By default, each base WebSphere Application Server node on a Linux
and UNIX platform uses the root user to run application servers. However,
you can use a non-root user to run application servers. This task describes
how to configure an application server to run as non-root while letting the
node agent process run as root.
Before you begin
If global security is enabled, using the Local OS user registry is not
recommended, because the Local OS user registry generally requires that all
processes run as root. Refer to Local operating system user registries for
details. If you are attempting to run an application server as root in
WebSphere Application Server Version 6.x when you previously used a non-root
user ID on Linux and UNIX platforms in Version 5.x, see Migrating a previously
non-root configuration to root.
About this task
You can run application servers under a non-root user ID by configuring all
of the application servers to run under the same operating system group. Run
your application servers as non-root when you no longer want them to hold
root authority; for security or administrative reasons, you may want to change
to non-root user IDs. You can perform this task at any time to change the
permissions of an application server. You must restart the application servers
for the changes to take effect.
Important: If you are using the Tivoli Access Manager to perform
authentication or authorization for WebSphere Application Server, it is
important to be aware of potential permissions problems. For more information,
see Tivoli Access Manager JACC provider configuration.
Procedure
- Log on to the Application Server system as root.
- Create the was1 user and the wasgroup group
that you can use to run the application server. If you will be using peer
recovery with your transaction logs on a shared system (such as NAS), between
two or more machines, create users and groups with the same identification
numbers on all machines participating in peer recovery. This ensures that
the non-root users and groups match across machines.
- Add the root and was1 users to the wasgroup group.
- Log off and back on.
- Log on to the Network Deployment system as root.
- Start the deployment manager if it is not already running.
Use the startManager script from the /bin directory
of the installation root.
- Configure application server properties for the root and was1 users. Use
the administrative console on the deployment manager to complete the following
steps:
- Define the node agent to run as a root process. You must define all three
properties in the following table. Click System Administration > Node agents
> node_agent, and then under Server Infrastructure, click Java and Process
Management > Process Definition > Process Execution, and change all of the
following values:
Property | Value
Run As User | root
Run As Group | wasgroup
UMASK | 002
- Define each application server to run as a was1 process. Substitute the
name of each server for server1. You must define all three properties in the
following table. Click Servers > Application Servers > server1, and then under
Server Infrastructure, click Java and Process Management > Process Definition
> Process Execution, and change all of the following values:
Property | Value
Run As User | was1
Run As Group | wasgroup
UMASK | 002
The value 002 is a umask: it removes write permission for others, so files
the process creates are writable by the owner and by the group (wasgroup) but
only readable by others, following the standard Linux and UNIX umask rules.
- Save and synchronize all nodes.
- Log on to the Application Server system as root.
- Ensure that all servers on the Application Server system are stopped,
including the server1 process. Use the stopServer script
from the /bin directory of the installation root:
stopServer_command server1 -user userID -password password
- Ensure that the node agent process is stopped.
Use the stopNode script from the /bin directory
of the installation root:
stopNode_command -user userID -password password
- As root, use operating system tools to change
file permissions on the Application Server system files the node agent accesses.
For example, you might need to issue some
of the following commands:
chgrp wasgroup /opt/WebSphere
chgrp wasgroup /opt/WebSphere/AppServer
chgrp -R wasgroup /opt/WebSphere/AppServer/profiles
chgrp -R wasgroup /opt/WebSphere/AppServer/cloudscape
chgrp -R wasgroup /opt/WebSphere/AppServer/profiles/nodeProfile1
chgrp -R wasgroup /opt/WebSphere/AppServer/profiles/nodeProfile1/installedFilters
chmod g+wr /opt/WebSphere
chmod g+wr /opt/WebSphere/AppServer
chmod -R g+wr /opt/WebSphere/AppServer/profiles
chmod -R g+wr /opt/WebSphere/AppServer/cloudscape
chmod -R g+wr /opt/WebSphere/AppServer/profiles/nodeProfile1
chmod -R g+wr /opt/WebSphere/AppServer/profiles/nodeProfile1/installedFilters
- Start the node agent process as root. Use the startNode script from the
/bin directory of the installation root.
- Log on to the Application Server system as the was1 user.
- Start all application servers as the was1 user. Use the startServer script
from the /bin directory of the installation root.
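The following script is an added example and is not part of the WebSphere
documentation or product. It packages the chgrp/chmod step from the procedure
as a function, adds the check a practitioner wants before switching the servers
to was1 (every file under the profile tree is owned by wasgroup and is
group-readable and group-writable), and shows concretely what the UMASK value
002 does to files a process creates. The directory, group name and the
function names are assumptions for illustration; run it against the real
installation root and wasgroup only as root, after the servers and node agent
are stopped.

```shell
#!/bin/sh
# Added example, not IBM's code. Assumes POSIX sh with chgrp, chmod, find,
# ls and mktemp, and that the caller is allowed to chgrp to GROUP (root, or
# a member of GROUP that owns the files).

# apply_group_access DIR GROUP
# Same effect as the documented "chgrp -R wasgroup DIR; chmod -R g+wr DIR".
apply_group_access() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir" && chmod -R g+rw "$dir"
}

# verify_group_access DIR GROUP
# Returns 0 if every file and directory under DIR is owned by GROUP and is
# group-readable (040) and group-writable (020). Otherwise prints each
# offending path and returns 1. Run this before starting servers as was1:
# a file the node agent (root) created with the wrong group is exactly what
# makes the non-root server fail at startup.
verify_group_access() {
    dir=$1; group=$2
    bad=$(find "$dir" ! \( -group "$group" -perm -040 -perm -020 \) -print)
    if [ -n "$bad" ]; then
        printf 'not group-accessible by %s:\n%s\n' "$group" "$bad"
        return 1
    fi
    return 0
}

# world_writable DIR
# Lists anything under DIR that others can write to (002). With UMASK 002 on
# both the node agent and the servers, this should print nothing.
world_writable() {
    find "$1" -perm -002 -print
}

# mode_of_new_file UMASK
# Creates a file in a scratch directory under the given umask and prints its
# symbolic permission bits, e.g. "rw-rw-r--" for umask 002: owner and group
# may write, others may only read. Illustrates the UMASK property above.
mode_of_new_file() {
    um=$1
    scratch=$(mktemp -d) || return 1
    ( umask "$um"; : > "$scratch/f" )
    ls -l "$scratch/f" | cut -c2-10
    rm -rf "$scratch"
}

# Usage: sh was-perms.sh /opt/WebSphere/AppServer/profiles wasgroup
# (hypothetical script name; the path and group are from the procedure above)
if [ "$#" -ge 2 ]; then
    apply_group_access "$1" "$2"
    verify_group_access "$1" "$2" && echo "group access OK for $2 on $1"
    echo "world-writable entries (expected: none):"
    world_writable "$1"
    echo "mode of a file created under umask 002: $(mode_of_new_file 002)"
fi
```

The find expression in verify_group_access is the negation of the three
conditions the procedure establishes, so it reports the root of the tree as
well as its contents; run it again after the node agent has started once,
because files the agent creates as root inherit its Run As Group and UMASK
settings rather than the chgrp/chmod you applied by hand.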
Results
You can start an application server from a non-root user and run the
node agent as root.