We have installed CA Access Gateway 12.52 SP1 using the root user account
Now, we would like to switch to a user with less privileges. Is it possible and what are the tasks to be completed to avoid issues?
Any reason why you aren't using r12.8 SP2, since r12.52 already reached EOL in Feb 2019?
Anyway, here's what I would do. Let's say smuser is to be used instead of root and the install location is /opt/CA.
Make sure the proxy services and any LLAWP processes are stopped.
Create the "smuser" account with ksh as its default shell.
I added the following to the bottom of /home/smuser/.kshrc:
# User specific aliases and functions
ulimit -n 40000
ulimit -u 40000
unset LANG
export JAVA_HOME=/opt/java/jdk1.x.x   # depending on your java version
export PATH=$JAVA_HOME/bin:$PATH
cd /opt/CA/secure-proxy
. ./ca_sps_env.sh
Change the ownership of everything in the registry folder (default is /opt/etc/CA):
chown -R smuser:smuser /opt/etc
Change the ownership of everything in the secure-proxy home folder:
chown -R smuser:smuser /opt/CA
If you use port numbers lower than 1024 (e.g. 80 and 443), you need to allow the non-root user to bind the process to those low ports. The command below needs to be run as the root user or a user with sudo rights to the setcap command.
/usr/sbin/setcap CAP_NET_BIND_SERVICE=+eip /opt/CA/secure-proxy/httpd/bin/httpd
The above command needs to be done every time you do a version upgrade where there's a change in the httpd binary. So I usually ask the system admin to allow sudo rights to my non-root user to run this command whenever we do the quarterly patch.
Log out and log in as smuser.
Start Access Gateway.
If there's any complaint about missing .so.1 kinda files, use the root user to just copy those "missing" library files from the secure-proxy proxy_engine lib folder to the /lib folder and do ldconfig.
Hi Zen_Leow - that is a very good recipe for doing this change!!
(In particular the use of setcap - it is good to see that proven. I had been aware that setcap could be used this way, and would help with running httpd as non-root, but since then had not been in a situation where I needed a non-root install. Generally the prior recommendations I saw were to set the httpd port > 1024 and use iptables to forward 80 and 443 to the new ports - but setcap is the better solution.)
When running, you might want to consider setting the various limits in :
For the runtime user, so at runtime. It's been a while, but something like :
smuser hard nproc 40000
smuser soft nproc 40000
smuser hard nofile 40000
smuser soft nofile 40000
should be similar to :
ulimit -n 40000
ulimit -u 40000
I seem to remember some problems with the user not being able to set their own limits above some value (maybe the soft limit for the user?).
Cheers - Mark
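The steps in Zen_Leow's recipe (ownership of /opt/CA and /opt/etc/CA, setcap on httpd for ports below 1024, the 40000 file and process limits) and the per-user limits Mark describes, folded into one post-migration check script. This is an added example, not code from either poster or from CA: the user name smuser, the /opt/CA and /opt/etc/CA paths and the httpd binary path are assumptions taken from the thread and can be overridden through environment variables, and the per-user limits lines are emitted in the /etc/security/limits.conf format that Mark's snippet uses (naming that file is my inference, not something the thread states).

```shell
#!/bin/sh
# Post-migration checks for a CA Access Gateway (secure-proxy) handed from
# root to a low-privilege service account, following the steps in the thread.
# Added example, not part of the original posts or of the product.
# Assumed names (override via environment): SPS_USER, SPS_HOME, SPS_REG,
# HTTPD_BIN; the defaults mirror the values used in the thread.

SPS_USER="${SPS_USER:-smuser}"
SPS_HOME="${SPS_HOME:-/opt/CA}"
SPS_REG="${SPS_REG:-/opt/etc/CA}"
HTTPD_BIN="${HTTPD_BIN:-$SPS_HOME/secure-proxy/httpd/bin/httpd}"

# Return 0 if any listed listener port is privileged (< 1024): the httpd
# binary then needs cap_net_bind_service, or the port has to move above 1024.
# Returns 2 on a malformed port.
needs_bind_capability() {
    for p in "$@"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 2 ;; esac
        if [ "$p" -lt 1024 ]; then return 0; fi
    done
    return 1
}

# Return 0 if every file under $1 is owned by $2 (name or uid), 1 if stray
# files remain (printed so they can be chown'ed), 2 on bad input.
tree_owned_by() {
    dir="$1"; owner="$2"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    strays=$(find "$dir" ! -user "$owner") || return 2
    if [ -n "$strays" ]; then
        printf 'not owned by %s under %s:\n%s\n' "$owner" "$dir" "$strays" >&2
        return 1
    fi
    return 0
}

# Return 0 if the httpd binary carries cap_net_bind_service (what the setcap
# step grants), 1 if it does not, 2 if it cannot be checked here.
httpd_has_bind_capability() {
    bin="${1:-$HTTPD_BIN}"
    [ -f "$bin" ] || { echo "missing binary: $bin" >&2; return 2; }
    command -v getcap >/dev/null 2>&1 || { echo "getcap not found" >&2; return 2; }
    getcap "$bin" 2>/dev/null | grep -q cap_net_bind_service
}

# Compare a ulimit value against a required minimum; "unlimited" always passes.
limit_at_least() {
    val="$1"; want="$2"
    [ "$val" = unlimited ] && return 0
    case "$val" in ''|*[!0-9]*) return 2 ;; esac
    [ "$val" -ge "$want" ]
}

# Check the calling shell's open-file and process limits (the thread's 40000).
runtime_limits_ok() {
    want="${1:-40000}"
    limit_at_least "$(ulimit -n)" "$want" &&
        limit_at_least "$(ulimit -u 2>/dev/null || echo unlimited)" "$want"
}

# Emit per-user limits lines in limits.conf format (my inference of the file
# Mark's snippet targets) so the same limits apply to the account at login.
limits_conf_lines() {
    user="${1:-$SPS_USER}"; want="${2:-40000}"
    for item in nproc nofile; do
        for kind in hard soft; do
            printf '%s %s %s %s\n' "$user" "$kind" "$item" "$want"
        done
    done
}

# Overall report; run as the service account after starting the gateway,
# passing the configured listener ports, e.g.: run_checks 80 443
run_checks() {
    rc=0
    tree_owned_by "$SPS_HOME" "$SPS_USER" || rc=1
    tree_owned_by "$SPS_REG" "$SPS_USER" || rc=1
    if needs_bind_capability "$@"; then
        httpd_has_bind_capability "$HTTPD_BIN" || rc=1
    fi
    runtime_limits_ok 40000 || rc=1
    # Any gateway process still running as root means a step was skipped.
    ps -eo user,comm | grep -E 'httpd|java|LLAWP' | grep -v "^$SPS_USER " && rc=1
    return $rc
}
```

Each check returns 0, 1 or 2 rather than printing a verdict, so the script can be wired into a cron job or a post-patch hook and the setcap step (which has to be repeated after every httpd upgrade) is caught the next time it is forgotten.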
You are right about the centralized ulimits file to control all users' limits. In fact, your method is better because mine is only relevant for systems that have unlimited set as the default.
As for the setcap, I forgot to mention it has to be done whenever there's an upgrade that changes the httpd binary. Will edit the post with this info.