general steps for creating this installation sequence include the following:
Session 1, Host A: Installing Directory Server
Session 2, Host B: Installing Web Server
Session 3, Host B: Installing Access Manager
If you have already deployed Access Manager in a root-owned instance of Web Server or Application Server, uninstall any copy of Access Manager before following the procedure in this section.
The following high-level tasks are required for Session 1 (installing Directory Server on Host A):
Checking the installation sequence guidelines
Check to see what guidelines apply to this example and make adjustments as needed.
Checking the installation prerequisites
Check to see what tasks you might need to perform for this installation before starting.
Installing Directory Server using the Configure Now type
In the Common Server Settings page, enter the non-root user for System User and non-root group for System Group.
Select port numbers for Directory Server that are higher than 1024 (389 for instance LDAP port and 636 for instance SSL LDAP port).
As the non-root user, starting Directory Server (all processes must be owned by the non-root user)
The following high-level tasks are required for Session 2 (installing Web Server on Host B):
Checking the installation sequence guidelines
Check to see what guidelines apply to this example and make adjustments as needed.
Checking the installation prerequisites
Check to see what tasks you might need to perform for this installation before starting.
Installing Web Server using the Configure Now type
In the Common Server Settings page, enter the non-root user for System User and non-root group for System Group.
In the Directory Server Instance Creation page, set System User and System Group to non-root user and group.
In the Web Server: Administration page, change the Administration Runtime User ID to the non-root user.
In the Web Server: Default Web Server Instance page:
Change the Runtime UNIX User ID to the non-root user.
Select a value for HTTP Port that is higher than 1024.
As the non-root user, starting the Web Server administration instance and Web Server instance
All processes should be owned by the non-root users.
The following high-level tasks are required for Session 3 (installing Access Manager on Host B):
Installing Access Manager using the Configure Later type
Changing ownership of the following directories from root/other to the non-root user/non-root group:
These shared component directories must be changed because they are configured into the web container classpath by the Access Manager configuration program. All processes should be owned by the non-root users.
Solaris OS: /opt/SUNWma and /etc/opt/SUNWma
Linux: /opt/sun/mobileaccess and /etc/opt/sun/mobileaccess
chown -R nonroot-user:nonroot-group /opt/SUNWma /etc/opt/SUNWma
Deploying Access Manager
./amconfig -s ./am.non_root_install
As the non-root user, stopping the Web Server admin instance and Web Server instance
As root, changing the ownership of the Web Server installation directory
chown -R <non-root-user>:<non-root-group> WebServer-base
As the non-root user, starting the Web Server admin instance and Web Server instance
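The following checks are an added example, not part of the original guide or of Sun's tooling. They verify the two least-privilege outcomes of this procedure: that the runtime user's defaultpriv entry grants net_privaddr and nothing beyond basic, and that no path in a chown'ed tree is still owned by another user or group. The function names are hypothetical, the user_attr file path is passed in by the caller, and the demo data is constructed.

```shell
#!/bin/sh
# Added example: checks for the non-root setup. File paths, user and group
# names are passed in by the caller; nothing here is Sun's own tooling.

# Print the defaultpriv value recorded for user $1 in user_attr file $2.
# user_attr(4) layout: user:qualifier:res1:res2:key=value;key=value
defaultpriv_of() {
    awk -F: -v u="$1" '
        /^#/ { next }
        $1 == u {
            n = split($5, attrs, ";")
            for (i = 1; i <= n; i++)
                if (attrs[i] ~ /^defaultpriv=/) {
                    sub(/^defaultpriv=/, "", attrs[i])
                    print attrs[i]
                }
        }' "$2"
}

# Succeed if user $1 holds net_privaddr, the privilege needed for ports < 1024.
can_bind_low_ports() {
    case ",$(defaultpriv_of "$1" "$2")," in
        *,net_privaddr,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print privileges beyond the basic,net_privaddr set used on this page.
extra_privs() {
    defaultpriv_of "$1" "$2" | tr ',' '\n' | grep -v -x -e basic -e net_privaddr || :
}

# Print every path under the given trees not owned by user $1 and group $2.
not_owned_by() {
    owner=$1; grp=$2; shift 2
    find "$@" \( ! -user "$owner" -o ! -group "$grp" \) -print
}

# Demo on a constructed user_attr file (on Solaris 10, pass /etc/user_attr).
demo=$(mktemp)
printf '%s\n' 'webservd::::defaultpriv=basic,net_privaddr' > "$demo"
can_bind_low_ports webservd "$demo" && echo "webservd may bind ports below 1024"
[ -z "$(extra_privs webservd "$demo")" ] && echo "no privileges beyond basic,net_privaddr"
rm -f "$demo"
```

After the chown steps, running not_owned_by nonroot-user nonroot-group /opt/SUNWma /etc/opt/SUNWma should print nothing; any path it prints is still owned by another user or group.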