Configuring WebSphere Application Server for non-root administration (Linux, UNIX)

By default, the IBM® WebSphere® Application Server runs as root. However, it can also be run by using a non-root user ID. The following instructions describe the steps required to configure and set appropriate file system permissions for WebSphere Application Server to run as a non-root user ID.

You must rerun the post-installation steps (see Running post-installation commands to enable non-root administration (Linux, UNIX)) after either of the following actions:

  • You install any add-on components to the services tier. Certain installations might have changed permissions.
  • You restarted any of the application servers as the root user and you want to start them again as the non-root user. Certain files might now have root ownership and must be changed.
    Important: Do not start IBM WebSphere Application Server as root after you have configured it for non-root administration. Doing so might affect the successful execution of certain IBM InfoSphere Information Server operations. If a root startup was done, stop IBM WebSphere Application Server, rerun the post-installation steps, and restart IBM WebSphere Application Server as the non-root administrator before doing any further IBM InfoSphere Information Server operations. For a non-clustered configuration that is configured for non-root administration, always use MetadataServer.sh as the non-root user to start and stop the application server. Using MetadataServer.sh ensures the appropriate non-root operation.
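
The following check looks for files left with root ownership, the condition described above after a root startup. It is an added example, not part of the IBM documentation: the directory and user are placeholders you supply, and it assumes that everything under the directory you pass should be owned by the non-root user.

```shell
# Added example (not IBM code). Arguments are placeholders you supply:
#   $1 = WebSphere Application Server installation or profile directory
#   $2 = the non-root user (name or numeric UID) that runs the server

# Print every path under DIR ($1) that is not owned by OWNER ($2).
list_not_owned_by() {
    find "$1" ! -user "$2" -print
}

# Count those paths. A file name containing a newline is counted more than
# once, so the result is 0 only when nothing is foreign-owned.
count_not_owned_by() {
    list_not_owned_by "$1" "$2" | wc -l | tr -d ' '
}

# Count paths owned by root (UID 0), the state a root startup leaves behind.
count_root_owned() {
    find "$1" -user 0 -print | wc -l | tr -d ' '
}

# Return 0 if the tree is ready for a non-root start, 1 if ownership must be
# repaired first, 2 if the directory or the user is not valid.
check_nonroot_ownership() {
    chk_dir=$1
    chk_owner=$2
    if [ ! -d "$chk_dir" ]; then
        echo "not a directory: $chk_dir" >&2
        return 2
    fi
    # find exits non-zero on an unknown user; without this a typo would read as OK.
    if ! find "$chk_dir" -prune -user "$chk_owner" >/dev/null 2>&1; then
        echo "unknown user: $chk_owner" >&2
        return 2
    fi
    chk_foreign=$(count_not_owned_by "$chk_dir" "$chk_owner")
    if [ "$chk_foreign" -eq 0 ]; then
        echo "OK: everything under $chk_dir is owned by $chk_owner"
        return 0
    fi
    chk_root=$(count_root_owned "$chk_dir")
    echo "FAIL: $chk_foreign path(s) not owned by $chk_owner ($chk_root owned by root)"
    list_not_owned_by "$chk_dir" "$chk_owner" | head -n 20
    return 1
}

# Run the check when the script is called with both arguments.
if [ "$#" -eq 2 ]; then
    check_nonroot_ownership "$1" "$2"
fi
```

A FAIL result means the post-installation steps need to be rerun before the server is started as the non-root user.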
Restrictions
  • If you are using the local operating system as the user registry, WebSphere Application Server must be run as root, because of system permissions that are required for credential checking.
  • If the IBM InfoSphere Information Server services tier is configured to use PAM authentication and a local operating system PAM module is used in the PAM configuration, such as the /etc/passwd and /etc/group files, then WebSphere Application Server must be run as root. When a local operating system PAM module is not configured, WebSphere Application Server can be run as non-root as long as the non-root user has read permission on the configured files.
  • If a front-end web server is running on a managed node of the cluster, you must ensure that the web server directory is owned by the non-root user. For more information, see (Cluster environment) Changing ownership of the web server directory and plugin-cfg.xml.
  • The task of starting and stopping WebSphere Application Server must be assigned to one non-root user only. If you are using MetadataServer.sh, this restriction does not apply.
  • Avoid assigning the dsadm user to manage WebSphere Application Server. Using the dsadm user to manage WebSphere Application Server might cause overwrite issues for the InfoSphere Information Server environment settings. The non-root user selected for running WebSphere must not source dsenv.