WebSphere Application Server Network Deployment, Version 6.0.x   Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Running an application server from a non-root user and the node agent from root

By default, each base WebSphere Application Server node on a Linux and UNIX platform uses the root user to run application servers. However, you can use a non-root user to run application servers. This task describes how to configure an application server to run as non-root while letting the node agent process run as root.

Before you begin

If global security is enabled, it is not recommended that the Local OS be used for the user registry. In general, using the Local OS user registry requires that all processes run as root. Refer to Local operating system user registries for details. If you are attempting to run an application server as root in WebSphere Application Server Version 6.x when you previously used a non-root user ID on Linux and UNIX platforms in Version 5.x, see Migrating a previously non-root configuration to root.

About this task

You can run application servers under a non-root user ID by configuring all of the application servers to run under the same operating system group. Run your application servers as non-root when you no longer want to use root authority. For security or administrative reasons, you may want to change to non-root user IDs. Perform this task at any time to change the permissions of an application server. You must restart the application servers in order for the changes to take effect.
Important: If you are using the Tivoli Access Manager to perform authentication or authorization for WebSphere Application Server, it is important to be aware of potential permissions problems. For more information, see Tivoli Access Manager JACC provider configuration.

Procedure

  1. Log on to the Application Server system as root.
  2. Create the was1 user and the wasgroup group that you can use to run the application server. If you will be using peer recovery with your transaction logs on a shared system (such as NAS), between two or more machines, create users and groups with the same identification numbers on all machines participating in peer recovery. This ensures that the non-root users and groups match across machines.
  3. Add the users root and was1 to the wasgroup group.
  4. Log off and back on.
  5. Log on to the Network Deployment system as root.
  6. Start the deployment manager if it is not already running.

    Use the startManager script from the /bin directory of the installation root.

  7. Configure application server properties for the root and was1 users. Use the administrative console on the deployment manager to complete the following steps:
    1. Define the node agent to run as a root process. You must define all three properties in the following table. Click System Administration > Node agents > node_agent, and then under Server Infrastructure, click Java and Process Management > Process Definition > Process Execution, and change all of the following values:
      Property       Value
      Run As User    root
      Run As Group   wasgroup
      UMASK          002
    2. Define each application server to run as a was1 process. Substitute the name of each server for server1. You must define all three properties in the following table. Click Servers > Application Servers > server1, and then under Server Infrastructure, click Java and Process Management > Process Definition > Process Execution, and change all of the following values:
      Property       Value
      Run As User    was1
      Run As Group   wasgroup
      UMASK          002

      The value 002 means the files the process creates are writable by the group and by others as defined on Linux and UNIX platforms.

    3. Save and synchronize all nodes.
  8. Log on to the Application Server system as root.
  9. Ensure that all servers on the Application Server system are stopped, including the server1 process. Use the stopServer script from the /bin directory of the installation root:
    stopServer_command server1 -user userID -password password
    
  10. Ensure that the node agent process is stopped. Use the stopNode script from the /bin directory of the installation root:
    stopNode_command -user userID -password password
  11. As root, use operating system tools to change file permissions on the Application Server system files the node agent accesses.
    For example, you might need to issue some of the following commands:
    chgrp wasgroup /opt/WebSphere
    chgrp wasgroup /opt/WebSphere/AppServer
    chgrp -R wasgroup  /opt/WebSphere/AppServer/profiles
    chgrp -R wasgroup  /opt/WebSphere/AppServer/cloudscape
    chgrp -R wasgroup  /opt/WebSphere/AppServer/profiles/nodeProfile1
    chgrp -R wasgroup  /opt/WebSphere/AppServer/profiles/nodeProfile1/installedFilters
    
    chmod g+wr  /opt/WebSphere
    chmod g+wr  /opt/WebSphere/AppServer
    chmod -R g+wr  /opt/WebSphere/AppServer/profiles
    chmod -R g+wr  /opt/WebSphere/AppServer/cloudscape
    chmod -R g+wr  /opt/WebSphere/AppServer/profiles/nodeProfile1
    chmod -R g+wr  /opt/WebSphere/AppServer/profiles/nodeProfile1/installedFilters
    
  12. Start the node agent process from root. Use the startNode script from the /bin directory of the installation root:
  13. Log on to the Application Server system as the was1 user.
  14. Start all application servers from the was1 user. Use the startServer script from the /bin directory of the installation root:
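The following script is an added example, not IBM's code or part of the product: it applies and then verifies the group ownership and group read/write state that step 11 requires before the tree is handed to the was1 user, and shows the modes that the UMASK 002 setting from step 7 produces on new files and directories. The group name and tree root are parameters; wasgroup and the /opt/WebSphere paths are only the example values used on this page.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumes POSIX sh with find, ls, cut, tr, wc.

# mode_string PATH: the 10-character permission field of ls, e.g. drwxrwxr-x
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# prepare_tree ROOT GROUP: the step-11 pattern (recursive chgrp, then g+rw).
prepare_tree() {
    chgrp -R "$2" "$1" && chmod -R g+rw "$1"
}

# check_tree ROOT GROUP: print the number of violations under ROOT, counting
# every entry not owned by GROUP and every entry lacking group read+write
# (octal 060). 0 means the tree is ready for the non-root was1 user; the
# offending paths are listed on stderr for the operator.
check_tree() {
    wrong_group=$(find "$1" ! -group "$2" | wc -l | tr -d ' ')
    not_grw=$(find "$1" ! -perm -060 | wc -l | tr -d ' ')
    find "$1" ! -group "$2" -o ! -perm -060 >&2
    echo $((wrong_group + not_grw))
}

# umask_demo DIR: create a file and a directory under UMASK 002 and print
# their modes on one line. Expect "-rw-rw-r-- drwxrwxr-x": owner and group
# keep write access, the other-write bit is masked off.
umask_demo() {
    (
        umask 002
        : > "$1/umask-demo.file"
        mkdir "$1/umask-demo.dir"
        printf '%s %s\n' "$(mode_string "$1/umask-demo.file")" \
                         "$(mode_string "$1/umask-demo.dir")"
    )
}

# Usage on a node (as root, after the servers and the node agent are stopped):
#   prepare_tree /opt/WebSphere/AppServer/profiles wasgroup
#   check_tree   /opt/WebSphere/AppServer/profiles wasgroup   # prints 0 when ready
```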

Results

You can start an application server from a non-root user and run the node agent as root.




Last updated: Mar 8, 2007 8:14:28 PM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/trun_svr_msg_nonroot.html

© Copyright IBM Corporation 2004, 2006. All Rights Reserved.