
iPlanet Portal Server 3.0 Service Pack 5 Installation Guide

Chapter 7

User Nobody

This chapter describes how to configure user nobody on an iPlanet Portal Server server. In the following examples the server and gateway are installed on the same system; if the gateway is installed on a separate system, perform the same steps on that system.

Specifying nobody as the owner of the iPlanet Portal Server files is a special case: the password field of nobody holds a value that no password can produce, so nobody cannot log in. Root must therefore be used to manipulate and execute the files that nobody owns.

When the iPlanet Portal Server server is to run as nobody, the server can be configured to listen on port 8080, the default web server port. The LDAP server can also run on the default port 389, and the gateway on the default SSL port 443.


Note

The Netfile and Netfile Lite applications cannot use the NFS protocol when running as nobody.



Note

Authentication helpers must be run as root.

When the server component is started or restarted, it must be done as root.
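The two notes above define who should own which process once the configuration is complete: the directory server, web server, proxies and gateway run as nobody, while the authentication helpers (the names listed under ips.daemons in platform.conf) run as root. The following POSIX shell script is an added check, not part of this guide, that compares that expectation against "USER COMMAND" lines of the shape produced by ps -eo user,comm. The process names in the case statement are assumptions taken from the daemon and script names used in this chapter (ns-slapd, ns-httpd, ipshttpd, ipsnetletd, ipsgateway and the *Helper names); verify what ps reports on your host and adjust them. The sample ps output is constructed.

```shell
#!/bin/sh
# Added example, not part of the iPlanet Portal Server guide.
# Checks that each portal process runs as the user this chapter expects.

# expected_user COMMAND : prints the user COMMAND should run as, or
# nothing if COMMAND is not one of the processes we care about.
# Process names are assumptions taken from the script and daemon names
# in this chapter; adjust them to what ps shows on the host.
expected_user() {
    case "$1" in
        ns-slapd|ns-httpd|ipshttpd|ipsnetletd|ipsgateway) echo nobody ;;
        securidHelper|radiusHelper|safewordHelper|unixHelper|skeyHelper) echo root ;;
        *) echo "" ;;
    esac
}

# check_process_users : reads "USER COMMAND" lines (the shape of
# `ps -eo user,comm`) from stdin, prints one line per mismatch and
# returns 1 if any mismatch was found, 0 otherwise.
check_process_users() {
    bad=0
    while read -r user comm rest; do
        [ -z "$comm" ] && continue
        want=$(expected_user "$(basename "$comm")")
        [ -z "$want" ] && continue
        if [ "$user" != "$want" ]; then
            echo "MISMATCH: $comm runs as $user, expected $want"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample, not real ps output: the HTTP proxy was left running
# as root and the RADIUS helper was wrongly switched to nobody.
sample_ps_output() {
    cat <<'EOF'
USER     COMMAND
nobody   ns-slapd
nobody   ns-httpd
root     ipshttpd
nobody   ipsnetletd
root     unixHelper
nobody   radiusHelper
root     sshd
EOF
}

# Live usage on the portal host:  ps -eo user,comm | check_process_users
if [ "${1:-}" = "demo" ]; then
    sample_ps_output | check_process_users
fi
```

Run it against live output with ps -eo user,comm | check_process_users after the server has been started as root; a non-zero exit means at least one process is running as the wrong user.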


If user nobody was installed in a previous version, and is being upgraded to Service Pack 5, see the "Upgrading User Nobody to Service Pack 5" section.

The following information is included in this procedure:


Installation Examples

When installing the iPlanet Portal Server server, select a non-default install. The following procedures are installation examples for both the server and the gateway components.

Installing iPlanet Portal Server 3.0 Server

See the original iPlanet Portal Server Installation Guide 3.0 for more information on installing the iPlanet Portal Server server component.


Tip

Non-default entries are shown in bold text.


# ./ipsinstall

****************************************************************

iPlanet(TM) Portal Server (iPS) (3.0sp5 release)

****************************************************************

Installation log at /var/sadm/install/logs/ipsinstall.18655/install.log

This product will run without a license. However, you must either purchase a Binary Code License from, or accept the terms of a Binary Software Evaluation license with, Sun Microsystems, to legally use this product.

Do you accept? yes/[no] yes

Inspecting system.

Inspecting network.

What is the iPS hostname of this machine? [server1]

What is the subdomain ("." for none)? []

What is the domain? [sesta.com]

What is the ip address of server1.sesta.com? [192.168.01.01]

Inspecting iPS components.

Preparing to install.

Select which component to install:

1) iPlanet(TM) Portal Server

2) iPlanet(TM) Portal Server: Secure Remote Access Pack (Gateway)

3) Exit

Choice? [3] 1

What directory to install in? [/opt]

Will this be an open portal install? y/[n]

Are the servers using SSL protocol? y/[n]

Is this a multiple server install? y/[n]

The primary server will run on server1.sesta.com

On what port will the primary server run? [8080]

What is the root of the profile role tree? [sesta.com]

What is the user for the profile role tree? [root]

On what port will the directory server run? [389]

On what port will the gateways run? [443]

Is this a multiple gateway install? y/[n]

On what hostname will the gateway run? [MyGateway] server1

What is the sub-domain name for server1 ("." for none)? []

What is the domain name for server1? [sesta.com]

Should the gateway(s) use a web proxy? y/[n]

What is the administrator port for the web server? [8088]

A passphrase is needed to manage and install certificates on the gateway

and the server, in the configuration of the web and LDAP servers and to

allow secure communication between the gateways and servers. The passphrase

must match between gateway and server installations.

What is the passphrase (8 chars minimum) :

Re-enter passphrase :

Start after installation completes? [y]/n

Server settings

Installation Directory : /opt

Server List : http://server1.sesta.com:8080

Gateway List : server1.sesta.com:443

Profile Server : http://server1.sesta.com:8080

Profile Role Tree Root : sesta.com

Profile Role Tree User : root

LDAP Port : 389

LDAP Admin Port : 8900

Web Server Admin Port : 8088

Start Server : y

Are these settings correct? [y]/n

Installing server.

Installing SUNWwtsdd...

Installing SUNWwtws...

Installing SUNWwtsvd...

Installing SUNWwtdt...

Installing SUNWwtnm...

Installing SUNWwtnf...

Installing SUNWwtrw...

Installing SUNWwtdoc...

Installing SUNWwtsam...

Installing SUNWwtds...

Starting server.

Installing iPlanet Portal Server 3.0 Gateway

See the original iPlanet Portal Server Installation Guide 3.0 for more information on installing the iPlanet Portal Server gateway.


Tip

Non-default entries are shown in bold text.


Select which component to install:

1) iPlanet(TM) Portal Server

2) iPlanet(TM) Portal Server: Secure Remote Access Pack (Gateway)

3) Exit

Choice? [3] 2

Is the primary server using SSL protocol? y/[n]

Should the local machine be the primary server? [y]/n

The primary server will run on server1.sesta.com

What is the port for the primary server? [8080]

What is the root of the profile role tree? [sesta.com]

What is the user for the root of the profile role tree? [root]

On what hostname will the gateway run? [server1]

What is the sub-domain name for server1 ("." for none)? []

What is the domain name for server1? [sesta.com]

On what port will the gateway run? [443]

Does this gateway have multiple network interfaces? y/[n]

Install firewall? y/[n]

A passphrase is needed to manage and install certificates on the gateway

and the server, in the configuration of the web and LDAP servers and to

allow secure communication between the gateways and servers. The passphrase

must match between gateway and server installations.

What is the passphrase (8 chars minimum) :

Re-enter passphrase :

Start after installation completes? [y]/n

Gateway settings

Installation Directory : /opt

Role Tree Root : sesta.com

Gateway : server1.sesta.com:443

Gateway IP Address : 192.168.01.03

Profile Server : http://server1.sesta.com:8080

Profile Role Tree Root : sesta.com

Profile Role Tree User : root

Install Firewall : n

Start Gateway : y

Are these settings correct? [y]/n

Self-signed certificate for a SSL connection.

What is the name of your organization? [MyCompany] sesta

What is the name of your organizational unit? [MyDivision] florizel

What is the name of your city or locality? [MyCity] santa clara

What is the name of your state or province? [MyState] california

What is the two-letter country code? [us]

Installing gateway.

Installing SUNWwtgwd...

Starting gateway.


Configuring User Nobody on the Server

Perform all steps as root, except as noted.


Note

Install the Service Pack 5 server, gateway, and the third-party products before starting the procedure described below. Failure to do this will result in having to redo some of the install steps.


See the "Clean Installation" chapter for more information on installing Service Pack 5.

After installing the iPlanet Portal Server software do the following:

  1. As root, in a terminal window, do the following:

    # chmod 666 /dev/random

  2. Still as root, in a terminal window, change the owner:

    # chown -R nobody:nobody /opt/netscape
    # chown -R nobody:nobody /opt/SUNWips
    # chown -R nobody:nobody /etc/opt/SUNWips
    # chown -R nobody:nobody /var/opt/SUNWips

  3. Stop all services for the iPlanet Portal Server server and gateway.

    Note

    See "Stopping the Server Component Processes" for information on how to correctly perform these functions.

  4. Edit the following file to change the localuser to nobody, as shown in bold text:

    /opt/netscape/directory4/slapd-servername/config/slapd.conf

    ########################################################################
    # /opt/netscape/directory4/slapd-server1/config/slapd.conf
    # Netscape Directory Server global configuration file
    # Do not modify this file while ns-slapd is running
    ########################################################################
    instancedir "/opt/netscape/directory4/slapd-server1"
    errorlog "/opt/netscape/directory4/slapd-server1/logs/errors"
    errorlog-logging-enabled on
    plugin syntax on "Telephone Syntax" "/opt/netscape/directory4/lib/syntax-plugin.so" tel_init
    plugin matchingRule on "Internationalization Plugin" "/opt/netscape/directory4/lib/liblcoll.so" orderingRule_init "/opt/netscape/directory4/slapd-server1/config/slapd-collations.conf"
    plugin syntax on "Integer Syntax" "/opt/netscape/directory4/lib/syntax-plugin.so" int_init
    plugin syntax on "Distinguished Name Syntax" "/opt/netscape/directory4/lib/syntax-plugin.so" dn_init
    plugin syntax on "Case Ignore String Syntax" "/opt/netscape/directory4/lib/syntax-plugin.so" cis_init
    plugin syntax on "Case Exact String Syntax" "/opt/netscape/directory4/lib/syntax-plugin.so" ces_init
    plugin syntax on "Binary Syntax" "/opt/netscape/directory4/lib/syntax-plugin.so" bin_init
    return_exact_case on
    include "/opt/netscape/directory4/slapd-server1/config/slapd.at.conf"
    include "/opt/netscape/directory4/slapd-server1/config/slapd.oc.conf"
    include "/opt/netscape/directory4/slapd-server1/config/ns-schema.conf"
    readonly off
    timelimit 3600
    sizelimit 2000
    lastmod on
    idletimeout 0
    ntsynch off
    ntsynch-port 5009
    ntsynchusessl on
    port 389
    secure-port 636
    maxdescriptors 1024
    schemacheck off
    enquote_sup_oc on
    security off
    localuser nobody
    userat "/opt/netscape/directory4/slapd-server1/config/slapd.user_at.conf"
    useroc "/opt/netscape/directory4/slapd-server1/config/slapd.user_oc.conf"
    accesslog "/opt/netscape/directory4/slapd-server1/logs/access"

  5. Edit the following files to change the User to nobody, as shown in bold text:

    1. If the LDAP Server process is also to run as a user other than root, edit the following file to change the configuration.nsSuiteSpotUser to nobody, as shown in bold text:

      /opt/netscape/directory4/admin-serv/config/local.conf

      nsServerID: admin-serv
      userPassword: {SHA}/mZi7HWjvvYwFqgGkIRTOg79/Cc=
      serverRoot: /opt/netscape/directory4
      serverProductName: Administration Server
      serverHostName: server1.sesta.com
      uniqueMember: cn=admin-serv-server1, cn=Netscape Administration Server, cn=Server Group, cn=server1.sesta.com, ou=sesta.com, o=NetscapeRoot
      installationTimeStamp: 20000914220659Z
      configuration.nsServerPort: 8900
      configuration.nsSuiteSpotUser: nobody
      configuration.nsServerAddress: 192.168.178.52
      configuration.nsAdminEnableEnduser: on
      configuration.nsAdminEnableDSGW: on
      configuration.nsDirectoryInfoRef: cn=Server Group, cn=server1.sesta.com, ou=sesta.com, o=NetscapeRoot
      configuration.nsAdminUsers: admin-serv/config/admpw
      configuration.nsErrorLog: admin-serv/logs/error
      configuration.nsPidLog: admin-serv/logs/pid
      configuration.nsAccessLog: admin-serv/logs/access
      configuration.nsAdminCacheLifetime: 600
      configuration.nsAdminAccessHosts: *.sesta.com
      configuration.nsAdminAccessAddresses: 192.168.178.52
      configuration.nsAdminOneACLDir: adminacl
      configuration.nsDefaultAcceptLanguage: en
      configuration.nsClassname: com.netscape.management.admserv.AdminServer@admserv42.jar@cn=admin-serv-server1, cn=Netscape Administration Server, cn=Server Group, cn=server1.sesta.com, ou=sesta.com, o=NetscapeRoot

    2. To set the http and netlet proxies on the server to run as nobody, edit the /etc/opt/SUNWips/platform.conf file, as shown in bold text:

      ips.httpproxy.user=nobody
      ips.netletproxy.user=nobody

      Note

      Instructions for configuring the Netlet Proxy are found in the Release Notes for the iPlanet Portal Server.

      Instructions for "Configuring Restart of the HTTP Proxy" are found in this document.

      # Copyright 03/22/03 Sun Microsystems, Inc. All Rights Reserved.
      # "@(#)platform.conf 1.29 03/03/22 Sun Microsystems"
      #
      ips.defaultDomain=sesta.com
      ips.server.protocol=http
      ips.server.host=server1.sesta.com
      ips.server.port=8080
      ips.profile.host=server1.sesta.com
      ips.gateway.protocol=https
      ips.gateway.host=server1.sesta.com
      ips.gateway.port=443
      ips.virtualhost=server1.sesta.com 192.168.01.01
      ips.naming.url=http://server1.sesta.com:8080/namingservice
      ips.notification.url=http://server1.sesta.com:8080/notificationservice
      ips.daemons=securid radius safeword unix skey
      securidHelper.port=8943
      radiusHelper.port=8944
      safewordHelper.port=8945
      unixHelper.port=8946
      skeyHelper.port=8947
      ips.httpproxy.user=nobody
      ips.netletproxy.user=nobody
      ips.cookie.name=iPlanetPortalServer
      ips.locale=en_US
      ips.debug=error
      ips.version=3.0
      ips.basedir=/opt
      ips.logdelimiter=&&

    3. Restart the iPlanet Portal Server HTTP and Netlet proxies. From a terminal window, as root, do the following:

      # /opt/SUNWips/bin/ipshttpd stop
      # /opt/SUNWips/bin/ipsnetletd stop
      # /opt/SUNWips/bin/ipshttpd start
      # /opt/SUNWips/bin/ipsnetletd start


Configuring User Nobody on the Gateway

The following steps are for configuring user nobody on the gateway, when the gateway is not installed on the same system as the server.


Note

Install the Service Pack 5 server, gateway, and the third-party products before starting the procedure described below. Failure to do this will result in having to redo some of the install steps.



Note

When the gateway component is started or restarted, it must be done as root.


See the "Clean Installation" chapter for more information on installing Service Pack 5.

After installing the iPlanet Portal Server software do the following on the gateway:

  1. As root, in a terminal window, do the following:

    # chmod 666 /dev/random
    # chown -R nobody:nobody /etc/opt/SUNWips
    # chown -R nobody:nobody /var/opt/SUNWips
    # chown -R nobody:nobody /opt/SUNWips

  2. Edit the /etc/opt/SUNWips/platform.conf file, as shown in bold text:

    ips.gateway.user=nobody

    # Copyright 03/22/03 Sun Microsystems, Inc. All Rights Reserved.
    # "@(#)platform.conf 1.29 03/03/22 Sun Microsystems"
    #
    ips.defaultDomain=sesta.com
    ips.server.protocol=http
    ips.server.host=server1.sesta.com
    ips.server.port=8080
    ips.profile.host=server1.sesta.com
    ips.gateway.protocol=https
    ips.gateway.host=server1.sesta.com
    ips.gateway.port=443
    ips.virtualhost=server1.sesta.com 192.168.01.01
    ips.naming.url=http://server1.sesta.com:8080/namingservice
    ips.notification.url=http://server1.sesta.com:8080/notificationservice
    ips.daemons=securid radius safeword unix skey
    securidHelper.port=8943
    radiusHelper.port=8944
    safewordHelper.port=8945
    unixHelper.port=8946
    skeyHelper.port=8947
    ips.gateway.user=nobody
    ips.cookie.name=iPlanetPortalServer
    ips.locale=en_US
    ips.debug=error
    ips.version=3.0
    ips.basedir=/opt
    ips.logdelimiter=&&

When the gateway is configured as user nobody, do the following to work around an invalid session condition when the gateway restarts (mode 4555 sets the set-user-ID bit on the script, so it runs with the privileges of its owner):

# chmod 4555 /etc/init.d/ipsgateway


Special Case Configurations

When the iPlanet Portal Server server and gateway are installed on the same system, both the server and gateway must be configured to run as user nobody.


Caution

If you have configured a system to run as user nobody and later add other packages with the installer, check the ownership of the Portal Server directories to make sure they are still owned by user nobody.
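The check this caution asks for is simple to script. The following POSIX shell function is an added example, not part of the Sun guide: it walks the four directories that the server and gateway procedures chown and lists anything whose owner or group is not nobody:nobody, so an ownership regression after a later package installation is caught before the server is started. The function names and exit codes are my own; the directory list is the one this chapter uses.

```shell
#!/bin/sh
# Added example, not part of the iPlanet Portal Server guide.
#
# audit_ownership OWNER GROUP DIR...
#   Lists (ls -ld) every file or directory under each DIR whose owner is
#   not OWNER or whose group is not GROUP.
#   Returns 0 when everything matches, 1 when mismatches were found and
#   2 when a DIR does not exist (reported on stderr).
audit_ownership() {
    owner=$1
    group=$2
    shift 2
    status=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "audit_ownership: missing directory: $dir" >&2
            status=2
            continue
        fi
        # POSIX find: report an entry when its owner OR its group differs.
        offenders=$(find "$dir" \( ! -user "$owner" -o ! -group "$group" \) -exec ls -ld {} \;)
        if [ -n "$offenders" ]; then
            printf '%s\n' "$offenders"
            if [ "$status" -eq 0 ]; then
                status=1
            fi
        fi
    done
    return "$status"
}

# audit_portal_ownership : the four directories this chapter chowns to
# nobody:nobody on the server (the gateway uses the same list minus
# /opt/netscape).
audit_portal_ownership() {
    audit_ownership nobody nobody /opt/netscape /opt/SUNWips /etc/opt/SUNWips /var/opt/SUNWips
}
```

Run audit_portal_ownership as root after any installer run; an empty report and exit status 0 mean the ownership set in the configuration procedure is intact.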



Upgrading User Nobody to Service Pack 5

Upgrading an installation that uses user nobody from a previous version of the iPlanet Portal Server product to Service Pack 5 requires that all the user names be reset to root for the upgrade to work. Once Service Pack 5 has been installed, the server and gateway must be reconfigured to run as nobody. Failure to do all these steps may result in loss of data.

The following list is a brief summary of the steps required to upgrade to Service Pack 5:

  1. Stop all services for the iPlanet Portal Server server and gateway.

    Note

    See "Stopping the Server Component Processes" for information on how to correctly perform these functions.

  2. If the gateway is installed and running as nobody, edit the gateway /etc/opt/SUNWips/platform.conf file, as shown in bold text:

  3. Edit the following file to change the configuration.nsSuiteSpotUser to root, as shown in bold text:

    /opt/netscape/directory4/admin-serv/config/local.conf

    nsServerID: admin-serv
    userPassword: {SHA}/mZi7HWjvvYwFqgGkIRTOg79/Cc=
    serverRoot: /opt/netscape/directory4
    serverProductName: Administration Server
    serverHostName: server1.sesta.com
    uniqueMember: cn=admin-serv-server1, cn=Netscape Administration Server, cn=Server Group, cn=server1.sesta.com, ou=sesta.com, o=NetscapeRoot
    installationTimeStamp: 20000914220659Z
    configuration.nsServerPort: 8900
    configuration.nsSuiteSpotUser: root
    configuration.nsServerAddress: 192.168.178.52
    configuration.nsAdminEnableEnduser: on
    configuration.nsAdminEnableDSGW: on

  4. In a terminal window:

    # chown -R root:root /etc/opt/SUNWips
    # chown -R root:root /var/opt/SUNWips
    # chown -R root:root /opt/netscape
    # chown -R root:root /opt/SUNWips

  5. Edit the following files:

    /opt/netscape/server4/http-servername/config/magnus.conf
    /opt/netscape/server4/https-admserv/config/magnus.conf

    Change User nobody to User root, as shown in bold text.

    ServerID https-server1.sesta.com
    ServerName server1.sesta.com
    Port 8080
    LoadObjects obj.conf
    RootObject default
    ErrorLog /opt/netscape/server4/https-server1.sesta.com/logs/errors
    PidLog /opt/netscape/server4/https-server1.sesta.com/logs/pid
    User root
    MtaHost localhost
    DNS off
    Security off

  6. Edit the following file to change the localuser to root, as shown in bold text:

    /opt/netscape/directory4/slapd-servername/config/slapd.conf

    return_exact_case on
    include "/opt/netscape/directory4/slapd-server1/config/slapd.at.conf"
    include "/opt/netscape/directory4/slapd-server1/config/slapd.oc.conf"
    include "/opt/netscape/directory4/slapd-server1/config/ns-schema.conf"
    readonly off
    timelimit 3600
    sizelimit 2000
    lastmod on
    idletimeout 0
    ntsynch off
    ntsynch-port 5009
    ntsynchusessl on
    port 389
    secure-port 636
    maxdescriptors 1024
    schemacheck off
    enquote_sup_oc on
    security off
    localuser root
    userat "/opt/netscape/directory4/slapd-server1/config/slapd.user_at.conf"
    useroc "/opt/netscape/directory4/slapd-server1/config/slapd.user_oc.conf"
    accesslog "/opt/netscape/directory4/slapd-server1/logs/access"

  7. Install the Service Pack 5 upgrade. See "Upgrading to Service Pack 5" for the iPlanet Portal Server.

  8. Reconfigure both the server and gateway to run as nobody. See the "Configuring User Nobody on the Server" and "Configuring User Nobody on the Gateway" sections.

  9. Restore all backed up data, create all server instances, and all special configurations.





Copyright 2003 Sun Microsystems, Inc. All rights reserved.