Running an Application Server from a non-root user and the nodeagent from root
By default, each base WebSphere Application Server node on Linux and UNIX platforms uses the root user to run Application Servers. However, you can use a non-root user to run Application Servers. This task describes how to configure an Application Server to run as non-root while letting the nodeagent process and the jmsserver process run as root.
Overview
If global security is enabled, using the Local OS as the user registry is not recommended. In general, using the Local OS user registry requires that all processes run as root. Refer to Local operating system user registries for details.
To run Application Servers under a non-root user ID, set all the Application Servers to run under the same operating system group. If you are running the JMS provider that WebSphere Application Server provides, add the jmsserver server to the mqm group to allow jmsserver to start the message queue. If you are not running jmsserver, you can use a group other than mqm in the following steps.
- Log on to the Application Server system as root.
- Create the was1 user that you can use to run the Application Server.
- Add users root and was1 to the mqm group.
- Log off and back on.
- Log on to the Network Deployment system as root.
- If it is not started, start the deployment manager process with the startManager.sh script from the /bin directory of the installation root:
startManager.sh
- Configure Application Server properties for the root and was1 users. Use the administrative console on the deployment manager to complete the following steps:
- Define the nodeagent to run as a root process. You must define all three properties in the following table. Click System Administration > Node Agents > nodeagent (for the node) > Process Definition > Process Execution and change all of the following values:

| Property | Value |
| --- | --- |
| Run As User | root |
| Run As Group | mqm |
| UMASK | 002 |
- Define each Application Server to run as a was1 process. Substitute the name of each server for server1. You must define all three properties in the following table. Click Servers > Application Servers > server1 > Process Definition > Process Execution and change all of the following values:

| Property | Value |
| --- | --- |
| Run As User | was1 |
| Run As Group | mqm |
| UMASK | 002 |
- If running the JMS provider that WebSphere Application Server provides, define the jmsserver process to run as a root process. You must define all three properties in the following table. Click Servers > JMS Servers > jmsserver (for the node) > Process Definition > Process Execution and change all of the following values:

| Property | Value |
| --- | --- |
| Run As User | root |
| Run As Group | mqm |
| UMASK | 002 |
- Save and synchronize all nodes.
- Log on to the Application Server system as root.
- Ensure that all servers on the Application Server system are stopped, including the server1 and jmsserver processes. Use the stopServer.sh script from the /bin directory of the installation root:
stopServer.sh server1
stopServer.sh jmsserver
- Ensure that the nodeagent process is stopped. Use the stopNode.sh script from the /bin directory of the installation root:
stopNode.sh
- As root, use operating system tools to change file permissions on the Application Server system. The following example assumes that the installation root directory of the WebSphere Application Server is /opt/WebSphere/AppServer:
chgrp mqm /opt/WebSphere
chgrp mqm /opt/WebSphere/AppServer
chgrp -R mqm /opt/WebSphere/AppServer/config
chgrp -R mqm /opt/WebSphere/AppServer/logs
chgrp -R mqm /opt/WebSphere/AppServer/properties
chgrp -R mqm /opt/WebSphere/AppServer/wstemp
chgrp -R mqm /opt/WebSphere/AppServer/installedApps
chgrp -R mqm /opt/WebSphere/AppServer/temp
chgrp -R mqm /opt/WebSphere/AppServer/tranlog
chgrp -R mqm /opt/WebSphere/AppServer/cloudscape
chgrp -R mqm /opt/WebSphere/AppServer/bin/DefaultDB
chmod g+wr /opt/WebSphere
chmod g+wr /opt/WebSphere/AppServer
chmod -R g+wr /opt/WebSphere/AppServer/config
chmod -R g+wr /opt/WebSphere/AppServer/logs
chmod -R g+wr /opt/WebSphere/AppServer/properties
chmod -R g+wr /opt/WebSphere/AppServer/wstemp
chmod -R g+wr /opt/WebSphere/AppServer/installedApps
chmod -R g+wr /opt/WebSphere/AppServer/temp
chmod -R g+wr /opt/WebSphere/AppServer/tranlog
chmod -R g+wr /opt/WebSphere/AppServer/cloudscape
chmod -R g+wr /opt/WebSphere/AppServer/bin/DefaultDB
- Start the nodeagent process from root. Use the startNode.sh script from the /bin directory of the installation root:
startNode.sh
- Start the jmsserver process from root. Use the startServer.sh script from the /bin directory of the installation root:
startServer.sh jmsserver
- Log on to the Application Server system as the was1 user.
- Start all Application Servers from the was1 user. Use the startServer.sh script from the /bin directory of the installation root:
startServer.sh server1
- If you are running the JMS provider that WebSphere Application Server provides, verify that the queue manager is running. Run the dspmq.sh script from the /bin directory of the installation root:
dspmq.sh
The name of the queue is WAS_wasnode_jmsserver.
Results
You can start an Application Server from a non-root user and run the nodeagent and jmsserver as root.
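
The file-permission step can be verified after the fact with a short audit. This is an added example, not part of the original procedure or IBM's code. It walks the same directories and reports anything not owned by the shared group or lacking group read/write. The function name `audit_was_perms`, the `FINDING` labels and the extra world-writable check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not IBM's code. Trees the procedure changes with
# chgrp -R / chmod -R, relative to the installation root.
WAS_TREES="config logs properties wstemp installedApps temp tranlog cloudscape bin/DefaultDB"

# audit_was_perms ROOT GROUP   (function name and FINDING labels are hypothetical)
#   ROOT   installation root, e.g. /opt/WebSphere/AppServer
#   GROUP  group name or numeric GID, e.g. mqm
# Prints one "FINDING <reason> <path>" line per problem.
# Returns 0 when the trees are clean, 1 when anything was reported.
audit_was_perms() {
    _root=$1
    _group=$2
    _out=$(
        for _sub in $WAS_TREES; do
            _dir=$_root/$_sub
            # Skip trees that do not exist on this installation.
            [ -d "$_dir" ] || continue
            # Symbolic links are excluded: their own mode bits are not
            # used for access checks.
            # 1. Not owned by the shared group (chgrp -R missed or undone).
            find "$_dir" ! -type l ! -group "$_group" | sed 's/^/FINDING wrong-group /'
            # 2. Group lacks read or write (chmod -R g+wr missed or undone).
            find "$_dir" ! -type l ! -perm -060 | sed 's/^/FINDING no-group-rw /'
            # 3. World-writable: the procedure never grants it (UMASK 002
            #    masks it out), so report it as over-permissive.
            find "$_dir" ! -type l -perm -002 | sed 's/^/FINDING world-writable /'
        done
    )
    if [ -z "$_out" ]; then
        return 0
    fi
    printf '%s\n' "$_out"
    return 1
}

# Run directly as: sh audit.sh /opt/WebSphere/AppServer mqm
if [ $# -eq 2 ]; then
    audit_was_perms "$1" "$2"
fi
```

A `wrong-group` or `no-group-rw` finding under config or logs is the usual reason a server started as was1 fails after files were created or replaced by root outside the UMASK 002 setting.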