Help
Not a customer? Start a free trial

Not a customer? Click the 'Start a free trial' link to begin a 30-day SaaS trial of our product and to join our community.

Existing Cisco AppDynamics customers should click the 'Sign In' button to authenticate to access the community

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to identify which permissions to add under server.policy

Preet.Gaur
AppDynamics Team

on ‎07-11-2017 03:51 PM

When running WebSphere with Security Enabled, the user must provide permissions to the Java Agent, to ensure a seamless interaction between the two.

 

Add the following snippet to the security policy file:

 

grant codeBase "file:\* AGENT_DEPLOYMENT_DIRECTORY \*/-" 
{
    permission java.security.AllPermission;
};
 

The security policy file is located in the AppDynamics Agent logs under JVM arguments:

  

-Djava.security.policy=...../security.policy

 

Or Unix users can use the ps command to find the command line parameters for the JVM.

 

If the JVM argument is not provided, the application may be using a default Java policy file (java.policy). Add the previously mentioned snippet to this file. 

 

Examples where applying permissions is not sufficient:

 

1. Agent logs show: java.security.AccessControlException: access denied ("java.io.FilePermission" "/xx/xx/xx/y.xml" "read") 

grant codeBase "file:\* AGENT_DEPLOYMENT_DIRECTORY \*/-" 
{
   permission java.security.AllPermission;

   permission java.io.FilePermission "*","read,write,execute"; 
};
 
2. Agent logs show: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
 
grant codeBase "file:\* AGENT_DEPLOYMENT_DIRECTORY \*/-" 

permission java.security.AllPermission; 
permission java.lang.RuntimePermission "getClassLoader";
}; 
 
 3. Agent logs show: java.security.AccessControlException: access denied ("javax.management.MBeanServerPermission" "findMBeanServer")
 
grant codeBase "file:\* AGENT_DEPLOYMENT_DIRECTORY \*/-" 

permission java.security.AllPermission; 
permission javax.management.MBeanServerPermission "findMBeanServer";
}; 
Note: Replace \*AGENT_DEPLOYMENT_DIRECTORY\* with the Agent home directory path. Do not miss the forward slash (/-) at the end. 
 
Linux example: grant codeBase "file:/opt/appdynamics/appserveragent/-"
Windows example: grant codeBase "file:c:/appdynamics/appserveragent/-"
                
 

Additional solutions: 

 
Add the following property as a JVM argument only on development instances. Remove this property as soon as security debugging is completed. 
-Djava.security.debug="access,failure"
 
Additionally, create a node level property, which can coincide with the above security policy file changes.
 
Node property example:
property name: enable-interceptors-for-security
type: boolean
value: true
 
Note: Changes in the security policy file require a JVM restart. 
 
Labels:
0 Kudos
Version history
Last update:
‎07-11-2017 03:43 PM
Updated by:
Join Us On December 10
Learn how Splunk and AppDynamics are redefining observability

Register Now!
Observe and Explore
Dive into our Community Blog for the Latest Insights and Updates!

Read the blog here

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form

By clicking subscribe, I have read and understood the Privacy Policy and Terms of Use.
Platform
Solutions
Learn

Company
Support