
6.6.a.1: Running the product servers and consoles as non-root

An application server or administrative server can be run using a non-root ID. The tradeoff is that you must use an LDAP directory as the authentication mechanism for WebSphere security; you can no longer use the local operating system as the authentication mechanism.

By default, WebSphere servers use a root ID. Use the instructions below to change the ID. The Java administrative console can be accessed from a non-root ID, provided security permissions are configured appropriately.

Running application servers as non-root

You can run application servers as non-root on UNIX platforms. You cannot run application servers as non-root on Windows platforms because values for User ID and Group ID are ignored. On Windows platforms, you must run an application server using the same user ID as the administrative server.

To run an application server as non-root:

  1. Start the WebSphere administrative server under the root ID.
  2. Start the Java administrative console.
  3. In the tree view, locate and click the application server to display its properties.
  4. In the Advanced properties, modify the User ID and Group ID to be the user and group for the application server to "run as."
  5. In the General properties, modify the standard output and standard error log paths to refer to directories to which the "run as" identity has access.
  6. Start the application server, using the new ID.

If WebSphere Application Server global security is enabled, do the following to run an application server as non-root:

  1. Determine the non-root user that you would like the application server to "run as."
  2. Make sure the non-root user has read and write privileges on the product_installation_root/properties/sas.server.props file.
  3. Make sure the non-root user has read and write privileges on the product_installation_root/etc/secbootstrap file.
  4. Ensure that the application server is stopped.
  5. Delete the application server temporary files and directories in the product_installation_root/temp directory. Ensure the user has read and write privileges on the product_installation_root/temp directory.
  6. Start the WebSphere administrative console under the root ID.
  7. In the Java administrative console tree view, locate and click the application server to display its properties.
  8. In the Advanced properties, modify the User ID and Group ID to be the user and group for the application server to "run as."
  9. In the General properties, modify the standard output and standard error log paths to refer to directories to which the "run as" identity has access.
  10. Ensure that the administrative server "run as" ID has full access and privileges over the non-root ID that you gave to the application server.
  11. Start the application server, using the new ID.
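The file and directory checks in steps 2, 3, 5 and 9 are easy to get wrong and are only verified when the server fails to start. The following POSIX shell script is an added example, not part of the InfoCenter page or of the product: run it as the intended "run as" user (for example `su - wasuser -c "sh preflight.sh /opt/WebSphere/AppServer /var/log/was"`; the user name, install path and log directory are assumptions) and it reports which required paths that user cannot read and write. It also provides the step 5 cleanup of the temp directory, which should only be run once the server is confirmed stopped (step 4).

```shell
#!/bin/sh
# Added example (not from the InfoCenter page): pre-flight check for the
# non-root "run as" user of an application server with global security on.
# Run it AS that user, e.g.
#   su - wasuser -c "sh preflight.sh /opt/WebSphere/AppServer /var/log/was"
# The install path, user and log directory above are assumptions.

# check_rw PATH: 0 if the current user can read and write PATH, 1 otherwise.
# test -r/-w asks the kernel, so group membership and ACLs are honoured;
# that is why the script has to run as the target user, not as root.
check_rw() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    if [ -r "$path" ] && [ -w "$path" ]; then
        echo "OK       $path"
        return 0
    fi
    echo "NO RW    $path (owner $(ls -ld "$path" | awk '{print $3 ":" $4}'))"
    return 1
}

# preflight_nonroot INSTALL_ROOT [LOG_DIR ...]
# Checks the paths named in steps 2, 3 and 5, plus any stdout/stderr log
# directories from step 9 passed as extra arguments. 0 only if all pass.
preflight_nonroot() {
    root=$1
    shift
    rc=0
    for p in "$root/properties/sas.server.props" \
             "$root/etc/secbootstrap" \
             "$root/temp"; do
        check_rw "$p" || rc=1
    done
    for d in "$@"; do
        check_rw "$d" || rc=1
    done
    return "$rc"
}

# clean_temp INSTALL_ROOT: step 5, remove everything under .../temp (dotfiles
# and subdirectories included) but keep the temp directory itself.
# Refuses an empty or "/" install root so a typo cannot wipe the wrong tree.
clean_temp() {
    case $1 in
        ''|/) echo "refusing to clean temp under '$1'" >&2; return 1 ;;
    esac
    tmp=$1/temp
    [ -d "$tmp" ] || { echo "no temp directory at $tmp" >&2; return 1; }
    (cd "$tmp" && find . ! -name . -prune -exec rm -rf {} +)
}

# Stand-alone use: preflight.sh INSTALL_ROOT [LOG_DIR ...]
if [ "$#" -gt 0 ]; then
    preflight_nonroot "$@"
fi
```

A non-zero exit with one or more `MISSING` or `NO RW` lines is the list of ownership or mode changes still needed before step 11; a clean run says nothing about whether the administrative server itself is running as root (step 6), which this script cannot see from the "run as" account.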

Running administrative servers as non-root

  1. Change permissions to the product installation directories to allow access to the administrative server when it "runs as" a non-root ID. Do one of the following:
  2. Change the bootstrap port of the administrative server to a value greater than or equal to 1024:
    1. Open the administrative configuration file in a text editor.
    2. Add the following:
      com.ibm.ejs.sm.adminServer.bootstrapPort=2222
      
      where 2222 is just an example of a new port that you might use.

      Changing the bootstrap port affects the administrative clients that connect to the server. See port administration overview for details.

  3. Start the administrative server, using the new ID.

Running Java administrative consoles as non-root

  1. Change the ownership of the following directories and files to the user and group that you would like the console to "run as":
    product_installation_root/bin
    product_installation_root/properties/sas.client.props
    
  2. Make sure the user has permission to access the secured administrative account.

What you should know about running as non-root on Solaris: ndd

On Solaris, the "ndd" commands in the administrative server startupServer.sh script need to be commented out unless you are running as root.

If an "ndd" command is being executed by a non-root user, the following error message will be issued to stdout or stderr:

operation failed, Not owner

The "ndd" command dynamically adjusts certain IP stack parameters. It operates on operating system kernel device settings, which only root may change, which is why the error message is issued.

The workaround is to either run the administrative server as root or edit the startupServer.sh script, commenting out the ndd command.

It is still strongly recommended that the changes to the TCP parameters that the "ndd" command makes be made by root on all machines running the application server and Web server (in case they are not the same box).
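Editing startupServer.sh by hand is error-prone when the script is regenerated or copied between machines. The following POSIX shell script is an added example, not part of the InfoCenter page or of the product: it writes a copy of the startup script with every active "ndd" line turned into a comment, leaves lines that are already comments alone, and echoes the removed commands so that root can still apply the same TCP parameters on the application server and Web server machines. The script path is an argument; the output path (default: the input name plus `.nonroot`) and the sample ndd lines in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the InfoCenter page): comment out the ndd commands
# in a copy of startupServer.sh so the administrative server can be started
# by a non-root user. Usage: comment_out_ndd startupServer.sh [OUTPUT]
# The original script is never modified in place.

# Lines whose first non-blank token is "ndd" or an absolute path ending in
# "/ndd" (for example /usr/sbin/ndd). Lines already starting with "#" do not
# match, so running the script twice is harmless.
NDD_LINE='^[[:space:]]*(/[^[:space:]]*/)?ndd[[:space:]]'

# comment_out_ndd SCRIPT [OUT]
# Prints the number of lines commented out on stdout; the commands themselves
# are printed on stderr so an administrator can run them as root afterwards.
comment_out_ndd() {
    script=$1
    out=${2:-$script.nonroot}
    [ -f "$script" ] || { echo "no such script: $script" >&2; return 1; }
    n=$(grep -cE "$NDD_LINE" "$script" || true)
    # Same pattern written as a BRE for sed: keep the indentation (\1) and
    # put "# " in front of the command (\2).
    sed 's|^\([[:space:]]*\)\(\(/[^[:space:]]*/\)\{0,1\}ndd[[:space:]]\)|\1# \2|' \
        "$script" > "$out"
    if [ "$n" -gt 0 ]; then
        echo "commented out $n ndd line(s) in $out; root must still apply:" >&2
        grep -E "$NDD_LINE" "$script" >&2
    fi
    echo "$n"
}

# Stand-alone use: the first argument is the script, the optional second the
# output file; the count is printed so it can be checked in a deployment job.
if [ "$#" -gt 0 ]; then
    comment_out_ndd "$@"
fi
```

Review the stderr listing and apply those ndd settings as root on every machine involved, as the note above recommends; the commented copy can then be used to start the administrative server as the non-root ID.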

Problems and symptoms based on running as non-root incorrectly

The following problems indicate the need to review the above instructions to ensure that your configuration is correct for running as non-root.

  • The following error message is displayed when attempting to start the administrative server as non-root on Solaris:
    $ ./startupServer.sh
    operation failed,Not owner

  • The following error message is displayed when starting the server as non-root (bootstrapPort < 1024):
    NMSV0011E: Unable to start Bootstrap Server

    The most likely cause is that the bootstrap port is already in use. Ensure that no servers or other processes are already using the bootstrap server port.
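Both the bootstrap port change under "Running administrative servers as non-root" and the NMSV0011E symptom above come down to two checks: is com.ibm.ejs.sm.adminServer.bootstrapPort set to a value a non-root process may bind (1024 or higher), and is anything already listening on it. The following POSIX shell script is an added example, not part of the InfoCenter page or of the product: it reads, sets and validates that key in the administrative configuration file and tests whether the port is already in use. The configuration file path in the usage comment, the port numbers and the sample file contents are assumptions; no default port is assumed when the key is absent.

```shell
#!/bin/sh
# Added example (not from the InfoCenter page): inspect, set and validate the
# administrative server bootstrap port, and check whether it is already in
# use, which are the two causes of NMSV0011E discussed on this page.
# Usage (path is an assumption):
#   check_bootstrap_port /opt/WebSphere/AppServer/bin/admin.config

KEY='com.ibm.ejs.sm.adminServer.bootstrapPort'
KEY_RE='com\.ibm\.ejs\.sm\.adminServer\.bootstrapPort'   # same key, BRE-escaped

# bootstrap_port FILE: print the configured port, or nothing if the key is absent.
# The last occurrence wins, matching how a later line overrides an earlier one.
bootstrap_port() {
    sed -n "s/^[[:space:]]*$KEY_RE[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | tail -n 1
}

# set_bootstrap_port FILE PORT: replace the key if present, otherwise append it.
# The file is rewritten through cat so it keeps its owner and mode, which the
# "run as" user of the administrative server depends on.
set_bootstrap_port() {
    file=$1
    port=$2
    if grep -q "^[[:space:]]*$KEY_RE[[:space:]]*=" "$file"; then
        sed "s/^[[:space:]]*$KEY_RE[[:space:]]*=.*/$KEY=$port/" "$file" > "$file.tmp" \
            && cat "$file.tmp" > "$file"
        rm -f "$file.tmp"
    else
        printf '%s=%s\n' "$KEY" "$port" >> "$file"
    fi
}

# check_bootstrap_port FILE: 0 if the port is set and bindable by a non-root
# server (1024..65535), 1 otherwise, with a one-line reason on stdout.
check_bootstrap_port() {
    port=$(bootstrap_port "$1")
    case $port in
        '')       echo "$KEY is not set in $1; a non-root administrative server needs a value >= 1024"; return 1 ;;
        *[!0-9]*) echo "$KEY=$port is not a number"; return 1 ;;
    esac
    if [ "$port" -lt 1024 ]; then
        echo "$KEY=$port: ports below 1024 need root (expect NMSV0011E when started as non-root)"
        return 1
    fi
    if [ "$port" -gt 65535 ]; then
        echo "$KEY=$port is out of range"
        return 1
    fi
    echo "$KEY=$port is usable by a non-root administrative server"
    return 0
}

# port_in_use PORT: 0 if some process already listens on PORT, 1 if free,
# 2 if neither ss nor netstat is available to tell.
port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk -v p="$1" '
            NR > 1 { n = split($4, a, ":"); if (a[n] == p) found = 1 }
            END { exit found ? 0 : 1 }'
    elif command -v netstat >/dev/null 2>&1; then
        # The local address is column 1 (Solaris) or column 4 (Linux, BSD);
        # the port follows the last "." or ":" in it. Accept either layout.
        netstat -an 2>/dev/null | awk -v p="$1" '
            /LISTEN/ { for (i = 1; i <= NF && i <= 4; i++) { n = split($i, a, /[.:]/); if (a[n] == p) found = 1 } }
            END { exit found ? 0 : 1 }'
    else
        return 2
    fi
}

# Stand-alone use: validate the file given as the first argument, then report
# whether the configured port is already taken.
if [ "$#" -gt 0 ]; then
    check_bootstrap_port "$1" || exit 1
    p=$(bootstrap_port "$1")
    if port_in_use "$p"; then
        echo "port $p is already in use; stop the other process or choose another port"
        exit 1
    fi
fi
```

Remember that changing the port also changes what the administrative clients connect to, as noted above, so run the check on the new value before restarting the administrative server under the non-root ID.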
