KB Article #179395

Converting a gateway from running as root to a non-root user

Problem

Your gateway currently runs as root. You need to convert it to run as a non-root user to meet security requirements.

Resolution

Note: Before running the commands below, replace all occurrences of /PATH/TO with the directory that contains the apigateway installation (e.g. /opt/Axway for a gateway installed in /opt/Axway/apigateway).


Create a service user (S_USER) and group (S_GROUP) in Linux.
Use su to become root (e.g. su -).
Define appropriate ulimits for S_USER in /etc/security/limits.conf (see https://linux.die.net/man/5/limits.conf):

  • Number of open files / nofile (ulimit -n) should be unlimited or numerically as large as possible for the system (100000+)
  • Core (ulimit -c) should be unlimited assuming there is sufficient disk space for cores & disk space monitoring
  • Max processes (ulimit -u) should be 31212.

Change USER=root in all /etc/init.d scripts to the service user, e.g. USER=S_USER


NOTE: If init.d scripts are not used to start the gateway, a script should be created via managedomain. It is important that the API Gateway never be run as root again: if it is, permission errors will occur because the service user cannot access the root-owned files created while the gateway was running as root, and you will have to stop the service, redo the chown and setcap commands below, and restart the service to fix it.


Now run these commands as root, replacing S_USER, S_GROUP and /PATH/TO with the correct user, group and path:


echo "export LD_LIBRARY_PATH=/lib:/lib64:/usr/lib:/usr/lib64" >> /etc/init.d/functions

chown -R S_USER:S_GROUP /PATH/TO/apigateway

setcap 'cap_net_bind_service=+ep cap_sys_rawio+ep' /PATH/TO/apigateway/platform/bin/vshell

cd /etc/ld.so.conf.d/


Note: Skip the steps below for creating the gateway-libs.conf file and running ldconfig if you are running 7.5.3 SP5, 7.6.0 or any later versions, which set rpath on the vshell executable. Refer to the section of the Administrator's Guide entitled "Run API Gateway on privileged ports" for information on running chrpath on those versions to set the library paths.


Create a file named gateway-libs.conf with the following contents (one library directory per line), making sure you replace /PATH/TO with the actual path:


/PATH/TO/apigateway/platform/jre/lib/amd64/server
/PATH/TO/apigateway/platform/jre/lib/amd64
/PATH/TO/apigateway/platform/lib/engines
/PATH/TO/apigateway/platform/lib
/PATH/TO/apigateway/ext/lib


Run this command:
ldconfig


Log out from the root account and log in as S_USER.
Replace /PATH/TO in the following command and run it to add the library locations to jvm.xml:

sed -i -e '/<JVMSettings/a\\n <!-- Set by appliance rpm to allow correct library load after setting CAP_NET_BIND_SERVICE on vshell -->\n <VMArg name="-Djava.library.path=$VDISTDIR/$DISTRIBUTION/jre/lib/amd64/server:$VDISTDIR/$DISTRIBUTION/jre/lib/amd64:$VDISTDIR/$DISTRIBUTION/lib/engines:$VDISTDIR/ext/$DISTRIBUTION/lib:$VDISTDIR/ext/lib:$VDISTDIR/$DISTRIBUTION/jre/lib:system/lib:$VDISTDIR/$DISTRIBUTION/lib"/>' /PATH/TO/apigateway/system/conf/jvm.xml


You should now be able to start the gateway as S_USER via the init.d script, e.g. service name-of-script start
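The following POSIX shell helpers are an added example, not part of this KB article or of Axway's tooling, for verifying that the conversion above took effect: they generate the gateway-libs.conf entries from an install root, confirm the init.d script no longer sets USER=root, list any files under the install tree that are still root-owned (the situation the NOTE warns about), and check the capability set on vshell. The install root ($1, the article's /PATH/TO), the init.d script path ($2) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the KB article). Assumes $1 is the directory that
# contains apigateway (the article's /PATH/TO) and $2 is the init.d script.

# Print the ld.so.conf.d entries for the install root, one per line.
gateway_libs_conf() {
    r="${1%/}"                      # tolerate a trailing slash on the path
    printf '%s\n' \
        "$r/apigateway/platform/jre/lib/amd64/server" \
        "$r/apigateway/platform/jre/lib/amd64" \
        "$r/apigateway/platform/lib/engines" \
        "$r/apigateway/platform/lib" \
        "$r/apigateway/ext/lib"
}

# Print the last USER= assignment in an init.d script (empty if there is none).
initd_user() {
    sed -n 's/^[[:space:]]*USER=\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed only if the script names a service user other than root.
initd_not_root() {
    u=$(initd_user "$1")
    [ -n "$u" ] && [ "$u" != root ]
}

# List files under the install tree still owned by root; empty output means
# the chown -R took effect and nothing has since been created as root.
root_owned_files() {
    find "${1%/}/apigateway" -user root -print 2>/dev/null
}

# Check that vshell carries cap_net_bind_service (needs getcap from libcap).
vshell_caps_ok() {
    caps=$(getcap "${1%/}/apigateway/platform/bin/vshell" 2>/dev/null)
    case "$caps" in *cap_net_bind_service*) return 0 ;; esac
    return 1
}

# Run every check, print findings, and return non-zero if any check fails.
audit_gateway() {
    rc=0
    initd_not_root "$2" || { echo "FAIL: $2 still sets USER=root (or no USER=)"; rc=1; }
    n=$(root_owned_files "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "FAIL: $n root-owned file(s) under ${1%/}/apigateway"; rc=1; }
    vshell_caps_ok "$1" || { echo "FAIL: vshell lacks cap_net_bind_service"; rc=1; }
    gateway_libs_conf "$1" | while IFS= read -r d; do
        [ -d "$d" ] || echo "WARN: library directory missing: $d"
    done
    return $rc
}
```

Run `audit_gateway /opt/Axway /etc/init.d/name-of-script` after the conversion; a clean run prints nothing and exits 0.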