Run an application server from a non-root user and the node agent from root

By default, each base WAS node on a Linux or UNIX platform uses the root user to run application servers. However, it is recommended that you use a non-root user to run application servers. This task describes how to configure an application server to run as a non-root user while the node agent process continues to run as root.

 

Before you begin

If global security is enabled, it is not recommended that the Local OS user registry be used. In general, using the Local OS user registry requires that all processes run as root. Refer to Local operating system user registries for details. If you are attempting to run an application server as root in WAS V6 after previously using a non-root user ID on Linux and UNIX platforms in V5.x, see Migrating a previously non-root configuration to root.

 

Overview

To run application servers under a non-root user ID, set all the application servers to run under the same operating system group. Run your application servers as non-root when you no longer want them to use root authority; for security or administrative reasons, you may want to change to non-root user IDs. You can perform this task at any time to change the permissions of an application server. You must restart the application servers for the changes to take effect.

Note: If you are using the Tivoli Access Manager (TAM) to perform authentication or authorization for WebSphere Application Server, it is important to be aware of potential permissions problems. For more information, see Tivoli Access Manager JACC provider configuration.

 

Procedure

  1. Log on to the application server system as root.

  2. Create the was1 user and the wasgroup group that are used to run the application server. If you will be using peer recovery with your transaction logs on a shared file system (such as NAS) between two or more machines, create users and groups with the same identification numbers on all machines participating in peer recovery. This ensures that the non-root users and groups match across machines.

  3. Add users root and was1 to the wasgroup group.

  4. Log off and back on.

  5. Log on to the Network Deployment system as root.

  6. If it is not already started, start the deployment manager process with the startManager.sh script from the /bin directory of the installation root:

    startManager.sh

  7. Configure application server properties for the root and was1 users. Use the administrative console on the deployment manager to complete the following steps:

    1. Define the node agent to run as a root process. You must define all three properties in the following table. Click System Administration > Node agents > nodeagent (for the node) > Server Infrastructure > Java and Process Management > Process Definition > Process Execution and change all of the following values:

      Property        Value
      Run As User     root
      Run As Group    wasgroup
      UMASK           002

    2. Define each application server to run as a was1 process. Substitute the name of each server for server1. You must define all three properties in the following table. Click Servers > Application Servers > server1 > Server Infrastructure > Java and Process Management > Process Definition > Process Execution and change all of the following values:

      Property        Value
      Run As User     was1
      Run As Group    wasgroup
      UMASK           002

    3. Save and synchronize all nodes.

  8. Log on to the application server system as root.

  9. Ensure that all servers on the application server system are stopped, including the server1 process. Use the stopServer.sh script from the /bin directory of the installation root:

    stopServer.sh server1 -user userID -password password

  10. Ensure that the node agent process is stopped. Use the stopNode.sh script from the /bin directory of the installation root:

    stopNode.sh -user userID -password password

  11. As root, use operating system tools to change the following file ownership and permissions on the application server system:

    # Give wasgroup ownership of the installation root and AppServer directory (non-recursive)
    chgrp wasgroup /opt/WebSphere
    chgrp wasgroup /opt/WebSphere/AppServer
    # The embedded Cloudscape database and the node profile are changed recursively
    chgrp -R wasgroup /opt/WebSphere/AppServer/cloudscape
    chgrp -R wasgroup /opt/WebSphere/AppServer/profiles/nodeProfile1
    # Grant group read and write access on the same paths
    chmod g+wr /opt/WebSphere
    chmod g+wr /opt/WebSphere/AppServer
    chmod -R g+wr /opt/WebSphere/AppServer/cloudscape
    chmod -R g+wr /opt/WebSphere/AppServer/profiles/nodeProfile1

  12. Start the node agent process as root. Use the startNode.sh script from the /bin directory of the installation root:

    startNode.sh

  13. Log on to the application server system as the was1 user.

  14. Start all application servers as the was1 user. Use the startServer.sh script from the /bin directory of the installation root:

    startServer.sh server1

 

Result

You can now start an application server from a non-root user and run the node agent as root.


 

Related Tasks


Run the deployment manager with a non-root user ID
Run an Application Server and node agent from a non-root user
Starting servers
Using the administrative console
Using command line tools