Any application server, the administrative server, and the administrative console can be run using a non-root user on Unix platforms. These processes can be run as non-root on V3.02.2 and all releases of V3.5 and V4.0.
If you are running as non-root in the foreground, apply Part I. If you are running as non-root in the background, you need to apply the fix in Part II.
Part I
To run an Application Server as a non-root user:
- Start the Administrative Server as root.
- Change the User ID and Group ID to the <user:group> for the Application Server to run as, on the Advanced Tab of the Application Server.
- Change the Standard output and Standard Error path location to a directory for which the run-as user has write permission, on the General Tab of the Application Server.
- Remove any temporary files that may have been created by previous executions of the Application Server when it was run as a user other than the one that is going to be used now. Look for files in this form:
/tmp/.asxxxxx
where xxxxx is a communications queue name used by WebSphere Application Server.
For example:
/tmp/.asibmappserve1
/tmp/.asibmoselink1
- The Application Server is now ready to be started.
To run the Administrative Server as a non-root user:
- Change permissions on the install directories to allow access by the Administrative Server running as a non-root user. There are two options for granting the permissions:
Option One
Change the owner of all files and directories in the Application Server install directory to the <user:group> that you want to run as.
Option Two
Change the owner of the following files and directories to the <user:group> that you want to run as:
$WAS_HOME/logs/*
$WAS_HOME/properties/*
$WAS_HOME/tranlog/*
$WAS_HOME/temp/*
$WAS_HOME/bin/admin.config
- Remove any temporary files that may have been created by previous executions of the Application Server when it was run as a user other than the one that is going to be used now. These files will be in this form:
/tmp/.asxxxxx
where xxxxx is a communications queue name used by WebSphere.
For example:
/tmp/.asibmappserve1
/tmp/.asibmoselink1
- The bootstrap port value must be 1024 or greater, because a non-root process cannot bind to ports below 1024. To override the default value of 900, update the $WAS_HOME/bin/admin.config file and add the following property to specify a new port:
com.ibm.ejs.sm.adminServer.bootstrapPort=2222
- The Administrative Server is now ready to be started with the <user:group> that has been configured.
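The checks in the steps above can be scripted and run before the first non-root start. The following is an added example, not part of the original note or of IBM's tooling; the function names and the temporary sandbox are assumptions made for illustration, while the paths, the property name and the port values are the ones given in the steps.

```sh
#!/bin/sh
# Pre-flight checks before starting the Administrative Server as non-root.
# Function names and the sandbox below are constructed for illustration.

# Print the bootstrap port set in admin.config, or the default 900 if unset.
bootstrap_port() {
    p=$(sed -n 's/^com\.ibm\.ejs\.sm\.adminServer\.bootstrapPort[ ]*=[ ]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -1)
    echo "${p:-900}"
}

# Succeed only if the port meets the note's requirement (1024 or greater).
port_ok() { [ "$1" -ge 1024 ]; }

# List communications-queue files (.as* directly under dir $1) that are
# not owned by run-as user $2; these must be removed before starting.
stale_queue_files() {
    (cd "$1" && find . ! -name . -prune -name '.as*' ! -user "$2" -print)
}

# List Option Two files and directories under install dir $1 that are not
# owned by run-as user $2.
wrong_owner() {
    for d in logs properties tranlog temp bin/admin.config; do
        [ -e "$1/$d" ] && find "$1/$d" ! -user "$2" -print
    done
    return 0
}

# Constructed sandbox standing in for $WAS_HOME and /tmp, so the checks run
# without a WebSphere install. On a real host pass $WAS_HOME, /tmp and the
# run-as user name instead.
demo=$(mktemp -d)
mkdir -p "$demo/was/bin" "$demo/was/logs" "$demo/tmp"
echo 'com.ibm.ejs.sm.adminServer.bootstrapPort=2222' > "$demo/was/bin/admin.config"
: > "$demo/tmp/.asibmappserve1"
me=$(id -u)          # current user plays the run-as user
other=$((me + 1))    # a different numeric uid, to show the failing case

port=$(bootstrap_port "$demo/was/bin/admin.config")
if port_ok "$port"; then echo "bootstrap port $port: ok"; fi
echo "queue files not owned by uid $me:    $(stale_queue_files "$demo/tmp" "$me")"
echo "queue files not owned by uid $other: $(stale_queue_files "$demo/tmp" "$other")"
echo "Option Two paths not owned by uid $other:"
wrong_owner "$demo/was" "$other"
rm -rf "$demo"
```

Any path printed by stale_queue_files or wrong_owner for the intended run-as user is a file to remove or re-own before starting the server.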
To run the Administrative Console as a non-root user:
- Change permissions on the following install directories to allow access by the Administrative Client running as a non-root user:
  - Change the owner of the following directory to the <user:group> that you want to run as:
  $WAS_HOME/bin
  - Change the owner of the following file to the <user:group> that you want to run as:
  $WAS_HOME/properties/sas.client.props
- The Administrative Console is now ready to be started with the <user:group> that has been configured.
If you configure the administrative server to run on a bootstrap port other than the default value of 900, you need to specify the new port value when starting the admin client. The command is:
adminclient.sh <hostname> <port>
A Security Consideration
If WebSphere Security is to be used when running the administrative server as a non-root user, then the Local Operating System cannot be used as the Authentication Mechanism. Instead, use Lightweight Third-Party Authentication (LTPA) with a Lightweight Directory Access Protocol (LDAP) directory server.
Part II
Follow these steps to run WebSphere Application Server in the background as a non-root user:
Change the process priority for the application server:
- In the Administrative Console, click the Topology tab and select your Application Server (for example, Default Server).
- On the right panel, choose the ADVANCED tab.
- Scroll down to PROCESS PRIORITY and change this from 20 to 28 for AIX®, and from 20 to 24 for Solaris®.
- Click Apply.
How to use:
Add the parameter com.ibm.ejs.sm.adminServer.processPriority to admin.config and give it the value of the Java™ process priority you want to assign to the administrative server. A value of 28 is recommended for AIX and 24 for Solaris.
Keep in mind that we are referring to an operating system process priority here and not a Java thread priority. For further details about Java thread priorities, see documentation on the Java class java.lang.Thread.
Restart the administrative server after these changes have been applied.