Support Article
Java 2 security related error with Websphere 8.5.5
SA-25285
Summary
Java 2 Security policy violation errors during server start-up on WAS 8.5.5.x
Error Messages
Access to server temp directory
---------------------------------
Permission:
/local/web/WebSphere855/AppServer/profiles/asp1/temp/java_io : Access denied ("java.io.FilePermission" "/local/web/WebSphere855/AppServer/profiles/asp1/temp/java_io" "write")
Code:
com.pega.pegarules.storage.fs.direct.FilesystemStorage in {pegajdbc://1649696081:0/prprivcommon.jar}
Stack Trace:
java.security.AccessControlException: Access denied ("java.io.FilePermission" "/local/web/WebSphere855/AppServer/profiles/asp1/temp/java_io" "write")
at java.security.AccessController.throwACE(AccessController.java:121)
at java.security.AccessController.checkPermission(AccessController.java:194)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:563)
at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:208)
at java.lang.SecurityManager.checkWrite(SecurityManager.java:993)
at java.io.File.canWrite(File.java:797)
at com.pega.pegarules.storage.fs.direct.FilesystemStorage._init_privact(FilesystemStorage.java:116)
at com.pega.pegarules.storage.fs.direct.FilesystemStorage$1.run(FilesystemStorage.java:85)
at java.security.AccessController.doPrivileged(AccessController.java:416)
at com.pega.pegarules.storage.fs.direct.FilesystemStorage.<init>(FilesystemStorage.java:82)
at com.pega.pegarules.storage.FileStorageManager.getStorageImplementation(FileStorageManager.java:198)
at com.pega.pegarules.storage.FileStorageManager.init(FileStorageManager.java:137)
at com.pega.pegarules.deploy.internal.archive.ParUtilsImpl.setStageDirectory(ParUtilsImpl.java:220)
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineStartup.initEngine(EngineStartup.java:511)
OSGi Admin permission for WAS ND deployment
---------------------------------------------
Permission:
(id=30) : Access denied ("org.osgi.framework.AdminPermission" "(id=30)" "resolve,resource")
Code:
com.pega.pegarules.priv.context.web.WebSphereNodeInfo in {pegajdbc://633512308:0/prpublic.jar}
Stack Trace:
java.security.AccessControlException: Access denied ("org.osgi.framework.AdminPermission" "(id=30)" "resolve,resource")
at java.security.AccessController.throwACE(AccessController.java:121)
at java.security.AccessController.checkPermission(AccessController.java:194)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:563)
at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:208)
at org.eclipse.osgi.framework.internal.core.Framework.checkAdminPermission(Framework.java:1181)
at org.eclipse.osgi.framework.internal.core.BundleHost.getResources(BundleHost.java:280)
at com.ibm.ws.management.configservice.CSMetadataMgr.init(CSMetadataMgr.java:158)
at com.ibm.ws.management.configservice.CSMetadataMgr.<clinit>(CSMetadataMgr.java:72)
at com.ibm.ws.management.configservice.ConfigServiceImpl.registerRootConfigObjectDelegator(ConfigServiceImpl.java:325)
at com.ibm.ws.management.configservice.ConfigServiceImpl.initialize(ConfigServiceImpl.java:262)
at com.ibm.ws.management.configservice.ConfigServiceImpl.resolve(ConfigServiceImpl.java:1058)
at com.ibm.ws.management.configservice.ConfigServiceImpl.resolve(ConfigServiceImpl.java:1052)
at com.pega.pegarules.priv.context.web.WebSphereNodeInfo.getNodeInfoWASV8(WebSphereNodeInfo.java:138)
Access to Pega temp directory
--------------------------------
Permission:
/tmp/poifiles : Access denied ("java.io.FilePermission" "/tmp/poifiles" "read")
Code:
com.pega.pegarules.search.internal.es.AbstractIndexer in {pegajdbc://633512308:0/prprivate.jar}
Stack Trace:
java.security.AccessControlException: Access denied ("java.io.FilePermission" "/tmp/poifiles" "read")
at java.security.AccessController.throwACE(AccessController.java:121)
at java.security.AccessController.checkPermission(AccessController.java:194)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:563)
at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:208)
at java.lang.SecurityManager.checkRead(SecurityManager.java:902)
at java.io.File.isDirectory(File.java:850)
at com.pega.pegarules.search.internal.es.AbstractIndexer.removeTempPOIFiles(AbstractIndexer.java:1681)
Steps to Reproduce
Enable Java 2 Security in the WebSphere administrative console.
Root Cause
A defect or configuration issue in the operating environment.
The required access permissions are not set in, or not picked up from, the 3 policy files in the PRPC EAR: prpc_j2ee14_ws.ear\META-INF\was.policy, prpc_j2ee14_ws.ear\APP-INF\lib\prresources.jar\prenginesecurity.policy and prpc_j2ee14_ws.ear\APP-INF\lib\prresources.jar\prrulesecurity.policy
Resolution
Make the following change to the operating environment:
1) Update all 3 policy files within the PRPC EAR to include the permission below:
permission org.osgi.framework.AdminPermission "*", "resolve,resource";
2) The PegaRULES policy files read system properties at runtime to set permissions for the Pega temp and server temp directories. Set the following system properties:
-Dpega.tmpdir=<path to Pega temp> -Djava.io.tmpdir=<path to server temp>
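An added example (not Pega or IBM code): a Python triage script that extracts the denied permissions from log text such as the error messages above and maps each one to the resolution step that addresses it. The directory values in ASSUMED_TMPDIRS and the function names are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Denial text as the JVM prints it: Access denied ("<class>" "<target>" "<actions>")
DENIAL = re.compile(r'Access denied \("([^"]+)" "([^"]+)" "([^"]+)"\)')

# Exception lines taken from the error messages in this article (last one repeated).
SAMPLE_LOG = '''\
java.security.AccessControlException: Access denied ("java.io.FilePermission" "/local/web/WebSphere855/AppServer/profiles/asp1/temp/java_io" "write")
java.security.AccessControlException: Access denied ("org.osgi.framework.AdminPermission" "(id=30)" "resolve,resource")
java.security.AccessControlException: Access denied ("java.io.FilePermission" "/tmp/poifiles" "read")
java.security.AccessControlException: Access denied ("java.io.FilePermission" "/tmp/poifiles" "read")
'''

# Assumed values of the two system properties; substitute the real settings.
ASSUMED_TMPDIRS = {
    "java.io.tmpdir": "/local/web/WebSphere855/AppServer/profiles/asp1/temp",
    "pega.tmpdir": "/tmp",
}

def parse_denials(log_text):
    """Return de-duplicated (class, target, actions) tuples in first-seen order."""
    seen = []
    for match in DENIAL.finditer(log_text):
        if match.groups() not in seen:
            seen.append(match.groups())
    return seen

def classify(denial, tmpdirs):
    """Name the resolution step that covers one denial, or flag it as unresolved."""
    perm_class, target, _actions = denial
    if perm_class == "org.osgi.framework.AdminPermission":
        return "step 1: AdminPermission grant in the policy files"
    if perm_class == "java.io.FilePermission":
        path = PurePosixPath(target)
        for prop, directory in tmpdirs.items():
            base = PurePosixPath(directory)
            if path == base or base in path.parents:
                return f"step 2: -D{prop}"
        return "unresolved: path is outside the configured temp directories"
    return "unresolved: permission class not covered by this article"

def triage(log_text, tmpdirs):
    """Pair every distinct denial with its verdict."""
    return [(d, classify(d, tmpdirs)) for d in parse_denials(log_text)]

if __name__ == "__main__":
    for denial, verdict in triage(SAMPLE_LOG, ASSUMED_TMPDIRS):
        print(denial, "->", verdict)
```

Any denial reported as unresolved after both steps are applied points to a path or permission class that the two system properties and the AdminPermission grant do not cover.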
Published October 8, 2020