WebSphere Application Server Network Deployment, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Running an Application Server and node agent from a non-root user

By default, each base Application Server node on a Linux, UNIX, or z/OS platform uses the root user ID to run the node agent process and all Application Server processes. However, you can run the node agent and all Application Server processes under the same non-root user and user group. If you do run the node agent process with a non-root user ID, you must run all Application Server processes that the node agent controls under the same non-root user ID.

Before you begin

If global security is enabled, the user registry must not be Local OS. Using the Local OS user registry requires the node agent to run as root. Refer to Local operating system user registries for details.

Why and when to perform this task

Using the same non-root user and user group gives the node agent process the operating system permissions to start all other server processes.

Run your application servers and node agent as non-root when you no longer want to use root authority. For security or administrative reasons, you may want to change to non-root user IDs. Perform this task at any time to change the permissions of a node agent or application server. You must restart the node agent and application servers in order for the changes to take effect.

Note: The node agent saves registered server data to the IBMLSDActiveServerList.asl file, in the path that is specified by the com.ibm.ws.orb.services.lsd.StoreActiveServerList property. If you do not specify a value for the com.ibm.ws.orb.services.lsd.StoreActiveServerList property, the node agent does not save the data. The value you specify for this property must be the complete path location of the IBMLSDActiveServerList.asl file. The CLASSPATH environment variable is not used in locating the path.

If you are running WebSphere Application Server as a non-root user, make sure that user has read and write permission on the IBMLSDActiveServerList.asl file and on the directory named in the property, so the node agent can create and update the file.

Note: If you are using the Tivoli Access Manager (TAM) to perform authentication or authorization for WebSphere Application Server, it is important to be aware of potential permissions problems. For more information, see Tivoli Access Manager JACC provider configuration.
For the steps that follow, assume that:
  • wasadmin is the user to run all servers
  • wasnode is the node name
  • wascell is the cell name
  • server1 is the Application Server
  • /opt/WebSphere/AppServer is the installation root for the base node
  • wasgroup is the group that will run all servers, with wasadmin as a member
  • nodeProfile1 is the profile name
Note: For information about creating a profile, see wasprofile command.

To configure a user ID to run the node agent and all server processes, complete the following steps.

Steps for this task

  1. Log on to the Application Server system as root.
  2. Create user wasadmin with primary group wasgroup. If you will be using peer recovery with your transaction logs on a file system shared between two or more machines (such as NAS), create the user and group with the same numeric UID and GID on every machine that participates in peer recovery. File ownership on the shared log directory is stored as numbers, so the non-root user and group must resolve to the same identities on all machines.
  3. Log off and back on.
  4. Log on to the Network Deployment system as root.
  5. If the deployment manager process is not started, start it with the startManager.sh script from the /bin directory of the installation root:
    startManager.sh
  6. Start the administrative console.
  7. Define the node agent to run as a wasadmin process using the administrative console of the deployment manager. You must define all three properties in the following table. Click System Administration > Node agents > nodeagent (for the node) > Server Infrastructure > Java and Process Management > Process Definition > Process Execution and change all of the following values:
    Property Value
    Run As User wasadmin
    Run As Group wasgroup
    UMASK 022

    The value 022 is a umask: the bits it names are cleared from the permissions of every file the process creates. With 022, new files are not writable by the group or by others (a new regular file gets mode 644, a new directory 755), as defined on the Linux or UNIX platforms. Note that 022 still leaves new files readable by every local user on the machine.

    Note: Make sure that the node agent is running if you are going to change the value specified for either the Run As Group or Run As User property. If the value for either of these properties is changed while the node agent is not running, the deployment manager cannot push the changes to the node.
  8. Define each Application Server to run as a wasadmin process. Substitute the name of each server for server1. You must define all three properties in the following table. Click Servers > Application Servers > server1 > Server Infrastructure > Java and Process Management > Process Definition > Process Execution and change all of the following values:
    Property Value
    Run As User wasadmin
    Run As Group wasgroup
    UMASK 022
  9. Save and synchronize all nodes. Stop all changed application servers and the node agent from the administrative console.
  10. Log on to the Application Server system as root.
  11. Ensure that all servers and the node agent are stopped.
  12. As root, use operating system tools to change file permissions on Linux and UNIX platforms:
    
    chgrp wasgroup /opt/WebSphere
    chgrp wasgroup /opt/WebSphere/AppServer
    chgrp -R wasgroup /opt/WebSphere/AppServer/cloudscape
    chgrp -R wasgroup /opt/WebSphere/AppServer/profiles/nodeProfile1
    chmod g+wr /opt/WebSphere
    chmod g+wr /opt/WebSphere/AppServer
    chmod -R g+wr /opt/WebSphere/AppServer/cloudscape
    chmod -R g+wr /opt/WebSphere/AppServer/profiles/nodeProfile1
    
  13. Log in as wasadmin on the Application Server system.
  14. As wasadmin, run the startNode.sh script from the /bin directory of the installation root to start the node agent:
    startNode.sh
    
  15. Log into the administrative console and start the application servers.
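The following script is an added example and is not part of the IBM page or the product. It packages step 12 (group ownership and group write access on the installation and profile trees) into reusable functions, adds a check that reports anything under a tree that wasadmin's group still could not read or write, and shows what the UMASK value from steps 7 and 8 actually does to new files. The group, installation root and profile name default to the assumptions listed above (wasgroup, /opt/WebSphere/AppServer, nodeProfile1) and can be overridden through environment variables; those variables, and the `--apply` switch, are this script's own conventions, not the product's. Without `--apply` it only exercises the functions on a scratch directory, so it is safe to try as any user.

```shell
#!/bin/sh
# Added example: step-12 permission changes and a readiness check for a
# non-root node agent. Defaults are the page's assumed names (hypothetical).
WAS_GROUP="${WAS_GROUP:-wasgroup}"
WAS_ROOT="${WAS_ROOT:-/opt/WebSphere/AppServer}"
WAS_PROFILE="${WAS_PROFILE:-nodeProfile1}"

# mode_after_umask UMASK: print the mode a newly created regular file gets
# under UMASK. Files start at 0666; the umask bits are cleared, never set,
# so 022 yields 644 (group and others cannot write).
mode_after_umask() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# grant_group_access GROUP DIR...: chgrp + chmod g+rw on the directory
# itself only (the page does this for /opt/WebSphere and the install root).
grant_group_access() {
    group=$1; shift
    for d in "$@"; do
        chgrp "$group" "$d" && chmod g+rw "$d" || return 1
    done
}

# grant_group_access_recursive GROUP DIR...: the same, recursively
# (the page does this for the cloudscape and profile trees).
grant_group_access_recursive() {
    group=$1; shift
    for d in "$@"; do
        chgrp -R "$group" "$d" && chmod -R g+rw "$d" || return 1
    done
}

# count_not_group_writable GROUP DIR: number of entries under DIR that are
# not owned by GROUP or lack group read+write (octal 060). Prints 0 when
# the tree is ready for processes running as a member of GROUP.
count_not_group_writable() {
    find "$2" \( ! -group "$1" -o ! -perm -060 \) -print | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    # Step 12 against the real installation; must run as root with all
    # servers and the node agent stopped.
    grant_group_access "$WAS_GROUP" "$(dirname "$WAS_ROOT")" "$WAS_ROOT"
    grant_group_access_recursive "$WAS_GROUP" \
        "$WAS_ROOT/cloudscape" "$WAS_ROOT/profiles/$WAS_PROFILE"
    echo "entries under the profile still not usable by $WAS_GROUP:" \
        "$(count_not_group_writable "$WAS_GROUP" "$WAS_ROOT/profiles/$WAS_PROFILE")"
else
    # Demonstration on a constructed scratch tree using the caller's own
    # primary group, which a non-root user is allowed to chgrp to.
    mygroup=$(id -gn)
    scratch=$(mktemp -d)
    mkdir -p "$scratch/profiles/$WAS_PROFILE/logs"
    : > "$scratch/profiles/$WAS_PROFILE/logs/SystemOut.log"
    chmod 600 "$scratch/profiles/$WAS_PROFILE/logs/SystemOut.log"   # owner-only, as root would leave it
    echo "before: $(count_not_group_writable "$mygroup" "$scratch/profiles/$WAS_PROFILE") entries not group-writable"
    grant_group_access_recursive "$mygroup" "$scratch/profiles/$WAS_PROFILE"
    echo "after:  $(count_not_group_writable "$mygroup" "$scratch/profiles/$WAS_PROFILE") entries not group-writable"
    echo "new file mode under UMASK 022: $(mode_after_umask 022)"
    rm -rf "$scratch"
fi
```

Run it as root with `--apply` after step 11, then use `count_not_group_writable` again after the node agent has run for a while: any file the node agent or a server created under the profile while still running as root, or with a stricter umask, shows up in the count and explains a failed start as wasadmin.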

Result

You can start an application server and the node agent from a non-root user.



Related tasks
Running an application server from a non-root user and the node agent from root
Running the deployment manager with a non-root user ID


Last updated: Mar 17, 2005 4:28:29 AM CST
http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/trun_nodeagent_nonroot.html

© Copyright IBM Corporation 2003, 2005. All Rights Reserved.