6.6.a.1: Running the product servers and consoles as non-root

Any application server or administrative server can be run using a non-root ID. The trade-off is that WebSphere security must then use an LDAP directory as its authentication mechanism; the local operating system can no longer be used for authentication.

By default, WebSphere servers use a root ID. Use the instructions below to change the ID. The Java administrative console can be accessed from a non-root ID, provided security permissions are configured appropriately.

Running application servers as non-root

  1. Start the WebSphere administrative server under the root ID.
  2. Start the Java administrative console.
  3. In the tree view, locate and click the application server to display its properties.
  4. In the Advanced properties, modify the User ID and Group ID to be the user and group for the application server to "run as."
  5. In the General properties, modify the standard output and standard error log paths to refer to directories to which the "run as" identity has access.
  6. Remove any temporary files that were created by previous executions of the application server when it was "run as" the previous user ID. The files are of the form:
    /tmp/.asXXXXX
    where XXXXX is a communications queue name used by WebSphere Application Server, such as /tmp/.asibmappserve1
  7. Start the application server, using the new ID.
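A shell helper for steps 5 and 6 above, added here as an example and not part of the InfoCenter page: it removes stale /tmp/.asXXXXX queue files and checks that a log directory is owned by the run-as ID. The directory paths and user name are parameters, so the demonstration runs against a scratch directory rather than the real /tmp.

```shell
#!/bin/sh
# Added example (not from the InfoCenter page): helpers for steps 5 and 6.
# "tmpbase" is a parameter so the script can be exercised against a scratch
# directory; on a real host it would be /tmp.

# Step 6: remove stale /tmp/.asXXXXX queue files left behind by the previous
# run-as ID. Prints the number of files removed.
clean_queue_files() {
    tmpbase=$1
    removed=0
    for f in "$tmpbase"/.as*; do
        [ -e "$f" ] || continue          # glob matched nothing
        rm -f "$f" && removed=$((removed + 1))
    done
    echo "$removed"
}

# Step 5: confirm that a log directory exists and is owned by the run-as user,
# so the server can write its stdout/stderr logs there without root.
# Returns 0 when the directory is usable, 1 otherwise.
check_log_dir() {
    dir=$1; runas=$2
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    owner=$(ls -ld "$dir" | awk '{print $3}')
    [ "$owner" = "$runas" ] || { echo "$dir: owned by $owner, not $runas" >&2; return 1; }
}

# Demonstration on a constructed scratch layout (the real /tmp is not touched).
demo() {
    scratch=$(mktemp -d)
    touch "$scratch/.asibmappserve1" "$scratch/.asadminserv"   # constructed leftovers
    mkdir "$scratch/logs"
    echo "queue files removed: $(clean_queue_files "$scratch")"
    check_log_dir "$scratch/logs" "$(id -un)" && echo "log dir ok"
    rm -rf "$scratch"
}
demo
```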

Running administrative servers as non-root

  1. Change permissions to the product installation directories to allow access to the administrative server when it "runs as" a non-root ID. Do one of the following:
  2. Remove any temporary files that were created by previous executions of the application server when it was "run as" the previous user ID. The files are of the form:
    /tmp/.asXXXXX
    where XXXXX is a communications queue name used by WebSphere Application Server, such as /tmp/.asibmappserve1
  3. Change the bootstrap port of the administrative server to a value greater than or equal to 1024:
    1. Open the administrative configuration file (admin.config) in a text editor.
    2. Add the following:
      com.ibm.ejs.sm.adminServer.bootstrapPort=2222
      where 2222 is just an example of a new port that you might use.

    Changing the bootstrap port affects the administrative clients that connect to the server. See the port administrative overview for details.

    While you are in admin.config, you might want to configure the administrative server to run in the background as non-root.

  4. Start the administrative server, using the new ID.

Running Java administrative consoles as non-root

  1. Change the ownership of the following directories and files to the user and group that you would like the console to "run as":
    product_installation_root/bin
    product_installation_root/properties/sas.client.props
  2. Make sure the user has permission to access the secured administrative account.

What you should know about running as non-root on Solaris: ndd

On Solaris, the "ndd" commands in the administrative server startupServer.sh script need to be commented out unless you are running as root.

If an "ndd" command is executed by a non-root user, the following error message is written to stdout or stderr:

operation failed, Not owner

The "ndd" command dynamically adjusts certain IP stack parameters. It operates on kernel-level device settings, which only root can change; hence the error message.

The workaround is to either run the administrative server as root or edit the startupServer.sh script, commenting out the ndd command.

It is still strongly recommended that the TCP parameter changes that the "ndd" command makes be applied by root on all machines running the application server and Web server (in case they are not the same machine).

Effects on other components and configurations

Before changing an ID, consider the implications for other components. For example, the following steps are necessary to configure the thin servlet redirector:

  • Make sure the bootstrapPort entry in iiopredirector.xml reflects the new value, rather than the default value of 900.
  • If using the thin servlet redirector, you will have configured a shell script for generating the plug-in configuration on the Web server machine. To this file, add a statement specifying the name service port:
    1. Open the file in a text editor.
    2. Locate the java command at the bottom of the file. It begins:
      java com.ibm.servlet.engine.oselistener.systemsmgmt.StandalonePluginCfg ... 

      Notice the java command has some arguments, each of which starts with a dash ("-").
    3. Add the following argument to the end of the command:
      -nameServicePort xxxx
      where xxxx is the same number you specified as the bootstrapPort in the above OSE configuration procedure.
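An added example, not from the InfoCenter page, that records the bootstrap port in admin.config (step 3 of the administrative-server procedure) and checks it against the -nameServicePort argument in the plug-in generation script; file paths are parameters and the demonstration uses constructed copies of both files.

```shell
#!/bin/sh
# Added example (not from the InfoCenter page): keep the non-root bootstrap port
# in admin.config and the -nameServicePort argument of the plug-in generation
# script in agreement. File paths are parameters so scratch copies can be used.

KEY=com.ibm.ejs.sm.adminServer.bootstrapPort

# Set (or replace) the bootstrapPort property. Rejects non-numeric values and
# ports below 1024, which a non-root ID cannot bind.
set_bootstrap_port() {
    cfg=$1; port=$2
    case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1;; esac
    [ "$port" -ge 1024 ] || { echo "port $port is below 1024 and needs root" >&2; return 1; }
    awk -v k="$KEY=" 'index($0, k) != 1' "$cfg" > "$cfg.new"   # drop any old setting
    echo "$KEY=$port" >> "$cfg.new"
    mv "$cfg.new" "$cfg"
}

# Print the configured bootstrap port, or 900 (the default named above) if unset.
get_bootstrap_port() {
    v=$(awk -v k="$KEY=" 'index($0, k) == 1 { print substr($0, length(k) + 1) }' "$1" | tail -n 1)
    echo "${v:-900}"
}

# Check that the plug-in generation script passes the same port via
# -nameServicePort. Returns 0 when the two values agree.
check_name_service_port() {
    cfg=$1; script=$2
    want=$(get_bootstrap_port "$cfg")
    got=$(awk '{ for (i = 1; i < NF; i++) if ($i == "-nameServicePort") print $(i + 1) }' "$script" | tail -n 1)
    [ "$got" = "$want" ] || { echo "bootstrapPort=$want but -nameServicePort=${got:-missing}" >&2; return 1; }
}

# Demonstration on constructed copies of admin.config and the plug-in script.
demo() {
    d=$(mktemp -d)
    printf '# constructed admin.config\nsome.other.property=1\n' > "$d/admin.config"
    printf 'java com.ibm.servlet.engine.oselistener.systemsmgmt.StandalonePluginCfg -nameServicePort 2222\n' > "$d/plugincfg.sh"
    set_bootstrap_port "$d/admin.config" 2222
    echo "bootstrapPort now $(get_bootstrap_port "$d/admin.config")"
    check_name_service_port "$d/admin.config" "$d/plugincfg.sh" && echo "redirector port agrees"
    rm -rf "$d"
}
demo
```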

Problems and symptoms based on running as non-root incorrectly

The following problems indicate the need to review the above instructions to ensure that your configuration is correct for running as non-root.

  • When running a servlet, the following message is displayed in the Web browser:
    Server internal error

    Then the following message is displayed in your_server-stderr.log:

    open_unix_domain_server_socket_listener - bind/listen: The socket name
    isalready in use.
    com.ibm.servlet.engine.oselistener.outofproc.ServerQueueException:EError:
    create_server 2

  • The following error message is displayed when trying to start the administrative server as non-root on Solaris:
    $ ./startupServer.sh operation failed,Not owner

Cases in which you must run the server as root

The administrative and application servers must be running as root if:

  • You are using the thin servlet redirector configuration

On UNIX-based systems, a secured Java console must be operated using a root ID when the authentication mechanism for WebSphere security is the operating system. If using an LDAP directory service, the console can be run as non-root.

Go to previous article: Administering network configurations Go to next article: Starting and stopping servers