Configuring Linux To Run a Servlet Container as Non-Root
Running a servlet container without Apache in front of it, so that the container must bind to ports below 1024 yet still run as a non-root user, usually requires special setup (see the separate instructions for Debian and Ubuntu). Some containers include tools to assist with this; another option is to rely on port mapping, which is what this page describes.
One caution regarding this approach is that it will cause your IdP to fail if the port mapping software is stopped. Normally stopping a firewall does not prevent existing services from running, but this approach changes that situation, because the privileged ports are only reachable while the NAT rules are loaded. You should take care that any administrative staff are well aware of this change.
- A Linux kernel that supports iptables and NAT
- The IP address and port numbers of the servlet container's listeners
For non-Red Hat Linux installations modify /etc/rc.d/rc.local to include the following lines:
For Red Hat Linux installations using iptables (Red Hat 6 and earlier by default) modify the nat section of the /etc/sysconfig/iptables to include the following lines:
Note the changes are only the addition of the DNAT lines in the nat section.
For Red Hat Linux installations using firewalld (Red Hat 7 and later by default, unless you specifically switched back to iptables), issue the following commands as root:
- On non-Red Hat Linux installations, add the iptables rules by running the iptables commands by hand.
- On Red Hat, restart iptables with the /etc/init.d/iptables script.
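As an added example (not part of the original page), the following POSIX shell functions generate the DNAT lines and the equivalent firewalld commands for one privileged-to-unprivileged port pair, and check a saved nat table so an administrator can confirm the mapping survived a restart. The listener address 192.0.2.10 and the port pairs 443 to 8443 and 80 to 8080 are assumptions; substitute your own.

```shell
#!/bin/sh
# Assumption: the host's IP address on which the servlet container listens.
LISTEN_IP="${LISTEN_IP:-192.0.2.10}"

# Print one iptables DNAT rule for the nat/PREROUTING chain.
# $1 = privileged port clients connect to, $2 = unprivileged servlet-container port.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$LISTEN_IP" "$1" "$LISTEN_IP" "$2"
}

# Print the equivalent firewalld command (Red Hat 7 and later); --permanent
# writes it to the saved configuration so it is restored on reload.
firewalld_rule() {
    printf 'firewall-cmd --permanent --add-forward-port=port=%s:proto=tcp:toport=%s\n' "$1" "$2"
}

# Check that saved nat-table text (the output of `iptables-save -t nat`)
# contains a DNAT rule mapping $2 to $3. Returns 0 if present, 1 if missing.
# Because the IdP is unreachable on the privileged port whenever this rule is
# absent, this is the check to run after any firewall restart.
has_dnat() {
    printf '%s\n' "$1" | grep -Eq -e "--dport $2 .*-j DNAT --to-destination [0-9.]+:$3\$"
}

# Constructed sample of `iptables-save -t nat` output: only 443 is mapped.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.0.2.10:8443
COMMIT'

# Emit the rules for both assumed port pairs, then report what the sample table lacks.
for pair in 443:8443 80:8080; do
    dnat_rule "${pair%%:*}" "${pair##*:}"
    firewalld_rule "${pair%%:*}" "${pair##*:}"
    has_dnat "$SAMPLE_NAT" "${pair%%:*}" "${pair##*:}" || echo "missing DNAT for $pair"
done
```

A PREROUTING DNAT only rewrites traffic arriving from the network; connections made from the host itself (for example a local curl test) need a matching rule in the nat OUTPUT chain.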