Running an Application Server with a non-root user ID and the nodeagent as root
Use this task to configure an Application Server to run as non-root. By default, WebSphere Application Server on UNIX platforms uses the root user ID to run Application Servers. One can use a non-root user ID to run Application Servers.
If global security is enabled, using the Local OS as the user registry is not recommended. In general, using the Local OS user registry requires that all processes run as root. Refer to Local operating system user registries for details.
To run Application Servers under a non-root user ID, set all the Application Servers to run under the same operating system group. If running the WebSphere JMS provider, add the jmsserver server to the mqm group to allow jmsserver to start the message queue. If not running jmsserver, you can use a group other than mqm in the following steps:
- Log on as root.
- Create the was1 user ID to be used to run the Application Server.
- Add users root and was1 to the mqm group.
- Reboot the machine.
- Configure Application Server properties for the root and was1 users.
Use the administrative console to complete the following steps:
- Define the nodeagent to run as a root process.
Click System Management > Node Agents > nodeagent (for the node) > Process Definition > Process Execution and change these values:
    Property       Value
    Run As User    root
    Run As Group   mqm
    UMASK          002
- Define each Application Server to run as a was1 process. Substitute the name of each server for servername.
Click Servers > Application Servers > servername > Process Definition > Process Execution and change these values:
    Property       Value
    Run As User    was1
    Run As Group   mqm
    UMASK          002
- If running the WebSphere JMS provider, define the jmsserver process to run as a root process.
Click JMS Servers > jmsserver (for the node) > Process Definition > Process Execution and change these values:
    Property       Value
    Run As User    root
    Run As Group   mqm
    UMASK          002
- Save and synchronize.
- Stop all servers, including the servername and jmsserver servers.
Use the stopserver command:
    stopserver servername
    stopserver jmsserver
- Stop the node.
Use the stopnode command:
    stopnode
- As root, use operating system tools to change file permissions.
The following examples assume that the WebSphere Application Server installation root directory is $WAS_HOME :
    chgrp mqm /opt/WebSphere
    chgrp mqm $WAS_HOME
    chgrp -R mqm $WAS_HOME/config
    chgrp -R mqm $WAS_HOME/logs
    chgrp -R mqm $WAS_HOME/wstemp
    chgrp -R mqm $WAS_HOME/installedApps
    chgrp -R mqm $WAS_HOME/temp
    chgrp -R mqm $WAS_HOME/tranlog
    chgrp -R mqm $WAS_HOME/cloudscape50
    chgrp -R mqm $WAS_HOME/cloudscape51
    chgrp -R mqm $WAS_HOME/bin/DefaultDB
    chmod g+w /opt/WebSphere
    chmod g+w $WAS_HOME
    chmod -R g+w $WAS_HOME/config
    chmod -R g+w $WAS_HOME/logs
    chmod -R g+w $WAS_HOME/wstemp
    chmod -R g+w $WAS_HOME/installedApps
    chmod -R g+w $WAS_HOME/temp
    chmod -R g+w $WAS_HOME/tranlog
    chmod -R g+w $WAS_HOME/cloudscape50
    chmod -R g+w $WAS_HOME/cloudscape51
    chmod -R g+w $WAS_HOME/bin/DefaultDB
- Start the node, the jmsserver, and all Application Servers.
Start the nodeagent and the jmsserver from root. Start each Application Server from the was1 user.
- If running the WebSphere JMS provider, verify that the MQ queue is running.
Run the dspmq command:
    dspmq
The name of the queue is WAS_wasnode_jmsserver.
Results
One can start an Application Server from a non-root user.
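To confirm that the chgrp/chmod step took effect, and that nothing under the recursively changed directories has become world-writable, a check such as the following can be run after the procedure. It is an added example, not part of the IBM procedure; the function names, the finding labels and the WAS_GROUP variable are assumptions made for this example, and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added example, not IBM code: audit the result of the chgrp/chmod step.
# Directories the page changes recursively, relative to $WAS_HOME.
WAS_DIRS="config logs wstemp installedApps temp tranlog cloudscape50 cloudscape51 bin/DefaultDB"

# report LABEL DIR FIND-TESTS... : one "LABEL path" line per match.
report() {
    label=$1; dir=$2; shift 2
    # Symbolic links are skipped: their own mode bits are not meaningful.
    find "$dir" ! -type l "$@" -print | sed "s|^|$label |"
}

# audit_was_perms WAS_HOME GROUP : prints findings, returns 1 if any.
audit_was_perms() {
    root=$1; grp=$2
    findings=$(
        for sub in $WAS_DIRS; do
            [ -d "$root/$sub" ] || continue   # e.g. one cloudscape version only
            report WRONG_GROUP    "$root/$sub" ! -group "$grp"
            report NO_GROUP_WRITE "$root/$sub" ! -perm -020
            # UMASK 002 masks world write on new files, so a set bit is drift.
            report WORLD_WRITABLE "$root/$sub" -perm -002
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_sample_tree : prints the path of a constructed tree that passes the
# audit for the caller's primary group (a stand-in for mqm on a test machine).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/config/cells" "$t/logs" "$t/bin/DefaultDB"
    : > "$t/config/cells/cell.xml"; : > "$t/logs/SystemOut.log"
    chgrp -R "$(id -g)" "$t" && chmod -R g+w,o-w "$t"
    printf '%s\n' "$t"
}

# Real use: WAS_HOME=<install root> sh thisfile.sh   (WAS_GROUP defaults to mqm)
if [ -n "${WAS_HOME:-}" ]; then
    audit_was_perms "$WAS_HOME" "${WAS_GROUP:-mqm}" || exit 1
else
    demo=$(make_sample_tree) && chmod g-w "$demo/logs/SystemOut.log"
    audit_was_perms "$demo" "$(id -g)" || true   # prints one NO_GROUP_WRITE line
    rm -rf "$demo"
fi
```

The check covers only the directories the procedure changes with -R; the non-recursive changes to /opt/WebSphere and $WAS_HOME themselves are not inspected.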
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.