Before you can deploy the Sun OpenSSO Enterprise opensso.war file, one of the following web containers must be installed, running, and configured on the host server. This chapter describes the considerations and deployment tasks (if any) for these web containers:
For more information, see also the Web Containers Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.
Use the following table to plan your OpenSSO Enterprise web container deployment and configuration. For more detailed information, click the link for each web container.
Table 2–1 OpenSSO Enterprise Web Containers
Web Container and Supported Versions | Required JVM Options | Required Java Permissions | OpenSSO Enterprise Pre-Deployment Tasks
---|---|---|---
Sun Java System Application Server 9.1 Update 1 and Update 2 | Yes | Yes, if Java Security Manager is enabled: server.policy | Yes
GlassFish Application Server V2 UR1 and UR2 | Yes | Yes, if Java Security Manager is enabled: server.policy | Yes
Sun Java System Web Server 7.0 Update 3 | Yes | No | Yes
Apache Tomcat 5.5.27 or 6.0.x | Yes | Yes, if Java Security Manager is enabled: catalina.policy | Yes
WebLogic Server | Yes | Yes, if Java Security Manager is enabled: weblogic.policy | Yes
WebLogic Server | Yes | Yes, if Java Security Manager is enabled: weblogic.policy | Yes
Oracle Application Server 10g 10.1.3.x | Yes | Yes, if Security Manager for OC4J is enabled: java2.policy | No
IBM WebSphere Application Server 6.1 | Yes | Yes, if Java Security Manager is enabled: server.policy | Yes
Geronimo Application Server 2.1.1 | Yes | Yes, if Java Security Manager is enabled: geronimo.policy | Yes
JBoss Application Server 4.x | Yes | Yes, if Java Security Manager is enabled: server.policy | Yes
Download location: http://www.oracle.com/technetwork/indexes/downloads/index.html
For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.
In the Application Server 9.1 domain where you plan to deploy OpenSSO Enterprise server, change the following JVM options either using the Application Server admin console or command-line utility:
Change -Xmx512m to -Xmx1024m.
If the -client jvm-option is set, change it to -server.
If the Java Security Manager is enabled:
Set the following JVM option:
-Dcom.sun.enterprise.server.ss.ASQuickStartup=false
Add the security permissions to the server.policy file, as described in Adding Security Permissions For a Web Container. After you edit the file, restart the web container.
GlassFish site: https://glassfish.dev.java.net/
For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.
Download locations:
GlassFish V2 UR1: https://glassfish.dev.java.net/downloads/v2ur1-b09d.html
GlassFish V2 UR2: https://glassfish.dev.java.net/downloads/v2ur2-b04.html
In the GlassFish domain where you plan to deploy OpenSSO Enterprise server, change the following JVM options either using the GlassFish administration console or by editing the domain.xml file:
Change -client to -server.
Change -Xmx512m to -Xmx1024m.
If the Java Security Manager is enabled:
Set the following JVM option:
-Dcom.sun.enterprise.server.ss.ASQuickStartup=false
Add the security permissions to the server.policy file, as described in Adding Security Permissions For a Web Container.
After you edit the file, restart the web container.
For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.
Download location: http://www.oracle.com/technetwork/indexes/downloads/index.html
OpenSSO Enterprise supports Web Server 7.0 Update 3 only. Web Server 7.0 Update 1 and Web Server 7.0 Update 2 are not supported.
For documentation, see the Web Server 7.0 Update 3 Documentation Center in the following collection: http://docs.sun.com/coll/1653.3
Using the Web Server 7.0 administration console or CLI, set the JVM heap size option from the default -Xms128M -Xmx256M to -Xms256M -Xmx512M.
OpenSSO Enterprise supports Tomcat 5.5.27 or 6.0.x.
For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.
Add the security permissions to the catalina.policy file, as described in Adding Security Permissions For a Web Container. After you edit the file, restart the web container.
For general information about Apache Tomcat, see http://tomcat.apache.org/.
Set the -Xmx JVM option to -Xmx1024m.
Add the -Dcom.iplanet.am.cookie.c66Encode=true JVM option to the JAVA_OPTS variable in the Tomcat catalina.sh or catalina.bat script. For example, for catalina.sh:
if [ -r "$CATALINA_HOME"/bin/tomcat-juli.jar ]; then
  JAVA_OPTS="$JAVA_OPTS -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Dcom.iplanet.am.cookie.c66Encode=true"
fi
After you deploy OpenSSO Enterprise on Tomcat, use the ssoadm utility to set the cookie encoding property to true. For example:
# ./ssoadm update-server-cfg \
    -s http://openssohost.example.com:8080/opensso \
    -u amadmin -f pwfile \
    -a com.iplanet.am.cookie.encode=true
In this example, pwfile contains the password for amadmin.
For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.
Set the MaxPermSize JVM option to a minimum value of 256 MB. For example:
-XX:MaxPermSize=256M
If the Java Security Manager is enabled, add the security permissions to the weblogic.policy file, as described in Adding Security Permissions For a Web Container. After you edit the file, restart the web container.
See the following issues in the OpenSSO Enterprise 8.0 Release Notes:
For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.
Set the MaxPermSize JVM option to a minimum value of 256 MB. For example:
-XX:MaxPermSize=256M
If the Java Security Manager is enabled, add the security permissions to the weblogic.policy file, as described in Adding Security Permissions For a Web Container. After you edit the file, restart the web container.
See the following issues in the OpenSSO Enterprise 8.0 Release Notes:
Oracle Application Server 10g version 10.1.3.x is supported.
For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.
Oracle site: http://www.oracle.com/technology/products/database/oracle10g
If the Security Manager for Oracle Containers for Java EE (OC4J) is enabled with the JVM option -Djava.security.manager, append the permissions shown in Example 2–6 to the ORACLE_HOME/j2ee/home/config/java2.policy file.
WebSphere Application Server 6.1 is supported on Solaris, Linux, Windows, and IBM AIX 5.3 systems.
If the Java Security Manager is enabled, add the security permissions to the server.policy file, as described in Adding Security Permissions For a Web Container. After you edit the file, restart the web container.
Add the genericJvmArguments using the WebSphere Admin Console or by editing the server.xml file:
Open the following file:
install_root/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/cell/nodes/node/servers/server/server.xml
Find the jvmEntries element.
Add the following genericJvmArguments and save the file:
genericJvmArguments="-DamCryptoDescriptor.provider=IBMJCE -DamKeyGenDescriptor.provider=IBMJCE"
Restart WebSphere 6.1 Application Server.
The OpenSSO Enterprise JSP files require JDK 1.5 (or later), but on WebSphere Application Server 6.1, the JDK source level for JSP files is set to JDK 1.3 by default.
To reset the JDK source level on WebSphere Application Server 6.1:
Open the WEB-INF/ibm-web-ext.xmi file.
JSP engine configuration parameters are stored either in a web module's configuration directory or in a web module's binaries directory in the WEB-INF/ibm-web-ext.xmi file:
Configuration directory. For example:
{WAS_ROOT}/profiles/profilename/config/cells/cellname/applications/enterpriseappname/deployments/deployedname/webmodulename/
Binaries directory, if the application was deployed into WebSphere Application Server with the “Use Binary Configuration” flag set to true. For example:
{WAS_ROOT}/profiles/profilename/installedApps/nodename/enterpriseappname/webmodulename/
Delete the compileWithAssert parameter, either by deleting the statement from the file or by enclosing the statement in comment tags (<!-- ... -->).
Add the jdkSourceLevel parameter with the value of 15. For example:
<jspAttributes xmi:id="JSPAttribute_1" name="jdkSourceLevel" value="15"/>
Note: The integer (_1) in JSPAttribute_1 must be unique within the file.
Save the ibm-web-ext.xmi file.
Restart WebSphere Application Server for the new value to take effect.
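The edit above can be scripted so that the compileWithAssert attribute is dropped and jdkSourceLevel is added under an xmi:id that is checked for uniqueness against every id already in the file. This is an added example, not IBM or Sun tooling: only the jspAttributes element shape is taken from the documentation; the sample document, its root element and namespace, and the keepgenerated attribute are constructed for the example.

```python
"""Apply the ibm-web-ext.xmi edits described above: remove the compileWithAssert
JSP attribute and add jdkSourceLevel=15 under an xmi:id that is unique in the file.

Added example; not IBM or Sun tooling. SAMPLE_XMI is constructed: only the
jspAttributes element shape comes from the documentation, while the root element,
its namespace and the keepgenerated attribute are assumptions for this example.
"""
import xml.etree.ElementTree as ET

XMI_NS = "http://www.omg.org/XMI"          # assumed namespace of the xmi: prefix
XMI_ID = "{%s}id" % XMI_NS
ET.register_namespace("xmi", XMI_NS)
ET.register_namespace("webappext", "webappext.xmi")  # assumed root namespace

SAMPLE_XMI = """<?xml version="1.0" encoding="UTF-8"?>
<webappext:WebAppExtension xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:webappext="webappext.xmi" xmi:id="WebAppExtension_1">
  <jspAttributes xmi:id="JSPAttribute_1" name="compileWithAssert" value="true"/>
  <jspAttributes xmi:id="JSPAttribute_2" name="keepgenerated" value="true"/>
</webappext:WebAppExtension>
"""

def next_unique_id(root, prefix):
    """Return prefix_N with N one above the highest N already used anywhere in
    the document, so the new xmi:id cannot collide with an existing one."""
    used = [0]
    for el in root.iter():
        ident = el.get(XMI_ID, "")
        head, _, tail = ident.rpartition("_")
        if head == prefix and tail.isdigit():
            used.append(int(tail))
    return "%s_%d" % (prefix, max(used) + 1)

def set_jdk_source_level(xml_text, level="15"):
    """Return the edited root element."""
    root = ET.fromstring(xml_text)
    for el in list(root.findall("jspAttributes")):
        if el.get("name") == "compileWithAssert":
            root.remove(el)                  # step: delete compileWithAssert
    existing = [el for el in root.findall("jspAttributes")
                if el.get("name") == "jdkSourceLevel"]
    if existing:
        existing[0].set("value", level)      # already present: just update it
    else:
        el = ET.SubElement(root, "jspAttributes")
        el.set(XMI_ID, next_unique_id(root, "JSPAttribute"))
        el.set("name", "jdkSourceLevel")
        el.set("value", level)
    return root

def jsp_attributes(root):
    """Map each JSP attribute name to its (xmi:id, value) for inspection."""
    return {el.get("name"): (el.get(XMI_ID), el.get("value"))
            for el in root.findall("jspAttributes")}

def render(root):
    """Serialise the edited document back to text."""
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(render(set_jdk_source_level(SAMPLE_XMI)))
```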
For more information about the jdkSourceLevel parameter as well as other JSP engine configuration parameters, see:
The setup script in ssoAdminTools.zip installs the utilities and scripts. For information, see Chapter 6, Installing the OpenSSO Enterprise Utilities and Scripts.
Before you run the setup script to install the utilities and scripts, modify the setup script. Before -cp ... in the last line, insert:
-D"amCryptoDescriptor.provider=IBMJCE" -D"amKeyGenDescriptor.provider=IBMJCE"
Before you run ssoadm, add the following items to the ssoadm script:
Add xalan.jar to the classpath after openfedlib.jar. For example:
${TOOLS_HOME}/lib/xalan.jar
Add the following items before com.sun.identity.cli.CommandManager:
-D"amKeyGenDescriptor.provider=IBMJCE" -D"amCryptoDescriptor.provider=IBMJCE"
Before you run ampassword, add the following items to the ampassword script before com.iplanet.services.ldap.ServerConfigMgr:
-D"amCryptoDescriptor.provider=IBMJCE" -D"amKeyGenDescriptor.provider=IBMJCE"
OpenSSO Enterprise server supports Geronimo Application Server 2.1.1 with Tomcat on Solaris systems only.
Modify the /geronimo-tomcat6-jee5-2.0.2/bin/geronimo.sh file by adding -XX:MaxPermSize=512M, as shown in the following start block:
elif [ "$1" = "start" ] ; then
  shift
  touch "$GERONIMO_OUT"
  $START_OS_CMD "$_RUNJAVA" $JAVA_OPTS $GERONIMO_OPTS \
    $JAVA_AGENT_OPTS \
    -Dorg.apache.geronimo.base.dir="$GERONIMO_BASE" \
    -Djava.endorsed.dirs="$ENDORSED_DIRS" \
    -Djava.io.tmpdir="$GERONIMO_TMPDIR" \
    -XX:MaxPermSize=512M \
    -jar "$GERONIMO_HOME"/bin/server.jar $LONG_OPT "$@" \
    >> $GERONIMO_OUT 2>&1 &
  echo ""
  echo "Geronimo started in background. PID: $!"
  if [ ! -z "$GERONIMO_PID" ]; then
    echo $! > $GERONIMO_PID
  fi
Provide a deployment plan file either inside or outside of the opensso.war file. If placed inside the opensso.war file, name the plan geronimo-web.xml and place the file in the WEB-INF directory. If placed outside of the WAR file, the plan file can have any name. Here is a sample plan file:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.2">
  <environment>
    <moduleId>
      <groupId>sun</groupId>
      <artifactId>opensso</artifactId>
      <version>8.0</version>
      <type>war</type>
    </moduleId>
  </environment>
  <context-root>/opensso1</context-root>
</web-app>
In the above example, the WAR file is deployed at:
geronimo-tomcat6-jee5-2.0.2/repository/sun/opensso/8.0/opensso-8.0.war
The web application is deployed at protocol://server:port/opensso1. You can change the deployment plan depending on your deployment scenario.
Related Information:
Geronimo console URL: protocol://server:8080/console/portal/welcome
Default user name and password: system/manager
To start the Geronimo server: /geronimo-tomcat6-jee5-2.0.2/bin/geronimo.sh start
To stop the Geronimo server: /geronimo-tomcat6-jee5-2.0.2/bin/geronimo.sh stop
OpenSSO Enterprise server supports the Single Archive or Exploded Deployment on JBoss Application Server 4.x.
For information see http://www.jboss.com/.
See also Examples: Deploying OpenSSO Enterprise on JBoss Application Server.
For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.
If you are using the Security Token Service (STS), set the MaxPermSize JVM option to a minimum value of 128 MB. For example:
-XX:MaxPermSize=128M
If the Java Security Manager is enabled for a web container, add the security permissions to the appropriate security policy file:
OpenSSO Enterprise Security Permissions for IBM WebSphere Application Server 6.1
OpenSSO Enterprise Security Permissions for JBoss Application Server
OpenSSO Enterprise Security Permissions for Oracle Application Server
OpenSSO Enterprise Security Permissions for Geronimo Application Server
The security policy file depends on the web container:
server.policy for most web containers. See Adding OpenSSO Enterprise Security Permissions.
weblogic.policy for WebLogic Server. See OpenSSO Enterprise Security Permissions for WebLogic Server.
java2.policy for Oracle Application Server. See OpenSSO Enterprise Security Permissions for Oracle Application Server.
geronimo.policy for Geronimo Application Server 2.1.1. See OpenSSO Enterprise Security Permissions for Geronimo Application Server.
Before you modify the security policy file, back up the existing file.
After you add the security permissions, restart the web container.
These security permissions apply to Sun Java System Application Server 9.1 Update 1 and Update 2, and GlassFish Application Server V2 UR1 and UR2.
Add these permissions to the server.policy file.
grant {
  permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "accessClassInPackage.*";
  permission java.util.logging.LoggingPermission "control";
  permission java.lang.RuntimePermission "shutdownHooks";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext.*";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
  permission java.util.PropertyPermission "java.util.logging.config.class", "write";
  permission java.security.SecurityPermission "removeProvider.SUN";
  permission java.security.SecurityPermission "insertProvider.SUN";
  permission javax.security.auth.AuthPermission "doAs";
  permission java.util.PropertyPermission "java.security.krb5.realm", "write";
  permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
  permission java.util.PropertyPermission "java.security.auth.login.config", "write";
  permission java.util.PropertyPermission "user.language", "write";
  permission javax.security.auth.kerberos.ServicePermission "*", "accept";
  permission javax.net.ssl.SSLPermission "setHostnameVerifier";
  permission java.security.SecurityPermission "putProviderProperty.IAIK";
  permission java.security.SecurityPermission "removeProvider.IAIK";
  permission java.security.SecurityPermission "insertProvider.IAIK";
  permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
  permission javax.management.MBeanServerPermission "newMBeanServer";
  permission javax.management.MBeanPermission "*", "registerMBean";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission javax.security.auth.AuthPermission "getSubject";
  permission javax.management.MBeanTrustPermission "register";
  permission java.lang.management.ManagementPermission "monitor";
  permission javax.management.MBeanServerPermission "createMBeanServer";
  permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
  permission java.net.NetPermission "getProxySelector";
  permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
  permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
  permission javax.security.auth.AuthPermission "doAsPrivileged";
  permission javax.security.auth.AuthPermission "modifyPublicCredentials";
  permission java.security.SecurityPermission "insertProvider.XMLDSig";
  permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
  permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
  permission java.security.SecurityPermission "getProperty.ocsp.*";
};
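The grant blocks in this section carry no codeBase, so every permission in them is granted to all code the container loads, not only to opensso.war. Before appending such a block to a policy file, it is worth listing what it confers. The following script is an added example, not part of the OpenSSO Enterprise documentation or product: it parses a Java policy fragment, reports grant blocks that have no codeBase, and flags the permissions that this example's own HIGH_IMPACT table treats as effectively disabling the Security Manager's protection. The sample policy text and the codeBase path in it are constructed for the example.

```python
"""Audit a Java security policy fragment such as the grant blocks this chapter
adds to server.policy, catalina.policy, weblogic.policy or java2.policy.

Added example; not part of the OpenSSO Enterprise documentation or product.
SAMPLE_POLICY and the codeBase path in it are constructed for this example,
and HIGH_IMPACT is this example's own classification, not a list from the page.
"""
import re

# (permission class, target) -> why granting it to all code matters.
HIGH_IMPACT = {
    ("java.security.AllPermission", None): "grants every permission",
    ("java.io.FilePermission", "<<ALL FILES>>"): "unrestricted file system access",
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"): "reflection can bypass Java access control",
    ("java.lang.RuntimePermission", "createClassLoader"): "arbitrary classes can be defined",
    ("java.lang.RuntimePermission", "setSecurityManager"): "the Security Manager can be replaced or removed",
    ("java.util.PropertyPermission", "*"): "read/write of every system property",
    ("java.net.SocketPermission", "*"): "network access to any host and port",
}

COMMENT_RE = re.compile(r"//[^\n]*")
GRANT_RE = re.compile(r"grant\b([^{]*)\{(.*?)\};", re.S)
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]+)"')
PERM_RE = re.compile(
    r"permission\s+([\w.]+)"      # permission class name
    r'(?:\s+"([^"]*)")?'          # optional target name
    r'(?:\s*,\s*"([^"]*)")?'      # optional action list
    r"\s*;"
)

def parse_policy(text):
    """Return one dict per grant block: codebase (None if unscoped) and a list of
    (class, target, actions) tuples with whitespace stripped from the actions."""
    grants = []
    for header, body in GRANT_RE.findall(COMMENT_RE.sub("", text)):
        scope = CODEBASE_RE.search(header)
        perms = [(cls, tgt or None, act.replace(" ", ""))
                 for cls, tgt, act in PERM_RE.findall(body)]
        grants.append({"codebase": scope.group(1) if scope else None,
                       "permissions": perms})
    return grants

def audit(text):
    """List findings: grant blocks without a codeBase (they apply to all code
    loaded in the JVM) and any permission present in the HIGH_IMPACT table."""
    findings = []
    for n, grant in enumerate(parse_policy(text), 1):
        if grant["codebase"] is None:
            findings.append(f"grant #{n}: no codeBase, applies to ALL code in the JVM")
        for cls, tgt, act in grant["permissions"]:
            reason = HIGH_IMPACT.get((cls, tgt))
            if reason:
                parts = [f'{cls} "{tgt}"' if tgt else cls] + ([act] if act else [])
                findings.append(f"grant #{n}: {' '.join(parts)}: {reason}")
    return findings

SAMPLE_POLICY = """
// Constructed sample: a subset of the chapter's server.policy additions, unscoped.
grant {
  permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission javax.security.auth.AuthPermission "doAs";
};

// Constructed sample: the same style of block limited to one web application.
// The path is a placeholder, not a real OpenSSO install location.
grant codeBase "file:/opt/opensso-webapp/-" {
  permission javax.net.ssl.SSLPermission "setHostnameVerifier";
  permission java.lang.RuntimePermission "createClassLoader";
};
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_POLICY):
        print(line)
```

Run it against the grant block you are about to append (or against the whole policy file after editing) to see which entries apply JVM-wide.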
Add the following permissions to the Apache Tomcat catalina.policy file.
grant {
  permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "accessClassInPackage.*";
  permission java.util.logging.LoggingPermission "control";
  permission java.lang.RuntimePermission "shutdownHooks";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext.*";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
  permission java.util.PropertyPermission "java.util.logging.config.class", "write";
  permission java.security.SecurityPermission "removeProvider.SUN";
  permission java.security.SecurityPermission "insertProvider.SUN";
  permission javax.security.auth.AuthPermission "doAs";
  permission java.util.PropertyPermission "java.security.krb5.realm", "write";
  permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
  permission java.util.PropertyPermission "java.security.auth.login.config", "write";
  permission java.util.PropertyPermission "user.language", "write";
  permission javax.security.auth.kerberos.ServicePermission "*", "accept";
  permission javax.net.ssl.SSLPermission "setHostnameVerifier";
  permission java.security.SecurityPermission "putProviderProperty.IAIK";
  permission java.security.SecurityPermission "removeProvider.IAIK";
  permission java.security.SecurityPermission "insertProvider.IAIK";
  permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
  permission javax.management.MBeanServerPermission "newMBeanServer";
  permission javax.management.MBeanPermission "*", "registerMBean";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission javax.security.auth.AuthPermission "getSubject";
  permission javax.management.MBeanTrustPermission "register";
  permission javax.management.MBeanPermission "*", "*";
  permission java.lang.management.ManagementPermission "monitor";
  permission javax.management.MBeanServerPermission "createMBeanServer";
  permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
  permission java.net.NetPermission "getProxySelector";
  permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
  permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
  permission javax.security.auth.AuthPermission "doAsPrivileged";
  permission javax.security.auth.AuthPermission "modifyPublicCredentials";
  permission java.security.SecurityPermission "insertProvider.XMLDSig";
  permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
  permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
  permission java.security.SecurityPermission "getProperty.ocsp.*";
};
Add these permissions to the weblogic.policy file.
grant {
  permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "accessClassInPackage.*";
  permission java.util.logging.LoggingPermission "control";
  permission java.lang.RuntimePermission "shutdownHooks";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext.*";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
  permission java.util.PropertyPermission "java.util.logging.config.class", "write";
  permission java.security.SecurityPermission "removeProvider.SUN";
  permission java.security.SecurityPermission "insertProvider.SUN";
  permission javax.security.auth.AuthPermission "doAs";
  permission java.util.PropertyPermission "java.security.krb5.realm", "write";
  permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
  permission java.util.PropertyPermission "java.security.auth.login.config", "write";
  permission java.util.PropertyPermission "user.language", "write";
  permission javax.security.auth.kerberos.ServicePermission "*", "accept";
  permission javax.net.ssl.SSLPermission "setHostnameVerifier";
  permission java.security.SecurityPermission "putProviderProperty.IAIK";
  permission java.security.SecurityPermission "removeProvider.IAIK";
  permission java.security.SecurityPermission "insertProvider.IAIK";
  permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
  permission javax.management.MBeanServerPermission "newMBeanServer";
  permission javax.management.MBeanPermission "*", "registerMBean";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission javax.security.auth.AuthPermission "getSubject";
  permission javax.management.MBeanTrustPermission "register";
  permission java.lang.management.ManagementPermission "monitor";
  permission javax.management.MBeanServerPermission "createMBeanServer";
  permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
  permission java.net.NetPermission "getProxySelector";
  permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
  permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
  permission javax.security.auth.AuthPermission "doAsPrivileged";
  permission javax.security.auth.AuthPermission "modifyPublicCredentials";
  permission java.security.SecurityPermission "insertProvider.XMLDSig";
  permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
  permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
  permission javax.management.MBeanPermission "*", "queryMBeans";
  permission java.lang.RuntimePermission "setContextClassLoader";
};
Add these permissions to the server.policy file.
grant {
  permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "accessClassInPackage.*";
  permission java.util.logging.LoggingPermission "control";
  permission java.lang.RuntimePermission "shutdownHooks";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext.*";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
  permission java.util.PropertyPermission "java.util.logging.config.class", "write";
  permission java.security.SecurityPermission "removeProvider.SUN";
  permission java.security.SecurityPermission "insertProvider.SUN";
  permission javax.security.auth.AuthPermission "doAs";
  permission java.util.PropertyPermission "java.security.krb5.realm", "write";
  permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
  permission java.util.PropertyPermission "java.security.auth.login.config", "write";
  permission java.util.PropertyPermission "user.language", "write";
  permission javax.security.auth.kerberos.ServicePermission "*", "accept";
  permission javax.net.ssl.SSLPermission "setHostnameVerifier";
  permission java.security.SecurityPermission "putProviderProperty.IAIK";
  permission java.security.SecurityPermission "removeProvider.IAIK";
  permission java.security.SecurityPermission "insertProvider.IAIK";
  permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
  permission javax.management.MBeanServerPermission "newMBeanServer";
  permission javax.management.MBeanPermission "*", "registerMBean";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission javax.security.auth.AuthPermission "getSubject";
  permission javax.management.MBeanTrustPermission "register";
  permission java.lang.management.ManagementPermission "monitor";
  permission javax.management.MBeanServerPermission "createMBeanServer";
  permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
  permission java.net.NetPermission "getProxySelector";
  permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
  permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
  permission javax.security.auth.AuthPermission "doAsPrivileged";
  permission javax.security.auth.AuthPermission "modifyPublicCredentials";
  permission java.security.SecurityPermission "insertProvider.XMLDSig";
  permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
  permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
  permission java.security.SecurityPermission "getProperty.ocsp.*";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "setIO";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "stopThread";
  permission java.lang.RuntimePermission "getProtectionDomain";
  permission java.lang.RuntimePermission "readFileDescriptor";
  permission java.lang.RuntimePermission "writeFileDescriptor";
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "accessClassInPackage.*";
  permission java.lang.RuntimePermission "defineClassInPackage.*";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
  permission java.util.PropertyPermission "*", "read,write";
  permission com.ibm.oti.shared.SharedClassPermission "*", "read,write";
  permission com.ibm.websphere.security.WebSphereRuntimePermission "getSSLConfig", "read,write,execute,delete";
};
Add these permissions to the server.policy file.
grant {
  permission java.net.SocketPermission "*", "connect,accept,resolve";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "accessClassInPackage.*";
  permission java.util.logging.LoggingPermission "control";
  permission java.lang.RuntimePermission "shutdownHooks";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext.*";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
  permission java.util.PropertyPermission "java.util.logging.config.class", "write";
  permission java.security.SecurityPermission "removeProvider.SUN";
  permission java.security.SecurityPermission "insertProvider.SUN";
  permission javax.security.auth.AuthPermission "doAs";
  permission java.util.PropertyPermission "java.security.krb5.realm", "write";
  permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
  permission java.util.PropertyPermission "java.security.auth.login.config", "write";
  permission java.util.PropertyPermission "user.language", "write";
  permission javax.security.auth.kerberos.ServicePermission "*", "accept";
  permission javax.net.ssl.SSLPermission "setHostnameVerifier";
  permission java.security.SecurityPermission "putProviderProperty.IAIK";
  permission java.security.SecurityPermission "removeProvider.IAIK";
  permission java.security.SecurityPermission "insertProvider.IAIK";
  permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
  permission javax.management.MBeanServerPermission "newMBeanServer";
  permission javax.management.MBeanPermission "*", "registerMBean";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission javax.security.auth.AuthPermission "getSubject";
  permission javax.management.MBeanTrustPermission "register";
  permission java.lang.management.ManagementPermission "monitor";
  permission javax.management.MBeanServerPermission "createMBeanServer";
  permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
  permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
  permission java.net.NetPermission "getProxySelector";
  permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
  permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
  permission javax.security.auth.AuthPermission "doAsPrivileged";
  permission javax.security.auth.AuthPermission "modifyPublicCredentials";
  permission java.security.SecurityPermission "insertProvider.XMLDSig";
  permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
  permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
};
Add these permissions to the java2.policy file.
grant {
    permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
    permission java.util.PropertyPermission "java.util.logging.config.class", "write";
    permission java.security.SecurityPermission "removeProvider.SUN";
    permission java.security.SecurityPermission "insertProvider.SUN";
    permission javax.security.auth.AuthPermission "doAs";
    permission java.util.PropertyPermission "java.security.krb5.realm", "write";
    permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
    permission java.util.PropertyPermission "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission "user.language", "write";
    permission javax.security.auth.kerberos.ServicePermission "*", "accept";
    permission javax.net.ssl.SSLPermission "setHostnameVerifier";
    permission java.security.SecurityPermission "putProviderProperty.IAIK";
    permission java.security.SecurityPermission "removeProvider.IAIK";
    permission java.security.SecurityPermission "insertProvider.IAIK";
    permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
    permission javax.management.MBeanServerPermission "newMBeanServer";
    permission javax.management.MBeanPermission "*", "registerMBean";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.management.MBeanTrustPermission "register";
    permission java.lang.management.ManagementPermission "monitor";
    permission javax.management.MBeanServerPermission "createMBeanServer";
    permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
    permission java.net.NetPermission "getProxySelector";
    permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
    permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
    permission javax.security.auth.AuthPermission "doAsPrivileged";
    permission javax.security.auth.AuthPermission "modifyPublicCredentials";
    permission java.security.SecurityPermission "insertProvider.XMLDSig";
    permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
    permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
    permission oracle.oc4j.security.OC4JRuntimePermission "oracle.oc4j.OC4JOnly";
};
Create a new security policy file named geronimo.policy in the following directory:
geronimo_home/bin
Add the security permissions in the geronimo.policy file, as shown in Example 2–7.
In the geronimo.sh script, add the following two lines under the start block:
-Djava.security.manager \
-Djava.security.policy=geronimo.policy \
For example, the start block will look like:
elif [ "$1" = "start" ] ; then
  shift
  touch "$GERONIMO_OUT"
  $START_OS_CMD "$_RUNJAVA" $JAVA_OPTS $GERONIMO_OPTS \
    $JAVA_AGENT_OPTS \
    -Dorg.apache.geronimo.base.dir="$GERONIMO_BASE" \
    -Djava.endorsed.dirs="$ENDORSED_DIRS" \
    -Djava.ext.dirs="$EXT_DIRS" \
    -Djava.io.tmpdir="$GERONIMO_TMPDIR" \
    -Djava.security.manager \
    -Djava.security.policy=geronimo.policy \
    -XX:MaxPermSize=512M \
    -jar "$GERONIMO_HOME"/bin/server.jar $LONG_OPT "$@" \
    >> $GERONIMO_OUT 2>&1 &
  echo ""
  echo "Geronimo started in background. PID: $!"
  if [ ! -z "$GERONIMO_PID" ]; then
    echo $! > $GERONIMO_PID
  fi
Restart Geronimo Application Server.
// ----------------------------------------------------------------------------
// Permissions for Geronimo Application Server
// ----------------------------------------------------------------------------

// Geronimo gets all permissions
grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:${org.apache.geronimo.base.dir}/repository/-" {
    permission java.security.AllPermission;
};

grant {
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.lang.RuntimePermission "getenv.*";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "createSecurityManager";
    permission javax.management.MBeanServerPermission "findMBeanServer";
    permission javax.security.auth.AuthPermission "setReadOnly";
    permission java.security.SecurityPermission "setPolicy";
    permission java.security.SecurityPermission "getPolicy";
    permission java.security.SecurityPermission "createAccessControlContext";
    permission java.security.SecurityPermission "getProperty.package.definition";
    permission java.security.SecurityPermission "setProperty.package.definition";
    permission java.security.SecurityPermission "getProperty.package.access";
    permission java.security.SecurityPermission "setProperty.package.access";
    permission org.apache.geronimo.security.GeronimoSecurityPermission "getContext";
    permission org.apache.geronimo.security.GeronimoSecurityPermission "setContext";
    permission org.apache.geronimo.security.GeronimoSecurityPermission "configure";
    permission java.util.PropertyPermission "Xorg.apache.geronimo.gbean.NoProxy", "read";
    permission java.util.PropertyPermission "Xorg.apache.geronimo.kernel.config.Marshaler", "read";
};

grant {
    permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
    permission java.util.PropertyPermission "java.util.logging.config.class", "write";
    permission java.security.SecurityPermission "removeProvider.SUN";
    permission java.security.SecurityPermission "insertProvider.SUN";
    permission javax.security.auth.AuthPermission "doAs";
    permission java.util.PropertyPermission "java.security.krb5.realm", "write";
    permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
    permission java.util.PropertyPermission "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission "user.language", "write";
    permission javax.security.auth.kerberos.ServicePermission "*", "accept";
    permission javax.net.ssl.SSLPermission "setHostnameVerifier";
    permission java.security.SecurityPermission "putProviderProperty.IAIK";
    permission java.security.SecurityPermission "removeProvider.IAIK";
    permission java.security.SecurityPermission "insertProvider.IAIK";
    permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
    permission javax.management.MBeanServerPermission "newMBeanServer";
    permission javax.management.MBeanPermission "*", "registerMBean";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.management.MBeanTrustPermission "register";
    permission javax.management.MBeanPermission "*", "*";
    permission java.lang.management.ManagementPermission "monitor";
    permission javax.management.MBeanServerPermission "createMBeanServer";
    permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
    permission java.net.NetPermission "getProxySelector";
    permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
    permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
    permission javax.security.auth.AuthPermission "doAsPrivileged";
    permission javax.security.auth.AuthPermission "modifyPublicCredentials";
    permission java.security.SecurityPermission "insertProvider.XMLDSig";
    permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
    permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
    permission java.security.SecurityPermission "getProperty.ocsp.*";
};
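The policy fragments above (server.policy, java2.policy and geronimo.policy) share one property worth checking before they go live: every `grant { ... }` block without a codeBase clause applies to every code source the JVM loads, not only to opensso.war, and several of the entries it carries (`<<ALL FILES>>` with write/execute/delete, `SocketPermission "*"`, `PropertyPermission "*"` with write, `suppressAccessChecks`) effectively remove the sandbox for that code. The script below is an added example, not part of the OpenSSO documentation or of any web container: it parses a policy file with a deliberately simplified parser (grant blocks, the codeBase clause and permission entries; signedBy and principal clauses are skipped) and lists which grants are broad and for which scope. SAMPLE_POLICY is a constructed subset of the geronimo.policy shown on this page; point `parse_policy` or `audit` at the text of your own policy file to review it.

```python
"""Audit a Java security policy file for broad grants.

Added example, not from the OpenSSO documentation. Simplified parser: it
understands grant blocks, the codeBase clause and permission entries, and
ignores other grant clauses (signedBy, principal). SAMPLE_POLICY is a
constructed subset of the geronimo.policy shown on this page.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Quoted strings come first so "{" or "//" inside a codeBase is never mis-tokenised.
_TOKEN = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/|[{};,]|[^\s"{};,]+', re.S)

@dataclass
class Permission:
    cls: str                       # e.g. "java.io.FilePermission"
    target: Optional[str] = None   # e.g. "<<ALL FILES>>"
    actions: Optional[str] = None  # e.g. "read,write"

    def has_action(self, *wanted: str) -> bool:
        # Java ignores whitespace in action lists, so "read, write" == "read,write".
        acts = {a.strip() for a in (self.actions or "").split(",")}
        return any(w in acts for w in wanted)

@dataclass
class Grant:
    codebase: Optional[str]        # None: applies to every code source in the JVM
    permissions: List[Permission] = field(default_factory=list)

def parse_policy(text: str) -> List[Grant]:
    """Split a policy file into Grant objects; comments are dropped."""
    toks = [t for t in _TOKEN.findall(text) if not t.startswith(("//", "/*"))]
    grants, i = [], 0
    while i < len(toks):
        if toks[i] != "grant":
            i += 1
            continue
        i, codebase = i + 1, None
        while toks[i] != "{":               # header clauses; only codeBase is read
            if toks[i] == "codeBase":
                codebase, i = toks[i + 1].strip('"'), i + 1
            i += 1
        g, i = Grant(codebase), i + 1       # past "{"
        while toks[i] != "}":
            if toks[i] == "permission":
                cls, i, args = toks[i + 1], i + 2, []
                while toks[i] != ";":       # optional "target" [, "actions"]
                    if toks[i] != ",":
                        args.append(toks[i].strip('"'))
                    i += 1
                g.permissions.append(Permission(cls, *args[:2]))
            i += 1                          # past ";"
        grants.append(g)
        i += 1                              # past "}"
    return grants

def _broad(p: Permission) -> Optional[str]:
    """Reason a permission is considered broad, or None if it is narrow."""
    if p.cls == "java.security.AllPermission":
        return "AllPermission switches the sandbox off for this code source"
    if p.cls == "java.io.FilePermission" and p.target == "<<ALL FILES>>" \
            and p.has_action("write", "execute", "delete"):
        return "write/execute/delete on every file the JVM user can reach"
    if p.cls == "java.net.SocketPermission" and p.target == "*" \
            and p.has_action("listen", "accept", "connect"):
        return "network access to and from any host"
    if p.cls == "java.util.PropertyPermission" and p.target == "*" and p.has_action("write"):
        return "may overwrite any system property, including security settings"
    if p.cls == "java.lang.reflect.ReflectPermission" and p.target == "suppressAccessChecks":
        return "reflection may bypass Java access checks"
    return None

def audit(text: str) -> List[Tuple[str, str, str]]:
    """(scope, permission, reason) for every broad grant in the policy text."""
    out = []
    for g in parse_policy(text):
        scope = g.codebase or "<all code>"
        for p in g.permissions:
            why = _broad(p)
            if why:
                out.append((scope, f"{p.cls} {p.target or ''}".strip(), why))
    return out

SAMPLE_POLICY = r'''
// Constructed sample: a subset of the geronimo.policy on this page
grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
    permission java.security.AllPermission;
};
grant {
    permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission javax.management.MBeanPermission "*" , "*" ;
    permission java.security.SecurityPermission "getProperty.ocsp.*";
};
'''

if __name__ == "__main__":
    for scope, perm, why in audit(SAMPLE_POLICY):
        print(f"[{scope}] {perm}: {why}")
```

On the sample, the two codeBase-scoped AllPermission grants are reported against their directory, while the remaining findings are reported against `<all code>`, which is the scope the unscoped blocks on this page use. The rule list in `_broad` is a starting point; extend it with whatever your own deployment treats as sensitive, and use the scope column to decide which of the blanket grants can be narrowed to a codeBase for the OpenSSO web application.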