Run an appserver and nodeagent with a non-root user ID
By default, each base appserver node on Linux and UNIX platforms uses the root user ID to run appserver, nodeagent, and jmsserver processes. You can change this so that all of these processes run under a non-root user ID. Using the same non-root user and user group gives the nodeagent process the operating system permissions to start all other server processes.
Note that if global security is enabled, the user registry must not be Local OS, which requires the nodeagent to run as root.
Also note that if you are using the WebSphere JMS provider, the user and group must be mqm for the jmsserver to start the message queue. Otherwise, you can use a user and group other than mqm. This example assumes you are using the WebSphere JMS provider.
For the steps that follow, assume that:
- myId is the user to run all servers
- myNode is the node name
- myCell is the cell name
- mqm and mqbrkrs are user groups associated with the WebSphere JMS provider
- myServer is the appserver
- /opt/WebSphere/Appserver is the installation root
To configure a user ID to run the nodeagent and all server processes, complete the following steps:
- Log on as root.
- Create user myId with primary group mqm.
- Add user myId to group mqbrkrs.
- Reboot the machine.
- Define the nodeagent to run as a myId process.
Click System Administration | Node Agents | nodeagent | Process Definition | Process Execution, and change these values:
Property       Value
Run As User    myId
Run As Group   mqm
UMASK          002
- Define each appserver to run as a myId process. Substitute the name of each server for myServer.
Click Servers | appserver | myServer | Process Definition | Process Execution, and change these values:
Property       Value
Run As User    myId
Run As Group   mqm
UMASK          002
- If running the WebSphere JMS provider, define the jmsserver process to run as a myId process.
Click JMS Servers | jmsserver (for the node) | Process Definition | Process Execution, and change these values:
Property       Value
Run As User    myId
Run As Group   mqm
UMASK          002
- Save and synchronize.
- Stop all servers, including the myServer and jmsserver servers.
stopserver.sh myServer
stopserver.sh jmsserver
- Stop the node.
stopnode
- If running the WebSphere JMS provider, delete the default queue manager for the appserver.
deletemq.sh myCell myNode jmsserver
- If running the WebSphere JMS provider, create a queue manager and broker for the appserver.
createmq.sh $WAS_HOME myCell myNode jmsserver
- As root, use operating system tools to change file permissions:
chgrp mqm /opt/WebSphere
chgrp mqm $WAS_HOME
chgrp -R mqm $WAS_HOME/config
chgrp -R mqm $WAS_HOME/logs
chgrp -R mqm $WAS_HOME/wstemp
chgrp -R mqm $WAS_HOME/installedApps
chgrp -R mqm $WAS_HOME/temp
chgrp -R mqm $WAS_HOME/tranlog
chgrp -R mqm $WAS_HOME/cloudscape50
chgrp -R mqm $WAS_HOME/cloudscape51
chgrp -R mqm $WAS_HOME/bin/DefaultDB
chmod g+w /opt/WebSphere
chmod g+w $WAS_HOME
chmod -R g+w $WAS_HOME/config
chmod -R g+w $WAS_HOME/logs
chmod -R g+w $WAS_HOME/wstemp
chmod -R g+w $WAS_HOME/installedApps
chmod -R g+w $WAS_HOME/temp
chmod -R g+w $WAS_HOME/tranlog
chmod -R g+w $WAS_HOME/cloudscape50
chmod -R g+w $WAS_HOME/cloudscape51
chmod -R g+w $WAS_HOME/bin/DefaultDB
- Log in as myId.
- From myId, run the startNode command to start the nodeagent process:
startnode
- From myId, run the startserver command to start the jmsserver and all appservers:
startserver jmsserver
startserver myServer
- If running the WebSphere JMS provider, verify that the MQ queue is running:
Run the dspmq command:
dspmq
The name of the queue is WAS_myNode_jmsserver.
Results
You can now start an appserver, the jmsserver, and the nodeagent as a non-root user.
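A read-only audit of the group ownership and mode bits set in the chgrp/chmod step, as an added example that is not part of the original page or IBM's tooling. The function names are constructed here, and it assumes /opt/WebSphere is the parent of $WAS_HOME as in the page's setup; it also reports world-writable entries, which neither g+w nor UMASK 002 grants.

```shell
#!/bin/sh
# Added example, not IBM code. Helper names are constructed for illustration.

# check_path GROUP TARGET [top|recurse]
# Prints one line per entry that is not owned by GROUP, lacks group write,
# or is world-writable. Returns 0 if clean, 1 on findings, 2 on a bad argument.
check_path() {
    group=$1 target=$2 mode=${3:-top}
    [ -e "$target" ] || { echo "MISSING $target"; return 2; }
    # find exits non-zero when GROUP does not exist; catch that up front so a
    # typo in the group name cannot look like a clean result.
    find "$target" -prune -group "$group" >/dev/null 2>&1 ||
        { echo "BAD-GROUP $group"; return 2; }
    # "top" inspects TARGET only (the page's plain chgrp/chmod);
    # "recurse" walks the tree (the page's chgrp -R / chmod -R).
    if [ "$mode" = recurse ]; then prune=; else prune=-prune; fi
    found=$(
        find "$target" $prune ! -type l ! -group "$group" -print | sed 's/^/WRONG-GROUP /'
        find "$target" $prune ! -type l ! -perm -020 -print | sed 's/^/NO-GROUP-WRITE /'
        find "$target" $prune ! -type l -perm -002 -print | sed 's/^/WORLD-WRITABLE /'
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# audit_was_home WAS_HOME [GROUP]
# Applies check_path to the directories listed in the procedure.
# Assumption: the parent of WAS_HOME is the /opt/WebSphere directory.
audit_was_home() {
    was_home=$1 group=${2:-mqm} rc=0
    check_path "$group" "$(dirname "$was_home")" top || rc=1
    check_path "$group" "$was_home" top || rc=1
    for d in config logs wstemp installedApps temp tranlog \
             cloudscape50 cloudscape51 bin/DefaultDB; do
        check_path "$group" "$was_home/$d" recurse || rc=1
    done
    return $rc
}

# Runs only when asked, e.g.: sh audit.sh audit /opt/WebSphere/Appserver
if [ "${1:-}" = audit ]; then
    audit_was_home "${2:-/opt/WebSphere/Appserver}" mqm
fi
```

A non-zero exit status means at least one path does not match the layout the procedure sets up; each output line names the finding and the path.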