How can  I safely convert a root websphere install to nonroot  install. Also should the user be local OS user or can I use an account i in the LDAP directory to run Websphere if the OS is mapped to LDAP authetication. The OS is linux and WAS version is 8.5.5

Thanks in Advancce !

Please look at this

https://www.ibm.com/support/knowledgecenter/SSAW57_7.0.0/com.ibm.websphere.installation.nd.doc/info/ae/ae/cins_nonroot.html
 

Peter Treese

Global Systems Practice Architect - IBM Global Alliance, Center of Excellence

Does anyone have an actual answer to the question?  I have been asking that one for a couple years and have even filled out RFE for the product.

Your link points to a WAS ND 7.0 article and the question was about 8.5.5. Also the article has no reference to converting an installation.  A real answer would have been nice since it was featured on an IMWUC email.

If you need direct documentation for WAS 8.5, please see if this meets your needs

https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.installation.base.doc/ae/tpro_manage_nonroot.html?lang=en

Peter Treese

Global Systems Practice Architect - IBM Global Alliance, Center of Excellence

Thanks for the current documentation.  That is however the workaround to run as a non root since I started using WebSphere v5.  However it still does not answer my question and it requires due dilligence with every subsequent patch or interim fix.  Since version 7 there has been the ability to install the installation manager as a non root user.  If you initially install as a root user there is no way to convert that installation to a non root user.  I have tried to account for every file and config to convcert the installation manager to a non root user and have had an ESR open on the issue and have had no success changing the installation manager to a non root user after its initial install.  My issue is I have 38 servers installed as a non root user and 2 (installed by a junior tech who did not use userinst) that are installed as root and I would like to convert those to run the installation manager as a non root user.

you accomplish this is a few steps.  let's say you want to convert it to run as wasadmin <or what ever> (for the purpose of commands I'll use wasadmin).

If your tied to an ldap, Make sure you have wasadmin in ldap.  If not, make sure you've added wasadmin to your linux users and add a group such as wasgrp)

stop all running processes for WAS.  ./stopServer.sh <serverName>  and if dmgr ./stopManager.sh

cd to the directory one down from where you installed WAS.  (i.e. /opt/IBM/WebSphere) you'd go to /opt/IBM

there are two commands that run to give ownership and permissions for your directory.

   chown -R wasadmin:wasgrp /WebSphere   (this changes all WebSphere recursively to the wasadmin user and wasgrp ownership)

   Then you have to make sure the permissions are done:  chmod -R 755 /WebSphere  (this makes everything run by owner and read properly)  Depending on your version of linux you may need to use chmod with a 4th number)  the important thing is that your permissions and file ownership should all now fall under your new wasadmin and wasgrp.

once that's done you must sudo to the wasadmin user to start the environments always from now on.

After updates/upgrades you'll always have to run the chown and chmod when done.

The environment should now run as non root.   If you want to do the same for IHS it's the same process except for if your running security the ports are lower than what the env allows at 80/443 so the steps vary a little please let me know if your doing that too.   Good luck and let me know if you need further assistance.

Regards,

Rene'

You did not specify that detail in your original question. However, regarding iim. When you install as userinst it puts files and repository and registry in different location and on install as root it puts them in another. When my jr made that mistake the only way I was able to resolve it was to uninstall and reinstall. I had him do it so he’d learn and it took him 2 days. IBM does not support the switch because the registry gets corrupted. I’ve tried. Your fortunate you only have 2 to fix. He’ll never make that mistake again. I suggest you use a response file for all going forward to keep them consistent and incorporate the user id check in the file so it won’t run if it’s root user.

From: Shawn Overs [mailto:applicationserver-ws@lists.imwuc.org]
Sent: Wednesday, March 23, 2016 8:12 AM
To: ApplicationServer-ws@lists.imwuc.org
Subject: [ApplicationServer-ws] - RE: Websphere installation


Thanks for the current documentation. That is however the workaround to run as a non root since I started using WebSphere v5. However it still does not answer my question and it requires due dilligence with every subsequent patch or interim fix. Since version 7 there has been the ability to install the installation manager as a non root user. If you initially install as a root user there is no way to convert that installation to a non root user. I have tried to account for every file and config to convcert the installation manager to a non root user and have had an ESR open on the issue and have had no success changing the installation manager to a non root user after its initial install. My issue is I have 38 servers installed as a non root user and 2 (installed by a junior tech who did not use userinst) that are installed as root and I would like to convert those to run the installation manager as a non root user.

-----End Original Message-----

Thanks everyone for the detailed explanation.

I do have few questions 1) Is it a good practice to use an ID in LDAP to install WebSphere, given the host can use LDAP IDs.

2) What  should I consider when  trying to implement the same non-root concept for IHS when it is running default ports of 80/443 ?

Thanks All Again

>> 2) What  should I consider when  trying to implement the same non-root concept for IHS when it is running default ports of 80/443

On linux you will need to run the following command as root to give the non root user priveleges to start the web server on ports below 1024

setcap cap_net_bind_service=+ep [PATH to httpd binary]

ie

setcap cap_net_bind_service=+ep /opt/IBM/WebSphere/HTTPServer/bin/httpd

 

FYI - you will need to run the setcap command every time the file is touched.

     ie: patching, chmod, chown.  Even if you go to the bin directory and run the command "touch httpd" it will wipe out the setcap directive and it will have to be set again.
 
In Reply to Shawn Overs:

>> 2) What  should I consider when  trying to implement the same non-root concept for IHS when it is running default ports of 80/443

On linux you will need to run the following command as root to give the non root user priveleges to start the web server on ports below 1024

setcap cap_net_bind_service=+ep [PATH to httpd binary]

ie

setcap cap_net_bind_service=+ep /opt/IBM/WebSphere/HTTPServer/bin/httpd

 

Thanks Shawn, I will keep in mind.