6.6.a.1: Running the product servers and consoles as non-root
An application server or administrative server can be run using a non-root ID.
The tradeoff is that you must use an LDAP directory as the authentication
mechanism for WebSphere security; you can no longer use the local operating system.
By default, WebSphere servers use a root ID. Use the instructions below to change the ID. The
Java administrative console can be accessed from a non-root ID, provided security permissions
are configured appropriately.
You can run application servers as non-root on UNIX platforms. You cannot run
application servers as non-root on Windows platforms because values for User ID and
Group ID are ignored. On Windows platforms, you must run an application server
using the same user ID as the administrative server.
To run an application server as non-root:
- Start the WebSphere administrative server under the root ID.
- Start the Java administrative console.
- In the tree view, locate and click the application server to display its properties.
- In the Advanced properties, modify the User ID and Group ID to be the user and group
  for the application server to "run as."
- In the General properties, modify the standard output and standard error log paths
  to refer to directories to which the "run as" identity has access.
- Start the application server, using the new ID.
If WebSphere Application Server global security is enabled, do the following to
run an application server as non-root:
- Determine the non-root user that you would like the application server to "run as."
- Make sure the non-root user has read and write privileges on the
  product_installation_root/properties/sas.server.props file.
- Make sure the non-root user has read and write privileges on the
  product_installation_root/etc/secbootstrap file.
- Ensure that the application server is stopped.
- Delete the application server temporary files and directories in the
  product_installation_root/temp directory. Ensure the user has read and write
  privileges on the product_installation_root/temp directory.
- Start the WebSphere administrative console under the root ID.
- In the Java administrative console tree view, locate and click the application server
  to display its properties.
- In the Advanced properties, modify the User ID and Group ID to be the user and group
  for the application server to "run as."
- In the General properties, modify the standard output and standard error log paths
  to refer to directories to which the "run as" identity has access.
- Ensure that the administrative server "run as" ID has full access and privileges
  over the non-root ID that you gave to the application server.
- Start the application server, using the new ID.
To run the administrative server as non-root:
- Change permissions on the product installation directories to
  allow access to the administrative server when it "runs as" a non-root ID.
- Do one of the following:
  - Change the bootstrap port of the administrative server to a value greater than or equal to 1024:
    - Open the administrative configuration file in a text editor.
    - Add the following:
      com.ibm.ejs.sm.adminServer.bootstrapPort=2222
      where 2222 is just an example of a new port that you might use.
      Changing the bootstrap port affects the administrative clients that connect to the server.
      See the port administration overview for details.
- Start the administrative server, using the new ID.
To run the administrative console as non-root:
- Change the ownership of the following directories and files
  to the user and group that you would like the console to "run as":
  product_installation_root/bin
  product_installation_root/properties/sas.client.props
- Make sure the user has permission to access the secured administrative account.
On Solaris, the "ndd" commands in the administrative server startupServer.sh script
need to be commented out unless you are running as root.
If an "ndd" command is executed by a non-root user, the following error
message is issued to stdout or stderr:
operation failed, Not owner
The "ndd" command dynamically adjusts certain IP stack parameters.
It operates on kernel-level device settings of the operating system,
which only root may change; hence the error message.
The workaround is either to run the administrative server as root or to edit
the startupServer.sh script, commenting out the ndd command.
It is still strongly recommended that the changes to the TCP parameters that
the "ndd" command makes be made by root on all machines running the application
server and Web server (in case they are not the same machine).
The following problems indicate the need to review the above instructions
to ensure that your configuration is correct for running as non-root.
- The following error message is displayed when starting the administrative
  server as non-root on Solaris:
  $ ./startupServer.sh operation failed,Not owner
- The following error message is displayed when starting the server as non-root
  (bootstrapPort < 1024):
  NMSV0011E: Unable to start Bootstrap Server
  The most likely cause is that the
  bootstrap port is already in use. Ensure that no servers or other processes
  are already using the bootstrap server port.
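The conditions behind these symptoms (read and write access to sas.server.props, secbootstrap and the temp directory for the "run as" user; a bootstrap port of 1024 or higher; no active ndd command left in startupServer.sh) can be checked before a server is started under a non-root ID. The POSIX shell script below is an added example and not a script shipped with the product. It assumes the file layout this page names under product_installation_root, that the com.ibm.ejs.sm.adminServer.bootstrapPort property is set in a configuration file whose path is passed in (the file name admin.config used in the demo is an assumption), and it judges access from ownership and permission bits only, ignoring group membership. It builds a constructed, deliberately misconfigured tree, reports the problems, applies the remedies the page describes, and re-checks.

```shell
#!/bin/sh
# Pre-flight check for running WebSphere servers under a non-root ID.
# Added example, not a product script. Assumes the layout this page names under
# product_installation_root (properties/sas.server.props, etc/secbootstrap, temp,
# bin/startupServer.sh) and that com.ibm.ejs.sm.adminServer.bootstrapPort lives in
# a configuration file whose path is passed in (the name admin.config is an assumption).

# mode_and_owner PATH: print "<mode> <owner>" from portable ls -ld output,
# e.g. "-rw-r----- 1 wasadmin wasgrp ..." -> "-rw-r----- wasadmin".
mode_and_owner() {
  set -- $(ls -ld "$1")
  echo "$1 $3"
}

# check_rw PATH USER: succeed when USER has read and write on PATH, judged from the
# owner bits if USER owns it, otherwise from the "other" bits. Group membership is
# deliberately not evaluated (conservative; an assumption of this example).
check_rw() {
  path=$1; user=$2
  [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
  set -- $(mode_and_owner "$path")
  mode=$1; owner=$2
  if [ "$owner" = "$user" ]; then bits=$(echo "$mode" | cut -c2-3)
  else bits=$(echo "$mode" | cut -c8-9); fi
  if [ "$bits" = "rw" ]; then echo "OK       $path ($mode $owner)"; return 0; fi
  echo "NO-RW    $path ($mode $owner) for $user"; return 1
}

# check_bootstrap_port CONFIG: succeed when the bootstrap port is set to a value
# >= 1024, which a non-root administrative server is allowed to bind.
check_bootstrap_port() {
  port=$(sed -n 's/^com\.ibm\.ejs\.sm\.adminServer\.bootstrapPort=\([0-9]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
  if [ -z "$port" ]; then echo "PORT     bootstrapPort not set in $1; set it to a value >= 1024"; return 1; fi
  if [ "$port" -ge 1024 ]; then echo "OK       bootstrapPort=$port"; return 0; fi
  echo "PORT     bootstrapPort=$port is privileged (< 1024)"; return 1
}

# check_ndd SCRIPT: succeed when no active (uncommented) ndd command remains; ndd
# needs root on Solaris and otherwise fails with "operation failed, Not owner".
check_ndd() {
  if grep -E '^[[:space:]]*ndd([[:space:]]|$)' "$1" >/dev/null 2>&1; then
    echo "NDD      active ndd command in $1; comment it out or apply the settings as root"; return 1
  fi
  echo "OK       no active ndd command in $1"; return 0
}

# preflight ROOT USER CONFIG: run every check; the return value is the number of failures.
preflight() {
  root=$1; user=$2; cfg=$3; fails=0
  for p in "$root/properties/sas.server.props" "$root/etc/secbootstrap" "$root/temp"; do
    check_rw "$p" "$user" || fails=$((fails + 1))
  done
  check_bootstrap_port "$cfg" || fails=$((fails + 1))
  check_ndd "$root/bin/startupServer.sh" || fails=$((fails + 1))
  return "$fails"
}

# make_demo_tree: build a constructed, deliberately misconfigured installation tree in a
# temporary directory and print its path (demo data only, not a real installation).
make_demo_tree() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/properties" "$root/etc" "$root/temp" "$root/bin"
  echo "# constructed contents" > "$root/properties/sas.server.props"
  echo "# constructed contents" > "$root/etc/secbootstrap"
  chmod 400 "$root/properties/sas.server.props"   # read-only: the run-as user cannot write it
  chmod 600 "$root/etc/secbootstrap"
  chmod 700 "$root/temp"
  echo "com.ibm.ejs.sm.adminServer.bootstrapPort=900" > "$root/admin.config"   # constructed privileged value
  printf '%s\n' '#!/bin/sh' '# constructed stand-in for the product startup script' \
    'ndd -set /dev/tcp example_param 1' 'echo starting' > "$root/bin/startupServer.sh"
  echo "$root"
}

# fix_demo_tree ROOT: apply the page's remedies: grant read/write to the run-as user,
# raise the bootstrap port to 2222 (the page's example value), comment out ndd.
fix_demo_tree() {
  chmod u+rw "$1/properties/sas.server.props" "$1/etc/secbootstrap" "$1/temp"
  echo "com.ibm.ejs.sm.adminServer.bootstrapPort=2222" > "$1/admin.config"
  sed 's/^\([[:space:]]*\)ndd/\1# ndd/' "$1/bin/startupServer.sh" > "$1/bin/startupServer.sh.new" \
    && mv "$1/bin/startupServer.sh.new" "$1/bin/startupServer.sh"
}

# Demo run: the misconfigured tree fails, then passes once the remedies are applied.
demo_root=$(make_demo_tree)
echo "== before remedies =="
preflight "$demo_root" "$(id -un)" "$demo_root/admin.config" || echo "$? problem(s) found"
echo "== after remedies =="
fix_demo_tree "$demo_root"
preflight "$demo_root" "$(id -un)" "$demo_root/admin.config" && echo "ready to start as $(id -un)"
rm -rf "$demo_root"
```

Run it as the intended "run as" user against the real product_installation_root by calling preflight with that path, the user name and the configuration file; each failing line names the step on this page that corrects it. Reading permission bits rather than probing with test -r/-w is deliberate: a check run as root would otherwise report every file as accessible.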