With Version 4.0 FixPak 2, WebSphere Application Server provides the Java 2 Security Manager configuration option. At this time, the option only protects resources accessed using java.net.NetPermission or java.net.SocketPermission.
This file covers the following:
To run applications with Java 2 Security Manager enabled, all WebSphere code must be granted java.security.AllPermission. Also, you must grant the following permissions to all applications (the following list is incomplete):
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "setIO";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "stopThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "readFileDescriptor";
permission java.lang.RuntimePermission "writeFileDescriptor";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.lang.RuntimePermission "defineClassInPackage.*";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
permission java.util.PropertyPermission "*", "read,write";
Further, for all installed enterprise applications, you must grant the following permission:
permission java.net.SocketPermission "*", "connect";
To better understand the settings required, look at the sample file java.policy in the properties subdirectory of the WebSphere installation root directory. For information on granting permissions, refer to the JDK documentation available at http://www.sun.com/.
To enable Java 2 Security policy checking, define the following system properties:
For information on system properties, refer to the InfoCenter article "6.6.36.0: JVM properties."
The WebSphere Java 2 Security Manager implementation enforces the policies below. You cannot alter the policies.
For a resource adapter to work properly with Java 2 Security Manager, you must add the permissions it requires to the java.policy file. The adapter's ra.xml deployment descriptor declares those permissions in its security-permission elements. (A sample ra.xml file is shown at the end of this article.) To add the required permissions, do the following:
jar -xvf cicseci.rar META-INF/ra.xml
<security-permission>
  <security-permission-spec>
    grant { permission java.net.NetPermission "specifyStreamHandler"; };
  </security-permission-spec>
</security-permission>
...
<security-permission>
  <security-permission-spec>
    grant { permission java.net.SocketPermission "*", "resolve"; };
  </security-permission-spec>
</security-permission>
Note that only two resource adapters, CICS ECI and CICS EPI, have been tested with the Java 2 Security Manager configuration option.
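The extract-and-merge step above, scripted as an added example (not IBM's tooling): it pulls every grant block out of an ra.xml, renders them as a single java.policy grant scoped to a codeBase rather than the unscoped grant shown earlier, and lists the wildcard-target entries an administrator should question before granting them. The ra.xml excerpt and the code-base URL are constructed placeholders.

```python
"""Merge ra.xml <security-permission-spec> grants into one java.policy grant block."""
import re
import xml.etree.ElementTree as ET

# Constructed excerpt modelled on the CICS ECI ra.xml quoted on this page.
SAMPLE_RA_XML = """<connector><resourceadapter>
  <security-permission><security-permission-spec>
    grant { permission java.net.NetPermission "specifyStreamHandler"; };
  </security-permission-spec></security-permission>
  <security-permission><security-permission-spec>
    grant { permission java.net.SocketPermission "*", "resolve"; };
  </security-permission-spec></security-permission>
  <security-permission><security-permission-spec>
    grant { permission java.util.PropertyPermission "*", "read, write"; };
  </security-permission-spec></security-permission>
</resourceadapter></connector>"""

# One policy-file permission entry: class, quoted target, optional quoted actions.
PERM_RE = re.compile(r'permission\s+([\w.]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')

def extract_permissions(ra_xml):
    """Return (class, target, actions) tuples from every grant block."""
    root = ET.fromstring(ra_xml)
    perms = []
    for spec in root.iter("security-permission-spec"):
        perms.extend(PERM_RE.findall(spec.text or ""))
    return perms

def broad_permissions(perms):
    """Wildcard-target entries whose actions go beyond read/resolve."""
    harmless = {"read", "resolve"}
    return [p for p in perms
            if p[1] in ("*", "<<ALL FILES>>")
            and not {a.strip() for a in p[2].split(",") if a.strip()} <= harmless]

def to_policy_grant(perms, codebase):
    """Render one java.policy grant block scoped to the adapter's code base."""
    lines = ['grant codeBase "%s" {' % codebase]
    for cls, target, actions in sorted(set(perms)):
        entry = '  permission %s "%s"' % (cls, target)
        lines.append(entry + (', "%s";' % actions if actions else ";"))
    lines.append("};")
    return "\n".join(lines)

if __name__ == "__main__":
    found = extract_permissions(SAMPLE_RA_XML)
    # Placeholder code base; substitute the real location of cicseci.rar.
    print(to_policy_grant(found, "file:/PATH/TO/cicseci.rar"))
    print("review before granting:", broad_permissions(found))
```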
<!DOCTYPE connector PUBLIC "-//Sun Microsystems, Inc.//DTD Connector 1.0//EN" "http://java.sun.com/dtd/connector_1_0.dtd">
<connector>
  <display-name>ECIResourceAdapter</display-name>
  <description>CICS J2EE ECI Resource Adapter</description>
  <vendor-name>IBM</vendor-name>
  <spec-version>1.0 Proposed Final Draft #2</spec-version>
  <eis-type>CICS</eis-type>
  <version>4.0.0 Beta</version>
  <license>
    <description>This is a beta version of the code. Please refer to the terms and conditions in the IBM Joint Project Agreement you have signed.</description>
    <license-required>true</license-required>
  </license>
  <resourceadapter>
    <managedconnectionfactory-class>com.ibm.connector2.cics.ECIManagedConnectionFactory</managedconnectionfactory-class>
    <connectionfactory-interface>javax.resource.cci.ConnectionFactory</connectionfactory-interface>
    <connectionfactory-impl-class>com.ibm.connector2.cics.ECIConnectionFactory</connectionfactory-impl-class>
    <connection-interface>javax.resource.cci.Connection</connection-interface>
    <connection-impl-class>com.ibm.connector2.cics.ECIConnection</connection-impl-class>
    <transaction-support>XATransaction</transaction-support>
    <config-property>
      <description>The CICS Server as defined in the CICS Transaction Gateway</description>
      <config-property-name>ServerName</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <config-property>
      <description>The URL of the CICS Transaction Gateway</description>
      <config-property-name>ConnectionURL</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <config-property>
      <description>The port number the gateway is listening on</description>
      <config-property-name>PortNumber</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>2006</config-property-value>
    </config-property>
    <config-property>
      <description>A user name to access CICS resources</description>
      <config-property-name>UserName</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <config-property>
      <description>A password for the UserName</description>
      <config-property-name>Password</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <config-property>
      <description>(OPTIONAL) Fully qualified class implementing ClientSecurity for connections to the Gateway (use in conjunction with ServerSecurity)</description>
      <config-property-name>ClientSecurity</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <config-property>
      <description>(OPTIONAL) Fully qualified class implementing ServerSecurity for connections to the Gateway (use in conjunction with ClientSecurity)</description>
      <config-property-name>ServerSecurity</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <config-property>
      <description>Fully qualified class containing the SSL keyrings. Required only for the SSL protocol</description>
      <config-property-name>KeyRingClass</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <config-property>
      <description>The password for the KeyRing class</description>
      <config-property-name>KeyRingPassword</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <config-property>
      <description>The transaction name for programs to run under.</description>
      <config-property-name>TranName</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <config-property>
      <description>The TPN id for programs to run under. This takes precedence over TranName.</description>
      <config-property-name>TPNName</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value></config-property-value>
    </config-property>
    <config-property>
      <description>(OPTIONAL) The level of trace to be output to the server trace log. Range 0-3. 0=off, 1=exceptions, 2=1+entry/exit, 3=2+debug</description>
      <config-property-name>TraceLevel</config-property-name>
      <config-property-type>java.lang.Integer</config-property-type>
      <config-property-value>1</config-property-value>
    </config-property>
    <authentication-mechanism>
      <description>Only userid/password combinations allowed</description>
      <authentication-mechanism-type>BasicPassword</authentication-mechanism-type>
      <credential-interface>javax.resource.spi.security.PasswordCredential</credential-interface>
    </authentication-mechanism>
    <reauthentication-support>true</reauthentication-support>
    <security-permission>
      <security-permission-spec>
        grant { permission java.net.NetPermission "specifyStreamHandler"; };
      </security-permission-spec>
    </security-permission>
    <security-permission>
      <security-permission-spec>
        grant { permission java.net.SocketPermission "*", "resolve"; };
      </security-permission-spec>
    </security-permission>
    <security-permission>
      <security-permission-spec>
        grant { permission java.util.PropertyPermission "*", "read, write"; };
      </security-permission-spec>
    </security-permission>
    <security-permission>
      <security-permission-spec>
        grant { permission java.util.PropertyPermission "user.*", "read, write"; };
      </security-permission-spec>
    </security-permission>
    <security-permission>
      <security-permission-spec>
        grant { permission java.io.FilePermission "${user.home}${file.separator}ibm${file.separator}ctg${file.separator}-", "read,write,delete"; };
      </security-permission-spec>
    </security-permission>
    <security-permission>
      <security-permission-spec>
        grant { permission java.lang.RuntimePermission "loadLibrary.*"; };
      </security-permission-spec>
    </security-permission>
    <security-permission>
      <security-permission-spec>
        grant { permission java.lang.RuntimePermission "shutdownHooks"; };
      </security-permission-spec>
    </security-permission>
    <security-permission>
      <security-permission-spec>
        grant { permission java.lang.RuntimePermission "modifyThread"; };
      </security-permission-spec>
    </security-permission>
    <security-permission>
      <security-permission-spec>
        grant { permission java.lang.RuntimePermission "modifyThreadGroup"; };
      </security-permission-spec>
    </security-permission>
    <security-permission>
      <security-permission-spec>
        grant { permission java.lang.RuntimePermission "readFileDescriptor"; };
      </security-permission-spec>
    </security-permission>
    <security-permission>
      <security-permission-spec>
        grant { permission java.lang.RuntimePermission "writeFileDescriptor"; };
      </security-permission-spec>
    </security-permission>
    <security-permission>
      <security-permission-spec>
        grant { permission javax.security.auth.AuthPermission "modifyPublicCredentials"; };
      </security-permission-spec>
    </security-permission>
  </resourceadapter>
</connector>