Run an application server from a non-root user and the node agent from root
By default, each base WAS node on a Linux and UNIX platform uses the root user to run application servers. However, you can use a non-root user to run application servers. This task describes how to configure an application server to run as non-root while letting the node agent process run as root.
Before you begin
If global security is enabled, using the Local OS user registry is not recommended. In general, using the Local OS user registry requires that all processes run as root. Refer to Local operating system user registries for details. If you are attempting to run an Application Server as root in WAS V6 when you previously used a non-root user ID on Linux and UNIX platforms in V5.x, see Migrating a previously non-root configuration to root.
Overview
Using a non-root user ID to run application servers can be done by setting all the application servers to run under the same operating system group. Run your application servers as non-root when you no longer want to use root authority. For security or administrative reasons, you may want to change to non-root user IDs. Perform this task at any time to change the permissions of an application server. You must restart the application servers in order for the changes to take effect.
Note: If you are using the Tivoli Access Manager (TAM) to perform authentication or authorization for WebSphere Application Server, it is important to be aware of potential permissions problems. For more information, see Tivoli Access Manager JACC provider configuration.
- Log on to the application server system as root.
- Create the was1 user and the wasgroup group that you will use to run the application server. If you will be using peer recovery with your transaction logs on a shared system (such as NAS) between two or more machines, create users and groups with the same identification numbers on all machines participating in peer recovery. This ensures that the non-root users and groups match across machines.
- Add users root and was1 to the wasgroup group.
- Log off and back on.
- Log on to the Network Deployment system as root.
- If it is not started, start the deployment manager process with the startManager.sh script from the /bin directory of the installation root:
  startManager.sh
- Configure application server properties for the root and was1 users. Use the administrative console on the deployment manager to complete the following steps:
- Define the node agent to run as a root process. You must define all three properties in the following table. Click System Administration > Node agents > nodeagent (for the node) > Server Infrastructure > Java and Process Management > Process Definition > Process Execution and change all of the following values:

  | Property | Value |
  | --- | --- |
  | Run As User | root |
  | Run As Group | wasgroup |
  | UMASK | 002 |
- Define each application server to run as a was1 process. Substitute the name of each server for server1. You must define all three properties in the following table. Click Servers > Application Servers > server1 > Server Infrastructure > Java and Process Management > Process Definition > Process Execution and change all of the following values:

  | Property | Value |
  | --- | --- |
  | Run As User | was1 |
  | Run As Group | wasgroup |
  | UMASK | 002 |
- Save and synchronize all nodes.
- Log on to the application server system as root.
- Ensure that all servers on the application server system are stopped, including the server1 process. Use the stopServer.sh script from the /bin directory of the installation root:
  stopServer.sh server1 -user userID -password password
- Ensure that the node agent process is stopped. Use the stopNode.sh script from the /bin directory of the installation root:
  stopNode.sh -user userID -password password
- As root, use operating system tools to change the following file permissions on the application server system:
  chgrp wasgroup /opt/WebSphere
  chgrp wasgroup /opt/WebSphere/AppServer
  chgrp -R wasgroup /opt/WebSphere/AppServer/cloudscape
  chgrp -R wasgroup /opt/WebSphere/AppServer/profiles/nodeProfile1
  chmod g+wr /opt/WebSphere
  chmod g+wr /opt/WebSphere/AppServer
  chmod -R g+wr /opt/WebSphere/AppServer/cloudscape
  chmod -R g+wr /opt/WebSphere/AppServer/profiles/nodeProfile1
- Start the node agent process from root. Use the startNode.sh script from the /bin directory of the installation root:
  startNode.sh
- Log on to the application server system as the was1 user.
- Start all application servers from the was1 user. Use the startServer.sh script from the /bin directory of the installation root:
  startServer.sh server1
Result
You can start an application server from a non-root user and run the node agent as root.
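The permission step above is the one that is easiest to get partly wrong (a missed subtree, or group bits stripped later), and the UMASK 002 setting is what keeps files written by the root node agent writable by was1 through the shared group. The following shell script is an added example, not an IBM script: it applies the same chgrp/chmod sequence to a parameterized installation root and profile, lists anything in those trees that is not group-owned by the group or lacks group read/write, and shows the effect of umask 002. The directory tree it builds for demonstration is constructed and stands in for a real installation; on a real system you would point the functions at /opt/WebSphere/AppServer, the node profile name and wasgroup while running as root with the servers stopped.

```shell
#!/bin/sh
# Added example (not IBM's own script). Applies and verifies the group
# ownership and permission changes from the procedure.

# Apply the procedure's chgrp/chmod steps.
# $1 = installation root (e.g. /opt/WebSphere/AppServer)
# $2 = node profile name (e.g. nodeProfile1), $3 = group (default wasgroup)
apply_wasgroup_perms() {
  was_home=$1
  profile=$2
  group=${3:-wasgroup}
  parent=$(dirname "$was_home")
  # Non-recursive on the parent and the installation root, recursive below,
  # exactly as in the procedure.
  chgrp "$group" "$parent" "$was_home" &&
  chgrp -R "$group" "$was_home/cloudscape" "$was_home/profiles/$profile" &&
  chmod g+rw "$parent" "$was_home" &&
  chmod -R g+rw "$was_home/cloudscape" "$was_home/profiles/$profile"
}

# Print every path that is not group-owned by $group or lacks group
# read+write (octal mode bits 060). "-prune" keeps the first find from
# descending, matching the non-recursive chgrp/chmod on those two paths.
list_perm_violations() {
  was_home=$1
  profile=$2
  group=${3:-wasgroup}
  parent=$(dirname "$was_home")
  find "$parent" "$was_home" -prune \( ! -group "$group" -o ! -perm -060 \) -print
  find "$was_home/cloudscape" "$was_home/profiles/$profile" \
       \( ! -group "$group" -o ! -perm -060 \) -print
}

# Returns 0 only when no violations are found.
check_wasgroup_perms() {
  [ -z "$(list_perm_violations "$@")" ]
}

# Why UMASK 002 matters: a file created under that umask gets mode 664, so a
# file the root node agent writes is still group-writable for was1.
# Returns 0 when the file created in $1 has the group write bit set.
umask_002_makes_group_writable() {
  dir=$1
  ( umask 002; : > "$dir/created-with-umask-002" )
  # -perm -020 matches only if the group write bit is set
  [ -n "$(find "$dir/created-with-umask-002" -perm -020)" ]
}

# Constructed stand-in for the layout in the procedure, so the functions can
# be exercised without a real WebSphere installation. Prints the fake
# installation root. Group bits are stripped first so the check has
# something to catch before apply_wasgroup_perms runs.
make_demo_tree() {
  root=$1
  mkdir -p "$root/WebSphere/AppServer/cloudscape/db" \
           "$root/WebSphere/AppServer/profiles/nodeProfile1/logs"
  : > "$root/WebSphere/AppServer/cloudscape/db/seg0"
  : > "$root/WebSphere/AppServer/profiles/nodeProfile1/logs/SystemOut.log"
  chmod -R g-rw "$root/WebSphere"
  echo "$root/WebSphere/AppServer"
}

# Usage on a real system (as root, after stopping the servers):
#   apply_wasgroup_perms /opt/WebSphere/AppServer nodeProfile1 wasgroup
#   check_wasgroup_perms /opt/WebSphere/AppServer nodeProfile1 wasgroup && echo OK
```

Running check_wasgroup_perms again later (for example after a fix pack install or a manual copy into the profile as root without umask 002) is a cheap way to confirm the shared-group arrangement has not drifted, since a single non-group-writable file under the profile is enough to make a was1-started server fail on first write.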
Run the deployment manager with a non-root user ID
Run an Application Server and node agent from a non-root user
Using the administrative console
Using command line tools
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.
Tivoli is a trademark of the IBM Corporation in the United States, other countries, or both.