Oracle® Identity Manager Installation and Configuration Guide for JBoss Application Server Release 9.1.0 Part Number E10369-04
Note:
The application might fail to start because of syntax errors in the policy files, so be careful when you edit them. Oracle recommends that you use the policy tool provided by the JDK for editing the policy files. The tool is available at the following location:
JAVA_HOME/jre/bin/policytool
To enable Java 2 Security for Oracle Identity Manager:
1. Go to the $JBOSS_HOME/bin/ directory and open the run script (run.bat for Windows and run.sh for UNIX) as follows:
   Search for JAVA_OPTS and add the following JVM options after -Dprogram.name=%PROGNAME% (all on one line, with no space after java.security.policy=):
   -Djava.security.manager -Djava.security.policy=$JBOSS_HOME/server/default/conf/server.policy -Djboss.home.dir=$JBOSS_HOME -Djboss.server.home.dir=$JBOSS_HOME/server/default
Note:
Change $JBOSS_HOME to the actual JBoss Application Server directory location. The following table explains the options.

| Option | Description |
|---|---|
| -Djava.security.manager | Enables the Java 2 Security manager. |
| -Djava.security.policy | Specifies the policy file that is to be used for Java 2 Security. |
| -Djboss.home.dir | Specifies the JBoss Application Server installation directory. |
| -Djboss.server.home.dir | Specifies the location of the JBoss Application Server configuration where Oracle Identity Manager is installed. |
2. Go to the JBOSS_HOME/server/default/conf directory and modify the server.policy file by copying the Java 2 Security permissions from the Policy File shown next.
Note:
If the server.policy file does not exist, you have to create it.

Policy File
The server.policy file consists of the following code:
Note:
The instructions for changing the code in the policy file are given in the comments (shown in bold font in the original rendering). This server.policy example is for a Windows installation. For UNIX, change the \\ between directory names to / in the target of every java.io.FilePermission entry.
Ensure that you change the multicast IP 231.165.168.131 in this example to the multicast IP address of the Oracle Identity Manager installation. You can find the Oracle Identity Manager multicast IP address in xlconfig.xml.
```
// Oracle Identity Manager Java2 security policy file
// Use -Djava.security.policy=server.policy
// and -Djboss.home.dir=c:/jboss
// and -Djboss.server.home.dir=c:/jboss/server/default

// *******************************************
// Java code and extensions
// *******************************************

// Trust java extensions
grant codeBase "file:${java.home}/lib/ext/-" {
  permission java.security.AllPermission;
};

// Trust core java code
grant codeBase "file:${java.home}/lib/*" {
  permission java.security.AllPermission;
};

// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/jre/lib/-" {
  permission java.security.AllPermission;
};

// *******************************************
// Java code and extensions ends
// *******************************************

// *******************************************
// JBoss Application Server code
// *******************************************

// Trust core JBoss Application Server code
grant codeBase "file:${jboss.home.dir}/bin/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/lib/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/lib/-" {
  permission java.security.AllPermission;
};

// *******************************************
// JBoss Application Server code ends
// *******************************************

// *******************************************
// JBoss Application Server deployed applications
// *******************************************

// Grant all permissions to the default applications deployed on
// JBoss Application Server. Please change the list depending on whether
// you are deploying on a single or clustered JBoss Application Server
// install.
// ----------------------------------------------
grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-aop.deployer/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-bean.deployer/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/jms/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/http-invoker.sar/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/jbossweb-tomcat55.sar/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-ws4ee.sar/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/jmx-console.war/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/management/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/uuid-key-generator.sar" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-ha-local-jdbc.rar" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-ha-xa-jdbc.rar" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-local-jdbc.rar" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-xa-jdbc.rar" {
  permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/mail-ra.rar" {
  permission java.security.AllPermission;
};

// *******************************************
// JBoss Application Server deployed applications ends
// *******************************************

// ******************************************************************
// From here, Oracle Identity Manager application permissions start
// ******************************************************************

// Grant All permissions to nexaweb commons jar file to be loaded from
// $JBOSS_HOME/default/lib/
grant codeBase "file:${jboss.server.home.dir}/lib/nexaweb-common.jar" {
  permission java.security.AllPermission;
};

// OIM codebase permissions
grant codeBase "file:${jboss.server.home.dir}/deploy/XellerateFull.ear" {
  // File permissions
  // Need read,write,delete permissions on $OIM_HOME/config folder
  // to read various config files, write the
  // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
  // the last xlconfig.xml if the numbers go above 9.
  permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read, write, delete";
  permission java.io.FilePermission "${XL.HomeDir}\\-", "read";

  // Need read,write,delete permissions to generate adapter Java
  // code, delete the .class file when the adapter is loaded into
  // the database
  permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete";

  // This is required by the connectors and connector installer
  permission java.io.FilePermission "${XL.HomeDir}\\ConnectorDefaultDirectory\\-", "read,write,delete";
  permission java.io.FilePermission "${XL.HomeDir}\\connectorResources\\-", "read,write,delete";

  // Need to read Globalization resource bundle files for various
  // locales
  permission java.io.FilePermission "${XL.HomeDir}\\customResources\\-", "read";

  // Need to read code from "JavaTasks", "ScheduleTask",
  // "ThirdParty", "EventHandlers" folder
  permission java.io.FilePermission "${XL.HomeDir}\\EventHandlers\\-", "read";
  permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read";
  permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTask\\-", "read";
  permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read";

  // Required by the Generic Technology connector
  permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read";

  // Server needs read permissions on Nexaweb home directory
  //permission java.io.FilePermission "${nexaweb.home}\\-", "read";

  // Read permissions on the jboss "tmp" folder, the OIM deploy
  // directory and the jboss server "lib" folder.
  permission java.io.FilePermission "${jboss.server.home.dir}\\tmp\\-", "read";
  permission java.io.FilePermission "${jboss.server.home.dir}\\deploy\\XellerateFull.ear\\-", "read,write";
  permission java.io.FilePermission "${jboss.server.home.dir}\\lib\\-", "read";

  // OIM server invokes the Java compiler. You need "execute"
  // permissions on all files.
  permission java.io.FilePermission "<<ALL FILES>>", "execute";

  // Socket permissions
  // Basically we allow all permissions on non-privileged sockets
  // The multicast address should be the same as the one in
  // xlconfig.xml for Javagroups communication
  permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";
  permission java.net.SocketPermission "231.165.168.131", "connect,accept";

  // Property permissions
  // Read and write OIM properties
  // Read XL.*, java.* and log4j.* properties
  permission java.util.PropertyPermission "XL.*", "read,write";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.util.PropertyPermission "java.*", "read";
  permission java.util.PropertyPermission "log4j.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";

  // Run-time permissions
  // OIM server needs permissions to create its own class loader,
  // get the class loader, modify threads and register shutdown
  // hooks
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "shutdownHooks";

  // OIM server needs run-time permissions to generate and load
  // classes in the packages specified below. Also access the
  // declared members of a class.
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue";
  permission java.lang.RuntimePermission "accessDeclaredMembers";

  // The following run-time permissions are JBoss specific and will
  // differ between appservers. OIM server needs ability to see
  // current thread caller and credentials, and set the 'Run As'
  // role.
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getPrincipalInfo";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setPrincipalInfo";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setRunAsRole";

  // Reflection permissions
  // Give permissions to access and invoke fields/methods from
  // reflected classes.
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

  // Security permissions for OIM server
  permission java.security.SecurityPermission "*";
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "doPrivileged";
  permission javax.security.auth.AuthPermission "getSubject";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";

  // Secure Sockets Layer (SSL) permission (for remote manager)
  permission javax.net.ssl.SSLPermission "getSSLSessionContext";
};

// Nexaweb server codebase permissions
grant codeBase "file:${jboss.server.home.dir}/deploy/Nexaweb.ear" {
  // File permissions
  permission java.io.FilePermission "${user.home}", "read, write";
  permission java.io.FilePermission "${jboss.server.home.dir}\\tmp\\-", "read";
  //permission java.io.FilePermission "${nexaweb.home}\\-", "read";

  // Property permissions
  permission java.util.PropertyPermission "*", "read,write";

  // Run-time permissions
  // Nexaweb server needs permissions to create its own class loader,
  // get the class loader, and so on
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "setFactory";

  // Nexaweb server security permissions to load the Cryptix
  // extension
  permission java.security.SecurityPermission "insertProvider.Cryptix";

  // Socket permissions
  // Permissions on all non-privileged ports.
  permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";

  // Security permissions
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
};

// The following are permissions given to codebase in the OIM server
// directory
grant codeBase "file:${XL.HomeDir}/-" {
  // File permissions
  permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read";
  permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read";
  permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTasks\\-", "read";
  permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read";
  permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete";
  permission java.io.FilePermission "${jboss.server.home.dir}\\tmp\\-", "read";
  //permission java.io.FilePermission "${nexaweb.home}\\-", "read";

  // Socket permissions
  permission java.net.SocketPermission "*:1024-", "listen";

  // Property permissions
  // Read XL.* and log4j.* properties
  permission java.util.PropertyPermission "XL.*", "read";
  permission java.util.PropertyPermission "log4j.*", "read";

  // Security permissions
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
};

// Minimal permissions are allowed to everyone else
grant {
  permission java.util.PropertyPermission "*", "read";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.lang.RuntimePermission "accessClassInPackage.*";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getSubject";
  permission javax.management.MBeanServerPermission "findMBeanServer";
  permission javax.management.MBeanPermission "org.jboss.mx.modelmbean.XMBean#*[JMImplementation:type=MBeanRegistry]", "*";
  permission javax.security.auth.AuthPermission "createLoginContext.*";
  permission java.io.FilePermission "${jboss.server.home.dir}\\tmp\\-", "read,write";

  // For Nexaweb
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.util.PropertyPermission "nexaweb.logs", "read,write";
  permission java.util.PropertyPermission "sun.net.client.defaultConnectTimeout", "read,write";
  permission java.util.PropertyPermission "sun.net.client.defaultReadTimeout", "read,write";
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write";
  permission java.lang.RuntimePermission "modifyThreadGroup";
};
```
Note:
To reflect the changes in the code and apply Java 2 Security, you must restart the server.