Symantec Access Management

  • 1.  SPS installed as root

    Posted Mar 14, 2019 09:57 AM

    We have installed CA Access Gateway 12.52 SP1 using the root user account

    Now, we would like to switch to a user with less privileges. Is it possible and what are the tasks to be completed to avoid issues?

     

    KR,

    Gabriele



  • 2.  Re: SPS installed as root
    Best Answer

    Posted Apr 05, 2019 04:59 PM

    Hi Gabriele,

     

    Any reason why you aren't using r12.8 SP2, since r12.52 already reached EOL in Feb 2019?

     

    Anyway, here's what I would do. Let's say smuser is to be used instead of root and the install location is /opt/CA.

     

    Make sure the proxy services and any LLAWP processes are stopped.

     

    Create the "smuser" account with ksh as its default shell.

     

    I added the following to the bottom of /home/smuser/.kshrc

     

    # User specific aliases and functions

    ulimit -n 40000
    ulimit -u 40000
    unset LANG

    export JAVA_HOME=/opt/java/jdk1.x.x   # adjust to your Java version
    export PATH=$JAVA_HOME/bin:$PATH

    cd /opt/CA/secure-proxy
    . ./ca_sps_env.sh

     

    Change the ownership of everything in the registry folder (default is /opt/etc/CA):

    chown -R smuser:smuser /opt/etc

     

    Change the ownership of everything in the secure-proxy home folder:

    chown -R smuser:smuser /opt/CA

     

    If you use port numbers lower than 1024, you need to allow the non-root user to bind the process to those low ports (e.g. 80 and 443). The command below needs to be run as the root user or as a user with sudo rights to the setcap command.

    /usr/sbin/setcap CAP_NET_BIND_SERVICE=+eip /opt/CA/secure-proxy/httpd/bin/httpd

     

    ---Edit---

    The above command needs to be done every time you do a version upgrade where there's a change in the httpd binary. So I usually ask the system admin to allow sudo rights to my non-root user to run this command whenever we do the quarterly patch.

    ---End Edit---

     

    Log out and log in as smuser.

     

    Start the access gateway.

     

    If there are any complaints about missing .so.1 kind of files, use the root user to just copy those "missing" library files from the secure-proxy proxy_engine lib folder to the /lib folder and run ldconfig.

     

    Best Regards,

    Zen



  • 3.  Re: SPS installed as root

    Broadcom Employee
    Posted Apr 06, 2019 12:02 AM

    Hi Zen_Leow - that is a very good recipe for doing this change!!

    (In particular the use of setcap - it is good to see that proven. I had been aware that setcap could be used this way and would help with running httpd as non-root, but since then I had not been in a situation where I needed a non-root install. Generally the prior recommendations I saw were to set the httpd port > 1024 and use iptables to forward 80 and 443 to the new ports - but setcap is the better solution.)

     

     

    When running you might want to consider setting the various limits in:

         /etc/security/limits.conf

    for the runtime user, so at runtime. It's been a while, but something like:

       smuser hard nproc 40000

       smuser soft nproc 40000

       smuser hard nofile 40000

       smuser soft nofile 40000

     

    should be similar to:

       ulimit -n 40000
       ulimit -u 40000

     

     

    I seem to remember some problems with the user not being able to set their own limits above some value (maybe the soft limit for the user?).

     

    Cheers - Mark
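A post-migration check script for the steps in the two replies above (ownership handed to the service user, the setcap on httpd, and the limits.conf entries), added here as an example and not part of the thread or of CA Access Gateway. It assumes the thread's defaults (user smuser, /opt/CA, /opt/etc, the httpd path from the setcap step) and that getcap is installed; the limits check parses limits.conf the way pam_limits reads it, so item names must be exactly nofile and nproc.

```shell
#!/bin/sh
# Post-migration checks for an Access Gateway moved from root to a service
# account (hypothetical helper, not shipped with CA Access Gateway). Defaults
# follow the thread: smuser, /opt/CA, /opt/etc, /opt/CA/secure-proxy/httpd/bin/httpd.
# check_owner DIR UID: list anything under DIR not owned by UID; fail if any.
check_owner() {
    [ -e "$1" ] || { echo "missing: $1"; return 1; }
    bad=$(find "$1" ! -uid "$2" 2>/dev/null)
    [ -z "$bad" ] || { printf 'not owned by uid %s:\n%s\n' "$2" "$bad"; return 1; }
}

# check_bind_cap BINARY: 0 if the binary carries cap_net_bind_service (the
# setcap step, which has to be redone after any upgrade that replaces httpd),
# 1 if it does not, 2 if getcap is not installed here.
check_bind_cap() {
    command -v getcap >/dev/null 2>&1 || return 2
    getcap "$1" 2>/dev/null | grep -q 'cap_net_bind_service' || return 1
}

# check_limits_conf FILE USER MIN: 0 only if FILE grants USER soft and hard
# nofile and nproc of at least MIN (or unlimited). The item must be spelled
# exactly "nofile"; pam_limits ignores unknown items such as "nofiles".
check_limits_conf() {
    awk -v u="$2" -v min="$3" '
        BEGIN { rc = 0 }
        /^[[:space:]]*#/ || NF < 4 { next }
        $1 == u && ($3 == "nofile" || $3 == "nproc") {
            if ($2 == "-") { seen[$3 " soft"] = $4; seen[$3 " hard"] = $4 }
            else seen[$3 " " $2] = $4
        }
        END {
            n = split("nofile soft,nofile hard,nproc soft,nproc hard", want, ",")
            for (i = 1; i <= n; i++) {
                v = (want[i] in seen) ? seen[want[i]] : "0"
                if (v != "unlimited" && v + 0 < min) {
                    print "missing or too low: " want[i]; rc = 1
                }
            }
            exit rc
        }' "$1"
}

# Run every check with the thread's defaults: sh check_sps_user.sh run
if [ "${1:-}" = "run" ]; then
    uid=$(id -u smuser) || exit 1
    check_owner /opt/CA "$uid"; check_owner /opt/etc "$uid"
    check_bind_cap /opt/CA/secure-proxy/httpd/bin/httpd
    check_limits_conf /etc/security/limits.conf smuser 40000
fi
```

Each check prints what is wrong and returns non-zero, so the script can be run from the same sudo-enabled account that re-applies setcap after a quarterly patch.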

     



  • 4.  Re: SPS installed as root

    Posted Apr 06, 2019 09:45 AM

    Hi Mark,

     

    You are right about the ulimits centralized file to control all users' limits. In fact, your method is better because mine is only relevant for systems that have unlimited set as the default.

     

    As for setcap, I forgot to mention it has to be done whenever there's an upgrade that changes the httpd binary. Will edit the post with this info.

     

    regards,

    Zen