Run appservers from a non-root user
Overview
By default, the root user ID is used to run all appserver processes on Linux and UNIX platforms. However, you can run all application server processes under the same non-root user and user group. This task describes how to run an appserver process from a non-root user.
If administrative security is enabled, the user account repository must not be the local operating system registry. Using the local operating system user registry requires the node agent to run as root.
If you use Tivoli Access Manager to perform authentication or authorization for WAS, be aware of potential permissions problems.
When WAS is run as a UNIX user, it can access only files owned by its primary group. If it tries to access files through its secondary group, a java.io.FileNotFoundException occurs because the file access permissions do not allow this type of access.
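The primary-group restriction described above can be checked before you switch a server to a non-root user. The following is an added example, not part of the original documentation or of the product's tooling: a shell function that lists files and directories a given user ID could not read when only its owner identity and primary group are considered. The function names and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not product code). Assumption, taken from the text above:
# the server process is granted access only through its user ID and its
# PRIMARY group; membership in secondary groups is ignored.
#
# usage: audit_profile_access DIR RUN_UID PRIMARY_GID
# Prints every file or directory under DIR that such a process cannot read.
audit_profile_access() {
    dir=$1; run_uid=$2; primary_gid=$3
    # UNIX picks exactly one permission class per access:
    #   owner   -> owner bits apply, even if the group bits are more generous
    #   group   -> group bits apply (here: only when it is the primary group)
    #   neither -> "other" bits apply (this is where secondary-group files land)
    find "$dir" \( -type f -o -type d \) \( \
        \( -uid "$run_uid" ! -perm -400 \) -o \
        \( ! -uid "$run_uid" -gid "$primary_gid" ! -perm -040 \) -o \
        \( ! -uid "$run_uid" ! -gid "$primary_gid" ! -perm -004 \) \
    \) -print
}

# Number of findings, usable as a gate before restarting the server.
count_unreadable() {
    audit_profile_access "$@" | wc -l | tr -d ' '
}

# Example run (path is a placeholder, youruser is the Run As User):
#   audit_profile_access /path/to/profile "$(id -u youruser)" "$(id -g youruser)"
```

Any path printed is a candidate for the java.io.FileNotFoundException described above; change its group to the primary group of the Run As User or adjust its mode before restarting the server.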
Run your appservers as non-root when you no longer want to use root authority. For security or administrative reasons, you may want to change to non-root user IDs. Perform this task at any time to change the permissions of an appserver. You must restart the appserver in order for the changes to take effect.
If your appserver is part of a cell, see:
- Running an appserver from a non-root user and the node agent from root
- Running an Application Server and node agent from a non-root user
Procedure
- Log on to the Application Server system as a non-root user.
- Create a new profile.
The servers you create under this profile, including a deployment manager, run as non-root.
- Log off and log back on as root.
- Specify user and group ID values for the Run As User and Run As Group settings for a server:
  - Start the console.
  - Go to the Process execution page of the console.
    You must define all three properties in the following table. In the console, click...
    Servers | Application Servers | server | Server Infrastructure | Java and Process Management | Process Definition | Process Execution
    ...and change all of the following values...

    Property        Value
    Run As User     youruser
    Run As Group    yourgroup
    UMASK           002

    Files created by the process are writable by the group and by others.
  - Click OK.
  - Save the configuration.
- Log on to the appserver system as user youruser.
- Log on to the Application Server system as the non-root user that corresponds to the new profile you created.
Results
You can start an appserver from a non-root user.