WebSphere Application Server Network Deployment, Version 6.0.x     Operating systems: AIX, HP-UX, Linux, Solaris, Windows

Running an application server from a non-root user and the node agent from root

By default, each base WebSphere Application Server node on a Linux and UNIX platform uses the root user to run application servers. However, you can use a non-root user to run application servers. This task describes how to configure an application server to run as non-root while letting the node agent process run as root.

Before you begin

If global security is enabled, using the local operating system user registry is not recommended for this configuration, because the local operating system registry in general requires that all processes run as root. Refer to Local operating system user registries for details. If you ran an Application Server under a non-root user ID on Linux and UNIX platforms in Version 5.x and now want to run it as root in WebSphere Application Server Version 6, see Migrating a previously non-root configuration to root.

Why and when to perform this task

Running application servers under a non-root user ID is done by placing the node agent and all the application servers in the same operating system group, so that files created by one process remain writable by the others. Run your application servers as non-root when you no longer want the application server processes, and the application code they host, to hold root authority; the change is usually made for security or administrative reasons. Perform this task at any time to change the user and group that an application server runs as. You must restart the application servers for the changes to take effect.
Note: If you are using the Tivoli Access Manager (TAM) to perform authentication or authorization for WebSphere Application Server, it is important to be aware of potential permissions problems. For more information, see Tivoli Access Manager JACC provider configuration.

Steps for this task

  1. Log on to the application server system as root.
  2. Create the was1 user and wasgroup group that you will use to run the application server. If you will use peer recovery with transaction logs on a file system shared between two or more machines (such as NAS), create the user and group with the same numeric user and group identification numbers on every machine that participates in peer recovery. This ensures that ownership of files on the shared file system is interpreted identically on all machines.
  3. Add users root and was1 to the wasgroup group.
  4. Log off and back on.
  5. Log on to the Network Deployment system as root.
  6. If it is not started, start the deployment manager process with the startManager.sh script from the /bin directory of the installation root:
    startManager.sh
  7. Configure application server properties for the root and was1 users. Use the administrative console on the deployment manager to complete the following steps:
    1. Define the node agent to run as a root process. You must define all three properties in the following table. Click System Administration > Node agents > nodeagent (for the node) > Server Infrastructure > Java and Process Management > Process Definition > Process Execution and change all of the following values:
      Property Value
      Run As User root
      Run As Group wasgroup
      UMASK 002
    2. Define each application server to run as a was1 process. Substitute the name of each server for server1. You must define all three properties in the following table. Click Servers > Application Servers > server1 > Server Infrastructure > Java and Process Management > Process Definition > Process Execution and change all of the following values:
      Property Value
      Run As User was1
      Run As Group wasgroup
      UMASK 002

      The value 002 means that files the process creates are readable and writable by the owner and by the group, but not writable by others, as defined on the Linux or UNIX platforms. Because the node agent (root) and the application servers (was1) both belong to wasgroup, each can write files that the other creates. With the usual default of 022, files created by the node agent would be owned by root and not writable by was1.

    3. Save and synchronize all nodes.
  8. Log on to the application server system as root.
  9. Ensure that all servers on the application server system are stopped, including the server1 process. Use the stopServer.sh script from the /bin directory of the installation root:
    
    stopServer.sh server1 -user userID -password password
    
  10. Ensure that the node agent process is stopped. Use the stopNode.sh script from the /bin directory of the installation root:
    stopNode.sh -user userID -password password
  11. As root, use operating system tools to give wasgroup ownership of, and write access to, the installation and profile directories on the application server system. The paths below assume the installation root /opt/WebSphere/AppServer and the profile nodeProfile1; adjust them to your installation:
    
    # Top-level directories: group ownership and group read/write, not recursive
    chgrp wasgroup /opt/WebSphere
    chgrp wasgroup /opt/WebSphere/AppServer
    # Cloudscape directory and the node profile: recursive, so every file that
    # the node agent (root) and the application servers (was1) share is group-writable
    chgrp -R wasgroup  /opt/WebSphere/AppServer/cloudscape
    chgrp -R wasgroup  /opt/WebSphere/AppServer/profiles/nodeProfile1
    chmod g+wr  /opt/WebSphere
    chmod g+wr  /opt/WebSphere/AppServer
    chmod -R g+wr  /opt/WebSphere/AppServer/cloudscape
    chmod -R g+wr  /opt/WebSphere/AppServer/profiles/nodeProfile1
    
    
  12. Start the node agent process from root. Use the startNode.sh script from the /bin directory of the installation root:
    startNode.sh
  13. Log on to the application server system as the was1 user.
  14. Start all application servers from the was1 user. Use the startServer.sh script from the /bin directory of the installation root:
    startServer.sh server1
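The following script is an added example; it is not part of this topic and not a product script. It rehearses the ownership and permission changes of step 11 and the effect of the UMASK 002 setting on a throwaway directory tree, then checks the result the way you would before starting servers as was1 (a tree that the group cannot write, or a directory the group cannot traverse, is exactly what makes a non-root application server fail to start or to write its logs). It assumes a directory from mktemp in place of /opt/WebSphere/AppServer/profiles/nodeProfile1 and your own primary group in place of wasgroup, so that it runs without root; the was_ function names are this example's own.

```shell
#!/bin/sh
# Added example; not from the IBM topic or the product. Rehearses step 11 and
# the UMASK 002 setting on a throwaway tree and checks the result.
# Assumptions: a mktemp directory stands in for the node profile directory,
# and the caller's primary group stands in for wasgroup (no root needed).
set -eu

# Step 3 check: is user $1 a member of group $2 (primary or supplementary)?
was_user_in_group() {
    id -Gn "$1" | tr ' ' '\n' | grep -qxF "$2"
}

# Step 11, generalised to any tree and group: give group $2 ownership of $1
# and grant the group read+write, recursively (the topic's chgrp -R / chmod -R g+wr).
was_grant_group() {
    chgrp -R "$2" "$1"
    chmod -R g+rw "$1"
}

# Print every entry under $1 that would still block a was1 process: not
# group-owned by $2, missing group read+write, or a directory the group cannot
# traverse (no group execute). The topic's chmod adds only r and w, so it
# relies on install directories already being 755; this catches the rest.
was_list_group_violations() {
    find "$1" \( ! -group "$2" -o ! -perm -060 -o \( -type d ! -perm -010 \) \) -print
}

# Succeeds only when was_list_group_violations reports nothing.
was_check_group_perms() {
    n=$(was_list_group_violations "$1" "$2" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Create a file and a directory in $2 under umask $1 and print their mode
# strings, two lines, e.g. "-rw-rw-r--" then "drwxrwxr-x".
was_mode_under_umask() {
    ( umask "$1"; : > "$2/file_$1"; mkdir "$2/dir_$1" )
    ls -ld "$2/file_$1" | cut -c1-10
    ls -ld "$2/dir_$1"  | cut -c1-10
}

# --- Rehearsal on a constructed tree (stands in for the node profile) -------
umask 022                                  # what a fresh install is created under
demo_root=$(mktemp -d)
chmod 755 "$demo_root"                     # mktemp gives 700; install dirs are 755
demo_group=$(id -gn)                       # stand-in for wasgroup
mkdir -p "$demo_root/profiles/nodeProfile1/logs/server1"
: > "$demo_root/profiles/nodeProfile1/logs/server1/SystemOut.log"

if was_user_in_group "$(id -un)" "$demo_group"; then
    echo "ok: $(id -un) is a member of $demo_group"
fi
if was_check_group_perms "$demo_root" "$demo_group"; then
    echo "unexpected: tree is already group-writable"
else
    echo "before: $(was_list_group_violations "$demo_root" "$demo_group" | wc -l | tr -d ' ') entries are not group-writable"
fi
was_grant_group "$demo_root" "$demo_group"
was_check_group_perms "$demo_root" "$demo_group"
echo "after: every entry is group-owned by $demo_group and group-writable"

# UMASK 002 (the topic's value) versus the usual default of 022.
echo "umask 002 creates: $(was_mode_under_umask 002 "$demo_root" | tr '\n' ' ')"
echo "umask 022 creates: $(was_mode_under_umask 022 "$demo_root" | tr '\n' ' ')"
rm -rf "$demo_root"
```

To use the check against a real node, run it as root after step 11 with the profile path and wasgroup, for example was_check_group_perms /opt/WebSphere/AppServer/profiles/nodeProfile1 wasgroup, and fix anything that was_list_group_violations prints before starting the node agent and the application servers.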

Result

The node agent runs as root, and you can start each application server on the node as the non-root was1 user.



Related tasks
Running the deployment manager with a non-root user ID
Running an Application Server and node agent from a non-root user
Starting servers
Using the administrative console
Using command line tools



Last updated: Mar 17, 2005 4:28:29 AM CST
http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/trun_svr_msg_nonroot.html

© Copyright IBM Corporation 2004, 2005. All Rights Reserved.