Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

Chapter 2 Deploying the OpenSSO Enterprise Web Container

Before you can deploy the Sun OpenSSO Enterprise opensso.war file, one of the following web containers must be installed, running, and configured on the host server. This chapter describes the considerations and deployment tasks (if any) for these web containers:

For more information, see also the Web Containers Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.

Planning Your OpenSSO Enterprise Web Container Deployment

Use the following table to plan your OpenSSO Enterprise web container deployment and configuration. For more detailed information, click the link for each web container.

Table 2–1 OpenSSO Enterprise Web Containers

Web Container and Supported Versions                         | Required JVM Options | Required Java Permissions                                    | OpenSSO Enterprise Pre-Deployment Tasks
-------------------------------------------------------------|----------------------|--------------------------------------------------------------|----------------------------------------
Sun Java System Application Server 9.1 Update 1 and Update 2 | Yes                  | Yes, if Java Security Manager is enabled: server.policy      | Yes
GlassFish Application Server V2 UR1 and UR2                  | Yes                  | Yes, if Java Security Manager is enabled: server.policy      | Yes
Sun Java System Web Server 7.0 Update 3                      | Yes                  | No                                                           | Yes
Apache Tomcat 5.5.27 and 6.0.x                               | Yes                  | Yes, if Java Security Manager is enabled: catalina.policy    | Yes
Oracle WebLogic Server 9.2 MP2                               | Yes                  | Yes, if Java Security Manager is enabled: weblogic.policy    | Yes
Oracle WebLogic Server 10                                    | Yes                  | Yes, if Java Security Manager is enabled: weblogic.policy    | Yes
Oracle Application Server 10g                                | Yes                  | Yes, if Security Manager for OC4J is enabled: java2.policy   | No
IBM WebSphere Application Server 6.1                         | Yes                  | Yes, if Java Security Manager is enabled: server.policy      | Yes
Apache Geronimo Application Server 2.1.1                     | Yes                  | Yes, if Java Security Manager is enabled: geronimo.policy    | Yes
JBoss Application Server 4.x                                 | Yes                  | Yes, if Java Security Manager is enabled: server.policy      | Yes

Sun Java System Application Server 9.1 Update 1 and Update 2

Download location: http://www.oracle.com/technetwork/indexes/downloads/index.html

For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.

OpenSSO Enterprise Pre-Deployment Tasks

  1. In the Application Server 9.1 domain where you plan to deploy OpenSSO Enterprise server, change the following JVM options either using the Application Server admin console or command-line utility:

    • Change -Xmx512m to -Xmx1024m.

    • If the -client jvm-option is set, change it to -server.

  2. If the Java Security Manager is enabled:

    • Set the following JVM option:

      -Dcom.sun.enterprise.server.ss.ASQuickStartup=false

    • Add the security permissions to the server.policy file, as described in Adding Security Permissions For a Web Container. After you edit the file, restart the web container.

GlassFish Application Server V2 UR1 and UR2

GlassFish site: https://glassfish.dev.java.net/

For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.

Download locations:

OpenSSO Enterprise Pre-Deployment Tasks

  1. In the GlassFish domain where you plan to deploy OpenSSO Enterprise server, change the following JVM options either using the GlassFish administration console or by editing the domain.xml file:

    • Change -client to -server.

    • Change -Xmx512m to -Xmx1024m.

  2. If the Java Security Manager is enabled:

    • Set the following JVM option:

      -Dcom.sun.enterprise.server.ss.ASQuickStartup=false

    • Add the security permissions to the server.policy file, as described in Adding Security Permissions For a Web Container.

      After you edit the file, restart the web container.
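The JVM-option changes in the two task lists above (Application Server 9.1 and GlassFish V2) are the same three edits to the domain's java-config: -client to -server, -Xmx512m to -Xmx1024m, and ASQuickStartup=false when the Security Manager is on. The following Python script is an added example, not part of the Sun guide or of OpenSSO: it reads the jvm-options elements of a domain.xml, reports which of the required settings are missing, and writes back a corrected copy. The domain.xml fragment is constructed for the example (a real file has many more elements, and the -Djava.security.manager option is assumed to be how the Security Manager was switched on in that domain).

```python
"""Check and fix the OpenSSO pre-deployment JVM options in a GlassFish /
Application Server 9.1 domain.xml (added example, not Sun's code)."""
import re
import xml.etree.ElementTree as ET

QUICKSTART_OFF = "-Dcom.sun.enterprise.server.ss.ASQuickStartup=false"

# Constructed sample: default-looking options with the two values the guide
# says to change, plus the Security Manager switched on (assumed form).
SAMPLE_DOMAIN_XML = """<domain>
  <configs>
    <config name="server-config">
      <java-config>
        <jvm-options>-client</jvm-options>
        <jvm-options>-Xmx512m</jvm-options>
        <jvm-options>-Djava.security.manager</jvm-options>
        <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
      </java-config>
    </config>
  </configs>
</domain>
"""

_XMX = re.compile(r"-Xmx(\d+)([kKmMgG]?)")
_UNIT_TO_MB = {"": 1 / (1024 * 1024), "k": 1 / 1024, "m": 1, "g": 1024}


def jvm_options(domain_xml):
    """All <jvm-options> values in the domain, in file order."""
    root = ET.fromstring(domain_xml)
    return [e.text.strip() for e in root.iter("jvm-options") if e.text]


def max_heap_mb(options):
    """The -Xmx value in megabytes, or None when no -Xmx option is set."""
    for opt in options:
        m = _XMX.fullmatch(opt)
        if m:
            return int(m.group(1)) * _UNIT_TO_MB[m.group(2).lower()]
    return None


def check_domain(domain_xml):
    """Return the list of required edits that have not been made yet."""
    opts = jvm_options(domain_xml)
    findings = []
    if "-client" in opts:
        findings.append("replace -client with -server")
    elif "-server" not in opts:
        findings.append("add -server")
    heap = max_heap_mb(opts)
    if heap is None or heap < 1024:
        findings.append("set -Xmx to at least -Xmx1024m")
    security_manager = any(o.startswith("-Djava.security.manager") for o in opts)
    if security_manager and QUICKSTART_OFF not in opts:
        findings.append("Security Manager is enabled: add " + QUICKSTART_OFF)
    return findings


def fix_domain(domain_xml):
    """Apply the three edits and return the corrected domain.xml text."""
    root = ET.fromstring(domain_xml)
    for java_config in root.iter("java-config"):
        entries = java_config.findall("jvm-options")
        texts = [(e.text or "").strip() for e in entries]
        for entry, text in zip(entries, texts):
            if text == "-client":
                entry.text = "-server"
            elif _XMX.fullmatch(text) and max_heap_mb([text]) < 1024:
                entry.text = "-Xmx1024m"
        if any(t.startswith("-Djava.security.manager") for t in texts) and QUICKSTART_OFF not in texts:
            ET.SubElement(java_config, "jvm-options").text = QUICKSTART_OFF
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in check_domain(SAMPLE_DOMAIN_XML):
        print("domain.xml:", finding)
    print(fix_domain(SAMPLE_DOMAIN_XML))
```

Run it against a copy of the domain's config/domain.xml; the admin console edits the same jvm-options elements, so a domain fixed either way passes check_domain with no findings. Stop the domain before replacing the file, and restart it afterwards, as the task list says.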

Sun Java System Web Server 7.0 Update 3

For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.

Download location: http://www.oracle.com/technetwork/indexes/downloads/index.html

OpenSSO Enterprise supports Web Server 7.0 Update 3 only. Web Server 7.0 Update 1 and Web Server 7.0 Update 2 are not supported.

Web Server 7.0 Update 3 Documentation Center in the following collection: http://docs.sun.com/coll/1653.3

OpenSSO Enterprise Pre-Deployment Tasks

Using the Web Server 7.0 administration console or CLI, set the JVM heap size option from the default -Xms128M -Xmx256M to -Xms256M -Xmx512M.

Apache Tomcat 5.5.27 and 6.0.x

OpenSSO Enterprise supports Tomcat 5.5.27 or 6.0.x.

For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.

Add the security permissions to the catalina.policy file, as described in Adding Security Permissions For a Web Container. After you edit the file, restart the web container.

For general information about Apache Tomcat, see http://tomcat.apache.org/.

OpenSSO Enterprise Pre-Deployment Tasks

  1. Set the -Xmx JVM option to -Xmx1024m.

  2. Add the -Dcom.iplanet.am.cookie.c66Encode=true JVM option to the JAVA_OPTS variable in the Tomcat catalina.sh or catalina.bat script. For example, for catalina.sh:

    if [ -r "$CATALINA_HOME"/bin/tomcat-juli.jar ]; then
      JAVA_OPTS="$JAVA_OPTS
        -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
        -Dcom.iplanet.am.cookie.c66Encode=true"
    fi

OpenSSO Enterprise Post-Deployment Tasks

After you deploy OpenSSO Enterprise on Tomcat, use the ssoadm utility to set the cookie encoding property to true. For example:

# ./ssoadm update-server-cfg \
-s http://openssohost.example.com:8080/opensso -u amadmin -f pwfile \
-a com.iplanet.am.cookie.encode=true

In this example, pwfile contains the password for amadmin.

Oracle WebLogic Server 9.2 MP2

For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.

OpenSSO Enterprise Pre-Deployment Tasks

  1. Set the MaxPermSize JVM option to a minimum value of 256 MB. For example:

    -XX:MaxPermSize=256M

  2. If the Java Security Manager is enabled, add the security permissions to the weblogic.policy file, as described in Adding Security Permissions For a Web Container. After you edit the file, restart the web container.

  3. See the following issues in the OpenSSO Enterprise 8.0 Release Notes:

Oracle WebLogic Server 10

For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.

OpenSSO Enterprise Pre-Deployment Tasks


  1. Set the MaxPermSize JVM option to a minimum value of 256 MB. For example:

    -XX:MaxPermSize=256M

  2. If the Java Security Manager is enabled, add the security permissions to the weblogic.policy file, as described in Adding Security Permissions For a Web Container. After you edit the file, restart the web container.

  3. See the following issues in the OpenSSO Enterprise 8.0 Release Notes:

Oracle Application Server 10g

Oracle Application Server 10g version 10.1.3.x is supported.

For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.

Oracle site: http://www.oracle.com/technology/products/database/oracle10g

OpenSSO Enterprise Pre-Deployment Tasks

If the Security Manager for Oracle Containers for Java EE (OC4J) is enabled with the JVM option -Djava.security.manager, append the permissions shown in Example 2–6 to the ORACLE_HOME/j2ee/home/config/java2.policy file.

IBM WebSphere Application Server 6.1

WebSphere Application Server 6.1 is supported on Solaris, Linux, Windows, and IBM AIX 5.3 systems.

If the Java Security Manager is enabled, add the security permissions to the server.policy file, as described in Adding Security Permissions For a Web Container. After you edit the file, restart the web container.

OpenSSO Enterprise Pre-Deployment Tasks

Adding GenericJvmArguments

Add the genericJvmArguments using the WebSphere Admin Console or by editing the server.xml file:

  1. Open the following file:

    install_root/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/cell/nodes/node/servers/server/server.xml

  2. Find the jvmEntries element.

  3. Add the following genericJvmArguments and save the file:

    genericJvmArguments="-DamCryptoDescriptor.provider=IBMJCE -DamKeyGenDescriptor.provider=IBMJCE"

  4. Restart WebSphere 6.1 Application Server.

Adding Security Permissions

If the Java Security Manager is enabled, add the security permissions to the server.policy file, as described in Adding Security Permissions For a Web Container. After you edit the file, restart the web container.

Running the JSP Compiler

The OpenSSO Enterprise JSP files require JDK 1.5 (or later), but on WebSphere Application Server 6.1, the JDK source level for JSP files is set to JDK 1.3 by default.

To reset the JDK source level on WebSphere Application Server 6.1:

  1. Open the WEB-INF/ibm-web-ext.xmi file.

    JSP engine configuration parameters are stored either in a web module's configuration directory or in a web module's binaries directory in the WEB-INF/ibm-web-ext.xmi file:

    • Configuration directory. For example:

      {WAS_ROOT}/profiles/profilename/config/cells/cellname/applications/ enterpriseappname/deployments/deployedname/webmodulename/

    • Binaries directory, if an application was deployed into WebSphere Application Server with the flag “Use Binary Configuration” flag set to true. For example:

      {WAS_ROOT}/profiles/profilename/installedApps/nodename/ enterpriseappname/webmodulename/

  2. Delete the compileWithAssert parameter by either deleting the statement from the file or enclosing the statement with comment tags (<!-- ... -->).

  3. Add the jdkSourceLevel parameter with the value of 15. For example:

    <jspAttributes xmi:id="JSPAttribute_1" name="jdkSourceLevel" value="15"/>

    Note: The integer (_1) in JSPAttribute_1 must be unique within the file.

  4. Save the ibm-web-ext.xmi file.

  5. Restart WebSphere Application Server for the new value to take effect.

For more information about the jdkSourceLevel parameter as well as other JSP engine configuration parameters, see:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.doc/info/ae/ae/rweb_jspengine.html
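Steps 1 through 5 above are a small, mechanical edit of ibm-web-ext.xmi, and the one thing that is easy to get wrong by hand is the note in step 3: the xmi:id of the new jspAttributes element must not collide with any id already in the file. The following Python script is an added example, not IBM's or Sun's code: it removes the compileWithAssert entry, adds (or updates) jdkSourceLevel=15 with an xmi:id that is unique in the file, and provides two checks you can run on the result. The ibm-web-ext.xmi content is constructed for the example and keeps only the elements the procedure touches; the namespace prefixes are the ones WebSphere writes, but treat them as an assumption about your file.

```python
"""Apply the jdkSourceLevel change to WEB-INF/ibm-web-ext.xmi
(added example; not part of the Sun guide or of WebSphere)."""
import xml.etree.ElementTree as ET

XMI_NS = "http://www.omg.org/XMI"
XMI_ID = "{%s}id" % XMI_NS
# Keep WebSphere's prefixes when serialising instead of ElementTree's ns0/ns1.
ET.register_namespace("xmi", XMI_NS)
ET.register_namespace("webappext", "webappext.xmi")

# Constructed sample of the file as deployed, with the default
# compileWithAssert entry the procedure says to remove.
SAMPLE_XMI = """<webappext:WebAppExtension xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI" xmlns:webappext="webappext.xmi"
    xmi:id="WebAppExtension_1">
  <webApp href="WEB-INF/web.xml#WebApp_ID"/>
  <jspAttributes xmi:id="JSPAttribute_1" name="compileWithAssert" value="true"/>
  <jspAttributes xmi:id="JSPAttribute_2" name="keepgenerated" value="true"/>
</webappext:WebAppExtension>
"""


def _unused_id(root, prefix="JSPAttribute_"):
    """Smallest prefix_N not used as an xmi:id anywhere in the document."""
    used = {e.get(XMI_ID) for e in root.iter() if e.get(XMI_ID)}
    n = 1
    while "%s%d" % (prefix, n) in used:
        n += 1
    return "%s%d" % (prefix, n)


def set_jdk_source_level(xmi_text, level="15"):
    """Steps 2 and 3: drop compileWithAssert, set jdkSourceLevel."""
    root = ET.fromstring(xmi_text)
    for attr in list(root.findall("jspAttributes")):
        if attr.get("name") == "compileWithAssert":
            root.remove(attr)
    existing = [a for a in root.findall("jspAttributes") if a.get("name") == "jdkSourceLevel"]
    if existing:
        existing[0].set("value", level)
    else:
        new = ET.SubElement(root, "jspAttributes")
        new.set(XMI_ID, _unused_id(root))   # unique within the file (step 3 note)
        new.set("name", "jdkSourceLevel")
        new.set("value", level)
    return ET.tostring(root, encoding="unicode")


def jsp_attributes(xmi_text):
    """Map of JSP engine parameter name -> value, for checking the result."""
    root = ET.fromstring(xmi_text)
    return {a.get("name"): a.get("value") for a in root.findall("jspAttributes")}


def xmi_ids_unique(xmi_text):
    """True when no xmi:id value is repeated in the document."""
    ids = [e.get(XMI_ID) for e in ET.fromstring(xmi_text).iter() if e.get(XMI_ID)]
    return len(ids) == len(set(ids))


if __name__ == "__main__":
    updated = set_jdk_source_level(SAMPLE_XMI)
    print(updated)
    print("jspAttributes:", jsp_attributes(updated))
    print("xmi:id values unique:", xmi_ids_unique(updated))
```

The script reads the file text and returns the new text; write it back to the WEB-INF/ibm-web-ext.xmi in the configuration or binaries directory listed in step 1, then restart the application server (step 5). Running set_jdk_source_level twice is safe: the second run only resets the existing jdkSourceLevel value.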

Post-Deployment Tasks

Using the ssoadm and ampassword Utilities

The setup script in ssoAdminTools.zip installs the utilities and scripts. For information, see Chapter 6, Installing the OpenSSO Enterprise Utilities and Scripts.

  1. Before you run the setup script to install the utilities and scripts, modify the setup script. Before -cp ... in the last line, insert:

    -D"amCryptoDescriptor.provider=IBMJCE" -D"amKeyGenDescriptor.provider=IBMJCE"

  2. Before you run ssoadm, add the following items to the ssoadm script:

    • Add xalan.jar to the classpath after openfedlib.jar. For example:

      ${TOOLS_HOME}/lib/xalan.jar

    • Add the following items before com.sun.identity.cli.CommandManager:

      -D"amKeyGenDescriptor.provider=IBMJCE" -D"amCryptoDescriptor.provider=IBMJCE"

  3. Before you run ampassword, add the following items to the ampassword script before com.iplanet.services.ldap.ServerConfigMgr:

    -D"amCryptoDescriptor.provider=IBMJCE" -D"amKeyGenDescriptor.provider=IBMJCE"

Apache Geronimo Application Server 2.1.1

OpenSSO Enterprise server supports Geronimo Application Server 2.1.1 with Tomcat on Solaris systems only.

OpenSSO Enterprise Pre-Deployment Tasks

  1. Modify the /geronimo-tomcat6-jee5-2.0.2/bin/geronimo.sh file by adding -XX:MaxPermSize=512M, as shown in the following start block:

    elif [ "$1" = "start" ] ; then
      shift
      touch "$GERONIMO_OUT"
      $START_OS_CMD "$_RUNJAVA" $JAVA_OPTS $GERONIMO_OPTS \
        $JAVA_AGENT_OPTS \
        -Dorg.apache.geronimo.base.dir="$GERONIMO_BASE" \
        -Djava.endorsed.dirs="$ENDORSED_DIRS" \
        -Djava.io.tmpdir="$GERONIMO_TMPDIR" \
        -XX:MaxPermSize=512M \
        -jar "$GERONIMO_HOME"/bin/server.jar $LONG_OPT "$@" \
        >> $GERONIMO_OUT 2>&1 &
      echo ""
      echo "Geronimo started in background. PID: $!"
      if [ ! -z "$GERONIMO_PID" ]; then
        echo $! > $GERONIMO_PID
      fi

  2. Provide a deployment plan file either inside or outside of the opensso.war file. If placed inside the opensso.war file, name the plan geronimo-web.xml and place the file in WEB-INF directory. If placed outside of the WAR file, the plan file can be named otherwise. Here is a sample plan file:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.2">
      <environment>
        <moduleId>
          <groupId>sun</groupId>
          <artifactId>opensso</artifactId>
          <version>8.0</version>
          <type>war</type>
        </moduleId>
      </environment>
      <context-root>/opensso1</context-root>
    </web-app>

    In the above example, the WAR file is deployed at:

    geronimo-tomcat6-jee5-2.0.2/repository/sun/opensso/8.0/opensso-8.0.war

    The web application is deployed at protocol://server:port/opensso1. You can change the deployment plan depending on your deployment scenario.

Related Information:

JBoss Application Server 4.x

OpenSSO Enterprise server supports the Single Archive or Exploded Deployment on JBoss Application Server 4.x.

For information see http://www.jboss.com/.

See also Examples: Deploying OpenSSO Enterprise on JBoss Application Server.

For the platforms that are supported for this web container, see Platforms Supported For OpenSSO Enterprise 8.0 in Sun OpenSSO Enterprise 8.0 Release Notes.

OpenSSO Enterprise Pre-Deployment Tasks

If you are using the Security Token Service (STS), set the MaxPermSize JVM option to a minimum value of 128 MB. For example:

-XX:MaxPermSize=128M

Adding Security Permissions For a Web Container

If the Java Security Manager is enabled for a web container, add the security permissions to the appropriate security policy file. The security policy file depends on the web container:


Caution – Before you modify the security policy file, back up the existing file.


After you add the security permissions, restart the web container.

Adding OpenSSO Enterprise Security Permissions

These security permissions apply to Sun Java System Application Server 9.1 Update 1 and Update 2, and GlassFish Application Server V2 UR1 and UR2.

Add these permissions to the server.policy file.


Example 2–1 OpenSSO Enterprise Security Permissions

grant {
permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.util.logging.LoggingPermission "control";
permission java.lang.RuntimePermission "shutdownHooks";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
permission javax.security.auth.AuthPermission "setLoginConfiguration";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
permission java.util.PropertyPermission "java.util.logging.config.class", "write";
permission java.security.SecurityPermission "removeProvider.SUN";
permission java.security.SecurityPermission "insertProvider.SUN";
permission javax.security.auth.AuthPermission "doAs";
permission java.util.PropertyPermission "java.security.krb5.realm", "write";
permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
permission java.util.PropertyPermission "java.security.auth.login.config", "write";
permission java.util.PropertyPermission "user.language", "write";
permission javax.security.auth.kerberos.ServicePermission "*", "accept";
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
permission java.security.SecurityPermission "putProviderProperty.IAIK";
permission java.security.SecurityPermission "removeProvider.IAIK";
permission java.security.SecurityPermission "insertProvider.IAIK";
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
permission javax.management.MBeanServerPermission "newMBeanServer";
permission javax.management.MBeanPermission "*", "registerMBean";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.management.MBeanTrustPermission "register";
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanServerPermission "createMBeanServer";
permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
permission java.net.NetPermission "getProxySelector";
permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
permission javax.security.auth.AuthPermission "doAsPrivileged";
permission javax.security.auth.AuthPermission "modifyPublicCredentials";
permission java.security.SecurityPermission "insertProvider.XMLDSig";
permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
permission java.security.SecurityPermission "getProperty.ocsp.*";
};
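Every grant block in Examples 2–1 through 2–6 is written without a codeBase, so what it grants applies to all code running in the JVM, not only to opensso.war; and several of the entries (FilePermission on <<ALL FILES>> with write, execute and delete; SocketPermission "*" with listen and accept; PropertyPermission "*" with write; suppressAccessChecks; createClassLoader) remove most of what the Security Manager would otherwise enforce. The following Python script is an added example, not part of the Sun guide or of OpenSSO: it parses the grant/permission syntax of a Java policy file and lists, per grant, the entries that have that effect, so that an administrator can see what a policy file actually permits before restarting the container with it. The sample policy is constructed: it repeats a few lines from Example 2–1 in an unscoped grant and adds, as an assumed contrast, a second grant scoped to a Tomcat codeBase; the narrower grant is there to show what the auditor reports for a scoped block, not as a replacement for the permissions the guide lists.

```python
"""Audit grant blocks in a Java security policy file for entries that
effectively switch off the Security Manager (added example, not Sun's code)."""
import re

# Constructed sample policy: an unscoped grant with lines taken from the
# guide's Example 2-1, and an assumed grant scoped to one deployment.
SAMPLE_POLICY = """\
// unscoped block: applies to every class the JVM loads
grant {
permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "createClassLoader";
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
};

// scoped block (assumed Tomcat path): applies only to code from that codeBase
grant codeBase "file:${catalina.home}/webapps/opensso/-" {
permission java.io.FilePermission "${catalina.home}/webapps/opensso/-", "read";
permission java.net.SocketPermission "ldap.example.com:389", "connect,resolve";
};
"""

# A grant head may contain a quoted codeBase/signedBy; the quoted-string
# alternative keeps braces inside "${...}" from ending the head early.
GRANT_RE = re.compile(r'\bgrant\b\s*(?P<head>(?:[^{"]|"[^"]*")*)\{(?P<body>.*?)\};', re.S)
PERM_RE = re.compile(
    r'permission\s+(?P<cls>[\w.]+)\s+"(?P<target>[^"]*)"\s*(?:,\s*"(?P<actions>[^"]*)")?\s*;')
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"')


def strip_comments(text):
    """Remove /* */ and whole-line // comments (not the // inside file:// URLs)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?m)^\s*//[^\n]*", "", text)


def parse_policy(text):
    """List of {'codebase': str|None, 'permissions': [(class, target, actions)]}."""
    grants = []
    for g in GRANT_RE.finditer(strip_comments(text)):
        cb = CODEBASE_RE.search(g.group("head"))
        perms = [(p.group("cls"), p.group("target"), p.group("actions") or "")
                 for p in PERM_RE.finditer(g.group("body"))]
        grants.append({"codebase": cb.group(1) if cb else None, "permissions": perms})
    return grants


def broad_reason(cls, target, actions):
    """Why this entry defeats the sandbox, or None if it is ordinary."""
    acts = {a.strip() for a in actions.split(",") if a.strip()}
    if cls == "java.security.AllPermission":
        return "AllPermission disables every check"
    if cls == "java.io.FilePermission" and target == "<<ALL FILES>>" and acts & {"write", "execute", "delete"}:
        return "write/execute/delete on every file the JVM user can reach"
    if cls == "java.net.SocketPermission" and target == "*" and acts & {"listen", "accept"}:
        return "listen on any port and accept from any host"
    if cls == "java.util.PropertyPermission" and target == "*" and "write" in acts:
        return "rewrite any system property, including java.security.* settings"
    if cls == "java.lang.reflect.ReflectPermission" and target == "suppressAccessChecks":
        return "reflection may bypass private/protected access"
    if cls == "java.lang.RuntimePermission" and target == "createClassLoader":
        return "define classes through a custom class loader"
    if cls == "java.lang.RuntimePermission" and target == "setSecurityManager":
        return "replace or remove the Security Manager"
    if cls == "javax.net.ssl.SSLPermission" and target == "setHostnameVerifier":
        return "replace the TLS hostname verifier"
    return None


def audit(text):
    """Per grant: its scope, entry count, and the broad entries with reasons."""
    report = []
    for grant in parse_policy(text):
        broad = []
        for cls, target, actions in grant["permissions"]:
            reason = broad_reason(cls, target, actions)
            if reason:
                broad.append((cls, target, reason))
        report.append({"codebase": grant["codebase"] or "<all code>",
                       "permissions": len(grant["permissions"]), "broad": broad})
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_POLICY):
        print("grant for %s: %d entries, %d broad" % (entry["codebase"], entry["permissions"], len(entry["broad"])))
        for cls, target, reason in entry["broad"]:
            print("  %s %r: %s" % (cls, target, reason))
```

Point it at the server.policy, catalina.policy, weblogic.policy or java2.policy you are about to edit, both before and after adding the example block, and keep the before/after output with the backup the caution above asks for; the diff is the record of what the Security Manager stopped enforcing for that container.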

OpenSSO Enterprise Security Permissions for Apache Tomcat

Add the following permissions to the Apache Tomcat catalina.policy file.


Example 2–2 OpenSSO Enterprise Security Permissions for Apache Tomcat

grant {
permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.util.logging.LoggingPermission "control";
permission java.lang.RuntimePermission "shutdownHooks";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
permission javax.security.auth.AuthPermission "setLoginConfiguration";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
permission java.util.PropertyPermission "java.util.logging.config.class", "write";
permission java.security.SecurityPermission "removeProvider.SUN";
permission java.security.SecurityPermission "insertProvider.SUN";
permission javax.security.auth.AuthPermission "doAs";
permission java.util.PropertyPermission "java.security.krb5.realm", "write";
permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
permission java.util.PropertyPermission "java.security.auth.login.config", "write";
permission java.util.PropertyPermission "user.language", "write";
permission javax.security.auth.kerberos.ServicePermission "*", "accept";
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
permission java.security.SecurityPermission "putProviderProperty.IAIK";
permission java.security.SecurityPermission "removeProvider.IAIK";
permission java.security.SecurityPermission "insertProvider.IAIK";
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
permission javax.management.MBeanServerPermission "newMBeanServer";
permission javax.management.MBeanPermission "*", "registerMBean";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.management.MBeanTrustPermission "register";
permission javax.management.MBeanPermission "*", "*";
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanServerPermission "createMBeanServer";
permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
permission java.net.NetPermission "getProxySelector";
permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
permission javax.security.auth.AuthPermission "doAsPrivileged";
permission javax.security.auth.AuthPermission "modifyPublicCredentials";
permission java.security.SecurityPermission "insertProvider.XMLDSig";
permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
permission java.security.SecurityPermission "getProperty.ocsp.*";
};

OpenSSO Enterprise Security Permissions for WebLogic Server

Add these permissions to the weblogic.policy file.


Example 2–3 OpenSSO Enterprise Security Permissions for the WebLogic Server weblogic.policy File

grant {
permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.util.logging.LoggingPermission "control";
permission java.lang.RuntimePermission "shutdownHooks";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
permission javax.security.auth.AuthPermission "setLoginConfiguration";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
permission java.util.PropertyPermission "java.util.logging.config.class", "write";
permission java.security.SecurityPermission "removeProvider.SUN";
permission java.security.SecurityPermission "insertProvider.SUN";
permission javax.security.auth.AuthPermission "doAs";
permission java.util.PropertyPermission "java.security.krb5.realm", "write";
permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
permission java.util.PropertyPermission "java.security.auth.login.config", "write";
permission java.util.PropertyPermission "user.language", "write";
permission javax.security.auth.kerberos.ServicePermission "*", "accept";
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
permission java.security.SecurityPermission "putProviderProperty.IAIK";
permission java.security.SecurityPermission "removeProvider.IAIK";
permission java.security.SecurityPermission "insertProvider.IAIK";
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
permission javax.management.MBeanServerPermission "newMBeanServer";
permission javax.management.MBeanPermission "*", "registerMBean";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.management.MBeanTrustPermission "register";
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanServerPermission "createMBeanServer";
permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
permission java.net.NetPermission "getProxySelector";
permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
permission javax.security.auth.AuthPermission "doAsPrivileged";
permission javax.security.auth.AuthPermission "modifyPublicCredentials";
permission java.security.SecurityPermission "insertProvider.XMLDSig";
permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
permission javax.management.MBeanPermission "*", "queryMBeans";
permission java.lang.RuntimePermission "setContextClassLoader";
};

OpenSSO Enterprise Security Permissions for IBM WebSphere Application Server 6.1

Add these permissions to the server.policy file.


Example 2–4 OpenSSO Enterprise Security Permissions for IBM WebSphere Application Server 6.1

grant {
permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.util.logging.LoggingPermission "control";
permission java.lang.RuntimePermission "shutdownHooks";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
permission javax.security.auth.AuthPermission "setLoginConfiguration";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
permission java.util.PropertyPermission "java.util.logging.config.class", "write";
permission java.security.SecurityPermission "removeProvider.SUN";
permission java.security.SecurityPermission "insertProvider.SUN";
permission javax.security.auth.AuthPermission "doAs";
permission java.util.PropertyPermission "java.security.krb5.realm", "write";
permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
permission java.util.PropertyPermission "java.security.auth.login.config", "write";
permission java.util.PropertyPermission "user.language", "write";
permission javax.security.auth.kerberos.ServicePermission "*", "accept";
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
permission java.security.SecurityPermission "putProviderProperty.IAIK";
permission java.security.SecurityPermission "removeProvider.IAIK";
permission java.security.SecurityPermission "insertProvider.IAIK";
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
permission javax.management.MBeanServerPermission "newMBeanServer";
permission javax.management.MBeanPermission "*", "registerMBean";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.management.MBeanTrustPermission "register";
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanServerPermission "createMBeanServer";
permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
permission java.net.NetPermission "getProxySelector";
permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
permission javax.security.auth.AuthPermission "doAsPrivileged";
permission javax.security.auth.AuthPermission "modifyPublicCredentials";
permission java.security.SecurityPermission "insertProvider.XMLDSig";
permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
permission java.security.SecurityPermission "getProperty.ocsp.*";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "setIO";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "stopThread";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "readFileDescriptor";
permission java.lang.RuntimePermission "writeFileDescriptor";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.lang.RuntimePermission "defineClassInPackage.*";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
permission java.util.PropertyPermission "*", "read,write";
permission com.ibm.oti.shared.SharedClassPermission "*", "read,write";
permission com.ibm.websphere.security.WebSphereRuntimePermission "getSSLConfig", "read,write,execute,delete";
};

OpenSSO Enterprise Security Permissions for JBoss Application Server

Add these permissions to the server.policy file.


Example 2–5 OpenSSO Enterprise Security Permissions for JBoss Application Server

grant {
permission java.net.SocketPermission "*", "connect,accept,resolve";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.util.logging.LoggingPermission "control";
permission java.lang.RuntimePermission "shutdownHooks";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
permission javax.security.auth.AuthPermission "setLoginConfiguration";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
permission java.util.PropertyPermission "java.util.logging.config.class", "write";
permission java.security.SecurityPermission "removeProvider.SUN";
permission java.security.SecurityPermission "insertProvider.SUN";
permission javax.security.auth.AuthPermission "doAs";
permission java.util.PropertyPermission "java.security.krb5.realm", "write";
permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
permission java.util.PropertyPermission "java.security.auth.login.config", "write";
permission java.util.PropertyPermission "user.language", "write";
permission javax.security.auth.kerberos.ServicePermission "*", "accept";
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
permission java.security.SecurityPermission "putProviderProperty.IAIK";
permission java.security.SecurityPermission "removeProvider.IAIK";
permission java.security.SecurityPermission "insertProvider.IAIK";
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
permission javax.management.MBeanServerPermission "newMBeanServer";
permission javax.management.MBeanPermission "*", "registerMBean";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.management.MBeanTrustPermission "register";
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanServerPermission "createMBeanServer";
permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
permission java.net.NetPermission "getProxySelector";
permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
permission javax.security.auth.AuthPermission "doAsPrivileged";
permission javax.security.auth.AuthPermission "modifyPublicCredentials";
permission java.security.SecurityPermission "insertProvider.XMLDSig";
permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
};

OpenSSO Enterprise Security Permissions for Oracle Application Server

Add these permissions to the java2.policy file.


Example 2–6 OpenSSO Enterprise Security Permissions For the Oracle java2.policy File

grant {
permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.util.logging.LoggingPermission "control";
permission java.lang.RuntimePermission "shutdownHooks";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
permission javax.security.auth.AuthPermission "setLoginConfiguration";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
permission java.util.PropertyPermission "java.util.logging.config.class", "write";
permission java.security.SecurityPermission "removeProvider.SUN";
permission java.security.SecurityPermission "insertProvider.SUN";
permission javax.security.auth.AuthPermission "doAs";
permission java.util.PropertyPermission "java.security.krb5.realm", "write";
permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
permission java.util.PropertyPermission "java.security.auth.login.config", "write";
permission java.util.PropertyPermission "user.language", "write";
permission javax.security.auth.kerberos.ServicePermission "*", "accept";
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
permission java.security.SecurityPermission "putProviderProperty.IAIK";
permission java.security.SecurityPermission "removeProvider.IAIK";
permission java.security.SecurityPermission "insertProvider.IAIK";
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
permission javax.management.MBeanServerPermission "newMBeanServer";
permission javax.management.MBeanPermission "*", "registerMBean";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.management.MBeanTrustPermission "register";
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanServerPermission "createMBeanServer";
permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
permission java.net.NetPermission "getProxySelector";
permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
permission javax.security.auth.AuthPermission "doAsPrivileged";
permission javax.security.auth.AuthPermission "modifyPublicCredentials";
permission java.security.SecurityPermission "insertProvider.XMLDSig";
permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
permission oracle.oc4j.security.OC4JRuntimePermission "oracle.oc4j.OC4JOnly";
};

OpenSSO Enterprise Security Permissions for Geronimo Application Server

Procedure: To Enable the Java Security Manager for Geronimo Application Server

  1. Create a new security policy file named geronimo.policy in the following directory:

    geronimo_home/bin

    Add the security permissions shown in Example 2–7 to the geronimo.policy file.

  2. In the geronimo.sh script, add the following two lines to the java command in the start block:

    -Djava.security.manager \
    -Djava.security.policy=geronimo.policy \

    The java.security.policy value is a URL or file path that the JVM resolves against its working directory, so the bare name geronimo.policy is found only when the server is started from geronimo_home/bin; use "$GERONIMO_HOME"/bin/geronimo.policy if it is started from elsewhere. A single = adds the file to the policies named in the JDK's java.security file; == would make it the only policy consulted.

    For example, the start block will look like:

    elif [ "$1" = "start" ] ; then
      shift
      touch "$GERONIMO_OUT"
      $START_OS_CMD "$_RUNJAVA" $JAVA_OPTS $GERONIMO_OPTS \
        $JAVA_AGENT_OPTS \
        -Dorg.apache.geronimo.base.dir="$GERONIMO_BASE" \
        -Djava.endorsed.dirs="$ENDORSED_DIRS" \
        -Djava.ext.dirs="$EXT_DIRS" \
        -Djava.io.tmpdir="$GERONIMO_TMPDIR" \
        -Djava.security.manager \
        -Djava.security.policy=geronimo.policy \
        -XX:MaxPermSize=512M \
        -jar "$GERONIMO_HOME"/bin/server.jar $LONG_OPT "$@" \
        >> "$GERONIMO_OUT" 2>&1 &
      echo ""
      echo "Geronimo started in background. PID: $!"
      if [ ! -z "$GERONIMO_PID" ]; then
        echo $! > $GERONIMO_PID
      fi
  3. Restart Geronimo Application Server.


Example 2–7 OpenSSO Enterprise Security Permissions for Geronimo Application Server

// ----------------------------------------------------------------------------
// Permissions for Geronimo Application Server
// ----------------------------------------------------------------------------
// Geronimo gets all permissions
grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
permission java.security.AllPermission;
};

grant codeBase "file:${org.apache.geronimo.base.dir}/repository/-" {
permission java.security.AllPermission;
};

grant {
permission java.lang.RuntimePermission "shutdownHooks";
permission java.lang.RuntimePermission "getenv.*";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createSecurityManager";

permission javax.management.MBeanServerPermission "findMBeanServer";
permission javax.security.auth.AuthPermission "setReadOnly";
permission java.security.SecurityPermission "setPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "createAccessControlContext";
permission java.security.SecurityPermission "getProperty.package.definition";
permission java.security.SecurityPermission "setProperty.package.definition";
permission java.security.SecurityPermission "getProperty.package.access";
permission java.security.SecurityPermission "setProperty.package.access";
permission org.apache.geronimo.security.GeronimoSecurityPermission "getContext";
permission org.apache.geronimo.security.GeronimoSecurityPermission "setContext";
permission org.apache.geronimo.security.GeronimoSecurityPermission "configure";

permission java.util.PropertyPermission "Xorg.apache.geronimo.gbean.NoProxy", "read";
permission java.util.PropertyPermission "Xorg.apache.geronimo.kernel.config.Marshaler", "read";
};

grant {
permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.util.logging.LoggingPermission "control";
permission java.lang.RuntimePermission "shutdownHooks";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
permission javax.security.auth.AuthPermission "setLoginConfiguration";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
permission java.util.PropertyPermission "java.util.logging.config.class", "write";
permission java.security.SecurityPermission "removeProvider.SUN";
permission java.security.SecurityPermission "insertProvider.SUN";
permission javax.security.auth.AuthPermission "doAs";
permission java.util.PropertyPermission "java.security.krb5.realm", "write";
permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
permission java.util.PropertyPermission "java.security.auth.login.config", "write";
permission java.util.PropertyPermission "user.language", "write";
permission javax.security.auth.kerberos.ServicePermission "*", "accept";
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
permission java.security.SecurityPermission "putProviderProperty.IAIK";
permission java.security.SecurityPermission "removeProvider.IAIK";
permission java.security.SecurityPermission "insertProvider.IAIK";
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
permission javax.management.MBeanServerPermission "newMBeanServer";
permission javax.management.MBeanPermission "*", "registerMBean";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.management.MBeanTrustPermission "register";
permission javax.management.MBeanPermission "*", "*";
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanServerPermission "createMBeanServer";
permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
permission java.net.NetPermission "getProxySelector";
permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
permission javax.security.auth.AuthPermission "doAsPrivileged";
permission javax.security.auth.AuthPermission "modifyPublicCredentials";
permission java.security.SecurityPermission "insertProvider.XMLDSig";
permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
permission java.security.SecurityPermission "getProperty.ocsp.*";
};
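Examples 2–5, 2–6 and 2–7 each grant the OpenSSO Enterprise permissions in a block with no codeBase, so those permissions reach every code source in the server. To see concretely what a given WAR receives under one of these files, the following probe (an added example, not code from the OpenSSO Enterprise documentation or from any of the containers) builds a protection domain for the WAR's location and asks the JDK's own Policy which of a chosen set of sensitive permissions it implies. The class name PolicyProbe, the probe list, and the paths in the run command are assumptions.

```java
import java.io.FilePermission;
import java.lang.reflect.ReflectPermission;
import java.net.URL;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.SecurityPermission;
import java.security.cert.Certificate;

/**
 * PolicyProbe (added example): asks the JDK Policy implementation which
 * sensitive permissions a given code source receives under the policy file
 * selected with -Djava.security.policy. Because the JDK parser evaluates the
 * file, codeBase matching and ${property} expansion behave as they do when
 * the container starts with -Djava.security.manager.
 *
 * Run WITHOUT -Djava.security.manager (Policy.getPolicy() itself needs the
 * "getPolicy" SecurityPermission once a manager is installed), for example:
 *
 *   javac PolicyProbe.java
 *   java -Djava.security.policy==/opt/geronimo/bin/geronimo.policy \
 *        -Dorg.apache.geronimo.base.dir=/opt/geronimo \
 *        PolicyProbe file:/opt/geronimo/deploy/opensso.war
 *
 * "==" makes that file the only policy consulted, so grants from the JDK's
 * default java.policy do not blur the result. The base.dir property mirrors
 * what geronimo.sh passes; a codeBase whose ${property} cannot be expanded
 * matches nothing, so without it the two AllPermission grants in Example 2-7
 * are never exercised. All paths above are placeholders.
 */
public class PolicyProbe {

    /** Permissions that, when granted to arbitrary code, defeat the sandbox. */
    static final Permission[] PROBES = {
        new FilePermission("/etc/shadow", "read"),     // covered by <<ALL FILES>> "read"
        new FilePermission("/etc/shadow", "write"),    // covered by <<ALL FILES>> "write"
        new RuntimePermission("createClassLoader"),
        new ReflectPermission("suppressAccessChecks"),
        new SecurityPermission("setPolicy"),
        new AllPermission(),                            // true only under a codeBase grant
    };

    /** Builds an unsigned protection domain for code loaded from the given URL. */
    static ProtectionDomain domainFor(String location) throws Exception {
        CodeSource source = new CodeSource(new URL(location), (Certificate[]) null);
        return new ProtectionDomain(source, null);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical default: a WAR outside every codeBase grant, so only the
        // codeBase-less grant blocks can give it anything.
        String location = args.length > 0 ? args[0] : "file:/tmp/untrusted/app.war";
        ProtectionDomain domain = domainFor(location);

        Policy policy = Policy.getPolicy();
        policy.refresh(); // re-read the file so edits made since JVM start are seen

        System.out.println("Code source: " + location);
        for (Permission p : PROBES) {
            String verdict = policy.implies(domain, p) ? "GRANTED" : "denied";
            System.out.printf("  %-72s %s%n", p, verdict);
        }
    }
}
```

Every GRANTED line for a location outside the codeBase grants comes from a codeBase-less block like the ones in Examples 2–5, 2–6 and 2–7; running the probe with the WAR's real location shows how little the container-specific codeBase clauses actually restrict. If the WAR lands under the Geronimo repository/ tree, the second codeBase grant in Example 2–7 already gives it AllPermission, and all six probes print GRANTED.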