By default, each base WebSphere Application Server server on Linux and UNIX platforms uses the root user ID to run all application server processes. However, you can run all application server processes under the same non-root user and user group. This task describes how to run an application server process as a non-root user.
Before you begin
If global security is enabled, the user registry must not be Local OS. Using the Local OS user registry requires the application server to run as root. Refer to Local operating system user registries for details.
If you are using the Tivoli Access Manager (TAM) to perform authentication or authorization for WebSphere Application Server, it is important to be aware of potential permissions problems. For more information, see Tivoli Access Manager JACC provider configuration.
When WebSphere Application Server is run as a UNIX user, it can only access files owned by its primary group. If it tries to access files through its secondary group, a java.io.FileNotFoundException occurs because the file access permissions do not allow this type of access.
Why and when to perform this task
Run your application servers as non-root when you no longer want to use root authority. For security or administrative reasons, you may want to change to non-root user IDs. Perform this task at any time to change the permissions of an application server. You must restart the application server in order for the changes to take effect.
For information about creating a profile, see wasprofile command.
To configure an application server to run as non-root, complete the following steps.
Steps for this task
startServer.sh server1
Property | Value |
---|---|
Run As User | was1 |
Run As Group | wasgroup |
UMASK | 022 The value 022 means the files the process creates are writable by the group and by others as defined on the Linux or UNIX platforms. |
stopServer.sh server1
chgrp wasgroup /opt/WebSphere
chgrp wasgroup /opt/WebSphere/AppServer
chgrp -R wasgroup /opt/WebSphere/AppServer/cloudscape
chgrp -R wasgroup /opt/WebSphere/AppServer/profiles/nodeProfile1
chmod g+wr /opt/WebSphere
chmod g+wr /opt/WebSphere/AppServer
chmod -R g+wr /opt/WebSphere/AppServer/cloudscape
chmod -R g+wr /opt/WebSphere/AppServer/recoveryLogs
chmod -R g+wr /opt/WebSphere/AppServer/profiles/nodeProfile1
startServer.sh server1
The two user IDs must share the same group, wasgroup.
Result
You can start an application server from a non-root user.
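The group ownership and mode changes made in the steps above can be checked before the server is restarted. The following shell functions are an added example, not part of the IBM procedure: the function names and the optional root-path argument are assumptions for illustration, and the directory names are the ones used on this page.

```shell
#!/bin/sh
# Added example (not IBM's code): list the paths the non-root server's group
# could not read and write after the chgrp/chmod commands above.

# audit_path GROUP PATH [-R]
# Prints entries not owned by GROUP or missing group read+write (bits 060).
# Without -R only PATH itself is tested, like the non-recursive commands.
audit_path() {
    if [ "${3:-}" = "-R" ]; then
        # Symbolic links are skipped: their own mode bits are not meaningful.
        find "$2" ! -type l \( ! -group "$1" -o ! -perm -060 \) -print
    else
        find "$2" -prune \( ! -group "$1" -o ! -perm -060 \) -print
    fi
}

# count_violations GROUP PATH [-R]: number of offending entries.
count_violations() {
    audit_path "$@" | wc -l | tr -d ' '
}

# audit_was GROUP [ROOT]: check every path named in the procedure and print
# the total number of offending entries. ROOT defaults to /opt/WebSphere;
# the override is an assumption of this example so it can run on a copy.
audit_was() {
    was_group=$1
    was_root=${2:-/opt/WebSphere}
    bad=0
    # Each spec is "relative path:flag"; an empty flag means non-recursive.
    for spec in ":" "AppServer:" "AppServer/cloudscape:-R" \
                "AppServer/recoveryLogs:-R" "AppServer/profiles/nodeProfile1:-R"
    do
        rel=${spec%%:*}; flag=${spec#*:}
        # $flag is left unquoted on purpose so an empty flag adds no argument.
        n=$(count_violations "$was_group" "$was_root/$rel" $flag)
        [ "$n" -eq 0 ] || echo "$was_root/$rel: $n entries not usable by $was_group" >&2
        bad=$((bad + n))
    done
    echo "$bad"
}

# Typical call while the server is stopped: audit_was "$(id -gn was1)"
```

The page runs chmod but no chgrp on recoveryLogs, so entries reported under that directory show that its group owner is not the group being audited.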