6.6.a.1: Running the product servers and consoles as non-root
Any application server or administrative server can be run under a non-root ID.
The tradeoff is that you must use an LDAP directory as the authentication
mechanism for WebSphere security; you can no longer use the local operating system.

By default, WebSphere servers run under the root ID. Use the instructions below to change the ID.
The Java administrative console can be accessed from a non-root ID, provided security permissions
are configured appropriately.
- Start the WebSphere administrative server under the root ID.
- Start the Java administrative console.
- In the tree view, locate and click the application server to display its properties.
- In the Advanced properties, modify the User ID and Group ID to be the user and group
  for the application server to "run as."
- In the General properties, modify the standard output and standard error log paths
  to refer to directories to which the "run as" identity has access.
- Remove any temporary files that were created by previous executions of the application
  server when it was "run as" the previous user ID. The files are of the form:
      /tmp/.asXXXXX
  where XXXXX is a communications queue name used by WebSphere Application Server, such as
      /tmp/.asibmappserve1
- Start the application server, using the new ID.
- Change permissions to the product installation directories to
  allow access to the administrative server when it "runs as" a non-root ID.
  Do one of the following:
    - Remove any temporary files that were created by previous executions of the application
      server when it was "run as" the previous user ID. The files are of the form:
          /tmp/.asXXXXX
      where XXXXX is a communications queue name used by WebSphere Application Server, such as
          /tmp/.asibmappserve1
    - Change the bootstrap port of the administrative server to a value greater than or equal
      to 1024 (ports below 1024 can only be bound by root):
        - Open the administrative configuration file (admin.config) in a text editor.
        - Add the following:
              com.ibm.ejs.sm.adminServer.bootstrapPort=2222
          where 2222 is just an example of a new port that you might use.
      Changing the bootstrap port affects the administrative clients that connect to the server.
      See the port administrative overview for details.
      While you are in admin.config, you might want
      to configure the administrative server to run in the background as non-root.
- Start the administrative server, using the new ID.
- Change the ownership of the following directories and files
  to the user and group that you would like the console to "run as":
      product_installation_root/bin
      product_installation_root/properties/sas.client.props
- Make sure the user has permission to access the secured administrative account.
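The three conditions the steps above ask you to verify by hand (no leftover /tmp/.as* queue files owned by the previous run-as ID, a bootstrap port of 1024 or above in admin.config, and ownership of bin and properties/sas.client.props) can be checked with a small preflight script before starting a server under the new ID. The script below is an added example and is not code from the InfoCenter page or from IBM. It assumes user IDs are given numerically (as chown accepts them), and the sandbox it builds is constructed sample data; placing admin.config under bin/ in that sandbox is an assumption made only for the demo.

```shell
#!/bin/sh
# Added example (not IBM's code): preflight checks for a non-root WebSphere start.
# Assumptions: run-as IDs are numeric UIDs; make_sandbox builds constructed
# sample data standing in for /tmp and product_installation_root.

# Owner UID of a path, portably: ls -n prints numeric IDs, field 3 is the owner.
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# Report /tmp/.as* queue files not owned by the run-as UID. A file left by a
# run under another ID causes the "socket name is already in use" error.
# Returns 0 when none are found, 1 otherwise.
find_stale_queue_files() {
    tmpdir="$1"; runas_uid="$2"; stale=0
    for f in "$tmpdir"/.as*; do
        [ -e "$f" ] || continue           # no match: skip the literal pattern
        uid=$(owner_uid "$f")
        if [ "$uid" != "$runas_uid" ]; then
            echo "stale queue file $f (owner uid $uid, expected $runas_uid); remove it"
            stale=1
        fi
    done
    return $stale
}

# The administrative server's bootstrap port must be >= 1024 for a non-root ID,
# because only root can bind ports below 1024. Reads the last
# com.ibm.ejs.sm.adminServer.bootstrapPort line from admin.config.
bootstrap_port_ok() {
    cfg="$1"
    port=$(sed -n 's/^com\.ibm\.ejs\.sm\.adminServer\.bootstrapPort=\([0-9][0-9]*\).*/\1/p' "$cfg" | tail -n 1)
    if [ -z "$port" ]; then
        echo "bootstrapPort not set in $cfg; add com.ibm.ejs.sm.adminServer.bootstrapPort=<port >= 1024>"
        return 1
    fi
    if [ "$port" -lt 1024 ]; then
        echo "bootstrapPort $port is privileged; use a value >= 1024"
        return 1
    fi
    return 0
}

# The console's run-as UID must own product_installation_root/bin and
# product_installation_root/properties/sas.client.props.
ownership_ok() {
    root="$1"; runas_uid="$2"; ok=0
    for p in "$root/bin" "$root/properties/sas.client.props"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; ok=1; continue
        fi
        uid=$(owner_uid "$p")
        if [ "$uid" != "$runas_uid" ]; then
            echo "$p owned by uid $uid, expected $runas_uid (chown -R $runas_uid $p)"
            ok=1
        fi
    done
    return $ok
}

# Constructed sandbox standing in for /tmp and product_installation_root.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/tmp" "$sb/install/bin" "$sb/install/properties"
    : > "$sb/tmp/.asibmappserve1"                 # the page's example queue file
    : > "$sb/install/properties/sas.client.props"
    printf 'com.ibm.ejs.sm.adminServer.bootstrapPort=2222\n' > "$sb/install/bin/admin.config"
    echo "$sb"
}

# Run all checks for one run-as UID and print a summary; returns 0 only if all pass.
preflight() {
    sb="$1"; uid="$2"; rc=0
    find_stale_queue_files "$sb/tmp" "$uid" || rc=1
    bootstrap_port_ok "$sb/install/bin/admin.config" || rc=1
    ownership_ok "$sb/install" "$uid" || rc=1
    [ "$rc" -eq 0 ] && echo "preflight passed for uid $uid" || echo "preflight failed for uid $uid"
    return $rc
}

SANDBOX=$(make_sandbox)
preflight "$SANDBOX" "$(id -u)"              # passes: everything is owned by us
preflight "$SANDBOX" "$(( $(id -u) + 1 ))"   # fails: simulates a different run-as ID
```

Against a real installation, point the checks at /tmp and product_installation_root and pass the UID you configured as the "run as" identity; each failing check names the file or setting that the corresponding step above tells you to fix.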
On Solaris, the "ndd" commands in the administrative server startupServer.sh script
need to be commented out unless you are running as root.
If an "ndd" command is executed by a non-root user, the following error
message is written to stdout or stderr:
    operation failed, Not owner
The ndd command dynamically adjusts certain IP stack parameters.
It operates on kernel-level device settings, which only root can change;
hence the error message.
The workaround is either to run the administrative server as root or to edit
the startupServer.sh script, commenting out the ndd command.
It is still strongly recommended that the TCP parameter changes that
the "ndd" command makes be applied by root on all machines running the application
server and Web server (in case they are not the same box).
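Rather than commenting the ndd lines out by hand (which also disables them for root), the script can be rewritten so that each ndd invocation is skipped unless the effective UID is 0: run as root the TCP tuning is still applied, as recommended above, and run as a non-root ID the lines no longer fail with "Not owner". The rewrite below is an added example and is not IBM's startupServer.sh or any part of the product. It assumes each ndd command starts its own line, optionally with a leading path such as /usr/sbin/ndd, and leaves lines that are already commented out or already guarded unchanged; the sample script it processes is constructed, and its ndd parameter names are illustrative only.

```shell
#!/bin/sh
# Added example (not IBM's script): guard ndd invocations in a startup script so
# they run only when the effective UID is 0.
# Assumption: each ndd command starts its own line (whitespace and an optional
# path prefix allowed); commented and already-guarded lines are left alone.

guard_ndd() {
    # \1 = leading whitespace, \2 = the ndd command line itself
    sed 's|^\([[:space:]]*\)\(\([^[:space:]]*/\)*ndd[[:space:]].*\)$|\1[ "$(id -u)" -eq 0 ] \&\& \2|' "$1"
}

# Number of guarded ndd lines in a script, for checking the rewrite.
count_guarded() {
    grep -c -F '[ "$(id -u)" -eq 0 ] && ' "$1" || true
}

# Constructed sample script; parameter names are illustrative and are not
# what the product's startupServer.sh contains.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#!/bin/sh
ndd -set /dev/tcp tcp_conn_req_max_q 1024
    /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 1024
# ndd -set /dev/tcp tcp_time_wait_interval 60000   (already commented out)
echo "starting administrative server"
EOF

GUARDED=$(mktemp)
guard_ndd "$SAMPLE" > "$GUARDED"
cat "$GUARDED"
```

Because the guard uses `&&` rather than `if`, a false root test does not abort a script run under `set -e`; running the rewrite a second time changes nothing, since guarded lines no longer begin with ndd.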
The following problems indicate the need to review the above instructions
to ensure that your configuration is correct for running as non-root.
- When running a servlet, the following message is displayed in the Web browser:
      Server internal error
  and the following message is displayed in your_server-stderr.log:
      open_unix_domain_server_socket_listener - bind/listen: The socket name
      is already in use.
      com.ibm.servlet.engine.oselistener.outofproc.ServerQueueException: Error:
      create_server 2
- The following error message is displayed when you try to start the administrative
  server as non-root on Solaris:
      $ ./startupServer.sh
      operation failed, Not owner
The administrative and application servers must be running as root if:
- You are using the thin servlet redirector configuration
On UNIX-based systems, a secured Java console must be operated
using a root ID when the authentication mechanism for WebSphere
security is the operating system. If using an LDAP directory service,
the console can be run as non-root.