Run an Application Server and node agent from a non-root user
Overview
By default, each base Application Server node on a Linux or UNIX platform uses the root user ID to run the node agent process and all Application Server processes. However, you can run the node agent and all Application Server processes under the same non-root user and user group. If you do run the node agent process with a non-root user ID, run all Application Server processes that the node agent controls under the same non-root user ID.
If administrative security is enabled, the user account repositories must not be the local operating system. Using the local operating system user registry requires the node agent to run as root.
Using the same non-root user and user group gives the node agent process the operating system permissions to start all other server processes.
Run your appservers and node agent as non-root when you no longer want to use root authority. For security or administrative reasons, you may want to change to non-root user IDs. Perform this task at any time to change the permissions of a node agent or appserver. You must restart the node agent and appservers in order for the changes to take effect.
The node agent saves registered server data to the file IBMLSDActiveServerList.asl, in the path that is specified by the property com.ibm.ws.orb.services.lsd.StoreActiveServerList. If you do not specify a value for this property, the node agent does not save the data. The value you specify for this property must be the complete path location of the IBMLSDActiveServerList.asl file. The CLASSPATH environment variable is not used in locating the path.
If you are running WAS as a non-root user, give that non-root user file permissions for IBMLSDActiveServerList.asl.
If you are using the Tivoli Access Manager to perform authentication or authorization for WAS, it is important to be aware of potential permissions problems.
To configure a user ID to run the node agent and all server processes, complete the following steps.
Procedure
- Log on to the Application Server system as a non-root user.
- Create a new profile.
  The servers you create under this profile, including a deployment manager, run as non-root.
- Log off and then log on again.
- If the deployment manager process is not started, start it with the startManager.sh script from the /bin directory of the installation root:
  startManager.sh
- Start the console.
- Log on to the Application Server system as the non-root user that corresponds to the new profile you created.
- Run the startNode.sh script from the /bin directory of the installation root to start the node agent:
  startNode.sh node1
- Log in to the console as the non-root user that corresponds to the new profile you created, and start the appservers.
Results
You can start an appserver and the node agent from the non-root user.
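One way to confirm the result after the restart, as an added example that is not part of the original documentation: the script below reads ps output and checks that the node agent and every appserver run under a single non-root user. It assumes server JVMs show the class name com.ibm.ws.runtime.WsServer on their command line with the server name as the last argument; the user names and command lines in the samples are constructed.

```shell
#!/bin/sh
# Added example: audit which OS users own the node agent and appserver JVMs.
# Input on stdin: "USER PID ARGS..." lines, e.g. from
#   ps -e -o user= -o pid= -o args=
# Assumption: server JVMs carry com.ibm.ws.runtime.WsServer on the command
# line and the server name (nodeagent, server1, ...) is the last argument.

# Print "user server" for every matching process.
was_process_owners() {
    awk '/com\.ibm\.ws\.runtime\.WsServer/ { print $1, $NF }'
}

# Exit status:
#   0  all server processes share one non-root user
#   1  at least one server process runs as root
#   2  server processes are split across several users
#   3  no server processes found
check_was_owners() {
    owners=$(was_process_owners | awk '{ print $1 }' | sort -u)
    [ -n "$owners" ] || return 3
    if printf '%s\n' "$owners" | grep -qx 'root'; then return 1; fi
    count=$(printf '%s\n' "$owners" | awk 'END { print NR }')
    [ "$count" -eq 1 ] || return 2
    return 0
}

# Constructed samples (not captured from a real system).
SAMPLE_SAME_USER='root 1 /sbin/init
wasadm 4101 java com.ibm.ws.runtime.WsServer /profiles/Custom01/config cell01 node1 nodeagent
wasadm 4188 java com.ibm.ws.runtime.WsServer /profiles/Custom01/config cell01 node1 server1'

SAMPLE_ROOT_NODEAGENT='root 4101 java com.ibm.ws.runtime.WsServer /profiles/Custom01/config cell01 node1 nodeagent
wasadm 4188 java com.ibm.ws.runtime.WsServer /profiles/Custom01/config cell01 node1 server1'

SAMPLE_MIXED_USERS='wasadm 4101 java com.ibm.ws.runtime.WsServer /profiles/Custom01/config cell01 node1 nodeagent
appuser 4188 java com.ibm.ws.runtime.WsServer /profiles/Custom01/config cell01 node1 server1'

# Demo: show the owners and the verdict for each sample.
for sample in "$SAMPLE_SAME_USER" "$SAMPLE_ROOT_NODEAGENT" "$SAMPLE_MIXED_USERS"; do
    printf '%s\n' "$sample" | was_process_owners
    printf '%s\n' "$sample" | check_was_owners
    echo "status=$?"
done
```

On a live node, pipe the ps command from the header comment into check_was_owners; a status of 1 or 2 means a server was restarted under the wrong account.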