Run application servers from a non-root user

By default, the root user ID is used to run all application server processes on a Linux and UNIX platform. However, you can run all application server processes under the same non-root user and user group. This task describes how to run an application server process from a non-root user.

 

Before you begin

If global security is enabled, the user registry must not be Local OS. Using the Local OS user registry requires the node agent to run as root.

If you are using the Tivoli Access Manager to perform authentication or authorization for WebSphere Application Server, it is important to be aware of potential permissions problems.

[AIX HP-UX Solaris] When WAS is run as a UNIX user, it can only access files owned by its primary group. If it tries to access files by its secondary group, a java.io.FileNotFoundException: will occur because the file access permissions do not allow this type of access.

 

About this task

Run your application servers as non-root when you no longer want to use root authority. For security or administrative reasons, you may want to change to non-root user IDs. Perform this task at any time to change the permissions of an application server. You must restart the application server in order for the changes to take effect.

If your application server is part of a cell, see Run an application server from a non-root user and the node agent from root or Run an Application Server and node agent from a non-root user .

For the following steps, assume that:

To configure an application server to run as non-root, complete the following steps.

 

Procedure

  1. Log on to the application server system as the root user.
  2. Create the user ID was1 with a primary user group of wasgroup. The user ID, was1, is an example. You can name the user something else.
  3. Log off and log back on as root.
  4. Start server1 as root. Run the startServer script from the /bin directory of the installation root.
  5. Specify user and group ID values for the Run As User and Run As Group settings for a server:

    1. Start the administrative console.
    2. Go to the Process execution page of the administrative console. You must define all three properties in the following table. In the administrative console, click Servers > Application Servers > server, and then under Server Infrastructure, click Java and Process Management > Process Definition > Process Execution, and change all of the following values:
      Property Value
      Run As User was1
      Run As Group wasgroup
      UMASK 002

      The value 002 means the files the process creates are writable by the group and by others as defined on the Linux or UNIX platforms.

    3. Click OK.
    4. Save the configuration.
  6. Stop the application server. Run the stopServer script from the /bin directory of the installation root.
  7. Change file permissions as the root user. The following example assumes that the installation root directory for WAS is /opt/IBM/WebSphere/AppServer:
    chgrp wasgroup /opt/IBM/WebSphere
    chgrp wasgroup /opt/IBM/WebSphere/AppServer
    chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/profiles
    chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/profiles/profile name
    chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/logs
    chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/properties
    chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/temp
    chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/cloudscape
    chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/bin
    chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/java
    chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/lib
    chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/installedChannels
    chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/profiles/profile name/installedFilters
    chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/etc/
    chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/classes
    chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/systemApps
    
    chmod g+wr /opt/IBM/WebSphere
    chmod g+wr /opt/IBM/WebSphere/AppServer
    chmod -R g+wr /opt/IBM/WebSphere/AppServer/profiles
    chmod -R g+rw /opt/IBM/WebSphere/AppServer/profiles/profile name
    chmod -R g+wr /opt/IBM/WebSphere/AppServer/logs
    chmod -R g+wr /opt/IBM/WebSphere/AppServer/properties
    chmod -R g+wr /opt/IBM/WebSphere/AppServer/temp
    chmod -R g+wr /opt/IBM/WebSphere/AppServer/cloudscape
    chmod -R g+r /opt/IBM/WebSphere/AppServer/bin
    chmod -R g+r /opt/IBM/WebSphere/AppServer/java
    chmod -R g+r /opt/IBM/WebSphere/AppServer/lib
    chmod -R g+rw /opt/IBM/WebSphere/AppServer/installedChannels
    chmod -R g+rw /opt/IBM/WebSphere/AppServer/profiles/profile name/installedFilters
    chmod -R g+rw /opt/IBM/WebSphere/AppServer/etc/
    chmod -R g+rw /opt/IBM/WebSphere/AppServer/classes
    chmod -R g+rw /opt/IBM/WebSphere/AppServer/systemApps
  8. Log on to the application server system as user was1.
  9. Start server1 as was1. Run the startServer script from the /bin directory of the installation root.
  10. If creating another server with a different user ID, follow this procedure again for the new user ID and server name.

    The two user IDs must share the same group, wasgroup.

 

Results

You can start an application server from a non-root user.