Sun N1 Service Provisioning System 5.1 Installation Guide

Configuring the JVM Security Policy

Each N1 Service Provisioning System 5.1 application has a Java Virtual Machine (JVM) security policy file located in lib/security/rox.policy. This file specifies the permissions assigned to the application. As installed, the policy file allows the application to connect to and accept connections from any host. If you are using the CLI Client with SSH, change the policy file to restrict the connection to only the localhost.

The following line in the lib/security/rox.policy file grants these permissions.


permission java.net.SocketPermission "*", "connect,accept,listen";

If you want to restrict the network access abilities of the application, delete this line and add more restrictive permissions.

The host parameter for SocketPermission is as follows:


host = hostname|IPaddress :portrange

hostname is the host name of the machine. IPaddress is the IP address of the machine. portrange is the following:


portrange = portnumber | -portnumber | portnumber-[portnumber]  

For more information about the syntax for the security policy file, see http://java.sun.com/j2se/1.4.2/docs/guide/security/PolicyFiles.html and click on the Policy File Syntax link.

ProcedureHow to Configure the JVM Policy for the Master Server

Steps
  1. Edit the lib/security/rox.policy file.

  2. Delete the line that allows the application to connect to or accept connections from all hosts.

  3. Add the following lines to give the application permission selectively.


    permission java.net.SocketPermission "localhost:localport", "accept"; 
    permission java.net.SocketPermission "localhost:dbport", "connect"; 
    permission java.net.SocketPermission "<domain>:httpport", "connect"; 
    permission java.net.SocketPermission "ipAddress1:port1", "connect"; 
    permission java.net.SocketPermission "ipAddress2:port2", "connect"; ...  
    • localport is the port that the CLI Client uses to connect to the Master Server. The first line restricts the Master Server to allow CLI Clients to connect only locally or through ssh-proxy.

    • dbport is the port number for the Postgres database server.

    • domain is the domain of the hosts that are to be allowed to connect to the browser interface. httpport is the port number the browser interface.

    • ipAddress1:port1 and ipAddress2:port2 are the IP address and port numbers of the Remote Agents or Local Distributors that are connected directly to the Master Server.

ProcedureHow to Configure the JVM Policy for the Remote Agent

Steps
  1. Edit the lib/security/rox.policy file.

  2. Delete the line that allows the application to connect to or accept connections from all hosts.

  3. Add the following line to give the application permission.


    permission java.net.SocketPermission "ipAddress", "accept";

    ipAddress is the IP address of the Local Distributor or the Master Server to which this Remote Agent is connected.

Adding Permissions to Connect to a Host

If you plan to execute plans containing steps that require network access, such as urltest, you might want to add permissions for this Remote Agent to connect to a particular host.

ProcedureHow to Configure the JVM Policy for the Local Distributor

Steps
  1. Edit the lib/security/rox.policy file.

  2. Delete the line that allows the application to connect to or accept connections from all hosts.

  3. Add the following lines to give the application permission selectively.


    permission java.net.SocketPermission "ipAddress", "accept"; 
    permission java.net.SocketPermission "ipAddress1:port1", "connect"; 
    permission java.net.SocketPermission "ipAddress2:port2", "connect"; ...  
    • ipAddress is the IP address of the Local Distributor or Master Server that is the parent of this Local Distributor.

    • ipAddress1:port1 and ipAddress2:port2 are the IP address and port numbers of the Remote Agents or Local Distributors for which this Local Distributor is the parent.