Run an Application Server and node agent from a non-root user


By default, each base Application Server node on a Linux or UNIX platform uses the root user ID to run the node agent process, the jmsserver process, and all Application Server processes. However, you can run the node agent server process, the jmsserver server process, and all Application Server processes under the same non-root user and user group. If you do run the node agent process with a non-root user ID, run the jmsserver process and all Application Server processes that the node agent controls under that same non-root user ID.


Overview

If global security is enabled, the user registry must not be Local OS. Using the Local OS user registry requires the node agent to run as root. Refer to Local operating system user registries for details.


Using the same non-root user and user group gives the node agent process the operating system permissions to start all other server processes. If using the JMS provider that WebSphere Application Server provides, the user group must be mqm for the jmsserver to start the message queue. If you are not using the JMS provider that WebSphere Application Server provides, you can specify a user group other than mqm.

Note:

The node agent saves registered server data to the IBMLSDActiveServerList.asl file, in the path that is specified by the com.ibm.ws.orb.services.lsd.StoreActiveServerList property. If you do not specify a value for the com.ibm.ws.orb.services.lsd.StoreActiveServerList property, the node agent does not save the data. The value you specify for this property must be the complete path location of the IBMLSDActiveServerList.asl file. The CLASSPATH environment variable is not used in locating the path.

If you are running WebSphere Application Server as a non-root user, add IBMLSDActiveServerList.asl to your non-root user file permissions.

For the steps that follow, assume that:

    the non-root user is wasadmin and its primary group is mqm
    the cell is wascell and the node is wasnode
    the installation root is /opt/WebSphere/AppServer
    the JMS server process is jmsserver and the Application Server is server1

To configure a user ID to run the node agent process and all server processes, complete the following steps.


Steps for this task

  1. Log on to the Application Server system as root.

  2. Create user wasadmin with primary group mqm.

    Also add user wasadmin to group mqbrkrs if you are running the JMS provider that WebSphere Application Server provides.

  3. Log off and back on.

  4. Log on to the Network Deployment system as root.

  5. If the deployment manager process is not started, start it with the startManager.sh script from the /bin directory of the installation root:

    startManager.sh
    

  6. Start the administrative console.

  7. Define the nodeagent to run as a wasadmin process using the administrative console of the deployment manager.

    You must define all three properties in the following table. Click...

    System Administration | Node Agents | nodeagent (for the node) | Process Definition | Process Execution

    ...and change all of the following values:

    Property        Value
    Run As User     wasadmin
    Run As Group    mqm
    UMASK           002

    Make sure that the node agent is running if you are going to change the value specified for either the Run As Group or Run As User property. If the value for either of these properties is changed while the node agent is not running, the Deployment Manager cannot push the changes to the node.

  8. Define each Application Server to run as a wasadmin process. Substitute the name of each server for server1.

    You must define all three properties in the following table. Click...

    Servers | Application Servers | server1 | Process Definition | Process Execution

    ...and change all of the following values:

    Property        Value
    Run As User     wasadmin
    Run As Group    mqm
    UMASK           002

  9. If you are running the JMS provider that WebSphere Application Server provides, define the jmsserver process to run as a wasadmin process.

    You must define all three properties in the following table. Click...

    JMS Servers | jmsserver (for the node) | Process Definition | Process Execution

    ...and change all of the following values:

    Property        Value
    Run As User     wasadmin
    Run As Group    mqm
    UMASK           002

  10. Save and synchronize all nodes.

  11. Log on to the Application Server system as root.

  12. Ensure that all servers are stopped, including the server1 and jmsserver processes.

    Use the stopServer.sh script from the /bin directory of the installation root:

    stopServer.sh server1
    stopServer.sh jmsserver
    

  13. Stop the node agent.

    Use the stopNode.sh script from the /bin directory of the installation root:

    stopNode.sh
    

  14. If you are running the JMS provider that WebSphere Application Server provides, delete the default queue manager for the Application Server.

    Run the deletemq.sh script as root from the /bin directory of the installation root:

    deletemq.sh wascell wasnode jmsserver
    

  15. [V5.1 and later] As root, use operating system tools to change file permissions on Linux and UNIX platforms:

    chgrp mqm /opt/WebSphere
    chgrp mqm /opt/WebSphere/AppServer
    chgrp -R mqm /opt/WebSphere/AppServer/config
    chgrp -R mqm /opt/WebSphere/AppServer/logs
    chgrp -R mqm /opt/WebSphere/AppServer/properties
    chgrp -R mqm /opt/WebSphere/AppServer/wstemp
    chgrp -R mqm /opt/WebSphere/AppServer/installedApps
    chgrp -R mqm /opt/WebSphere/AppServer/temp
    chgrp -R mqm /opt/WebSphere/AppServer/tranlog
    chgrp -R mqm /opt/WebSphere/AppServer/cloudscape
    chgrp -R mqm /opt/WebSphere/AppServer/bin/DefaultDB
    chmod g+wr /opt/WebSphere
    chmod g+wr /opt/WebSphere/AppServer
    chmod -R g+wr /opt/WebSphere/AppServer/config
    chmod -R g+wr /opt/WebSphere/AppServer/logs
    chmod -R g+wr /opt/WebSphere/AppServer/properties
    chmod -R g+wr /opt/WebSphere/AppServer/wstemp
    chmod -R g+wr /opt/WebSphere/AppServer/installedApps
    chmod -R g+wr /opt/WebSphere/AppServer/temp
    chmod -R g+wr /opt/WebSphere/AppServer/tranlog
    chmod -R g+wr /opt/WebSphere/AppServer/cloudscape
    chmod -R g+wr /opt/WebSphere/AppServer/bin/DefaultDB
    

  16. Log in as wasadmin on the Application Server system.

  17. If you are running the JMS provider that WebSphere Application Server provides, create the queue manager and broker for the Application Server.

    Run the createmq.sh script as wasadmin from the /bin directory of the installation root:

    createmq.sh /opt/WebSphere/AppServer wascell wasnode jmsserver
    

  18. Start the node agent.

    Use the startNode.sh script from the /bin directory of the installation root:

    startNode.sh
    

  19. From wasadmin, run the startServer.sh script from the /bin directory of the installation root to start the JMS server and all Application Servers:

    startServer.sh jmsserver
    startServer.sh server1
    

  20. If you are running the JMS provider that WebSphere Application Server provides, verify that the MQ queue is running.

    As user wasadmin, run the dspmq.sh script from the /bin directory of the installation root:

    dspmq.sh
    

    The name of the queue is WAS_wasnode_jmsserver.
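A script that verifies the ownership and permission changes of step 15 before the node agent and servers are handed to wasadmin, as an added example that is not part of the IBM documentation. It assumes the group mqm, the installation root /opt/WebSphere/AppServer and the directory list from step 15, and uses only ls, find and awk so it runs on Linux and UNIX alike.

```shell
#!/bin/sh
# Added example, not from the WebSphere documentation: audit the chgrp/chmod
# changes of step 15. The group, install root and path list are assumptions
# taken from the steps above.

WAS_GROUP=mqm
WAS_ROOT=/opt/WebSphere/AppServer

# check_entry GROUP PATH: print PATH with its group and mode if it is not
# group-owned by GROUP or lacks group read+write; print nothing otherwise.
check_entry() {
  grp=$1
  path=$2
  set -- $(ls -ld "$path")
  # $1 is now the mode string (e.g. drwxrwxr-x) and $4 the owning group;
  # characters 5 and 6 of the mode are the group read and write bits.
  case "$1" in
    ????rw*) gok=1 ;;
    *)       gok=0 ;;
  esac
  if [ "$4" != "$grp" ] || [ "$gok" -eq 0 ]; then
    printf '%s group=%s mode=%s\n' "$path" "$4" "$1"
  fi
}

# audit_tree GROUP PATH: check PATH and everything beneath it (step 15's -R).
audit_tree() {
  find "$2" -print | while IFS= read -r f; do check_entry "$1" "$f"; done
}

# count_offenders GROUP PATH: number of entries under PATH failing the check.
count_offenders() {
  audit_tree "$1" "$2" | awk 'END { print NR }'
}

# audit_was_install GROUP ROOT: replay the scope of step 15 (the two parent
# directories non-recursively, the listed subdirectories recursively).
audit_was_install() {
  check_entry "$1" "$(dirname "$2")"
  check_entry "$1" "$2"
  for sub in config logs properties wstemp installedApps temp tranlog \
             cloudscape bin/DefaultDB; do
    [ -e "$2/$sub" ] && audit_tree "$1" "$2/$sub"
  done
}

# Run the audit only when the install root exists on this machine.
if [ -d "$WAS_ROOT" ]; then
  audit_was_install "$WAS_GROUP" "$WAS_ROOT"
fi
```

Any line printed names a file or directory that still needs the chgrp or chmod from step 15; no output means the tree matches the intended state.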


Results

You can start an Application Server, the jmsserver, and the nodeagent from a non-root user.


Related tasks
Running an Application Server from a non-root user and the nodeagent from root
Running the deployment manager with a non-root user ID
Configuring deployment managers