Running an Application Server from a non-root user ID and the nodeagent from root

By default, each base WebSphere Application Server node on a Linux and UNIX platform uses the root user to run Application Servers. You can instead use a non-root user ID to run Application Servers, but that ID must be part of the primary group. This task describes how to configure an Application Server to run from a non-root user ID while letting the nodeagent process and the jmsserver process run as root.

Before you begin

If global security is enabled, using the Local OS as the user registry is not recommended. In general, using the Local OS user registry requires that all processes run as root. Refer to Local operating system user registries for details.

Why and when to perform this task

You can run Application Servers under a non-root user ID by setting all the Application Servers to run under the same operating system group. If you are running the JMS provider that WebSphere Application Server provides, add the jmsserver server to the mqm group to allow jmsserver to start the message queue. If you are not running jmsserver, you can use a group other than mqm in the following steps.

Steps for this task

  1. Log on to the Application Server system as root.
  2. Create the was1 user that you can use to run the Application Server.
  3. Add user was1 to the primary group.
  4. Add user root to the mqm group.
  5. Log off and back on.
  6. Log on to the Network Deployment system as root.
  7. If it is not started, start the deployment manager process with the startManager.sh script from the /bin directory of the installation root:
    startManager.sh
  8. Configure Application Server properties for the root and was1 users.
    Use the administrative console on the deployment manager to complete the following steps:
    1. Define the nodeagent to run as a root process.
      You must define all three properties in the following table. Click System Administration > Node Agents > nodeagent (for the node) > Process Definition > Process Execution and change all of the following values:
      Property        Value
      Run As User     root
      Run As Group    mqm
      UMASK           002


    2. Define each Application Server to run as a was1 process. Substitute the name of each server for server1.
      You must define all three properties in the following table. Click Servers > Application Servers > server1 > Process Definition > Process Execution and change all of the following values:
      Property        Value
      Run As User     was1
      Run As Group    mqm
      UMASK           002


    3. If running the JMS provider that WebSphere Application Server provides, define the jmsserver process to run as a root process.
      You must define all three properties in the following table. Click Servers > JMS Servers > jmsserver (for the node) > Process Definition > Process Execution and change all of the following values:
      Property        Value
      Run As User     root
      Run As Group    mqm
      UMASK           002


    4. Save and synchronize all nodes.
  9. Log on to the Application Server system as root.
  10. Ensure that all servers on the Application Server system are stopped, including the server1 and jmsserver processes.
    Use the stopServer.sh script from the /bin directory of the installation root:
    
    stopServer.sh server1
    stopServer.sh jmsserver
  11. Ensure that the nodeagent process is stopped.
    Use the stopNode.sh script from the /bin directory of the installation root:
    stopNode.sh
  12. [Version 5.0.2] As root, use operating system tools to change file permissions on the Application Server system.
    The following example assumes that the installation root directory of the WebSphere Application Server is /opt/WebSphere/AppServer.

    Note: When you use the chown command to change the owner of JSPs that are already compiled and reside in the temp directory, the CPU does not have to continuously recompile these JSPs. If you do not issue this command, you should delete the application temp directory to lower CPU usage.

    chown root:mqm /opt/WebSphere/AppServer/temp
    chgrp mqm /opt/WebSphere
    chgrp mqm /opt/WebSphere/AppServer
    chgrp -R mqm /opt/WebSphere/AppServer/config
    chgrp -R mqm /opt/WebSphere/AppServer/logs
    chgrp -R mqm /opt/WebSphere/AppServer/properties
    chgrp -R mqm /opt/WebSphere/AppServer/wstemp
    chgrp -R mqm /opt/WebSphere/AppServer/installedApps
    chgrp -R mqm /opt/WebSphere/AppServer/temp
    chgrp -R mqm /opt/WebSphere/AppServer/tranlog
    chgrp -R mqm /opt/WebSphere/AppServer/cloudscape
    chgrp -R mqm /opt/WebSphere/AppServer/bin/DefaultDB
    chmod g+wr /opt/WebSphere
    chmod g+wr /opt/WebSphere/AppServer
    chmod -R g+wr /opt/WebSphere/AppServer/config
    chmod -R g+wr /opt/WebSphere/AppServer/logs
    chmod -R g+wr /opt/WebSphere/AppServer/properties
    chmod -R g+wr /opt/WebSphere/AppServer/wstemp
    chmod -R g+wr /opt/WebSphere/AppServer/installedApps
    chmod -R g+wr /opt/WebSphere/AppServer/temp
    chmod -R g+wr /opt/WebSphere/AppServer/tranlog
    chmod -R g+wr /opt/WebSphere/AppServer/cloudscape
    chmod -R g+wr /opt/WebSphere/AppServer/bin/DefaultDB
    
  13. Start the nodeagent process from root.
    Use the startNode.sh script from the /bin directory of the installation root:
    startNode.sh
  14. Start the jmsserver process from root.
    Use the startServer.sh script from the /bin directory of the installation root:
    startServer.sh jmsserver
  15. Log on to the Application Server system as the was1 user.
  16. Start all Application Servers from the was1 user.
    Use the startServer.sh script from the /bin directory of the installation root:
    startServer.sh server1
  17. If you are running the JMS provider that WebSphere Application Server provides, verify that the queue manager is running:
    Run the dspmq.sh script from the /bin directory of the installation root:
    dspmq.sh

    The name of the queue is WAS_wasnode_jmsserver.
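
To confirm that the permission changes in step 12 took effect, the following added example (not IBM's code) audits the directories that the step changes recursively. It reports any entry whose group is not the expected one or that lacks group read and write, and it also flags world-writable entries, a check this page does not cover. The function names and the WAS_ROOT and WAS_GROUP variables are assumptions; their defaults are the values used in step 12.

```shell
#!/bin/sh
# Added example: audit the result of step 12. Not part of the product.
# Defaults are the installation root and group used in the step 12 example.
WAS_ROOT="${WAS_ROOT:-/opt/WebSphere/AppServer}"
WAS_GROUP="${WAS_GROUP:-mqm}"

# Subdirectories that step 12 changes with chgrp -R and chmod -R g+wr.
WAS_SUBDIRS="config logs properties wstemp installedApps temp tranlog cloudscape bin/DefaultDB"

# Print paths under $1 whose group is not $2 or that lack group read+write.
# Symbolic links are skipped because their own mode bits are not meaningful.
list_wrong_group_access() {
    find "$1" ! -type l \( ! -group "$2" -o ! -perm -060 \) -print 2>/dev/null
}

# Print paths under $1 that are world-writable (extra check, not in the page).
list_world_writable() {
    find "$1" ! -type l -perm -002 -print 2>/dev/null
}

# audit_was_tree ROOT GROUP
# Prints one line per finding and returns 1 if anything was found, else 0.
audit_was_tree() {
    root=$1; group=$2; rc=0
    for sub in $WAS_SUBDIRS; do
        dir="$root/$sub"
        if [ ! -d "$dir" ]; then
            echo "SKIP  $dir (not present)"
            continue
        fi
        bad=$(list_wrong_group_access "$dir" "$group")
        ww=$(list_world_writable "$dir")
        if [ -n "$bad" ]; then
            printf '%s\n' "$bad" | sed 's/^/GROUP /'; rc=1
        fi
        if [ -n "$ww" ]; then
            printf '%s\n' "$ww" | sed 's/^/WORLD /'; rc=1
        fi
    done
    return $rc
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "audit" ]; then audit_was_tree "$WAS_ROOT" "$WAS_GROUP"; fi
```

Run the script with the argument audit as root after step 12 and again after the servers have been running for a while: with UMASK 002, files that the was1 and root processes create should still pass the audit.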

Results

You can start an Application Server from a non-root user and run the nodeagent and jmsserver as root.

Related tasks
Running the deployment manager with a non-root user ID
Running an Application Server and node agent from a non-root user
Managing application servers
Starting servers
Using the administrative console
Managing using command line tools



Searchable topic ID:   trun_svr_msg_nonroot
Last updated: Jun 21, 2007 4:55:42 PM CDT    WebSphere Application Server Network Deployment, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/trun_svr_msg_nonroot.html
