How to identify which permissions to add under server.policy

When WebSphere runs with security enabled, you must grant permissions to the Java Agent so that the agent and the application server interact seamlessly.

 

Add the following snippet to the security policy file:

 

grant codeBase "file:*AGENT_DEPLOYMENT_DIRECTORY*/-"
{
    permission java.security.AllPermission;
};
 

The location of the security policy file is shown in the AppDynamics Agent logs, under JVM arguments:

  

-Djava.security.policy=...../security.policy

 

Alternatively, Unix users can use the ps command to find the command-line parameters for the JVM.

 

If the JVM argument is not provided, the application may be using a default Java policy file (java.policy). Add the previously mentioned snippet to this file. 

 

Examples where the snippet above is not sufficient and the permission named in the agent log must be added:

 

1. Agent logs show: java.security.AccessControlException: access denied ("java.io.FilePermission" "/xx/xx/xx/y.xml" "read") 

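grant codeBase "file:*AGENT_DEPLOYMENT_DIRECTORY*/-"
{
   permission java.security.AllPermission;

   // "*" covers files in the JVM's current directory; name the path from the log entry if it lies elsewhere
   permission java.io.FilePermission "*","read,write,execute";
};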
 
2. Agent logs show: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
 
grant codeBase "file:*AGENT_DEPLOYMENT_DIRECTORY*/-"
{
   permission java.security.AllPermission;
   permission java.lang.RuntimePermission "getClassLoader";
};
 
3. Agent logs show: java.security.AccessControlException: access denied ("javax.management.MBeanServerPermission" "findMBeanServer")
 
grant codeBase "file:*AGENT_DEPLOYMENT_DIRECTORY*/-"
{
   permission java.security.AllPermission;
   permission javax.management.MBeanServerPermission "findMBeanServer";
};
Note: Replace *AGENT_DEPLOYMENT_DIRECTORY* with the Agent home directory path. Do not omit the trailing "/-" at the end; it makes the grant apply to every file under that directory, including subdirectories.
 
Linux example: grant codeBase "file:/opt/appdynamics/appserveragent/-"
Windows example: grant codeBase "file:c:/appdynamics/appserveragent/-"
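
The three log messages above map directly onto policy entries. As an added example (not AppDynamics code), this Python sketch parses AccessControlException lines in both message styles shown above and emits a grant block naming exactly the denied permission, target and actions. The function names and sample log lines are constructed for illustration, and unquoted targets that contain spaces are not handled.

```python
import re

# Two message styles appear in the article's log excerpts:
#   access denied ("java.io.FilePermission" "/xx/xx/xx/y.xml" "read")
#   access denied (java.lang.RuntimePermission getClassLoader)
DENIED = re.compile(r'access denied \(((?:"[^"]*"\s*)+|[^()"]+)\)')
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def parse_denial(line):
    """Return (permission_class, target, actions) for a denial line, else None."""
    m = DENIED.search(line)
    if not m:
        return None
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(m.group(1))]
    tokens += [None] * (3 - len(tokens))   # target and actions are optional
    return tuple(tokens[:3])

def to_policy_entry(perm):
    """Render one permission line in policy-file syntax."""
    cls, target, actions = perm
    entry = f"permission {cls}"
    if target is not None:
        # Policy files treat backslash as an escape, so Windows paths need doubling.
        entry += ' "' + target.replace("\\", "\\\\") + '"'
    if actions:
        entry += f', "{actions}"'
    return entry + ";"

def grant_block(log_lines, code_base):
    """Build a grant block holding each distinct denied permission once."""
    perms = []
    for line in log_lines:
        perm = parse_denial(line)
        if perm and perm not in perms:
            perms.append(perm)
    body = "\n".join("    " + to_policy_entry(p) for p in perms)
    return f'grant codeBase "{code_base}"\n{{\n{body}\n}};'

# Constructed sample: the three messages quoted in the article, plus noise.
SAMPLE_LOG = [
    'ERROR java.security.AccessControlException: access denied ("java.io.FilePermission" "/xx/xx/xx/y.xml" "read")',
    "ERROR java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)",
    'ERROR java.security.AccessControlException: access denied ("javax.management.MBeanServerPermission" "findMBeanServer")',
    "ERROR java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)",
    "INFO agent started",
]

if __name__ == "__main__":
    print(grant_block(SAMPLE_LOG, "file:/opt/appdynamics/appserveragent/-"))
```

Review the generated entries before merging them into the policy file, since each one widens what the agent code base may do.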
                
 

Additional solutions: 

 
Add the following property as a JVM argument only on development instances. Remove this property as soon as security debugging is completed. 
-Djava.security.debug="access,failure"
 
Additionally, create a node-level property; this can be done together with the security policy file changes above.
 
Node property example:
property name: enable-interceptors-for-security
type: boolean
value: true
 
Note: Changes in the security policy file require a JVM restart. 
 
Version history: Revision 4 of 4. Last update: 07-11-2017 03:43 PM