Using a Non-Root Userid to Run V3.5 and V4.0 releases on Unix® Platforms

Technote (FAQ)
Problem
Is it possible to run WebSphere® Application Server V3.5 and V4.0 releases using a non-root userid on Unix platforms?
Solution
Any application server, the administrative server, and the administrative console can be run using a non-root user on Unix platforms. These processes can be run as non-root on V3.02.2 and on all V3.5 and V4.0 releases.

If you are running as non-root in the foreground, apply Part I. If you are running as non-root in the background, you need to apply the fix in Part II.

Part I

To run an Application Server as a non-root user:

    1. Start the Administrative Server as root.
    2. On the Advanced Tab of the Application Server, change the User ID and Group ID to the <user:group> that the Application Server is to run as.
    3. On the General Tab of the Application Server, change the Standard output and Standard Error path location to a directory for which the run-as user has write permission.
    4. Remove any temporary files that may have been created by previous executions of the Application Server when it was run as a user other than the one that is going to be used now. Look for files in this form:
      /tmp/.asxxxxx
      where xxxxx is a communications queue name used by WebSphere Application Server.
      For example:
      /tmp/.asibmappserve1
      /tmp/.asibmoselink1
    5. The Application Server is now ready to be started.

To run the Administrative Server as a non-root user:

    1. Change permissions on the install directories so that the Administrative Server, running as a non-root user, has access. There are two options for granting the permissions:

      Option One
      Change the owner of all files and directories in the Application Server install directory to the <user:group> that you desire to "run-as."

      Option Two
      Change owner of the following files and directories to the <user:group> that you desire to "run-as."
      $WAS_HOME/logs/*
      $WAS_HOME/properties/*
      $WAS_HOME/tranlog/*
      $WAS_HOME/temp/*
      $WAS_HOME/bin/admin.config
    2. Remove any temporary files that may have been created by previous executions of the Application Server when it was run as a user other than the one that is going to be used now. These files will be in this form:
      /tmp/.asxxxxx
      where xxxxx is a communications queue name used by WebSphere.
      For example:
      /tmp/.asibmappserve1
      /tmp/.asibmoselink1
    3. The bootstrap port value must be 1024 or greater. To override the default value of 900, update the $WAS_HOME/bin/admin.config file and add the following property to specify a new port:
      com.ibm.ejs.sm.adminServer.bootstrapPort=2222
    4. The Administrative Server is now ready to be started with the <user:group> that has been configured.
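
The checks from the Administrative Server steps above can be run as a read-only pre-flight audit before the first non-root start. This is an added example, not IBM-supplied code. The function names are hypothetical, and the queue-file directory defaults to /tmp.

```shell
#!/bin/sh
# Pre-flight audit before starting the Administrative Server as a non-root user.
# Read-only: it reports findings and changes nothing. Function names are hypothetical.

# Owner name of a file, taken from field 3 of `ls -ld`.
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# Effective bootstrap port: last bootstrapPort line in admin.config, else the default 900.
bootstrap_port() {
    port=$(sed -n 's/^[[:space:]]*com\.ibm\.ejs\.sm\.adminServer\.bootstrapPort[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$1" | tail -n 1)
    echo "${port:-900}"
}

# Communications queue files (<tmpdir>/.as*) left behind by a different user.
stale_queue_files() {   # args: tmpdir run-as-user
    for f in "$1"/.as*; do
        [ -e "$f" ] || continue
        [ "$(owner_of "$f")" = "$2" ] || echo "$f"
    done
}

# Option Two paths that are not owned by the run-as user.
wrong_owner() {         # args: was_home run-as-user
    for p in "$1"/logs/* "$1"/properties/* "$1"/tranlog/* "$1"/temp/* "$1"/bin/admin.config; do
        [ -e "$p" ] || continue
        [ "$(owner_of "$p")" = "$2" ] || echo "$p"
    done
}

# Prints one line per finding; returns 0 only when every check passes.
# Paths containing whitespace are not handled by the simple loops below.
preflight() {           # args: was_home run-as-user [tmpdir]
    rc=0
    port=$(bootstrap_port "$1/bin/admin.config")
    if [ "$port" -lt 1024 ]; then echo "bootstrap port $port is below 1024"; rc=1; fi
    for f in $(stale_queue_files "${3:-/tmp}" "$2"); do echo "stale queue file: $f"; rc=1; done
    for p in $(wrong_owner "$1" "$2"); do echo "wrong owner: $p"; rc=1; done
    return $rc
}

# Stand-alone use: sh preflight.sh "$WAS_HOME" <run-as-user> [tmpdir]
if [ $# -ge 2 ]; then preflight "$@"; fi
```

A non-zero exit status means at least one of the ownership, temporary-file, or port steps still needs to be applied.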

To run the Administrative Console as a non-root user:

    1. Change permissions to the following install directories to allow the Administrative Client, "running-as" a non-root user, access:
      1. Change owner of the following directory to the <user:group> that you desire to "run-as"
        $WAS_HOME/bin
      2. Change owner of the following file to the <user:group> that you desire to "run-as"
        $WAS_HOME/properties/sas.client.props
    2. The Administrative Console is now ready to be started with the <user:group> that has been configured.
      If you configure the administrative server to run on a bootstrap port other than the default value of 900, you need to specify the new port value when starting the admin client. The command is:
      adminclient.sh <hostname> <port>

    A Security Consideration

    If WebSphere Security is to be used when running the administrative server as a non-root user, then the Local Operating System cannot be used as the Authentication Mechanism. Instead, use Lightweight Third-Party Authentication (LTPA) with a Lightweight Directory Access Protocol (LDAP) directory server.


PART II

Follow these steps to run WebSphere Application Server in the background as a non-root user:

Change the process priority for the application server:

    1. In the Administrative Console, click the Topology tab and select your Application Server (for example, Default Server).

    2. On the right panel, choose the ADVANCED tab.

    3. Scroll down to PROCESS PRIORITY and change the value from 20 to 28 for AIX®, and from 20 to 24 for Solaris®.

    4. Click Apply.

    How to use:

    Add the parameter com.ibm.ejs.sm.adminServer.processPriority to admin.config and give it the value of the Java™ process priority you want to assign to the administrative server. A value of 28 is recommended for AIX and 24 for Solaris.

    Keep in mind that we are referring to an operating system process priority here and not a Java thread priority. For further details about Java thread priorities, see documentation on the Java class java.lang.Thread.

Restart the administrative server after these changes have been applied.











Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, Servlet Engine/Web Container
Operating system(s): AIX, Solaris, UNIX
Software version: 3.5, 4.0
Software edition: Standard, Advanced
Reference #: 1005677
IBM Group: Software Group
Modified date: 2004-03-08