By default, each base WebSphere Application Server node on a Linux and UNIX platform uses the root user ID to run all application server processes. However, you can run all application server processes under the same non-root user and user group. This task describes how to run an application server process from a non-root user.
Before you begin
- If global security is enabled, the user registry must not be Local OS. Using the Local OS user registry requires the Application Server to run as root. Refer to Local operating system user registries for details.
- If you are running WebSphere Application Server on an AIX or Solaris operating system, and you previously ran WebSphere Application Server using the root user ID, you must delete any semaphores and shared memory segments that are held by root/other (owner root, group other) and mqm/mqm (owner mqm, group mqm) before you change your configuration to run WebSphere Application Server as a non-root user. If semaphores and shared memory segments that are held by root/other and mqm/mqm exist when you start WebSphere Application Server as a non-root user, the Java™ Message Service (JMS) JMSServer might not start.
To determine if there are semaphores and shared memory segments that are held by root/other and mqm/mqm, issue the following command:
ipcs
If messages similar to the following are displayed, you have semaphores and shared memory segments that are held by root/other and mqm/mqm (the columns are type, ID, key, mode, owner, and group):
m 131073 0xe4663d62 --rw-rw-rw- root other
m 7 0x0d001334 --rw-rw-rw- mqm mqm
....
s 262144 0x58000910 --rw-rw-rw- root other
Issue the following commands to delete each of these shared memory segments and semaphores before you set up WebSphere Application Server to run as a non-root user. The ipcrm -m and ipcrm -s options take the numeric ID from the second column of the ipcs output; use -M and -S instead if you want to specify the key from the third column:
ipcrm -m memory_segment_id
ipcrm -s semaphore_id
For example, to delete the shared memory segments and the semaphore identified in the preceding messages, issue the following commands:
ipcrm -m 131073
ipcrm -m 7
ipcrm -s 262144
After you remove the semaphores and shared memory segments, reboot the operating system and then perform the following steps to set up WebSphere Application Server to run as a non-root user.
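As an added example (not part of the IBM page), the following POSIX shell script parses ipcs output in the AIX/Solaris column layout shown above and prints the ipcrm commands for resources still held by root/other or mqm/mqm, passing the numeric ID rather than the key. The sample ipcs output is constructed; on a real system you would pipe live ipcs output into ipcrm_commands and review the result before running it.

```shell
#!/bin/sh
# Added example: generate ipcrm cleanup commands for IPC resources that are
# still held by root/other or mqm/mqm, parsed from ipcs output.
# Constructed sample in the AIX/Solaris column layout used on this page:
#   type  ID  key  mode  owner  group
SAMPLE_IPCS='T         ID      KEY        MODE       OWNER    GROUP
Shared Memory:
m     131073   0xe4663d62 --rw-rw-rw-     root    other
m          7   0x0d001334 --rw-rw-rw-      mqm      mqm
m          9   0x0000abcd --rw-rw-rw-     was1 wasgroup
Semaphores:
s     262144   0x58000910 --rw-rw-rw-     root    other
s          3   0x00001111 --rw-rw-rw-     was1 wasgroup'

# ipcrm_commands: read ipcs-style lines on stdin and print one ipcrm command
# per shared memory segment (-m) or semaphore (-s) whose owner/group is
# root/other or mqm/mqm. The numeric ID column is passed to ipcrm, not the
# key: ipcrm -m and -s expect IDs, while -M and -S would take the key.
# Resources owned by the non-root user (was1/wasgroup) are left alone.
ipcrm_commands() {
    awk '$1 ~ /^[ms]$/ && NF >= 6 {
        held = ($5 == "root" && $6 == "other") || ($5 == "mqm" && $6 == "mqm")
        if (held) printf "ipcrm -%s %s\n", $1, $2
    }'
}

# count_held: number of matching resources, for a quick pre-flight check
count_held() {
    ipcrm_commands | wc -l | tr -d ' '
}

# Dry run against the constructed sample. On a real host use:
#   ipcs | ipcrm_commands        (review the output, then pipe it into sh)
printf '%s\n' "$SAMPLE_IPCS" | ipcrm_commands
```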
Why and when to perform this task
For the following steps, assume that:
- was1 is the user ID that you use to run WebSphere Application Server.
- wasgroup is the primary user group for user was1.
- mqm is another user group for user was1.
- mqm and mqbrkrs are user groups that are associated with the Java Message Service (JMS) provider that WebSphere Application Server provides.
- wasnode is the node name.
- server1 is the Application Server.
- /opt/WebSphere/AppServer is the installation root.
Steps for this task
- Log on to the Application Server system as the root user.
- Create the user ID was1 with a primary user group of wasgroup. The user ID, was1, is an example. You can name the user something else. The user group, mqm, is one of the required user groups for the JMS provider that WebSphere Application Server provides. Do not change this name.
- If you are using the JMS provider that WebSphere Application Server provides, add was1 to groups mqm and mqbrkrs.
The user group, mqbrkrs, is one of the required user groups for the WebSphere messaging provider. Do not change this name.
The user group, wasgroup, is an example. You can name this user group something else.
- Log off and back on as root.
- Start server1 as root. Run the startServer.sh script from the /bin directory of the installation root:
startServer.sh server1
- Specify user and group ID values for the Run As User and Run As Group settings for the server:
- Start the administrative console.
- Go to the Process execution page of the administrative console. Click Servers > Application Servers > server1 > Process Definition > Process Execution. You must define all three properties in the following table:
Property       Value
Run As User    was1
Run As Group   wasgroup
UMASK          002
- Click OK.
- Save the configuration.
- Stop the Application Server. Use the stopServer.sh script from the /bin directory of the installation root:
stopServer.sh server1
- Change file permissions as the root user. The following example assumes that the installation root directory of the WebSphere Application Server is /opt/WebSphere/AppServer.
Note: When you use the chown command to change the owner of JSPs that are already compiled and reside in the temp directory, the CPU does not have to continuously recompile these JSPs. If you do not issue this command, you should delete the application temp directory to lower CPU usage.
chown was1:wasgroup /opt/WebSphere/AppServer/temp
chgrp wasgroup /opt/WebSphere
chgrp wasgroup /opt/WebSphere/AppServer
chgrp -R wasgroup /opt/WebSphere/AppServer/config
chgrp -R wasgroup /opt/WebSphere/AppServer/logs
chgrp -R wasgroup /opt/WebSphere/AppServer/properties
chgrp -R wasgroup /opt/WebSphere/AppServer/wstemp
chgrp -R wasgroup /opt/WebSphere/AppServer/installedApps
chgrp -R wasgroup /opt/WebSphere/AppServer/temp
chgrp -R wasgroup /opt/WebSphere/AppServer/tranlog
chgrp -R wasgroup /opt/WebSphere/AppServer/cloudscape
chgrp -R wasgroup /opt/WebSphere/AppServer/recoveryLogs
chgrp -R wasgroup /opt/WebSphere/AppServer/bin/DefaultDB
chmod g+wr /opt/WebSphere
chmod g+wr /opt/WebSphere/AppServer
chmod -R g+wr /opt/WebSphere/AppServer/config
chmod -R g+wr /opt/WebSphere/AppServer/logs
chmod -R g+wr /opt/WebSphere/AppServer/properties
chmod -R g+wr /opt/WebSphere/AppServer/wstemp
chmod -R g+wr /opt/WebSphere/AppServer/installedApps
chmod -R g+wr /opt/WebSphere/AppServer/temp
chmod -R g+wr /opt/WebSphere/AppServer/tranlog
chmod -R g+wr /opt/WebSphere/AppServer/cloudscape
chmod -R g+wr /opt/WebSphere/AppServer/recoveryLogs
chmod -R g+wr /opt/WebSphere/AppServer/bin/DefaultDB
- If you are running the JMS provider that WebSphere Application Server provides, delete the default queue manager for the Application Server. Run the deletemq.sh script as root from the /bin directory of the installation root directory. For example, assuming that the node name is wasnode:
deletemq.sh wasnode wasnode server1
- Log on to the Application Server system as was1.
- If you are running the JMS provider that WebSphere Application Server provides, create the queue manager and the broker for that JMS provider. Run the createmq.sh script as was1 from the /bin directory of the installation root. For example, assuming that the node name is wasnode:
createmq.sh /opt/WebSphere/AppServer wasnode wasnode server1
- Start server1 as was1. Run the startServer.sh script from the /bin directory of the installation root:
startServer.sh server1
- If you are running the JMS provider that WebSphere Application Server provides, verify that the MQ queue manager is running. Run the dspmq command from the /bin directory of the installation root:
dspmq
The name of the queue manager is WAS_wasnode_server1 because the JMS provider that WebSphere Application Server provides is running on server1.
- If you create another server with a different user ID, follow this procedure again for the new user ID and server name.
The two user IDs must share the same group, wasgroup.
Results
You can start an Application Server from a non-root user.
Managing application servers
Starting servers
Using the administrative console
http://publib.boulder.ibm.com/infocenter/wasinfo/v5r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/trun_svr_nonroot.html