Top 10 frequently asked questions about a non-root user in WebSphere Application Server

Body

Here are the most commonly asked questions about running IBM WebSphere Application Server as a non-root user. Its applicable for a WebSphere Application Server V6.0 profile and later.

Introduction:
It is a common practice to run the application server as a non-root user. Most of the WebSphere Application Server users install and run the application server as a non-root user only. There are no restrictions on how you protect your resource. You can set the permission of the file as you like, but there are some key and common factor needs to be followed when you run your server as a non-root user. Before we go in to most common frequently asked questions (FAQ), it is important to understand basic keywords to run WebSphere Application Server as non-root user.

• umask:
  The default umask value in WebSphere Application Server is 022. This value means that any files, such as configuration files or log files that are created by the process, a user can read/write/execute while group and others can only read. It is only necessary to change the umask value if the non-default is required.
   
• runAsUser:
  This value specifies the user that the process runs as. This user ID must be defined to the security system.
   
• runAsGroup:
  This value specifies the group that the process is a member of and runs as.

The runAsUser and runAsGroup values are only used when the server is launched as root. If the server is launched as non-root, the values are not used. These values can be changed in Integrated Solution Console (ISC). To change them, select Servers > Server Types > WebSphere application servers > server_name. Then, in the Server Infrastructure section, click Java and process management > Process execution

1. Can multiple non-root users manage a profile?
We recommend a single user ID be used to manage a single profile, whether it is a deployment manager profile or an application server profile. However, we do not restrict that all profiles in a cell be all root or all non-root. That is, a deployment manager (dmgr) profile might be running as root, while a node profile may be running as non-root, or vice versa. Furthermore, a different user ID might be used for each profile in the cell. This applies regardless of whether global security is enabled.
 

2. Can I run a node agent as a root user and an application server as non root user?
You can do it, but it is not recommended. The recommended solution is to always run the entire profile as a single, non-root user.
If you decide to use a node agent as root and application servers as non-root, then you need to make sure all the files and folders can be accessed by both the root user and the non-root user.
 

3. Can multiple servers start with multiple users in the same profile? In other words, can I start server1 as user1 and server2 as user2 in the same profile?
No, it is not recommended. You might be able to do it if all of the users belong to the same group and the group has read/write and execute permission for the bin directory. It is almost like giving 775 permission to the entire profile directory. Again, it is up to you to run your environment the way you want, but it is your responsibility to fix the permission issue.

In case you want to start the node agent and the application server as a different non-root user, it is not supported. If a server has a different user ID than the user ID of the node agent, then the node agent cannot execute any server task and it will fail due to operating system restrictions. The only case where this situation is supported is running the node agent as root (see question 2).
 

4. My server fails to start due to permission issue. I did not make any change to my environment and did not change the file permission. What could be the issue?
You did not make changes to your environment. However, WebSphere Application Server makes changes to the temp file and the configuration files. During the synchronization operation, it creates temp files in the dmgr_profile_root/config/temp directory. To refresh the cache entries, it updates the OSGI configuration files in the profile_root/config or profile_root/temp directories. The temp files are owned by the user who invokes the startServer process. If the RunAsUser is different than the user who started the server, the server might fail to start.

Example: The deployment manager RunAsUser is set to user1, but you are starting the deployment manager server as a root user. During start up, the root creates files under the config/temp location with root permission. In the runtime, user1 does not have access to those files and fails with a Permission Denied exception.
In this case, change the permission of entire profile directory so that is it owned by the non-root user or find the problematic file/directory and change the permission back to the non-root user.
 

5. Can I create a profile using user X and start the server as user Y?
No. User Y might not have permission to access the files that were created by user X. You will run into problems due to permission issues with the reading and writing of files that belong to another user. The server will fail to start with a "Permission denied" exception.
 

6. Do I need to set RunAsUser and RunAsGroup under the Java process definition in order to run my server as non-root user?
No. It is not required to set RunAsUser and RunAsGroup. More over, it is not recommended to set the RunAsUser and RunAsGroup. You can start the servers as the same user that created the profile or as a root user without any issue.

Note: When the RunAsUSer is not set, whomever starts the server process is the owner of the process.

 

7. What is the recommend and best way to run my server as non-root user?
Use one non-root user per profile. Refer to question 1 and 2 for details.
 

8. I applied an interim fix as a root user, but my profile directory and files are owned by a non-root user (no RunAsUser). Now my server fails to start and I see an ADMU3011E exception. What do I do?
You might see this problem in version 6.0, 6.1 and 7.0. Its recommended that you apply the interim fix as the same user that installed the product. As explained in question 4, some cache entries are not updated. Review the following link to resolve the issue:
http://www.ibm.com/support/docview.wss?uid=swg21244631

Note: Starting with V8.0, Installation Manager does not allow you to upgrade the product as different user.

9. I applied an interim fix or fix pack as a root user, but RunAsUser is set to non-root user. Now, my server fails to start and I see an ADMU3011E exception. What do I do?
You might encounter this issue starting with V8.0. This issue happens when you start the server for the very first time as a root user after applying the interim fix or fix pack. Because you configured RunAsUser, the non-root user does not have permissions to the files that are created by the root during the start up process. It happens only for the first time after an interim fix or fix pack is installed. Review the following link for more information:
http://www.ibm.com/support/docview.wss?uid=swg21682292
 

10. A non-root user cannot start the server. It fails to start with InvalidUsernameException message. What do I do?
Review the following link for more information:
http://www.ibm.com/support/docview.wss?uid=swg21254149

Conclusion:
You know your environment better than anyone. The golden rule is set to 1 user per profile. However, you can set it differently based on your business need. When you set it differently, make sure other users can also read and execute all of the files under the profiles directory.

faq-questions-help-support (modified) credit: (cc) Some rights reserved by geralt