Symantec Access Management

  • 1.  CA SPS Tomcat SSL port bind

    Broadcom Employee
    Posted Apr 21, 2016 09:25 PM

    Hi all,

    Running CA SPS version 12.52 sp1 cr04 on Redhat Enterprise Linux 6.7.

     

    Ran into an issue today at client site binding on port 543 for the Tomcat proxyUI app https listen port. I enabled the 3 sections in the server.conf for the https port and TLSv1 protocol version and created the encrypted password file in the Tomcat properties directory with the password encrypt shell script from the $spshome/bin directory. This is working well, the Java keystore is loading successfully with the signed certificate and trusted root chain loaded.

     

    During SPS installation I selected to start Tomcat with an spsAdmin nologin Linux service account. The docOps does make reference that this can not be root user. Here is where I am running into the problem with Linux not allowing the bind of ports under 1024 with users not root. If I set the port in the server.conf to 1543 all is well, the bind occurs and I can successfully use the proxyUI app over https.

     

    Anyone had luck getting the bind to occur on 543 as a non-root user (especially with the confusing language in the docOps stating the tomcat user can't be root; I attached a screenshot of the docOps wording)? I should note, the Apache portion of SPS is having no issue binding to 80 and 443 and I am starting the sps-ctl startssl as root.

    Thanks all for the assistance!

    Adam



  • 2.  Re: CA SPS Tomcat SSL port bind
    Best Answer

    Posted Apr 22, 2016 06:04 AM

    Adam

     

    The way I do it is use non root user across the board on SPS. Then use non default ports across the board. The SSL termination could be on SPS or fronted LB.

     

    Is there a reason we cannot change 543 to something else? I doubt 543 is a standard port; it is a non-standard port anyway.



  • 3.  Re: CA SPS Tomcat SSL port bind

    Broadcom Employee
    Posted Apr 22, 2016 06:48 AM

    Hey Hubert,

     

    Thank you for the reply. No, you are right, changing it to 1543 does work and the SSL works fine for the proxyUI app. I guess I was more curious if others were getting it to work binding to the default 543 as a non-root user.

     

    Am I misreading the docOps that says the tomcat user can't be root and you must create it, but the default port the installer chooses is 543. Seems if you follow that like I did it will never start 543. Apache portion of SPS does start fine and I bind to 80 and 443. No problem with 1543, I will work with that, thanks for the reply!

     

    Adam



  • 4.  Re: CA SPS Tomcat SSL port bind

    Broadcom Employee
    Posted Mar 21, 2017 08:25 PM

    Hi Adam

     

    Port numbers < 1000 are considered privileged ports on unix, and only root can listen on them. This is to stop normal users from doing a Listen:80 or 443 or :22 to pretend they are a system service. I am assuming that may be the reason you can't listen on :543.

     

    Obviously for linux it's a common problem: 

     

    Apache and a lot of services start as root, do a Listen on :443 / :80 as root and then suid to another user id. Tomcat doesn't have that option.

     

    This seems to describe the new setcap capability that can allow this:

    Is there a way for non-root processes to bind to "privileged" ports on Linux? - Stack Overflow 

     

        setcap 'cap_net_bind_service=+ep' /path/to/program

     

     

    And these were some other ways around it:

    Running network services as a non-root user. 

     

    One way is to use iptables to forward :543 -> localhost:1543  

     

     

    But if you are able to use a port > 1000 that will end up as the simplest solution.

     

    Cheers - Mark

    PS: It is much better to run SPS as a non-root user, particularly in a production setup. But I must admit I have run the tomcat user as root for SPS previously in some test setups.

    ----
    Mark O'Donohue
    Snr Principal Support Engineer - Global Customer Success
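An added diagnostic, not part of Mark's reply or of the SPS product, that shows the three pieces his answer puts together: which ports count as privileged, what `setcap cap_net_bind_service=+ep` actually grants (the CAP_NET_BIND_SERVICE bit in the process's effective capability set, visible in /proc/<pid>/status), and the iptables redirect fallback from :543 to :1543. It assumes Linux with the default privileged-port limit of 1024; the port numbers, the constructed CapEff lines in the test and the rule strings are illustrative.

```python
import errno
import socket

CAP_NET_BIND_SERVICE = 10     # capability bit number from <linux/capability.h>
PRIVILEGED_PORT_LIMIT = 1024  # assumes the default net.ipv4.ip_unprivileged_port_start

def port_is_privileged(port: int) -> bool:
    """True for ports a non-root process cannot bind without CAP_NET_BIND_SERVICE."""
    return 0 < port < PRIVILEGED_PORT_LIMIT

def has_cap_net_bind_service(proc_status: str) -> bool:
    """Parse the CapEff line of /proc/<pid>/status and test bit 10.
    After `setcap cap_net_bind_service=+ep <binary>` every process started from
    that binary carries this bit in its effective set; that is what lets it bind :543."""
    for line in proc_status.splitlines():
        if line.startswith("CapEff:"):
            return bool((int(line.split()[1], 16) >> CAP_NET_BIND_SERVICE) & 1)
    return False

def try_bind(port: int, host: str = "127.0.0.1") -> str:
    """Do the bind Tomcat's connector would do; returns 'bound', 'eacces' or 'other:<ERRNO>'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            sock.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EACCES:  # the symptom from the original post
                return "eacces"
            return f"other:{errno.errorcode.get(exc.errno, exc.errno)}"
        return "bound"

def redirect_rules(public_port: int, app_port: int) -> list:
    """iptables NAT rules for the fallback Mark mentions (:543 -> :1543).
    PREROUTING covers traffic from the network; OUTPUT covers connections made on the
    host itself, which skip PREROUTING. The rules are only printed; applying them needs root."""
    common = f"-p tcp --dport {public_port} -j REDIRECT --to-ports {app_port}"
    return [f"iptables -t nat -A PREROUTING {common}",
            f"iptables -t nat -A OUTPUT -o lo {common}"]

if __name__ == "__main__":
    with open("/proc/self/status") as fh:   # Linux only
        status = fh.read()
    print("CAP_NET_BIND_SERVICE in effective set:", has_cap_net_bind_service(status))
    for port in (543, 1543):
        kind = "privileged" if port_is_privileged(port) else "unprivileged"
        print(f"bind :{port} ({kind}):", try_bind(port))
    print("\n".join(redirect_rules(543, 1543)))
```

One caveat when applying setcap to the java launcher itself: the dynamic loader treats a capability-tagged binary like a setuid one and ignores LD_LIBRARY_PATH, so the JDK's own shared libraries (libjli.so) must be resolvable without it, for example via an /etc/ld.so.conf.d entry.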



  • 5.  Re: CA SPS Tomcat SSL port bind

    Broadcom Employee
    Posted Mar 22, 2017 09:00 AM

    Thank you Mark for following up on this one for me! 

     

    I will need to play around with setcap in the lab to see how it behaves, I do appreciate the suggestion.

     

    Hope all is well with you,

     

    Adam