HCL Docs supports non-root configuration for the shared data folder.
Before you begin
When the WebSphere® Application Server process is started by a non-root user, the shared data folder must be configured as non-root. Ensure that HCL Docs and the Document Format Conversion server have permission to access the shared data folder that is defined in each properties file.
Important: Make sure that the non-root users for the NFS server and NFS client (Linux™) share a UID or GID. If not, you must use the adduser -u user-id user-name command to add users that share a user ID or group ID.
Procedure
- Configure the NFS server (Linux™) as follows:
  - Confirm that a non-root user and related home directory exist. For example, the non-root user is named nonroot.
  - Assume that you want to point the folder at /local/home/nonroot/data/shared.
  - Make sure that the following paths grant non-root users read, write, and run permissions:
    - /local/home/nonroot/data/shared
    - /etc/exports
    - /var/lock/subsys
    - /var/run
  - Add the NFS export item to the /etc/exports file, for example:
    /local/home/nonroot/data/shared *(insecure,rw,async,no_root_squash)
  - Ask root users to grant sudo permissions for the NFS service commands:
    - Log in with root user credentials.
    - In the shell window, type visudo.
    - Add the grant command line to the end of the file as follows:
      nonroot hostname=/etc/rc.d/init.d/nfslock,/etc/rc.d/init.d/nfs,/etc/rc.d/init.d/portmap
      Where nonroot is the non-root user name and hostname is the short local host name. The command paths are the absolute paths of the portmap, nfslock, and nfs commands.
    - Save the sudo file and exit.
  - Start NFS services with the non-root user. For example:
    - sudo /etc/rc.d/init.d/portmap start
    - sudo /etc/rc.d/init.d/nfslock start
    - sudo /etc/rc.d/init.d/nfs start
- If the NFS client is also on Linux™, configure it as follows:
  - Confirm that a non-root user and related home directory exist. For example, the non-root user is named nonroot.
  - Assume that you want to point the folder at /local/home/nonroot/data/shared.
  - Make sure that the following paths grant non-root users read, write, and run permissions:
    - /local/home/nonroot/data/shared
    - /etc/fstab
    - /var/lock/subsys
    - /var/run
  - Ask root users to grant sudo permissions for the NFS service commands:
    - Log in with root user credentials.
    - In the shell window, type visudo.
    - Add the grant command line to the end of the file as follows:
      nonroot hostname=/etc/rc.d/init.d/portmap,/bin/mount,/bin/umount
      Where nonroot is the non-root user name and hostname is the short local host name. The command paths are the absolute paths of the portmap, mount, and umount commands.
    - Save the sudo file and exit.
  - Mount the NFS server with the non-root user. For example:
    - sudo /etc/rc.d/init.d/portmap start
    - sudo /bin/mount -t nfs -o sec=sys,bg,soft,retry=1,timeo=60,actimeo=0,nfsvers=3 [nfs server hostname]:/local/home/nonroot/data/shared /local/home/nonroot/data/shared
    Note: The first occurrence of /local/home/nonroot/data/shared is the folder path on the NFS server. The second occurrence is the local folder path on the NFS client.
- If the NFS client is on Windows™, configure it as follows:
  - Confirm that a standard user (non-administrator) exists. For example, the non-administrator user is named nonadmin.
  - As the administrative user, install the NFS service with Administrator permission by running the following command:
    servermanagercmd.exe -install FS-NFS-Services
  - As the administrative user, add two DWORD values, AnonymousUid and AnonymousGid, to this registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ClientForNFS\CurrentVersion\Default. Set these values to match the ID values of the NFS server user, in decimal.
  - Restart the NFS client service as follows:
    nfsadmin client stop
    nfsadmin client start
Note:
- On Windows™, you can manually mount the NFS server by using the command:
  mount -o acdirmin=0 mtype=soft retry=10 timeout=6 casesensitive=yes anon [nfs server hostname]:/local/home/nonroot/data/shared y:
- On Windows™, when you define the shared data server in cfg.properties, you can type the IP address or server domain name, as follows: conversion_shared_data_server = 9.181.137.167.
- There are several ways to grant the non-root user read, write, and run permissions. One way is to change the group of the target directory to the non-root group and then grant the group the permissions, for example:
  chgrp -R <non-root_user_group> <app_server_root>
  chmod -R g+wrx <app_server_root>
  Where <non-root_user_group> is a user group that contains the non-root user account and <app_server_root> is the target directory.
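The /etc/exports entry in the NFS server step exports the folder to * with the insecure and no_root_squash options, so it is worth listing which hosts and identities each entry admits before the NFS services are started. The following shell function is an added example, not HCL code, that flags those settings in an exports-format file; the second sample entry (its path, the host docs1.example.com, and its options) is constructed for comparison.

```shell
#!/bin/sh
# Added example, not HCL code: report exports entries that widen access.
# Option meanings follow exports(5).
meaning() {
    case $1 in
        any-host)       echo "any host that can reach the server may mount" ;;
        insecure)       echo "requests from source ports above 1023 are accepted" ;;
        no_root_squash) echo "client uid 0 is not mapped to the anonymous uid" ;;
    esac
}

# audit_exports FILE: prints "<path> <client> <issue>: <meaning>" per finding.
# Exit status is 0 when nothing is flagged and 1 otherwise.
audit_exports() (
    set -f                                  # subshell body; keeps "*" literal
    file=$1 found=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                    # drop comments
        set -- $line                        # fields: path client(opts) ...
        [ $# -ge 2 ] || continue
        path=$1; shift
        for spec in "$@"; do
            client=${spec%%\(*}             # text before "("
            opts=${spec#"$client"}          # "(opt,opt)" or empty
            opts=${opts#\(}; opts=${opts%\)}
            case $client in
                ''|\*) client='*'; issues=any-host ;;
                *)     issues= ;;
            esac
            for opt in insecure no_root_squash; do
                case ",$opts," in *",$opt,"*) issues="$issues $opt" ;; esac
            done
            for issue in $issues; do
                echo "$path $client $issue: $(meaning "$issue")"
                found=1
            done
        done
    done < "$file"
    [ "$found" -eq 0 ]
)

# Constructed sample: the page's export line plus a narrower entry whose
# path, host name, and options are illustrative only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/local/home/nonroot/data/shared *(insecure,rw,async,no_root_squash)  # from the page
/srv/example/shared docs1.example.com(rw,sync,root_squash)           # constructed
EOF
audit_exports "$sample" || echo "review the entries listed above"
```

To check a live server, pass the real file: audit_exports /etc/exports.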