Installing IBM Security Guardium Key Lifecycle Manager on Linux systems as a non-root user

You can install IBM Security Guardium Key Lifecycle Manager as a non-root user on Linux® operating systems. A non-root installation of IBM Security Guardium Key Lifecycle Manager installs both Db2 and WebSphere Application Server Liberty under that non-root user, so neither server runs as root.

Before you begin

  • Configure the WebSphere Liberty port and all other ports to values greater than 1024. For example, 1180. A non-root process cannot bind to privileged ports (ports below 1024).
  • Ensure that the non-root user has a primary group other than guests, admins, users, and local.
  • See Non-root Db2® installation.

About this task

Before you install IBM Security Guardium Key Lifecycle Manager on Linux systems as a non-root user, review the best practices information in the Non-root installation of IBM Security Guardium Key Lifecycle Manager on Linux systems topic.

Procedure

  1. Ensure that your target environment meets the IBM Security Guardium Key Lifecycle Manager installation prerequisites. See Preinstallation tasks.
  2. Create a non-root User ID. Ensure that the User ID has a primary group other than guests, admins, users, and local.
  3. Skip the Prerequisite Scanner by creating an sklmInstall.properties file in the /tmp directory that contains the following property:
    SKIP_PREREQ=true
  4. Go to the directory of your installation package and open disk1.
    For example, download_path/disk1.
  5. Open a command line window and run launchpad.sh.
  6. Specify the Db2 configuration parameters. See Db2 configuration during non-root installation.
  7. Specify the WebSphere Liberty configuration parameters.
  8. After the IBM Security Guardium Key Lifecycle Manager installation process is complete, open a command line window.
  9. Stop WebSphere Liberty and Db2.
    Note: Ensure that you perform this step as the non-root user that you created in step 2.
    Run the following command to stop WebSphere Liberty:
    cd WAS_HOME/bin
    ./stopServer.sh
    Run the following command to load the Db2 profile:
    . ${DB_INST_HOME}/sqllib/db2profile
    For example:
    . /home/klmdb42/sqllib/db2profile
    Run the following command to stop Db2:
    cd ~/sqllib/adm
    ./db2stop
  10. Open a new shell and run the following command from the /home/username/gklm421properties/scripts directory.
    Non-root Db2 installation requires root access to configure the Db2 instance with a specific port number and service name, so this is the only step in the procedure that runs with sudo.
    sudo nonrootconfig.sh DB_INST_HOME DB_INST_NAME PORT DB_USER DB_PASSWORD WAS_HOME IS_AD_USER
    For example:
    sudo nonrootconfig.sh /home/testuser testuser 50100 testuser mydbpwd /home/testuser/IBM/WebSphere/Liberty Yes
    If the shell reports that the script cannot be found, run it with an explicit path (sudo ./nonrootconfig.sh ...) from the scripts directory. Note that DB_PASSWORD is passed as a command-line argument, so it is visible in the process list while the script runs and is recorded in the shell history; clear the history entry afterwards if that is a concern in your environment.
    Where,

    DB_INST_HOME is the directory that contains the Db2 database instance. For example, /home/testuser.

    DB_INST_NAME is the Db2 instance name. For example, testuser.

    PORT is the Db2 service listening port. For example, 50100.

    DB_USER is the Db2 username. For example, testuser.

    DB_PASSWORD is the Db2 password. For example, mydbpwd.

    WAS_HOME is the WebSphere Liberty home directory. For example, /home/testuser/IBM/WebSphere/Liberty.

    IS_AD_USER is a flag that indicates whether the user installing IBM Security Guardium Key Lifecycle Manager is an Active Directory (AD) user. Possible values are No or Yes.

    When you run the script, you are prompted for the password of the Db2 user before the configuration continues.
  11. Restart WebSphere Liberty.
    Note: Ensure that you perform this step as the non-root user that you created in step 2.
    cd WAS_HOME/bin
    ./startServer.sh
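The following POSIX shell script is an added example, not IBM's installer, launchpad.sh or nonrootconfig.sh. It packages the checks a practitioner would run before steps 3, 9 and 10, and the TLS port rule from What to do next: the effective user is not root, the primary group is not one of the four disallowed groups, every configured port is above 1024, the sklmInstall.properties file is written, and the positional arguments for nonrootconfig.sh are validated before sudo is used. The group list and the "greater than 1024" rule come from this page; the DB_INST_HOME/sqllib/db2profile and WAS_HOME/bin/stopServer.sh paths come from steps 9 and 10; the function names, the klmgrp group and the port values are assumptions.

```shell
#!/bin/sh
# Preflight and argument checks for a non-root Guardium Key Lifecycle Manager
# install. Added example, not IBM's installer or nonrootconfig.sh. Group names
# and the port rule come from the page; function names and values are assumed.

# Succeed only if the effective user is not root (steps 9 and 11 must not run as root).
running_as_non_root() {
    [ "$(id -u)" -ne 0 ]
}

# Succeed only if PORT is numeric and greater than 1024 (the page's rule for the
# Liberty, Db2 and TLS ports; a non-root process cannot bind below 1024).
port_is_unprivileged() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a number
    esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Succeed only if GROUP is an acceptable primary group for the installing user.
primary_group_ok() {
    case "$1" in
        guests|admins|users|local) return 1 ;;
        *) return 0 ;;
    esac
}

# Write the file that makes launchpad.sh skip the Prerequisite Scanner (step 3).
# DIR is /tmp in the procedure; it is a parameter here so the function is testable.
write_skip_prereq() {
    printf 'SKIP_PREREQ=true\n' > "$1/sklmInstall.properties"
}

# Check the positional arguments for nonrootconfig.sh before escalating with sudo:
# DB_INST_HOME DB_INST_NAME PORT WAS_HOME IS_AD_USER. The Db2 password is
# deliberately not passed to this function so it is never echoed or logged.
validate_nonrootconfig_args() {
    db_inst_home=$1
    db_inst_name=$2
    port=$3
    was_home=$4
    is_ad_user=$5
    [ -d "$db_inst_home" ] || { echo "DB_INST_HOME is not a directory: $db_inst_home" >&2; return 1; }
    [ -f "$db_inst_home/sqllib/db2profile" ] || { echo "no sqllib/db2profile under $db_inst_home" >&2; return 1; }
    [ -n "$db_inst_name" ] || { echo "DB_INST_NAME is empty" >&2; return 1; }
    port_is_unprivileged "$port" || { echo "PORT must be a number greater than 1024: $port" >&2; return 1; }
    [ -x "$was_home/bin/stopServer.sh" ] || { echo "WAS_HOME has no executable bin/stopServer.sh: $was_home" >&2; return 1; }
    case "$is_ad_user" in
        Yes|No) ;;
        *) echo "IS_AD_USER must be Yes or No: $is_ad_user" >&2; return 1 ;;
    esac
}

# Read TransportListener.ssl.port from an SKLMConfig.properties file and check
# that it is greater than 1024 (the post-install step under What to do next).
config_tls_port_ok() {
    port=$(sed -n 's/^TransportListener\.ssl\.port=//p' "$1" | tail -n 1 | tr -d '[:space:]')
    port_is_unprivileged "$port"
}

# Run the pre-install checks for the current user and the ports passed as arguments.
preflight() {
    running_as_non_root || { echo "run the installer as the non-root user, not as root" >&2; return 1; }
    primary_group_ok "$(id -gn)" || { echo "primary group $(id -gn) is not allowed" >&2; return 1; }
    for p in "$@"; do
        port_is_unprivileged "$p" || { echo "port $p is privileged or invalid" >&2; return 1; }
    done
}

# Usage (as the non-root installer, never under sudo):
#   preflight 1180 50100 1441 && write_skip_prereq /tmp
#   validate_nonrootconfig_args /home/testuser testuser 50100 /home/testuser/IBM/WebSphere/Liberty Yes
```

Run the checks as the non-root user created in step 2, not under sudo: running_as_non_root would otherwise pass for the wrong account, and the whole point of the procedure is that only nonrootconfig.sh needs root. The validator checks everything except the password, so it can be run and logged freely before the one sudo invocation.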

What to do next

  • Update the TLS port in the SKLM_HOME/config/SKLMConfig.properties file to a value greater than 1024 by using the graphical user interface or the REST interface. For example,
    TransportListener.ssl.port=1441
  • Restart the IBM Security Guardium Key Lifecycle Manager server.

    After the installation, always log in as the non-root user to start or stop the IBM Security Guardium Key Lifecycle Manager server and the Db2 server.