Run application servers from a non-root user
By default, the root user ID is used to run all application server processes on Linux and UNIX platforms. However, we can run all application server processes under the same non-root user and user group. This task describes how to run an application server process from a non-root user.
Before you begin
If global security is enabled, the user registry must not be Local OS. Using the Local OS user registry requires the node agent to run as root.
If you are using the Tivoli Access Manager to perform authentication or authorization for WebSphere Application Server, it is important to be aware of potential permissions problems.
When WAS runs as a non-root UNIX user, it can only access files owned by that user's primary group. If it tries to access files through a secondary (supplementary) group, a java.io.FileNotFoundException occurs because the file access permissions do not allow this type of access. Make the group that owns the installation files the primary group of the run-as user, not a supplementary one.
About this task
Run your application servers as non-root when you no longer want to use root authority. For security or administrative reasons, you may want to change to non-root user IDs. Perform this task at any time to change the permissions of an application server. You must restart the application server for the changes to take effect. If your application server is part of a cell, see Run an application server from a non-root user and the node agent from root, or Run an Application Server and node agent from a non-root user.
For the following steps, assume that:
- was1 is the user to run the application server
- wasgroup is the primary user group for user was1
- wasnode is the node name
- server1 is the application server
- /opt/IBM/WebSphere/AppServer is the installation root
- nodeProfile1 is the profile name.
To configure an application server to run as non-root, complete the following steps.
Procedure
- Log on to the application server system as the root user.
- Create the user ID was1 with a primary user group of wasgroup. The user ID, was1, is an example. We can name the user something else.
- Log off and log back on as root.
- Start server1 as root. Run the startServer script from the /bin directory of the installation root.
- Specify user and group ID values for the Run As User and Run As Group settings for a server:
- Start the administrative console.
- Go to the Process execution page of the administrative console. Click Servers > Application Servers > server, and then under Server Infrastructure, click Java and Process Management > Process Definition > Process Execution. You must set all three of the following properties:
- Run As User: was1
- Run As Group: wasgroup
- UMASK: 002
A UMASK of 002 means that files the process creates are readable by everyone and writable by the owner and the group, but not writable by others. Group write is what lets was1 and any other member of wasgroup share the files the server writes, so keep wasgroup's membership limited to the accounts that run WebSphere.
- Click OK.
- Save the configuration.
- Stop the application server. Run the stopServer script from the /bin directory of the installation root.
- Change file permissions as the root user. The following example assumes that the installation root directory for WAS is /opt/IBM/WebSphere/AppServer and that <profile name> is the profile directory (nodeProfile1 in this example). Code trees (bin, java, lib) only need group read; the runtime trees that the server writes to need group read and write:
chgrp wasgroup /opt/IBM/WebSphere
chgrp wasgroup /opt/IBM/WebSphere/AppServer
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/profiles
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/profiles/<profile name>
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/logs
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/properties
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/temp
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/cloudscape
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/bin
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/java
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/lib
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/installedChannels
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/profiles/<profile name>/installedFilters
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/etc/
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/classes
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/systemApps
chmod g+wr /opt/IBM/WebSphere
chmod g+wr /opt/IBM/WebSphere/AppServer
chmod -R g+wr /opt/IBM/WebSphere/AppServer/profiles
chmod -R g+rw /opt/IBM/WebSphere/AppServer/profiles/<profile name>
chmod -R g+wr /opt/IBM/WebSphere/AppServer/logs
chmod -R g+wr /opt/IBM/WebSphere/AppServer/properties
chmod -R g+wr /opt/IBM/WebSphere/AppServer/temp
chmod -R g+wr /opt/IBM/WebSphere/AppServer/cloudscape
chmod -R g+r /opt/IBM/WebSphere/AppServer/bin
chmod -R g+r /opt/IBM/WebSphere/AppServer/java
chmod -R g+r /opt/IBM/WebSphere/AppServer/lib
chmod -R g+rw /opt/IBM/WebSphere/AppServer/installedChannels
chmod -R g+rw /opt/IBM/WebSphere/AppServer/profiles/<profile name>/installedFilters
chmod -R g+rw /opt/IBM/WebSphere/AppServer/etc/
chmod -R g+rw /opt/IBM/WebSphere/AppServer/classes
chmod -R g+rw /opt/IBM/WebSphere/AppServer/systemApps
Note that classes and systemApps become group-writable, so every member of wasgroup can change code the server loads; this is another reason to keep wasgroup limited to the server accounts.
- Log on to the application server system as user was1.
- Start server1 as was1. Run the startServer script from the /bin directory of the installation root.
- If you create another server with a different user ID, follow this procedure again for the new user ID and server name. The two user IDs must share the same primary group, wasgroup.
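The following script is an added example, not part of the IBM page or of WebSphere itself. It automates the "change file permissions" step above and then audits the result, listing any path that the non-root user would still be unable to read, search or (in the runtime trees) write, which is the condition that later surfaces as the java.io.FileNotFoundException mentioned under Before you begin. The directory list and the read-only/read-write split follow the page; the function names, the use of nodeProfile1 for the profile placeholder, the skipping of subtrees that do not exist in a given installation, and the extra X (search) bit on directories are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM page): script the chgrp/chmod step for a
# non-root WebSphere run-as user and audit the result.
set -u

# Subtrees the page makes group read+write (runtime state the server writes).
# The page's profiles/<profile name> entries fall under profiles (assumption).
WAS_RW_DIRS="profiles logs properties temp cloudscape installedChannels etc classes systemApps"
# Subtrees the page makes group read-only (code the server only loads).
WAS_RO_DIRS="bin java lib"

# was_fix_perms INSTALL_ROOT GROUP
# Hand the installation root and its parent to GROUP non-recursively, then
# recurse into the listed subtrees. X (search bit on directories only) is our
# addition on top of the page's g+r/g+rw: a 700 directory given only g+r
# would still keep the group from traversing into it.
was_fix_perms() {
    root=$1; grp=$2
    for d in "$(dirname "$root")" "$root"; do
        chgrp "$grp" "$d" && chmod g+rwX "$d" || return 1
    done
    for d in $WAS_RW_DIRS; do
        [ -e "$root/$d" ] || continue   # subtree absent in this installation
        chgrp -R "$grp" "$root/$d" && chmod -R g+rwX "$root/$d" || return 1
    done
    for d in $WAS_RO_DIRS; do
        [ -e "$root/$d" ] || continue
        chgrp -R "$grp" "$root/$d" && chmod -R g+rX "$root/$d" || return 1
    done
}

# was_check_perms INSTALL_ROOT GROUP
# Print every path the run-as user (whose primary group is GROUP) could not
# use and return 1 if any exist: wrong group, missing group read, a directory
# without group search, or missing group write in a runtime tree.
was_check_perms() {
    root=$1; grp=$2; bad=0
    for d in $WAS_RW_DIRS $WAS_RO_DIRS; do
        [ -e "$root/$d" ] || continue
        case " $WAS_RW_DIRS " in
            *" $d "*) want="-g=rw" ;;   # runtime tree: group must also write
            *)        want="-g=r"  ;;   # code tree: group read is enough
        esac
        offenders=$(find "$root/$d" \( ! -group "$grp" -o ! -perm "$want" \
                        -o \( -type d ! -perm -g=x \) \))
        if [ -n "$offenders" ]; then
            printf '%s\n' "$offenders"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage (run "fix" as root, "check" as root or as the run-as user):
#   sh was-perms.sh fix   [/opt/IBM/WebSphere/AppServer] [wasgroup]
#   sh was-perms.sh check [/opt/IBM/WebSphere/AppServer] [wasgroup]
case "${1-}" in
    fix)   was_fix_perms   "${2:-/opt/IBM/WebSphere/AppServer}" "${3:-wasgroup}" ;;
    check) was_check_perms "${2:-/opt/IBM/WebSphere/AppServer}" "${3:-wasgroup}" ;;
esac
```

Run the check again after any fix pack or application install performed as root, since files created by root with a restrictive umask are the usual way the permissions drift back.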
Results
We can start an application server from a non-root user.
Related concepts
- Local operating system user registries
Related tasks
- Starting an application server
- Using the administrative console
- Manage application servers
Related reference
- startServer command
- stopServer command
- Process execution settings
- wasprofile command
- Tivoli Access Manager JACC provider configuration