Use the PolicyTool utility to update policy files.
Before you begin
Java™ 2 security uses several policy files to determine the granted permission for each Java program. The Java Development Kit provides the PolicyTool tool to edit these policy files. This tool is recommended for editing any policy file to verify the syntax of its contents. Syntax errors in the policy file cause an AccessControlException exception when the application runs, including the server start. Identifying the cause of this exception is not easy because the user might not be familiar with the resource that has an access violation. Be careful when you edit these policy files.
See Java 2 security policy files for the list of available policy files.
[z/OS] To use the PolicyTool utility with WebSphere® Application Server for z/OS®, choose one of the following two options:
- Copy the policy files to another platform such as Microsoft Windows and
modify the files. To use this option, you must issue the FTP command
to transfer the files to the other platform, invoke the PolicyTool,
and transfer the updated files back to the z/OS system in binary mode.
- Invoke the PolicyTool that is supplied with the Software
Development Kit (SDK) installed on your z/OS system.
You must install either the client or plug-ins component of WebSphere Application Server on a workstation in order to access the PolicyTool. It is not currently supported on the iSeries server.
Procedure
Invoke the PolicyTool that is supplied with the Software Development Kit (SDK) installed on your z/OS system.
- Export the display to an Xwindows-enabled device. For example, in Open MVS™ (OMVS), type export DISPLAY=<IP_address_of_the_Xwindows_device>:0.0
- Enable the z/OS system to access the display of the Xwindows-enabled device. For example, on AIX® systems, type xhost + address_of_the_MVS_system.
- Convert the policy file to the Extended Binary Coded
Decimal Interchange Code (EBCDIC) format.
- Invoke the PolicyTool on OMVS by typing $JAVA_HOME/policytool. The JAVA_HOME variable represents the directory in which
the SDK is installed.
Map a drive to the operating system
to navigate the directory tree to the policy file.
[AIX Solaris HP-UX Linux Windows] Start the PolicyTool.
[Windows] For example, you can enter the following command at a Windows command prompt:
%{was.install.root}/java/jre/bin/policytool
The PolicyTool window opens. The tool looks
for the java.policy file in your home directory. If it does
not exist, an error message displays.
Click OK.
- Click File > Open.
- Navigate the directory tree in the Open window to
pick up the policy file that you need to update. After
selecting the policy file, click Open. The code base entries
are listed in the window.
- Create or modify the code base entry.
- Modify the existing code base entry by double-clicking
the code base, or click the code base and click Edit Policy Entry. The Policy Entry window opens with the permission list defined
for the selected code base.
- Create a new code base entry by clicking Add Policy
Entry.
The Policy Entry window opens. In the code base column, enter the code base information in URL format.
[AIX Solaris HP-UX Linux Windows] [z/OS] For example, you can enter:
app_server_root/InstalledApps/testcase.ear
where the app_server_root variable represents your installation location.
[IBM i] For example, you can enter:
profile_root/InstalledApps/testcase.ear
- Modify or add the permission specification.
- Modify the permission specification by double-clicking
the entry that you want to modify, or by selecting the permission
and clicking Edit Permission. The Permissions window
opens with the selected permission information.
- Add a new permission by clicking Add Permission. The Permissions window opens. In the Permissions window are
four rows for Permission, Target Name, Actions, and Signed By.
- Select the permission from the Permission list. The selected
permission displays. After a permission is selected, the Target Name,
Actions, and Signed By fields automatically show the valid choices
or they enable text input in the text input area.
- Select Target Name from the list, or enter the
target name in the text input area.
- Select Actions from the list.
- Input Signed By if it is needed.
Important: The Signed By keyword is not supported in the following policy files: app.policy, spi.policy, library.policy, was.policy, and filter.policy files. However, the Signed By keyword is supported in the following policy files: java.policy, server.policy, and client.policy files. The Java Authentication and Authorization Service (JAAS) is not supported in the app.policy, spi.policy, library.policy, was.policy, and filter.policy files. However, the JAAS principal keyword is supported in a JAAS policy file when it is specified by the java.security.auth.policy Java virtual machine (JVM) system property.
- Click OK to close the Permissions window. Modified
permission entries of the specified code base display.
- Click Done to close the window. Modified code base
entries are listed. Repeat the previous steps until you complete editing.
- Click File > Save after you finish editing
the file.
Convert the
policy file back from the EBCDIC format to the ASCII format.
Results
A policy file is updated. If any policy files need editing, use the PolicyTool utility. Do not edit the policy file manually. Syntax errors in the policy files can cause application servers or enterprise applications to fail to start or to function incorrectly. For the changes in the updated policy file to take effect, restart the Java processes.
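
A check for the keyword restrictions in the Important note above, written here as an added Python example; it is not IBM's code and not part of the original page. It flags signedBy and principal keywords in the five policy files where the note says they are not supported. The function name and the sample policy text are constructed for illustration, and reading the JAAS restriction as the principal keyword in a grant header is an assumption.

```python
import re
from pathlib import PurePath

# Files in which the note says Signed By and JAAS are not supported.
RESTRICTED = {"app.policy", "spi.policy", "library.policy",
              "was.policy", "filter.policy"}

# Strings and comments are matched first, so "//" inside a codeBase URL
# or a target name containing "signedBy" is never read as a keyword.
TOKEN = re.compile(r'''
    (?P<string>"(?:\\.|[^"\\])*")
  | (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<word>[A-Za-z_][\w.$]*)
  | (?P<other>.)
''', re.S | re.X)

def unsupported_keywords(filename, text):
    """Return [(line, keyword)] for keywords the named file does not support."""
    if PurePath(filename).name not in RESTRICTED:
        return []
    findings, in_body = [], False      # in_body: inside a grant's { ... }
    for m in TOKEN.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        if m.lastgroup == "other":
            if m.group() in "{}":
                in_body = m.group() == "{"
        elif m.lastgroup == "word":
            kw = m.group().lower()     # policy keywords are case-insensitive
            if kw == "signedby":
                findings.append((line, "signedBy"))
            elif kw == "principal" and not in_body:
                findings.append((line, "principal"))
    return findings

# Constructed sample policy text, not taken from a real installation.
SAMPLE = '''// constructed sample; signedBy in a comment is ignored
grant SignedBy "devkey", codeBase "file://host/InstalledApps/testcase.ear" {
  permission java.io.FilePermission "/tmp/signedBy.txt", "read";
  permission java.util.PropertyPermission "user.dir", "read", signedBy "devkey";
};
grant principal com.example.UserPrincipal "alice" {
  permission java.lang.RuntimePermission "getClassLoader";
};
'''

if __name__ == "__main__":
    for line, kw in unsupported_keywords("was.policy", SAMPLE):
        print(f"was.policy:{line}: {kw} is not supported in this file")
```

The same text checked under the name server.policy returns no findings, because the note lists that file among those where Signed By is supported.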