WebSphere Application Server Network Deployment, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Running application servers from a non-root user

By default, each base WebSphere Application Server node uses the root user ID to run all application server processes. However, you can run all application server processes under the same non-root user and user group. This task describes how to run an application server process from a non-root user.

Before you begin

If global security is enabled, the user registry must not be Local OS. Using the Local OS user registry requires the application server to run as root. Refer to Local operating system user registries for details.

If you are using the Tivoli Access Manager (TAM) to perform authentication or authorization for WebSphere Application Server, it is important to be aware of potential permissions problems. For more information, see Tivoli Access Manager JACC provider configuration.

When WebSphere Application Server runs as a UNIX user, it can only access files owned by its primary group. If it tries to access files through a secondary group, a java.io.FileNotFoundException occurs because the file access permissions do not allow this type of access.

Why and when to perform this task

Run your application servers as non-root when you no longer want to use root authority. For security or administrative reasons, you may want to change to non-root user IDs. Perform this task at any time to change the permissions of an application server. You must restart the application server in order for the changes to take effect.

If your application server is part of a cell, see Running an application server from a non-root user and the node agent from root or Running an application server and node agent from a non-root user.

Note:
For the following steps, assume that:
  • was1 is the user to run the application server
  • wasgroup is the primary user group for user was1
  • wasnode is the node name
  • server1 is the application server
  • /opt/WebSphere/AppServer is the installation root
  • nodeProfile1 is the profile name.
Note: For information about creating a profile, see wasprofile command.

To configure an application server to run as non-root, complete the following steps.

Steps for this task

  1. Log on to the application server system as the root user.
  2. Create the user ID was1 with a primary user group of wasgroup. The user ID was1 is an example; you can give the user a different name.
  3. Log off and back on as root.
  4. Start server1 as root. Run the startServer.sh script from the /bin directory of the installation root:
    startServer.sh server1
  5. Specify user and group ID values for the Run As User and Run As Group settings for a server:
    1. Start the administrative console.
    2. Go to the Process execution page of the administrative console. You must define all three properties in the following table. Click Servers > Application Servers > server1 > Server Infrastructure > Java and Process Management > Process Execution and change all of the following values:
      Property        Value
      Run As User     was1
      Run As Group    wasgroup
      UMASK           022

      The UMASK value 022 sets the permissions of files the process creates: write permission is withheld from the group and from others, following the standard umask semantics on Linux and UNIX platforms.

    3. Click OK.
    4. Save the configuration.
  6. Stop the application server. Use the stopServer.sh script from the /bin directory of the installation root:
    stopServer.sh server1
  7. Change file permissions as the root user. The following example assumes that the installation root directory for WebSphere Application Server is /opt/WebSphere/AppServer:
    
    chgrp wasgroup /opt/WebSphere
    chgrp wasgroup /opt/WebSphere/AppServer
    chgrp -R wasgroup /opt/WebSphere/AppServer/cloudscape
    chgrp -R wasgroup /opt/WebSphere/AppServer/profiles/nodeProfile1
    chmod g+wr /opt/WebSphere
    chmod g+wr /opt/WebSphere/AppServer
    chmod -R g+wr /opt/WebSphere/AppServer/cloudscape
    chmod -R g+wr /opt/WebSphere/AppServer/recoveryLogs
    chmod -R g+wr /opt/WebSphere/AppServer/profiles/nodeProfile1
    
  8. Log on to the application server system as was1.
  9. Start server1 as was1. Run the startServer.sh script from the /bin directory of the installation root:
    startServer.sh server1
  10. If creating another server with a different user ID, follow this procedure again for the new user ID and server name.

    The two user IDs must share the same group, wasgroup.
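The following script is an added example written for this page; it is not part of the IBM documentation or of WebSphere. It checks the two things this procedure depends on: that the primary group of was1 (not a secondary group) is wasgroup, as the caveat under Before you begin requires, and that every path changed in step 7 is group-owned by wasgroup with group read and write set, so that server1 starts as was1 in step 9 without a permissions failure. It also shows what the UMASK value 022 does to files the server creates. The user, group, paths and profile name are the ones assumed in the Note above; the function names are this example's own. Run it as root after step 7.

```shell
#!/bin/sh
# Added verification helper, not part of the IBM documentation.
# Run as root after step 7, before starting server1 as was1.
# Names taken from the page: was1, wasgroup, /opt/WebSphere/AppServer,
# nodeProfile1; the function names are this example's own.

# Succeeds when USER's primary group is GROUP. The server can only use its
# primary group for file access, so a secondary-group membership is not enough.
check_primary_group() {
    _user=$1
    _group=$2
    [ "$(id -gn "$_user" 2>/dev/null)" = "$_group" ]
}

# Succeeds when PATH is group-owned by GROUP and carries group read+write.
# Parses ls -ld (field 1 = mode string, field 4 = group) because the stat
# command differs between AIX, HP-UX, Solaris and Linux.
check_group_perms() {
    _path=$1
    _group=$2
    _info=$(ls -ld "$_path" 2>/dev/null) || return 1
    set -- $_info
    [ "$4" = "$_group" ] || return 1
    [ "$(printf '%s' "$1" | cut -c5-6)" = "rw" ]
}

# Print the octal mode a newly created regular file gets under UMASK:
# the create request is 666 and the umask bits are cleared (022 -> 644).
umask_file_mode() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# Check every path that step 7 changes, plus anything under the recursively
# changed trees that still has the wrong group or lacks group rw.
# Returns 1 if any check fails.
verify_install() {
    _root=${1:-/opt/WebSphere/AppServer}
    _grp=${2:-wasgroup}
    _usr=${3:-was1}
    _rc=0
    if check_primary_group "$_usr" "$_grp"; then
        echo "ok   primary group of $_usr is $_grp"
    else
        echo "FAIL primary group of $_usr is not $_grp (a secondary group does not count)"
        _rc=1
    fi
    for _p in "$(dirname "$_root")" "$_root" "$_root/cloudscape" \
              "$_root/recoveryLogs" "$_root/profiles/nodeProfile1"; do
        if check_group_perms "$_p" "$_grp"; then
            echo "ok   $_p"
        else
            echo "FAIL $_p: needs chgrp $_grp and chmod g+wr"
            _rc=1
        fi
    done
    # Offenders inside the recursively changed trees (first 20 only).
    find "$_root/cloudscape" "$_root/profiles/nodeProfile1" \
        \( ! -group "$_grp" -o ! -perm -060 \) -print 2>/dev/null | head -n 20
    echo "files the server creates get mode $(umask_file_mode 022) with UMASK 022"
    return $_rc
}

# Example invocation; only runs when executed as root on a real installation.
if [ "$(id -u)" = 0 ] && [ -d /opt/WebSphere/AppServer ]; then
    verify_install /opt/WebSphere/AppServer wasgroup was1
fi
```

Because the server can only use its primary group, check_primary_group deliberately compares against id -gn rather than the full id -G list; a was1 that is merely a secondary member of wasgroup passes the second test but not the first, which is exactly the java.io.FileNotFoundException case described above. umask_file_mode makes the UMASK setting concrete: with 022 the server's own files come out 644, so a second server user in wasgroup (step 10) can read but not modify them.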

Result

You can start an application server from a non-root user.



Related tasks
Starting servers
Using the administrative console



Last updated: Mar 17, 2005 4:28:29 AM CST
http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/trun_svr_nonroot.html

© Copyright IBM Corporation 2005. All Rights Reserved.