Sun Identity Manager 8.1 Installation

ProcedureTo Set Permissions on the Application Server

  1. Add the following lines to the server.policy file for the domain in which Identity Manager is installed (located in ApplicationServerHome/domains/domainName/config). Note that the ${waveset.home} variable must be expanded in the server.policy file.


    grant {
    permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission com.waveset.repository.test.testConcurrentLocking "read";
    permission java.net.SocketPermission "*", "connect,resolve";
    permission java.io.FilePermission "*", "read";
    permission java.util.PropertyPermission "*", "read,write";
    };
    grant codeBase "file:${waveset.home}/-" {
    permission java.util.PropertyPermission "waveset.home", "read,write";
    permission java.util.PropertyPermission "security.provider", "read,write";
    permission java.io.FilePermission "${waveset.home}${/} *", "read,write,execute";
    permission java.io.FilePermission "${waveset.home}/help/index/-",
    "read,write,execute,delete";
    permission java.io.FilePermission "$(java.io.tmpdir)$(/)*", "read,write,delete";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
    permission java.net.SocketPermission "*", "connect,resolve";
    };

    If you want to deploy Sun Identity Manager Service Provider, add the following permissions to the above server.policy file entries.


    grant {
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.io.FilePermission "${waveset.home}/WEB-INF/spe/config/spe.tld", "read";
    };

    Note –

    If you fail to update the old server.policy file with the above, and try to use the search engine, lock files may be created in the index directory that cannot be removed by the container. This always causes queries to hang, even if the server.policy file is subsequently updated.

    For example, the contents of the help/index/docs directory should contain these five files:


    AL
    MF
    p1.dict
    p1.fields
    p1.post

    In addition to the above, there may be two lock files:


    AL.lock
    MF.lock

    These must be deleted manually. Once these are removed (and the server.policy file updated correctly), search queries will work as expected.


    If you want to run with trace set to write to a file, you will need to add the following additional permissions to the server.policy file.


    grant {
      permission java.io.FilePermission "/var/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/
    idm/config/trace1.log", "read,write";
      permission java.io.FilePermission "$(java.io.tmpdir)$(/)*", "read,write,delete";
      permission java.util.PropertyPermission "trace.file", "read";
      permission java.util.PropertyPermission "trace.destination", "read";
       permission java.util.PropertyPermission "trace.enabled", "read";
    };

    where FilePermission is the actual path of the trace file. Adjust the path to the output file as needed.

  2. Restart the application server.

  3. To verify setup, log in to Identity Manager. You can do this within the Admin Console by clicking the Launch button on the “idm” line of the Web Applications folder.