Oracle MVA

Tales from a Jack of all trades

running a WLS domain as a different user


When you’re creating a WebLogic environment you have to think about separation of privileges. Technical administrators should have different privileges than functional administrators, and developers need yet another set. All of this requires some additional configuration while creating a WebLogic domain. Installing WLS and creating a domain is a pretty straightforward process that is widely documented by now; separating privileges is not.

For this document, the following is assumed:
– Oracle Fusion Middleware (i.e. WebLogic) has been installed as user oracle
– User oracle has primary group dba and umask 022 (exactly as in the Oracle documentation)
– The middleware home (MW_HOME) is /u01/app/oracle/middleware
– All lines starting with “#” are actions performed by root
– All lines starting with a username followed by “$” are actions performed by that user

Before a domain is created, first set up a new group and user which will be the “owner” of the domain. In this example the group will be called domgrp1 and the user will be called domusr1:

# groupadd domgrp1
# useradd -g domgrp1 -G dba -s /bin/bash -m -c "Domain Owner for dom1" domusr1

As you can see, the user has a secondary group: dba. Membership of this group is needed to allow read access to the MW_HOME. Besides read access, certain directories and/or files have to be made writable for the group:

oracle$ chmod g+w ${MW_HOME}/logs
oracle$ touch ${MW_HOME}/domain-registry.xml
oracle$ chmod g+w ${MW_HOME}/domain-registry.xml
oracle$ touch ${MW_HOME}/wlserver_10.3/common/nodemanager/nodemanager.domains
oracle$ chmod g+w ${MW_HOME}/wlserver_10.3/common/nodemanager/nodemanager.domains
oracle$ chmod g+w ${MW_HOME}/wlserver_10.3/server/lib
oracle$ chmod g+w ${MW_HOME}/wlserver_10.3/server/lib/*.jks
oracle$ chmod g+w ${MW_HOME}/oracle_common/sysman
oracle$ find ${MW_HOME}/oracle_common/modules -type d -exec chmod g+rx {} \;
oracle$ find ${MW_HOME}/oracle_common/modules -type f -exec chmod g+r {} \;

Now everything is set up and a domain can be created using the domain user:

domusr1$ ${MW_HOME}/oracle_common/common/bin/config.sh

I prefer to locate the domains and applications outside of the $MW_HOME, e.g. in /u01/app/user_projects. After the domain has been created, start the domain as the domain owner and you are all set. Users that need access to the domain need to have domgrp1 as a secondary group.

If you forgot to set the umask before running config.sh, or if you cannot run with umask 022 for some reason, you need to set up privileges on /u01/app/user_projects manually. I trust you are able to set up privileges on files and directories properly. Just to give a hint:

domusr1$ chmod g+rx /u01/app/user_projects/domains/${domain}
domusr1$ chmod g+rx /u01/app/user_projects/domains/${domain}/servers
domusr1$ chmod g+rx /u01/app/user_projects/domains/${domain}/servers/${servername}
domusr1$ chmod g+rx /u01/app/user_projects/domains/${domain}/servers/${servername}/logs

And set the set-group-ID bit (chmod g+s, often loosely called the sticky bit) on the logs directory, so that new log files inherit the directory’s group:

domusr1$ chmod g+s /u01/app/user_projects/domains/${domain}/servers/${servername}/logs
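The steps above are a sequence of chmod calls that are easy to get subtly wrong (a directory without group search bit, a file touched under the wrong umask) and nothing in the procedure verifies the result before the domain owner tries to use the tree. The following POSIX shell functions are an added example, not part of the original post or of Oracle’s tooling: they apply the same group-access rules to an arbitrary tree, make the named registry files group-writable, set the set-group-ID bit on a logs directory, and then check the tree for anything that is still not group-readable. The function names, the `demo` tree under mktemp and the file names in it are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): apply and verify the group
# access rules for a WebLogic home / domain tree handed to a domain owner.
# Function names and the throw-away demo tree are assumptions.

# Grant the group read on every file and read+search on every directory below
# ROOT (the generalised form of the two `find ... chmod` lines used for
# oracle_common/modules). Nothing is made group-writable here.
grant_group_read() {
    find "$1" -type d -exec chmod g+rx {} \;
    find "$1" -type f -exec chmod g+r {} \;
}

# Make each named path group-writable, creating missing files first
# (mirrors the touch + chmod g+w pairs for domain-registry.xml and friends).
grant_group_write() {
    for p in "$@"; do
        [ -e "$p" ] || touch "$p"
        chmod g+w "$p"
    done
}

# Report every directory below ROOT lacking group r+x (octal 050) and every
# file lacking group r (octal 040). Exit status 1 if anything was reported,
# so it can gate the hand-over to the domain owner.
check_group_readable() {
    bad=$( { find "$1" -type d ! -perm -050 -print
             find "$1" -type f ! -perm -040 -print; } )
    [ -z "$bad" ] && return 0
    printf 'not group-readable:\n%s\n' "$bad" >&2
    return 1
}

# Set the set-group-ID bit on DIR so files created in it inherit DIR's group
# rather than the creator's primary group (the `chmod g+s` on the logs dir),
# and confirm the bit is actually present afterwards.
set_group_inherit() {
    chmod g+s "$1" && [ -g "$1" ]
}

# True if USER is a member of GROUP (primary or secondary); domusr1 must be
# a member of dba to read MW_HOME at all.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Demo on a constructed throw-away tree imitating the MW_HOME layout. The
# tree is built with umask 077 so it starts out with no group access at all,
# as it would after an install done with the wrong umask.
demo() {
    tmp=$(mktemp -d) || return 1
    mw="$tmp/middleware"
    ( umask 077
      mkdir -p "$mw/oracle_common/modules/lib" "$mw/logs"
      touch "$mw/oracle_common/modules/lib/a.jar" )
    # Expected to fail here: nothing is group-readable yet.
    if check_group_readable "$mw" 2>/dev/null; then
        echo "unexpected: fresh tree already group-readable" >&2
        return 1
    fi
    grant_group_read "$mw"
    grant_group_write "$mw/logs" "$mw/domain-registry.xml"
    check_group_readable "$mw" || return 1
    set_group_inherit "$mw/logs" || return 1
    rm -rf "$tmp"
    echo "group access verified"
}

demo
```

Run it as the user that owns the tree (oracle for MW_HOME, domusr1 for the domain directory); `check_group_readable` tests the mode bits rather than effective access, so its verdict is the same whether or not it happens to be run as root. Point `check_group_readable` at `${MW_HOME}` or at `/u01/app/user_projects/domains/${domain}` to list exactly which paths still need attention before handing the tree over.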

The next phase is to create users in the WLS console with the corresponding privileges (or, even better, put these users in an LDAP directory).

Hope this helps…


Written by Jacco H. Landlust

October 20, 2010 at 2:59 pm

Posted in Weblogic
