Run an Application Server and node agent from a non-root user


By default, each base Application Server node on a Linux, UNIX, or z/OS platform uses the root user ID to run the node agent process and all Application Server processes. However, you can run the node agent and all Application Server processes under the same non-root user and user group. If you run the node agent process with a non-root user ID, run all Application Server processes that the node agent controls under that same non-root user ID.

 

Before you begin

If global security is enabled, the user registry must not be Local OS. Using the Local OS user registry requires the node agent to run as root.

 

Overview

Using the same non-root user and user group gives the node agent process the operating system permissions to start all other server processes.

Run your application servers and node agent as non-root when you no longer want to use root authority. For security or administrative reasons, you may want to change to non-root user IDs. Perform this task at any time to change the permissions of a node agent or application server. You must restart the node agent and application servers in order for the changes to take effect.

Note: The node agent saves registered server data to the IBMLSDActiveServerList.asl file, in the path that is specified by the property...

com.ibm.ws.orb.services.lsd.StoreActiveServerList

If you do not specify a value for this property, the node agent does not save the data. The value you specify for this property must be the complete path of the IBMLSDActiveServerList.asl file; the CLASSPATH environment variable is not used to locate it.

If you are running WAS as a non-root user, make sure that non-root user has read and write permission on IBMLSDActiveServerList.asl.

Note: If you are using the Tivoli Access Manager (TAM) to perform authentication or authorization for WebSphere Application Server, it is important to be aware of potential permissions problems.

For the steps that follow, assume that:

wasadmin                    User that runs all servers
wasnode                     Node name
wascell                     Cell name
server1                     Application Server
/opt/WebSphere/AppServer    Installation root for the base node
wasgroup                    Group that runs all servers, with wasadmin as a member
wp_profile                  Profile name

Note: For information about creating a profile, see wasprofile command.

To configure a user ID to run the node agent and all server processes, complete the following steps.

 

Procedure

  1. Log on to the Application Server system as root.

  2. Create user wasadmin with primary group wasgroup.

    If you will be using peer recovery with your transaction logs on a file system that is shared (for example, NAS) between two or more machines, create the user and group with the same numeric user ID and group ID on every machine that participates in peer recovery. This ensures that the non-root user and group match across machines, so that files written by one machine remain accessible to the others.

  3. Log off and back on.

  4. Log on to the Network Deployment system as root.

  5. If the deployment manager process is not started, start it with the startManager.sh script from the /bin directory of the installation root:

    startManager.sh

  6. Start the administrative console.

  7. Define the node agent to run as a wasadmin process using the administrative console of the deployment manager.

    You must define all three properties in the following table. Click...

    System Administration | Node agents | nodeagent | Server Infrastructure | Java and Process Management | Process Definition | Process Execution

    ...and change all of the following values...

    Property        Value
    Run As User     wasadmin
    Run As Group    wasgroup
    UMASK           022

    Make sure the node agent is running before you change the value of either the Run As User or the Run As Group property. If either value is changed while the node agent is not running, the deployment manager cannot push the change to the node.

  8. Define each Application Server to run as a wasadmin process. Substitute the name of each server for server1. You must define all three properties in the following table. Click...

    Servers | Application Servers | server1 | Server Infrastructure | Java and Process Management | Process Execution

    ...and change all of the following values...

    Property        Value
    Run As User     wasadmin
    Run As Group    wasgroup
    UMASK           022

  9. Save and synchronize all nodes. Stop all changed application servers and the node agent from the administrative console.

  10. Log on to the Application Server system as root.

  11. Ensure that all servers and the node agent are stopped.

  12. As root, use operating system tools to change file ownership and permissions on Linux and UNIX platforms:

    chgrp wasgroup /opt/WebSphere
    chgrp wasgroup /opt/WebSphere/AppServer
    chgrp -R wasgroup /opt/WebSphere/AppServer/cloudscape
    chgrp -R wasgroup /opt/WebSphere/AppServer/profiles/wp_profile
    chmod g+wr /opt/WebSphere
    chmod g+wr /opt/WebSphere/AppServer
    chmod -R g+wr /opt/WebSphere/AppServer/cloudscape
    chmod -R g+wr /opt/WebSphere/AppServer/profiles/wp_profile

  13. Log in as wasadmin on the Application Server system.

  14. From wasadmin, run the startNode.sh script from the /bin directory of the installation root to start the node agent:

    startNode.sh wasnode

  15. Log into the administrative console and start the application servers.
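The shell parts of the procedure above (step 2 and step 12), collected into one POSIX sh script as an added example; this is not code from the IBM documentation. The user, group, node and path names are the ones assumed on this page; the numeric UID/GID value 1500, the `g+rwX` mode (which adds search permission on directories only, in addition to the page's `g+wr`), the `check_group_access` audit helper and the sample `getent passwd` lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM page: create the non-root identity with fixed
# numeric IDs, hand the install tree to wasgroup, and verify the result before
# starting the node agent. Names mirror the page's assumptions.

WAS_UID=1500   # assumed value; must be identical on every peer-recovery host
WAS_GID=1500   # assumed value

# Step 2: create wasgroup and wasadmin with explicit IDs. Root only; run on each
# host that shares the transaction-log file system. groupadd/useradd are the
# Linux shadow-utils commands; other UNIX flavours use their equivalents.
create_was_identity() {
    groupadd -g "$WAS_GID" wasgroup
    useradd -u "$WAS_UID" -g wasgroup -m -s /bin/sh wasadmin
}

# Numeric uid:gid of one passwd entry (the line 'getent passwd wasadmin' prints).
identity_ids() {
    printf '%s\n' "$1" | cut -d: -f3,4
}

# Compare the wasadmin entry captured on two hosts; 0 only if uid and gid match.
identities_match() {
    [ "$(identity_ids "$1")" = "$(identity_ids "$2")" ]
}

# Step 12: the page's ownership and mode changes. g+rwX instead of g+wr also
# grants search (x) on directories, which the group needs to traverse the tree.
# Usage: grant_group_access /opt/WebSphere wasgroup wp_profile
grant_group_access() {
    parent="$1"; grp="$2"; profile="$3"
    chgrp "$grp" "$parent" "$parent/AppServer"
    chgrp -R "$grp" "$parent/AppServer/cloudscape" "$parent/AppServer/profiles/$profile"
    chmod g+rwX "$parent" "$parent/AppServer"
    chmod -R g+rwX "$parent/AppServer/cloudscape" "$parent/AppServer/profiles/$profile"
}

# Pre-start audit: list anything under <dir> that a member of <grp> could not
# read, write or (for directories) search. Returns 0 only when nothing is listed.
check_group_access() {
    dir="$1"; grp="$2"
    offenders=$(find "$dir" \( ! -group "$grp" \
        -o \( -type d ! -perm -070 \) \
        -o \( ! -type d ! -perm -060 \) \) -print)
    if [ -n "$offenders" ]; then
        printf 'not accessible to group %s:\n%s\n' "$grp" "$offenders"
        return 1
    fi
    return 0
}

# Constructed sample entries, as 'getent passwd wasadmin' would print on each host.
HOST_A='wasadmin:x:1500:1500:WebSphere admin:/home/wasadmin:/bin/sh'
HOST_B='wasadmin:x:1500:1500:WebSphere admin:/home/wasadmin:/bin/sh'
HOST_C='wasadmin:x:1501:1500:WebSphere admin:/home/wasadmin:/bin/sh'   # uid drifted

# Stand-alone use: sh this_script.sh <profile_dir> reports the sample ID
# comparison and audits that tree for wasgroup. Sourced with no argument it
# only defines the functions.
if [ "$#" -gt 0 ]; then
    identities_match "$HOST_A" "$HOST_B" && echo "sample hosts A/B: IDs match"
    identities_match "$HOST_A" "$HOST_C" || echo "sample hosts A/C: IDs differ; peer recovery would fail"
    check_group_access "$1" wasgroup
fi
```

Run `check_group_access` as the last thing before step 14: a single file under the profile that still belongs to root, or a directory without group search permission, is exactly what makes the node agent fail to start or log once it runs as wasadmin, and the audit names the offending path instead of leaving you to read a stack trace.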

 

Result

You can now start an application server and the node agent as a non-root user.


 

Related Tasks

Run an application server from a non-root user and the node agent from root
Run the deployment manager with a non-root user ID