By default, the root user ID is used to run all application server processes on Linux and UNIX platforms. However, you can run all application server processes under the same non-root user and user group. This task describes how to run an application server process as a non-root user.
Before you begin
If global security is enabled, the user registry must not be Local OS. Using the Local OS user registry requires the node agent to run as root.
If you are using Tivoli Access Manager to perform authentication or authorization for WebSphere Application Server, be aware of potential permissions problems.
When WebSphere Application Server is run as a UNIX user, it can only access files owned by its primary group. If it tries to access files owned by one of its secondary groups, a java.io.FileNotFoundException occurs because the file access permissions do not allow this type of access.
About this task
Run your application servers as non-root when you no longer want to use root authority. For security or administrative reasons, you may want to change to non-root user IDs. Perform this task at any time to change the permissions of an application server. You must restart the application server for the changes to take effect.
If your application server is part of a cell, see Running an application server from a non-root user and the node agent from root, or Running an Application Server and node agent from a non-root user.
For the following steps, assume that:
- was1 is the user to run the application server
- wasgroup is the primary user group for user was1
- wasnode is the node name
- server1 is the application server
- /opt/IBM/WebSphere/AppServer is the installation root
- nodeProfile1 is the profile name.
To configure an application server to run as non-root, complete the following steps.
Procedure
- Log on to the application server system as the root user.
- Create the user ID was1 with a primary user group of wasgroup. The user ID, was1, is an example; you can name the user something else.
- Log off and log back on as root.
- Start server1 as root. Run the startServer script from the /bin directory of the installation root.
- Specify user and group ID values for the Run As User and Run As Group settings for a server:
  - Start the administrative console.
  - Go to the Process execution page of the administrative console. You must define all three properties in the following table. In the administrative console, click Servers > Application Servers > server, and then under Server Infrastructure, click Java and Process Management > Process Definition > Process Execution, and change all of the following values:

    Property      | Value
    ------------- | --------
    Run As User   | was1
    Run As Group  | wasgroup
    UMASK         | 002

    The value 002 means the files the process creates are writable by the group, with the permissions for others as defined on the Linux or UNIX platforms.
  - Click OK.
  - Save the configuration.
- Stop the application server. Run the stopServer script from the /bin directory of the installation root.
- Change file permissions as the root user. The following example assumes that the installation root directory for WebSphere Application Server is /opt/IBM/WebSphere/AppServer and that the profile is nodeProfile1, as listed in the assumptions above:
chgrp wasgroup /opt/IBM/WebSphere
chgrp wasgroup /opt/IBM/WebSphere/AppServer
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/profiles
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/profiles/nodeProfile1
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/logs
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/properties
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/temp
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/cloudscape
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/bin
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/java
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/lib
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/installedChannels
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/profiles/nodeProfile1/installedFilters
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/etc/
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/classes
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/systemApps
chmod g+wr /opt/IBM/WebSphere
chmod g+wr /opt/IBM/WebSphere/AppServer
chmod -R g+wr /opt/IBM/WebSphere/AppServer/profiles
chmod -R g+rw /opt/IBM/WebSphere/AppServer/profiles/nodeProfile1
chmod -R g+wr /opt/IBM/WebSphere/AppServer/logs
chmod -R g+wr /opt/IBM/WebSphere/AppServer/properties
chmod -R g+wr /opt/IBM/WebSphere/AppServer/temp
chmod -R g+wr /opt/IBM/WebSphere/AppServer/cloudscape
chmod -R g+r /opt/IBM/WebSphere/AppServer/bin
chmod -R g+r /opt/IBM/WebSphere/AppServer/java
chmod -R g+r /opt/IBM/WebSphere/AppServer/lib
chmod -R g+rw /opt/IBM/WebSphere/AppServer/installedChannels
chmod -R g+rw /opt/IBM/WebSphere/AppServer/profiles/nodeProfile1/installedFilters
chmod -R g+rw /opt/IBM/WebSphere/AppServer/etc/
chmod -R g+rw /opt/IBM/WebSphere/AppServer/classes
chmod -R g+rw /opt/IBM/WebSphere/AppServer/systemApps
- Log on to the application server system as user was1.
- Start server1 as was1. Run the startServer script from the /bin directory of the installation root.
- If creating another server with a different user ID, follow this procedure again for the new user ID and server name. The two user IDs must share the same group, wasgroup.
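The following pre-flight check is an added example, not part of the IBM procedure or product. Run it as root after the chgrp/chmod step and before starting server1 as was1: it lists any path under the installation root that a non-root member of the server's primary group could not read (the "secondary group" trap described under Before you begin), and shows what file mode the UMASK setting of 002 actually produces. The names was1, wasgroup, and /opt/IBM/WebSphere/AppServer are the page's assumptions; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM page): pre-flight permission check for a
# WebSphere installation that is about to be started by a non-root user.

# was_perm_violations ROOT GROUP
# Prints every file or directory under ROOT that a non-root member of GROUP
# could not read: either the group owner is not GROUP, or the group read bit
# (octal 040) is missing. Pass the server user's PRIMARY group, for example
# "$(id -gn was1)", because the page notes that access through a secondary
# group fails with java.io.FileNotFoundException.
was_perm_violations() {
    find "$1" \( ! -group "$2" -o ! -perm -040 \) -print
}

# was_perm_violation_count ROOT GROUP: number of such paths (0 means clean).
was_perm_violation_count() {
    was_perm_violations "$1" "$2" | wc -l | tr -d ' '
}

# umask_file_mode UMASK: create a scratch file under UMASK and return its
# permission string as ls prints it. With 002 a new file is -rw-rw-r--:
# writable by owner and group, readable but not writable by others.
umask_file_mode() {
    scratch=$(mktemp -d)
    ( umask "$1"; : > "$scratch/probe" )
    mode=$(ls -l "$scratch/probe" | cut -c1-10)
    rm -rf "$scratch"
    printf '%s\n' "$mode"
}

# Typical use on the page's layout (hypothetical paths from the assumptions):
#   was_perm_violations /opt/IBM/WebSphere/AppServer "$(id -gn was1)"
#   umask_file_mode 002
```

A non-empty listing from was_perm_violations means the chgrp/chmod step missed something and startServer as was1 is likely to fail with the FileNotFoundException described above.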
Results
You can start an application server from a non-root user.