Run application servers from a non-root user

Run application servers from a non-root user

By default, the root user ID is used to run all application server processes on a Linux and UNIX platform. However, we can run all application server processes under the same non-root user and user group. This task describes how to run an application server process from a non-root user.

Before you begin
If global security is enabled, the user registry must not be Local OS. Using the Local OS user registry requires the node agent to run as root.
If you are using the Tivoli Access Manager to perform authentication or authorization for WebSphere Application Server, it is important to be aware of potential permissions problems.
When WAS is run as a UNIX user, it can only access files owned by its primary group. If it tries to access files by its secondary group, a java.io.FileNotFoundException: will occur because the file access permissions do not allow this type of access.

About this task
Run your application servers as non-root when you no longer want to use root authority. For security or administrative reasons, you may want to change to non-root user IDs. Perform this task at any time to change the permissions of an application server. You must restart the application server in order for the changes to take effect.
If your application server is part of a cell, see Run an application server from a non-root user and the node agent from root or Run an Application Server and node agent from a non-root user .
For the following steps, assume that:

was1 is the user to run the application server

wasgroup is the primary user group for user was1

wasnode is the node name

server1 is the application server

/opt/IBM/WebSphere/AppServer is the installation root

nodeProfile1 is the profile name.

To configure an application server to run as non-root, complete the following steps.

Procedure
Log on to the application server system as the root user.

Create the user ID was1 with a primary user group of wasgroup. The user ID, was1, is an example. We can name the user something else.

Log off and log back on as root.

Start server1 as root. Run the startServer script from the /bin directory of the installation root.

Specify user and group ID values for the Run As User and Run As Group settings for a server:

Start the administrative console.

Go to the Process execution page of the administrative console. You must define all three properties in the following table. In the administrative console, click Servers > Application Servers > server, and then under Server Infrastructure, click Java and Process Management > Process Definition > Process Execution, and change all of the following values:

Property Value

Run As User was1
Run As Group wasgroup
UMASK 002
The value 002 means the files the process creates are writable by the group and by others as defined on the Linux or UNIX platforms.

Click OK.

Save the configuration.

Stop the application server. Run the stopServer script from the /bin directory of the installation root.
Change file permissions as the root user. The following example assumes that the installation root directory for WAS is /opt/IBM/WebSphere/AppServer:
chgrp wasgroup /opt/IBM/WebSphere
chgrp wasgroup /opt/IBM/WebSphere/AppServer
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/profiles
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/profiles/profile name
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/logs
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/properties
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/temp
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/cloudscape
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/bin
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/java
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/lib
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/installedChannels
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/profiles/profile name/installedFilters
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/etc/
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/classes
chgrp -R wasgroup /opt/IBM/WebSphere/AppServer/systemApps

chmod g+wr /opt/IBM/WebSphere
chmod g+wr /opt/IBM/WebSphere/AppServer
chmod -R g+wr /opt/IBM/WebSphere/AppServer/profiles
chmod -R g+rw /opt/IBM/WebSphere/AppServer/profiles/profile name
chmod -R g+wr /opt/IBM/WebSphere/AppServer/logs
chmod -R g+wr /opt/IBM/WebSphere/AppServer/properties
chmod -R g+wr /opt/IBM/WebSphere/AppServer/temp
chmod -R g+wr /opt/IBM/WebSphere/AppServer/cloudscape
chmod -R g+r /opt/IBM/WebSphere/AppServer/bin
chmod -R g+r /opt/IBM/WebSphere/AppServer/java
chmod -R g+r /opt/IBM/WebSphere/AppServer/lib
chmod -R g+rw /opt/IBM/WebSphere/AppServer/installedChannels
chmod -R g+rw /opt/IBM/WebSphere/AppServer/profiles/profile name/installedFilters
chmod -R g+rw /opt/IBM/WebSphere/AppServer/etc/
chmod -R g+rw /opt/IBM/WebSphere/AppServer/classes
chmod -R g+rw /opt/IBM/WebSphere/AppServer/systemApps
Log on to the application server system as user was1.

Start server1 as was1. Run the startServer script from the /bin directory of the installation root.

If creating another server with a different user ID, follow this procedure again for the new user ID and server name.
The two user IDs must share the same group, wasgroup.
Results
We can start an application server from a non-root user.

Related concepts
Local operating system user registries
Related tasks
Starting an application server Using the administrative console Manage application servers
Related reference
startServer command stopServer command Process execution settings wasprofile command Tivoli Access Manager JACC provider configuration

Property	Value
Run As User	was1
Run As Group	wasgroup
UMASK	002 The value 002 means the files the process creates are writable by the group and by others as defined on the Linux or UNIX platforms.