Oracle® Identity Manager Installation and Configuration Guide for BEA WebLogic Server Release 9.1.0, Part Number E10370-03
Note:
The application might fail to start because of syntax errors in the policy files. Be careful when you edit the policy files. Oracle recommends that you use the policy tool provided by the JDK for editing the policy files. The tool is available at:
JAVA_HOME/jre/bin/policytool
To enable Java 2 Security for Oracle Identity Manager running on BEA WebLogic Server:
1. Go to the $BEA_HOME/user_projects/domains/$OIM_DOMAIN/ directory and open the run script (xlStartWLS.bat for Windows and xlStartWLS.sh for UNIX).
2. Search for JAVA_OPTIONS and add the following:
-Djava.security.manager -Djava.security.policy=$WL_HOME/server/lib/weblogic.policy -Dbea.home=$BEA_HOME -Dserver.name=$SERVER_NAME -Doim.domain=$BEA_HOME/user_projects/domains/$OIM_DOMAIN
Note:
Remember the following:
Change $WL_HOME to the actual BEA WebLogic Server home directory location.
Change $BEA_HOME to the actual BEA home directory location.
Change $SERVER_NAME to the actual server name of BEA WebLogic Server.
Change $OIM_DOMAIN to the actual domain name where Oracle Identity Manager is deployed.
A single equals sign after -Djava.security.policy adds weblogic.policy to the JDK's default policy files; a double equals sign (-Djava.security.policy==..., the form used in the WebLogic sample header and in the Managed Server arguments of the cluster procedure) makes weblogic.policy the only policy in effect, so every permission the application needs must then appear in that file. The policy file also expands ${XL.HomeDir}; the JVM ignores any grant or permission entry whose ${property} it cannot expand, so XL.HomeDir must be set for the server (-DXL.HomeDir=$OIM_HOME) or every file permission under ${XL.HomeDir} silently becomes a denial.
The following table describes the options:

Option | Description
---|---
-Djava.security.manager | Enables the Java 2 Security manager.
-Djava.security.policy | Specifies the policy file to use for Java 2 Security.
-Dbea.home | Specifies the root of the WebLogic Server installation. Typically it is /opt/bea or c:\bea.
-Dserver.name | Specifies the name of the server on which Oracle Identity Manager is installed. Typically it is myserver.
-Doim.domain | Specifies the directory of the domain on which Oracle Identity Manager is installed.
3. Check whether the weblogic.policy file named by -Djava.security.policy exists. With $WL_HOME set to the WebLogic Server home (typically $BEA_HOME/weblogic81), that file is $WL_HOME/server/lib/weblogic.policy. If the file exists, edit it and add the Java 2 Security permissions specified in the "Policy File" section. If it does not exist, create it. The file you edit must be the same file the run script points to; a policy edited in one location and loaded from another has no effect.
After making the changes mentioned in steps 1 through 3, you must restart all the servers.
Policy File
Append the following code at the end of the weblogic.policy file:
Note:
The instructions to change the code in the policy file are given in comments. This weblogic.policy example is for a UNIX installation. For Microsoft Windows, change the slash (/) character between the directory names to two backslash characters (\\) in every java.io.FilePermission target; codeBase values are URLs and keep forward slashes.
Ensure that you change the multicast IP address 231.167.157.106 in this example to the multicast IP address of the Oracle Identity Manager installation. You can find the Oracle Identity Manager multicast IP address in the xlconfig.xml file.
```
// *******************************************
// Default WebLogic Permissions ends
// *******************************************
grant codeBase "file:${java.home}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/jre/lib/-" {
  permission java.security.AllPermission;
};
grant codebase "file:${oim.domain}/${server.name}/.internal/-" {
  permission java.security.AllPermission;
};
// *******************************************
// From here, OIM application permission start
// *******************************************
// OIM codebase permissions
grant codeBase "file:${oim.domain}/XLApplications/WLXellerateFull.ear/-" {
  // File permissions
  // Need read,write,delete permissions on $OIM_HOME/config folder
  // to read various config files, write the
  // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
  // the last xlconfig.xml if the numbers go above 9.
  permission java.io.FilePermission "${XL.HomeDir}/config/-", "read, write, delete";
  permission java.io.FilePermission "${XL.HomeDir}/-", "read";
  // Need read,write,delete permissions to generate adapter java
  // code, delete the .class file when the adapter is loaded into
  // the database
  permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
  // This is required by the connectors and connector installer
  permission java.io.FilePermission "${XL.HomeDir}/ConnectorDefaultDirectory/-", "read,write,delete";
  permission java.io.FilePermission "${XL.HomeDir}/connectorResources/-", "read,write,delete";
  // Read Globalization resource bundle files for various
  // locales
  permission java.io.FilePermission "${XL.HomeDir}/customResources/-", "read";
  // Read code from "JavaTasks", "ScheduleTask",
  // "ThirdParty", "EventHandlers" folder
  permission java.io.FilePermission "${XL.HomeDir}/EventHandlers/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";
  // Required by the Generic Technology connector
  permission java.io.FilePermission "${XL.HomeDir}/GTC/-", "read";
  // OIM server codebase requires read permissions on the
  // deploy directory, the .wlnotdelete directory, the
  // "applications" folder, the "XLApplications" folder
  // and the BEA WebLogic Server lib directory
  // All these permissions are specific to the BEA WebLogic Server.
  permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read";
  permission java.io.FilePermission "${oim.domain}/${server.name}/.wlnotdelete/-", "read,write,delete";
  permission java.io.FilePermission "${oim.domain}/applications/-", "read";
  permission java.io.FilePermission "${oim.domain}/XLApplications/-", "read";
  permission java.io.FilePermission "http:${/}-", "read";
  permission java.io.FilePermission ".${/}http:${/}-", "read";
  permission java.io.FilePermission "${bea.home}/weblogic81/server/lib/-", "read";
  permission java.io.FilePermission "${oim.domain}/${server.name}/ldap/ldapfiles/-", "read,write";
  permission java.io.FilePermission "${oim.domain}/${server.name}/-", "read,write,delete";
  // OIM server codebase requires read permissions on the
  // $JAVA_HOME/lib directory
  permission java.io.FilePermission "${java.home}/lib/-", "read";
  // OIM server invokes the java compiler. You need "execute"
  // permissions on all files.
  permission java.io.FilePermission "<<ALL FILES>>", "execute";
  // Socket permissions
  // Basically we allow all permissions on non-privileged sockets
  // The multicast address should be the same as the one in
  // xlconfig.xml for javagroups communication
  permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";
  permission java.net.SocketPermission "231.167.157.106", "connect,accept,resolve";
  // Property permissions
  // Read and write OIM properties
  // Read XL.*, java.* and log4j.* properties
  permission java.util.PropertyPermission "XL.HomeDir", "read";
  permission java.util.PropertyPermission "XL.*", "read";
  permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
  permission java.util.PropertyPermission "log4j.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";
  permission java.util.PropertyPermission "weblogic.xml.debug", "read";
  permission java.util.PropertyPermission "file.encoding", "read";
  permission java.util.PropertyPermission "java.class.path", "read";
  permission java.util.PropertyPermission "java.ext.dirs", "read";
  permission java.util.PropertyPermission "java.library.path", "read";
  permission java.util.PropertyPermission "sun.boot.class.path", "read";
  permission java.util.PropertyPermission "weblogic.*", "read";
  // Run time permissions
  // OIM server needs permissions to create its own class loader,
  // get the class loader, modify threads and register shutdown
  // hooks
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "shutdownHooks";
  // OIM server needs run time permissions to generate and load
  // classes in the following specified packages.
  // Also access the declared members of a class.
  // weblogic.kernelPermission is required by BEA WebLogic Server
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "weblogic.kernelPermission";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.c";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.provider";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";
  // Reflection permissions
  // Give permissions to access and invoke fields/methods from
  // reflected classes.
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  // Security permissions for OIM server
  permission java.security.SecurityPermission "*";
  permission java.security.SecurityPermission "insertProvider.SunJCE";
  permission java.security.SecurityPermission "insertProvider.SUN";
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "doPrivileged";
  permission javax.security.auth.AuthPermission "getSubject";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
  permission java.security.SecurityPermission "getProperty.policy.allowSystemProperty";
  permission java.security.SecurityPermission "getProperty.login.config.url.1";
  permission javax.security.auth.AuthPermission "refreshLoginConfiguration";
  // SSL permission (for remote manager)
  permission javax.net.ssl.SSLPermission "getSSLSessionContext";
  // Serializable permissions
  permission java.io.SerializablePermission "enableSubstitution";
};
// You must give the codebase in xlWebApp.war/WEB-INF/classes
// the following permissions
grant codeBase "file:${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/WEB-INF/classes/-" {
  permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/cabo/styles/-", "read,write";
  permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/cabo/images/-", "read,write";
};
// nexaweb-common.jar from WebLogic server/lib is given AllPermissions
// The classes in this JAR must be loaded by WebLogic's classloader
grant codeBase "file:${bea.home}/weblogic81/server/lib/nexaweb-common.jar" {
  permission java.security.AllPermission;
};
// Permissions for nexaweb-common.jar from OIM_HOME/ext
grant codeBase "file:${XL.HomeDir}/ext/nexaweb-common.jar" {
  permission java.security.AllPermission;
};
// Permissions for xlCrypto.jar from $OIM_HOME/lib
grant codeBase "file:${XL.HomeDir}/lib/xlCrypto.jar" {
  permission java.security.SecurityPermission "insertProvider.SunJCE";
  permission java.security.SecurityPermission "insertProvider.SUN";
};
// Permissions for xlUtils.jar from $OIM_HOME/lib
grant codeBase "file:${XL.HomeDir}/lib/xlUtils.jar" {
  permission java.io.FilePermission "${bea.home}/weblogic81/server/lib/-", "read";
  permission java.io.FilePermission "${java.home}/jre/lib/-", "read";
  // Serializable permissions
  permission java.io.SerializablePermission "enableSubstitution";
};
// Permissions for log4j-1.2.8.jar from $OIM_HOME/ext
grant codeBase "file:${XL.HomeDir}/ext/log4j-1.2.8.jar" {
  permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/xlVO.jar", "read";
};
// Permissions for xlLogger.jar from $OIM_HOME/lib
// The Filewatchdog class from this jar file must periodically scan
// these directories for updated/new jar files.
// We also scan the classes in xlAdapterUtilities.jar by default
grant codeBase "file:${XL.HomeDir}/lib/xlLogger.jar" {
  permission java.io.FilePermission "${XL.HomeDir}/EventHandlers", "read";
  permission java.io.FilePermission "${XL.HomeDir}/JavaTasks", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ThirdParty", "read";
  permission java.io.FilePermission "${XL.HomeDir}/EventHandlers/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/lib/xlAdapterUtilities.jar", "read";
};
// Permissions for .wlnotdelete folder
grant codeBase "file:${oim.domain}/${server.name}/.wlnotdelete/-" {
  permission java.security.AllPermission;
};
// Nexaweb server codebase permissions
grant codeBase "file:${oim.domain}/XLApplications/WLNexaweb.ear/-" {
  // File permissions
  permission java.io.FilePermission "${user.home}", "read, write";
  permission java.io.FilePermission "${oim.domain}/XLApplications/WLNexaweb.ear/-", "read";
  permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read";
  permission java.io.FilePermission "${bea.home}/weblogic81/server/lib/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
  permission java.io.FilePermission "<<ALL FILES>>", "execute";
  // Property permissions
  permission java.util.PropertyPermission "weblogic.xml.debug", "read";
  permission java.util.PropertyPermission "user.dir", "read";
  permission java.util.PropertyPermission "*", "read,write";
  // Run time permissions
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "setFactory";
  // Nexaweb server security permissions to load the Cryptix
  // extension
  permission java.security.SecurityPermission "insertProvider.Cryptix";
  permission java.lang.RuntimePermission "weblogic.kernelPermission";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.c";
  // Socket permissions
  // Permissions on all non-privileged ports.
  permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";
  // Security permissions
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
};
// The following are permissions given to codebase in the OIM server
// directory
grant codeBase "file:${XL.HomeDir}/-" {
  // File permissions
  permission java.io.FilePermission "${XL.HomeDir}/config/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ScheduleTasks/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
  // Socket permissions
  permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";
  // Property permissions
  permission java.util.PropertyPermission "XL.HomeDir", "read";
  permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
  permission java.util.PropertyPermission "XL.*", "read";
  permission java.util.PropertyPermission "log4j.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";
  permission java.util.PropertyPermission "weblogic.xml.debug", "read";
  // Security permissions
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
  // Run time Permissions
  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.provider";
};
// Minimal permissions are allowed to everyone else
grant {
  // "standard" properties that can be read by anyone
  permission java.util.PropertyPermission "java.version", "read";
  permission java.util.PropertyPermission "java.vendor", "read";
  permission java.util.PropertyPermission "java.vendor.url", "read";
  permission java.util.PropertyPermission "java.class.version", "read";
  permission java.util.PropertyPermission "os.name", "read";
  permission java.util.PropertyPermission "os.version", "read";
  permission java.util.PropertyPermission "os.arch", "read";
  permission java.util.PropertyPermission "file.separator", "read";
  permission java.util.PropertyPermission "path.separator", "read";
  permission java.util.PropertyPermission "line.separator", "read";
  permission java.util.PropertyPermission "java.specification.version", "read";
  permission java.util.PropertyPermission "java.specification.vendor", "read";
  permission java.util.PropertyPermission "java.specification.name", "read";
  permission java.util.PropertyPermission "java.vm.specification.version", "read";
  permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
  permission java.util.PropertyPermission "java.vm.specification.name", "read";
  permission java.util.PropertyPermission "java.vm.version", "read";
  permission java.util.PropertyPermission "java.vm.vendor", "read";
  permission java.util.PropertyPermission "java.vm.name", "read";
  permission java.util.PropertyPermission "sun.boot.class.path", "read";
  permission java.util.PropertyPermission "weblogic.xml.debug", "read";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.util.PropertyPermission "XL.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";
  permission java.util.PropertyPermission "*", "read,write";
  permission java.lang.RuntimePermission "weblogic.kernelPermission";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.util.PropertyPermission "nexaweb.logs", "read,write";
  permission java.util.PropertyPermission "sun.net.client.defaultConnectTimeout", "read,write";
  permission java.io.FilePermission "${oim.domain}/XLApplications/WLNexaweb.ear/-", "read";
  permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read";
  permission java.io.FilePermission "${bea.home}/weblogic81/server/lib/weblogic.jar", "read";
  permission java.io.FilePermission "${oim.domain}/${server.name}/.wlnotdelete/-", "read";
  permission java.io.FilePermission "${nexaweb.home}/-", "read";
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
  permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
};
```
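Before restarting the servers with -Djava.security.manager, it pays to check the edited policy mechanically rather than discover a dropped semicolon in the server log. The following Python script is an added example for this page, not Oracle, BEA or JDK code, and applies equally to the single-server policy above and to the cluster policy in the next section. It does three things: a structural syntax check of the grant entries (the failure mode the notes warn about), a report of the ${property} names the policy uses but the run script does not set with -D (the JVM silently ignores an entry it cannot expand), and an audit of grants broad enough to make the security manager ineffective for that codebase. The SAMPLE_POLICY excerpt is constructed for the example in the style of the policy on this page, and the audit thresholds are this example's own choices, not an Oracle recommendation.

```python
"""Syntax-check and audit a Java 2 policy file such as weblogic.policy.

Added example for this page, not Oracle, BEA or JDK code. It understands the
grant [codeBase "..."] { permission ...; }; entries used on this page (no signedBy or
principal clauses); the rules in audit() are this example's choices, not Oracle's.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Grant:
    codebase: Optional[str]  # None = unqualified "grant { ... }", which applies to every codebase
    line: int
    permissions: List[Tuple[str, Optional[str], Optional[str]]] = field(default_factory=list)


_COMMENT = re.compile(r'//[^\n]*|/\*.*?\*/', re.S)
_GRANT = re.compile(r'\bgrant\b(?:\s+codebase\s+"([^"]*)")?\s*\{', re.I)
_PERM = re.compile(r'^permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?$')
_PROP = re.compile(r'\$\{([^}]+)\}')


def strip_comments(text: str) -> str:
    """Drop // and /* */ comments but keep their newlines so reported line numbers stay right."""
    return _COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), text)


def _block_end(src: str, i: int) -> int:
    """Index of the '}' that closes the grant block opened before i; the braces of ${prop} are skipped."""
    while i < len(src):
        if src.startswith("${", i):
            i = src.find("}", i) + 1  # becomes 0 if no closing brace exists at all
            if i == 0:
                return -1
        elif src[i] in "{}":
            return i if src[i] == "}" else -1  # a nested '{' means this block was never closed
        else:
            i += 1
    return -1


def _blocks(src: str):
    """Yield (grant match, body text, index of the closing brace or -1) for each grant entry."""
    pos = 0
    while (m := _GRANT.search(src, pos)) is not None:
        end = _block_end(src, m.end())
        yield m, src[m.end():end if end >= 0 else len(src)], end
        if end < 0:
            return
        pos = end + 1


def check_syntax(text: str) -> List[str]:
    """Problems that make the JVM reject the policy, which is why the server then fails to start."""
    src, problems = strip_comments(text), []
    for m, body, end in _blocks(src):
        line = src.count("\n", 0, m.start()) + 1
        if end < 0:
            problems.append("line %d: grant block is never closed" % line)
        elif not src[end + 1:].lstrip().startswith(";"):
            problems.append("line %d: grant block must end with '};'" % line)
        if body.strip() and not body.rstrip().endswith(";"):
            problems.append("line %d: last permission statement is missing ';'" % line)
        for stmt in body.split(";"):
            if stmt.strip() and not _PERM.match(stmt.strip()):
                problems.append("line %d: malformed statement: %s" % (line, " ".join(stmt.split())[:70]))
    return problems


def parse_policy(text: str) -> List[Grant]:
    """Parse grant entries; a statement that does not parse is skipped, so run check_syntax first."""
    src, grants = strip_comments(text), []
    for m, body, _ in _blocks(src):
        g = Grant(m.group(1), src.count("\n", 0, m.start()) + 1)
        for stmt in body.split(";"):
            pm = _PERM.match(stmt.strip())
            if pm:
                g.permissions.append((pm.group(1), pm.group(2), pm.group(3)))
        grants.append(g)
    return grants


def unresolved(grants: List[Grant], props: Dict[str, str]) -> Set[str]:
    """${prop} names the policy uses that the start script does not set with -D. The JVM silently
    ignores a grant or permission entry it cannot expand, so a missing -DXL.HomeDir turns every
    ${XL.HomeDir} file permission into a denial at run time. ${/} is always known to the JVM."""
    names: Set[str] = set()
    for g in grants:
        for value in [g.codebase] + [t for _, t, _ in g.permissions]:
            names.update(n for n in _PROP.findall(value or "") if n != "/" and n not in props)
    return names


def audit(grants: List[Grant]) -> List[Tuple[Optional[str], str]]:
    """Permissions that leave the codebase with effectively no sandbox (this example's rules)."""
    findings = []
    for g in grants:
        for cls, target, actions in g.permissions:
            acts = {a.strip() for a in (actions or "").split(",")} - {"", "read"}
            cls = cls.rsplit(".", 1)[-1]
            if (cls == "AllPermission"
                    or (cls == "SecurityPermission" and target == "*")
                    or (cls == "FilePermission" and target == "<<ALL FILES>>" and acts)
                    or (cls == "PropertyPermission" and target == "*" and "write" in acts)
                    or (cls == "RuntimePermission" and target == "setSecurityManager")):
                findings.append((g.codebase, "%s %s %s" % (cls, target, ",".join(sorted(acts)))))
    return findings


def socket_targets(grants: List[Grant]) -> Set[str]:
    """Hosts named in SocketPermission grants; compare with the multicast address in xlconfig.xml."""
    return {t for g in grants for c, t, _ in g.permissions if c.endswith("SocketPermission") and t}


# Constructed excerpt in the style of this page's weblogic.policy (not the real file).
SAMPLE_POLICY = r'''
// OIM codebase permissions
grant codeBase "file:${oim.domain}/XLApplications/WLXellerateFull.ear/-" {
    permission java.io.FilePermission "${XL.HomeDir}/config/-", "read, write, delete";
    permission java.io.FilePermission "<<ALL FILES>>", "execute";
    permission java.net.SocketPermission "231.167.157.106", "connect,accept,resolve";
    permission java.security.SecurityPermission "*";
};
// Minimal permissions are allowed to everyone else
grant {
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute";
};
'''
# The same excerpt with one ';' dropped, the kind of slip a hand edit produces.
BROKEN_POLICY = SAMPLE_POLICY.replace('"read, write, delete";', '"read, write, delete"', 1)
```

Run it against the real file with parse_policy(open(path).read()) and pass the -D values from the run script (bea.home, server.name, oim.domain, XL.HomeDir) to unresolved(); compare socket_targets() with the multicast address in xlconfig.xml. On this page's own policy the audit flags, among others, the final unqualified grant { ... } entry, which gives every codebase read,write,execute on <<ALL FILES>> and read,write on every property; with that entry in place the per-codebase grants above it add little isolation, so treat it as the first thing to tighten once the server starts cleanly.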
Note:
The application might fail to start because of syntax errors in the policy files. Be careful when editing the policy files. Oracle recommends that you use the policy tool provided by the JDK for editing the policy files. The tool is available at:
JAVA_HOME/jre/bin/policytool
To enable Java 2 Security for Oracle Identity Manager running on a BEA WebLogic Server cluster:
1. Go to the $BEA_HOME/user_projects/domains/$OIM_DOMAIN/ directory and open the run script (xlStartWLS.bat for Windows and xlStartWLS.sh for UNIX).
2. Search for JAVA_OPTIONS and add the following:
-Djava.security.manager -Djava.security.policy=$WL_HOME/server/lib/weblogic.policy -Dbea.home=$BEA_HOME -Dserver.name=$SERVER_NAME -Doim.domain=$BEA_HOME/user_projects/domains/$OIM_DOMAIN
Note:
Remember the following:
Change $WL_HOME to the actual BEA WebLogic Server home directory location.
Change $BEA_HOME to the actual BEA home directory location.
Change $SERVER_NAME to the actual name of the first server on which Oracle Identity Manager is deployed.
Change $OIM_DOMAIN to the actual domain name where Oracle Identity Manager is deployed.
The following table describes the options:

Option | Description
---|---
-Djava.security.manager | Enables the Java 2 Security manager.
-Djava.security.policy | Specifies the policy file to use for Java 2 Security.
-Dbea.home | Specifies the root of the WebLogic Server installation directory. Typically, it is /opt/bea or c:\bea.
-Dserver.name | Specifies the name of the server on which Oracle Identity Manager is installed. Typically, it is myserver.
-Doim.domain | Specifies the directory of the domain on which Oracle Identity Manager is installed.
3. Check whether the weblogic.policy file named by -Djava.security.policy exists: $WL_HOME/server/lib/weblogic.policy, where $WL_HOME is typically $BEA_HOME/weblogic81 (the Managed Server arguments name the same file as $BEA_HOME/weblogic81/server/lib/weblogic.policy). If the file exists, edit it and add the Java 2 Security permissions specified in the "Policy File" section. If the file does not exist, create it. In a cluster, each Managed Server host must have the policy file at the path its own start arguments name; a file edited only on the Administration Server host protects no other host.
4. For each Managed Server in the clustered installation:
a. In the WebLogic Server Console, expand Servers, select the cluster server node, click the Configuration tab, and then click the Remote Start tab.
b. Add the following to the Arguments field:
-DXL.HomeDir=$OIM_HOME -Djava.security.auth.login.config=$OIM_HOME\config\authwl.conf -Dlog4j.configuration=file:/$OIM_HOME/config/log.properties -Djava.awt.headless=true -Djava.security.manager -Djava.security.policy==$BEA_HOME/weblogic81/server/lib/weblogic.policy -Dbea.home=$BEA_HOME -Dserver.name=$SERVER_NAME -Doim.domain=$BEA_HOME/user_projects/domains/$OIM_DOMAIN
Note:
Remember the following:
Change $OIM_HOME to the actual Oracle Identity Manager home directory location.
Change $BEA_HOME to the actual BEA home directory location.
Change $SERVER_NAME to the actual server name of BEA WebLogic Server.
Change $OIM_DOMAIN to the actual domain name on which Oracle Identity Manager is deployed.
Use the path separator of the Managed Server host's operating system consistently in these values. The double equals sign in -Djava.security.policy== makes weblogic.policy the only policy the JVM loads (the JDK's default policy files are not consulted), so every permission the Managed Server needs must be in this file. Set -Dserver.name to the Managed Server's own name: the policy's ${server.name} entries, such as the .internal and .wlnotdelete grants, resolve against it, and an entry whose property does not expand is ignored by the JVM.
After making the changes mentioned in steps 1 through 4, you must restart all the servers.
Policy File
The weblogic.policy file contains the following code:
Note:
The instructions to change the code in the policy file are given in comments.
This weblogic.policy example is for a UNIX installation. For Microsoft Windows, change the slash (/) character between the directory names to two backslash characters (\\) in every java.io.FilePermission target; codeBase values are URLs and keep forward slashes.
Ensure that you change the multicast IP address 231.116.117.171 in this example to the multicast IP address of the Oracle Identity Manager installation. You can find the Oracle Identity Manager multicast IP address in the xlconfig.xml file.
The sample carries both Windows (D:${/}wl_cluster${/}bea${/}weblogic81) and UNIX (${/}opt${/}bea${/}weblogic81) WebLogic sample grants. Keep the ones that match your installation paths; a codeBase that matches no file on disk grants nothing, so the others are harmless but are best removed.
```
// *******************************************
// Default WebLogic Permissions
// *******************************************
//
// To use this file you must turn on the Java security manager by
// defining java.security.manager and setting the java.security.policy
// property to point to the security policy which should be in the lib
// directory.
// For example:
// java -Djava.security.manager
//      -Djava.security.policy==${/}opt${/}bea${/}weblogic81/server/lib/weblogic.policy
//      weblogic.Server
//
// You can edit this file and change the permissions for your
// applications or update the codeBase line to point to where your
// server is installed.
//
// You should grant all permissions to classes in
// .internal, and .wlnotdelete folders located in your server directory.
// You can set
//   -Duser.domain=<user domain folder>
//   -Dweblogic.Name=<server name>
// command-line properties and use them in your policy file.
// For example, the basic grant statements for servers in a user
// domain would be:
// grant codeBase "file:${user.domain}/${weblogic.Name}/.internal/-" {
//   permission java.security.AllPermission;
// };
// grant codeBase "file:${user.domain}/${weblogic.Name}/.wlnotdelete/-"
// {
//   permission java.security.AllPermission;
// };
//
// The codeBase location must be a URL, not a file path,
// so Windows users beware of backslashes.
//
//
grant codeBase "file:D:${/}wl_cluster${/}bea${/}weblogic81/server/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:D:${/}wl_cluster${/}bea${/}weblogic81/server/ext/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:D:${/}wl_cluster${/}bea${/}weblogic81/samples/server/eval/pointbase/lib/-" {
  permission java.security.AllPermission;
};
// For the petstore demo
grant codeBase "file:D:${/}wl_cluster${/}bea${/}weblogic81/samples/server/config/petstore/petstoreServer/.internal/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:D:${/}wl_cluster${/}bea${/}weblogic81/samples/server/config/petstore/petstoreServer/.wlnotdelete/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:D:${/}wl_cluster${/}bea${/}weblogic81/samples/server/config/petstore/-" {
  permission java.util.PropertyPermission "*", "read";
};
// For the examples
grant codeBase "file:D:${/}wl_cluster${/}bea${/}weblogic81/samples/server/config/examples/examplesServer/.internal/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:D:${/}wl_cluster${/}bea${/}weblogic81/samples/server/config/examples/examplesServer/.wlnotdelete/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:D:${/}wl_cluster${/}bea${/}weblogic81/samples/server/config/examples/examplesServer/stage/-" {
  permission java.util.PropertyPermission "*", "read";
  permission java.io.FilePermission "D:${/}wl_cluster${/}bea${/}weblogic81${/}samples${/}server${/}config${/}examples${/}examplesServer${/}ldap", "read,write";
};
grant codeBase "file:D:${/}wl_cluster${/}bea${/}weblogic81/samples/server/stage/examples/-" {
  permission java.io.FilePermission "D:${/}wl_cluster${/}bea${/}weblogic81${/}samples${/}server${/}src${/}examples${/}-", "read";
  permission java.io.FilePermission "D:${/}wl_cluster${/}bea${/}weblogic81${/}samples${/}server${/}config${/}examples${/}examplesServer${/}ldap", "read,write";
};
// For the workshop
grant codeBase "file:D:${/}wl_cluster${/}bea${/}weblogic81/samples/workshop/-" {
  permission java.security.AllPermission;
};
// These are for the three app types
// EJB default permissions
grant codebase "file:/weblogic/application/defaults/EJB" {
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};
// Web App default permissions
grant codebase "file:/weblogic/application/defaults/Web" {
  permission java.lang.RuntimePermission "loadLibrary";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.io.FilePermission "WEBLOGIC-APPLICATION-ROOT${/}-", "read,write";
  permission java.util.PropertyPermission "*", "read";
};
// Connector default permissions
grant codebase "file:/weblogic/application/defaults/Connector" {
  permission java.net.SocketPermission "*", "connect";
  permission java.io.FilePermission "WEBLOGIC-APPLICATION-ROOT${/}-", "read,write";
  permission java.util.PropertyPermission "*", "read";
};
// Standard extensions get all permissions by default
grant codeBase "file:${java.home}/lib/ext/-" {
  permission java.security.AllPermission;
};
// default permissions granted to all domains
grant {
  // "standard" properties that can be read by anyone
  permission java.util.PropertyPermission "java.version", "read";
  permission java.util.PropertyPermission "java.vendor", "read";
  permission java.util.PropertyPermission "java.vendor.url", "read";
  permission java.util.PropertyPermission "java.class.version", "read";
  permission java.util.PropertyPermission "os.name", "read";
  permission java.util.PropertyPermission "os.version", "read";
  permission java.util.PropertyPermission "os.arch", "read";
  permission java.util.PropertyPermission "file.separator", "read";
  permission java.util.PropertyPermission "path.separator", "read";
  permission java.util.PropertyPermission "line.separator", "read";
  permission java.util.PropertyPermission "java.specification.version", "read";
  permission java.util.PropertyPermission "java.specification.vendor", "read";
  permission java.util.PropertyPermission "java.specification.name", "read";
  permission java.util.PropertyPermission "java.vm.specification.version", "read";
  permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
  permission java.util.PropertyPermission "java.vm.specification.name", "read";
  permission java.util.PropertyPermission "java.vm.version", "read";
  permission java.util.PropertyPermission "java.vm.vendor", "read";
  permission java.util.PropertyPermission "java.vm.name", "read";
};
grant codeBase "file:${/}opt${/}bea${/}weblogic81/samples/server/eval/pointbase/lib/-" {
  permission java.security.AllPermission;
};
// For the petstore demo
grant codeBase "file:${/}opt${/}bea${/}weblogic81/samples/server/config/petstore/petstoreServer/.internal/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${/}opt${/}bea${/}weblogic81/samples/server/config/petstore/petstoreServer/.wlnotdelete/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${/}opt${/}bea${/}weblogic81/samples/server/config/petstore/-" {
  permission java.util.PropertyPermission "*", "read";
};
// For the examples
grant codeBase "file:${/}opt${/}bea${/}weblogic81/samples/server/config/examples/examplesServer/.internal/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${/}opt${/}bea${/}weblogic81/samples/server/config/examples/examplesServer/.wlnotdelete/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${/}opt${/}bea${/}weblogic81/samples/server/config/examples/examplesServer/stage/-" {
  permission java.util.PropertyPermission "*", "read";
  permission java.io.FilePermission "${/}opt${/}bea${/}weblogic81${/}samples${/}server${/}config${/}examples${/}examplesServer${/}ldap", "read,write";
};
grant codeBase "file:${/}opt${/}bea${/}weblogic81/samples/server/stage/examples/-" {
  permission java.io.FilePermission "${/}opt${/}bea${/}weblogic81${/}samples${/}server${/}src${/}examples${/}-", "read";
  permission java.io.FilePermission "${/}opt${/}bea${/}weblogic81${/}samples${/}server${/}config${/}examples${/}examplesServer${/}ldap", "read,write";
};
// For the workshop
grant codeBase "file:${/}opt${/}bea${/}weblogic81/samples/workshop/-" {
  permission java.security.AllPermission;
};
// These are for the three app types
// EJB default permissions
grant codebase "file:/weblogic/application/defaults/EJB" {
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.util.PropertyPermission "*", "read";
};
// Web App default permissions
grant codebase "file:/weblogic/application/defaults/Web" {
  permission java.lang.RuntimePermission "loadLibrary";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.io.FilePermission "WEBLOGIC-APPLICATION-ROOT${/}-", "read,write";
  permission java.util.PropertyPermission "*", "read";
};
// Connector default permissions
grant codebase "file:/weblogic/application/defaults/Connector" {
  permission java.net.SocketPermission "*", "connect";
  permission java.io.FilePermission "WEBLOGIC-APPLICATION-ROOT${/}-", "read,write";
  permission java.util.PropertyPermission "*", "read";
};
// Standard extensions get all permissions by default
grant codeBase "file:${java.home}/lib/ext/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/jre/lib/-" {
  permission java.security.AllPermission;
};
grant codebase "file:${oim.domain}/${server.name}/.internal/-" {
  permission java.security.AllPermission;
};
// *******************************************
// Default WebLogic Permissions end
// *******************************************
// *******************************************
// From here, OIM application permission starts
// *******************************************
// OIM codebase permissions
grant codeBase "file:${oim.domain}/XLApplications/WLXellerateFull.ear/-" {
  // File permissions
  // Need read,write,delete permissions on $OIM_HOME/config folder
  // to read various config files, write the
  // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
  // the last xlconfig.xml if the numbers go above 9.
  permission java.io.FilePermission "${XL.HomeDir}/config/-", "read, write, delete";
  permission java.io.FilePermission "${XL.HomeDir}/-", "read";
  // Need read,write,delete permissions to generate adapter java
  // code, delete the .class file when the adapter is loaded into
  // the database
  permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
  // This is required by the connectors and connector installer
  permission java.io.FilePermission "${XL.HomeDir}/ConnectorDefaultDirectory/-", "read,write,delete";
  permission java.io.FilePermission "${XL.HomeDir}/connectorResources/-", "read,write,delete";
  // Read Globalization resource bundle files for various
  // locales
  permission java.io.FilePermission "${XL.HomeDir}/customResources/-", "read";
  // Read code from "JavaTasks", "ScheduleTask",
  // "ThirdParty", "EventHandlers" folder
  permission java.io.FilePermission "${XL.HomeDir}/EventHandlers/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";
  // Required by the Generic Technology connector
  permission java.io.FilePermission "${XL.HomeDir}/GTC/-", "read";
  // OIM server codebase requires read permissions on the
  // deploy directory, the .wlnotdelete directory, the
  // "applications" folder, the "XLApplications" folder
  // and the WebLogic server lib directory
  // All these permissions are specific to the weblogic server.
  permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read";
  permission java.io.FilePermission "${oim.domain}/${server.name}/.wlnotdelete/-", "read,write,delete";
  permission java.io.FilePermission "${oim.domain}/applications/-", "read";
  permission java.io.FilePermission "${oim.domain}/XLApplications/-", "read";
  permission java.io.FilePermission "http:${/}-", "read";
  permission java.io.FilePermission ".${/}http:${/}-", "read";
  permission java.io.FilePermission "${bea.home}/weblogic81/server/lib/-", "read";
  permission java.io.FilePermission "${oim.domain}/${server.name}/ldap/ldapfiles/-", "read,write";
  permission java.io.FilePermission "${oim.domain}/${server.name}/-", "read,write,delete";
  // OIM server codebase requires read permissions on the
  // $JAVA_HOME/lib directory
  permission java.io.FilePermission "${java.home}/lib/-", "read";
  // OIM server invokes the java compiler. You need "execute"
  // permissions on all files.
  permission java.io.FilePermission "<<ALL FILES>>", "execute";
  // Socket permissions
  // Basically, all permissions are allowed on non-privileged sockets
  // The multicast address should be the same as the one in
  // xlconfig.xml for javagroups communication
  permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";
  permission java.net.SocketPermission "231.116.117.171", "connect,accept,resolve";
  // Property permissions
  // Read and write OIM properties
  // Read XL.*, java.* and log4j.* properties
  permission java.util.PropertyPermission "XL.HomeDir", "read";
  permission java.util.PropertyPermission "XL.*", "read";
  permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
  permission java.util.PropertyPermission "log4j.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";
  permission java.util.PropertyPermission "weblogic.xml.debug", "read";
  permission java.util.PropertyPermission "file.encoding", "read";
  permission java.util.PropertyPermission "java.class.path", "read";
```
permission java.util.PropertyPermission "java.ext.dirs", "read"; permission java.util.PropertyPermission "java.library.path", "read"; permission java.util.PropertyPermission "sun.boot.class.path", "read"; permission java.util.PropertyPermission "weblogic.*", "read"; // Run time permissions // OIM server needs permissions to create its own class loader, // get the class loader, modify threads and register shutdown // hooks permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; permission java.lang.RuntimePermission "setFactory"; permission java.lang.RuntimePermission "modifyThread"; permission java.lang.RuntimePermission "modifyThreadGroup"; permission java.lang.RuntimePermission "shutdownHooks"; // OIM server needs run time permissions to generate and load // classes in the following specified packages. Also access the // declared members of a class. // weblogic.kernelPermission is required by weblogic permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents"; permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators"; permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue"; permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "weblogic.kernelPermission"; permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.c"; permission java.lang.RuntimePermission "accessClassInPackage.sun.io"; permission java.lang.RuntimePermission "accessClassInPackage.sun.security.provider"; permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action"; // Reflection permissions // Give permissions to access and invoke fields/methods from // reflected classes. 
permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; // Security permissions for OIM server permission java.security.SecurityPermission "*"; permission java.security.SecurityPermission "insertProvider.SunJCE"; permission java.security.SecurityPermission "insertProvider.SUN"; permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "doPrivileged"; permission javax.security.auth.AuthPermission "getSubject"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; permission javax.security.auth.AuthPermission "getLoginConfiguration"; permission javax.security.auth.AuthPermission "setLoginConfiguration"; permission java.security.SecurityPermission "getProperty.policy.allowSystemProperty"; permission java.security.SecurityPermission "getProperty.login.config.url.1"; permission javax.security.auth.AuthPermission "refreshLoginConfiguration"; // SSL permission (for remote manager) permission javax.net.ssl.SSLPermission "getSSLSessionContext"; // Serializable permissions permission java.io.SerializablePermission "enableSubstitution"; }; // You must give the codebase in xlWebApp.war/WEB-INF/classes // the following permissions grant codeBase "file:${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/WEB-INF/classes/-" { permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/cabo/styles/-", "read,write"; permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/cabo/images/-", "read,write"; }; // nexaweb-common.jar from WebLogic server/lib is given AllPermissions // These classes in this jar can be loaded by WebLogic's classloader grant codeBase "file:${bea.home}/weblogic81/server/lib/nexaweb-common.jar" { permission java.security.AllPermission; }; // Permissions for nexaweb-common.jar from OIM_HOME/ext grant codeBase 
"file:${XL.HomeDir}/ext/nexaweb-common.jar" { permission java.security.AllPermission; }; // Permissions for xlCrypto.jar from $OIM_HOME/lib grant codeBase "file:${XL.HomeDir}/lib/xlCrypto.jar" { permission java.security.SecurityPermission "insertProvider.SunJCE"; permission java.security.SecurityPermission "insertProvider.SUN"; }; // Permissions for xlUtils.jar from $OIM_HOME/lib grant codeBase "file:${XL.HomeDir}/lib/xlUtils.jar" { permission java.io.FilePermission "${bea.home}/weblogic81/server/lib/-", "read"; permission java.io.FilePermission "${java.home}/jre/lib/-", "read"; // Serializable permissions permission java.io.SerializablePermission "enableSubstitution"; }; // Permissions for log4j-1.2.8.jar from $OIM_HOME/ext grant codeBase "file:${XL.HomeDir}/ext/log4j-1.2.8.jar" { permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/xlVO.jar", "read"; }; // Permissions for xlLogger.jar from $OIM_HOME/lib // The Filewatchdog class from this jar file must periodically scan // these directories for updated/new jar files. 
// We also scan the classes in xlAdapterUtilities.jar by default grant codeBase "file:${XL.HomeDir}/lib/xlLogger.jar" { permission java.io.FilePermission "${XL.HomeDir}/EventHandlers", "read"; permission java.io.FilePermission "${XL.HomeDir}/JavaTasks", "read"; permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask", "read"; permission java.io.FilePermission "${XL.HomeDir}/ThirdParty", "read"; permission java.io.FilePermission "${XL.HomeDir}/EventHandlers/-", "read"; permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read"; permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask/-", "read"; permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read"; permission java.io.FilePermission "${XL.HomeDir}/lib/xlAdapterUtilities.jar", "read"; }; // Permissions for .wlnotdelete folder grant codeBase "file:${oim.domain}/${server.name}/.wlnotdelete/-" { permission java.security.AllPermission; }; // Nexaweb server codebase permissions grant codeBase "file:${oim.domain}/XLApplications/WLNexaweb.ear/-" { // File permissions permission java.io.FilePermission "${user.home}", "read, write"; permission java.io.FilePermission "${oim.domain}/XLApplications/WLNexaweb.ear/-", "read"; permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read"; permission java.io.FilePermission "${bea.home}/weblogic81/server/lib/-", "read"; permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete"; permission java.io.FilePermission "<<ALL FILES>>", "execute"; // Property permissions permission java.util.PropertyPermission "weblogic.xml.debug", "read"; permission java.util.PropertyPermission "user.dir", "read"; permission java.util.PropertyPermission "*", "read,write"; // Run time permissions permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; permission java.lang.RuntimePermission 
"setFactory"; // Nexaweb server security permissions to load the Cryptix // extension permission java.security.SecurityPermission "insertProvider.Cryptix"; permission java.lang.RuntimePermission "weblogic.kernelPermission"; permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.c"; // Socket permissions // Permissions on all non-privileged ports. permission java.net.SocketPermission "*:1024-", "listen, connect, resolve"; // Security permissions permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; }; // The following are permissions given to codebase in the OIM server // directory grant codeBase "file:${XL.HomeDir}/-" { // File permissions permission java.io.FilePermission "${XL.HomeDir}/config/-", "read"; permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read"; permission java.io.FilePermission "${XL.HomeDir}/ScheduleTasks/-", "read"; permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read"; permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete"; // Socket permissions permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept"; // Property permissions permission java.util.PropertyPermission "XL.HomeDir", "read"; permission java.util.PropertyPermission "XL.ConfigAutoReload", "read"; permission java.util.PropertyPermission "XL.*", "read"; permission java.util.PropertyPermission "log4j.*", "read"; permission java.util.PropertyPermission "user.dir", "read"; permission java.util.PropertyPermission "weblogic.xml.debug", "read"; // Security permissions permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; // Run time Permissions permission java.lang.RuntimePermission 
"accessClassInPackage.sun.security.provider"; }; // Minimal permissions are allowed to everyone else grant { // "standard" properties that can be read by anyone // Socket permissions permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept"; //Change the following IP address to the same value as that of //your WebLogic cluster multicast IP address permission java.net.SocketPermission "237.0.0.1", "connect,accept,resolve"; //Change the following IP address to the same value as that of //the multicast address in the xlConfig.xml file permission java.net.SocketPermission "231.116.117.171", "connect,accept,resolve"; permission java.lang.RuntimePermission "accessClassInPackage.*"; permission java.security.SecurityPermission "getPolicy"; permission java.security.SecurityPermission "setPolicy"; permission java.lang.RuntimePermission "createSecurityManager"; permission java.lang.RuntimePermission "setSecurityManager"; permission java.security.SecurityPermission "getProperty.*"; permission java.security.SecurityPermission "setProperty.*"; permission javax.security.auth.AuthPermission "createLoginContext.*"; permission java.lang.RuntimePermission "shutdownHooks"; permission java.io.SerializablePermission "enableSubstitution"; permission javax.security.auth.AuthPermission "refreshLoginConfiguration"; permission java.util.logging.LoggingPermission "control"; permission java.security.SecurityPermission "insertProvider.SunJCE"; permission java.security.SecurityPermission "insertProvider.SUN"; permission java.util.PropertyPermission "java.version", "read"; permission java.util.PropertyPermission "java.vendor", "read"; permission java.util.PropertyPermission "java.vendor.url", "read"; permission java.util.PropertyPermission "java.class.version", "read"; permission java.util.PropertyPermission "os.name", "read"; permission java.util.PropertyPermission "os.version", "read"; permission java.util.PropertyPermission "os.arch", "read"; permission 
java.util.PropertyPermission "file.separator", "read"; permission java.util.PropertyPermission "path.separator", "read"; permission java.util.PropertyPermission "line.separator", "read"; permission java.util.PropertyPermission "java.specification.version", "read"; permission java.util.PropertyPermission "java.specification.vendor", "read"; permission java.util.PropertyPermission "java.specification.name", "read"; permission java.util.PropertyPermission "java.vm.specification.version", "read"; permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; permission java.util.PropertyPermission "java.vm.specification.name", "read"; permission java.util.PropertyPermission "java.vm.version", "read"; permission java.util.PropertyPermission "java.vm.vendor", "read"; permission java.util.PropertyPermission "java.vm.name", "read"; permission java.util.PropertyPermission "sun.boot.class.path", "read"; permission java.util.PropertyPermission "weblogic.xml.debug", "read"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.util.PropertyPermission "XL.*", "read"; permission java.util.PropertyPermission "user.dir", "read"; permission java.util.PropertyPermission "*", "read,write"; permission java.lang.RuntimePermission "weblogic.kernelPermission"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; permission java.util.PropertyPermission "nexaweb.logs", "read,write"; permission java.util.PropertyPermission "sun.net.client.defaultConnectTimeout", "read,write"; permission java.io.FilePermission "${oim.domain}/XLApplications/WLNexaweb.ear/-", "read"; permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read"; permission java.io.FilePermission "${bea.home}/weblogic81/server/lib/weblogic.jar", "read"; 
permission java.io.FilePermission "${oim.domain}/${server.name}/.wlnotdelete/-", "read"; permission java.io.FilePermission "${nexaweb.home}/-", "read"; permission java.lang.RuntimePermission "loadLibrary.*"; permission java.lang.RuntimePermission "queuePrintJob"; permission java.net.SocketPermission "*", "connect"; permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute"; permission java.lang.RuntimePermission "modifyThreadGroup"; permission java.lang.RuntimePermission "accessClassInPackage.sun.io"; permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete"; };
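The policy above is long enough that a syntax slip or an over-broad grant is easy to miss, and a grant with no codeBase (the final `grant { ... }` block) applies to every class the JVM loads, in addition to whatever the codeBase-specific entries give. The following Python script is an added example, not part of the Oracle guide and not a tool that OIM or WebLogic ships: it parses the same grant/permission syntax used above and lists the entries a reviewer should weigh before enabling `-Djava.security.manager`. Run over the policy text above it would report each `java.security.AllPermission` grant and, in the catch-all block, `<<ALL FILES>>` with `read,write,execute`, `setSecurityManager`, `setPolicy` and `PropertyPermission "*", "read,write"`. The policy text embedded in the script is a constructed excerpt that mirrors that layout; the class and function names are the example's own.

```python
"""Audit a Java 2 policy file for grants that step outside the sandbox.

Added example (not from the Oracle guide or the weblogic.policy it ships).
It parses the grant/permission syntax shown above and reports the entries a
reviewer should look at before turning on -Djava.security.manager.
"""
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Permission:
    cls: str                   # e.g. java.io.FilePermission
    target: Optional[str]      # first quoted argument; None for AllPermission
    actions: Optional[str]     # second quoted argument, e.g. "read,write"


@dataclass
class Grant:
    codebase: Optional[str]    # None for the catch-all "grant { ... }" block
    permissions: List[Permission] = field(default_factory=list)


@dataclass
class Finding:
    scope: str
    permission: str
    why: str


def _tokenize(text: str) -> List[Tuple[str, str]]:
    """Split policy text into ("str"|"word"|"punct", value) tokens.

    Quoted strings are kept whole, so the ${/} and ${XL.HomeDir} expansions
    inside them are never mistaken for block braces; // comments are dropped.
    An unterminated quote raises ValueError, which is itself a policy syntax error.
    """
    toks, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif text.startswith("//", i):
            end = text.find("\n", i)
            i = n if end < 0 else end
        elif c == '"':
            end = text.index('"', i + 1)
            toks.append(("str", text[i + 1:end]))
            i = end + 1
        elif c in "{};,":
            toks.append(("punct", c))
            i += 1
        else:
            end = i
            while end < n and not text[end].isspace() and text[end] not in '"{};,':
                end += 1
            toks.append(("word", text[i:end]))
            i = end
    return toks


def parse_policy(text: str) -> List[Grant]:
    """Return every grant block, in file order, with its permission entries."""
    toks, grants, i = _tokenize(text), [], 0
    while i < len(toks):
        if toks[i] != ("word", "grant"):
            i += 1
            continue
        codebase, i = None, i + 1
        while toks[i] != ("punct", "{"):          # header: codeBase "..." (keyword is case-insensitive)
            if toks[i][0] == "word" and toks[i][1].lower() == "codebase":
                codebase = toks[i + 1][1]
            i += 1
        grant, i = Grant(codebase), i + 1
        while toks[i] != ("punct", "}"):          # body: permission <class> ["target" [, "actions"]];
            if toks[i] == ("word", "permission"):
                cls, i, args = toks[i + 1][1], i + 2, []
                while toks[i] != ("punct", ";"):
                    if toks[i][0] == "str":
                        args.append(toks[i][1])
                    i += 1
                grant.permissions.append(Permission(cls, args[0] if args else None,
                                                    args[1] if len(args) > 1 else None))
            i += 1
        grants.append(grant)
    return grants


def audit(grants: List[Grant]) -> List[Finding]:
    """Flag permissions that let code escape or switch off the sandbox."""
    findings = []
    for g in grants:
        scope = g.codebase if g.codebase is not None else "<all code: grant with no codeBase>"
        for p in g.permissions:
            acts = {a.strip() for a in (p.actions or "").split(",")}
            why = None
            if p.cls == "java.security.AllPermission":
                why = "AllPermission: the security manager imposes no limits on this codebase"
            elif p.cls == "java.io.FilePermission" and p.target == "<<ALL FILES>>" and acts & {"write", "delete", "execute"}:
                why = f"<<ALL FILES>> with {p.actions}: any file on the host can be changed or run"
            elif p.cls == "java.lang.RuntimePermission" and p.target == "setSecurityManager":
                why = "setSecurityManager: code may replace or remove the security manager"
            elif p.cls == "java.security.SecurityPermission" and p.target in ("setPolicy", "*"):
                why = f"SecurityPermission {p.target}: code may install its own Policy"
            elif p.cls == "java.util.PropertyPermission" and p.target == "*" and "write" in acts:
                why = "write access to every system property"
            if why:
                findings.append(Finding(scope, f"{p.cls} {p.target or ''}".strip(), why))
    return findings


# Constructed excerpt modelled on the weblogic.policy layout above (not the real file).
SAMPLE_POLICY = r'''
grant codeBase "file:${/}opt${/}bea${/}weblogic81/samples/workshop/-" {
  permission java.security.AllPermission;
};
// Narrow grant, nothing to flag
grant codeBase "file:${XL.HomeDir}/lib/xlCrypto.jar" {
  permission java.security.SecurityPermission "insertProvider.SunJCE";
  permission java.security.SecurityPermission "insertProvider.SUN";
};
// Catch-all block: applies to every class, on top of the entries above
grant {
  permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";
  permission java.security.SecurityPermission "setPolicy";
  permission java.lang.RuntimePermission "setSecurityManager";
  permission java.util.PropertyPermission "*", "read,write";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute";
};
'''

if __name__ == "__main__":
    # Usage: python policy_audit.py [path/to/weblogic.policy]; defaults to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for f in audit(parse_policy(text)):
        print(f"{f.scope}\n    {f.permission}\n    {f.why}")
```

Point the script at the real file (`python policy_audit.py $WL_HOME/server/lib/weblogic.policy`) after editing it; a `ValueError` from the tokenizer means an unterminated string, which is the kind of edit the note at the top of this section warns will keep the server from starting. The rules in `audit` are a starting set; extend them with whatever your deployment treats as sensitive.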