
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Java 2 security related error with WebSphere 8.5.5

SA-25285

Summary



Java 2 Security policy violation errors during server start-up on WAS 8.5.5.x


Error Messages



Access to server temp directory
---------------------------------
Permission:
      /local/web/WebSphere855/AppServer/profiles/asp1/temp/java_io : Access denied ("java.io.FilePermission" "/local/web/WebSphere855/AppServer/profiles/asp1/temp/java_io" "write")
Code:
     com.pega.pegarules.storage.fs.direct.FilesystemStorage  in  {pegajdbc://1649696081:0/prprivcommon.jar}

Stack Trace:

java.security.AccessControlException: Access denied ("java.io.FilePermission" "/local/web/WebSphere855/AppServer/profiles/asp1/temp/java_io" "write")
    at java.security.AccessController.throwACE(AccessController.java:121)
    at java.security.AccessController.checkPermission(AccessController.java:194)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:563)
    at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:208)
    at java.lang.SecurityManager.checkWrite(SecurityManager.java:993)
    at java.io.File.canWrite(File.java:797)
    at com.pega.pegarules.storage.fs.direct.FilesystemStorage._init_privact(FilesystemStorage.java:116)
    at com.pega.pegarules.storage.fs.direct.FilesystemStorage$1.run(FilesystemStorage.java:85)
    at java.security.AccessController.doPrivileged(AccessController.java:416)
    at com.pega.pegarules.storage.fs.direct.FilesystemStorage.<init>(FilesystemStorage.java:82)
    at com.pega.pegarules.storage.FileStorageManager.getStorageImplementation(FileStorageManager.java:198)
    at com.pega.pegarules.storage.FileStorageManager.init(FileStorageManager.java:137)
    at com.pega.pegarules.deploy.internal.archive.ParUtilsImpl.setStageDirectory(ParUtilsImpl.java:220)
    at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineStartup.initEngine(EngineStartup.java:511)
     

     
OSGi Admin permission for WAS ND deployment
---------------------------------------------
Permission:
     (id=30) : Access denied ("org.osgi.framework.AdminPermission" "(id=30)" "resolve,resource")
Code:
    com.pega.pegarules.priv.context.web.WebSphereNodeInfo  in  {pegajdbc://633512308:0/prpublic.jar}

Stack Trace:

java.security.AccessControlException: Access denied ("org.osgi.framework.AdminPermission" "(id=30)" "resolve,resource")
    at java.security.AccessController.throwACE(AccessController.java:121)
    at java.security.AccessController.checkPermission(AccessController.java:194)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:563)
    at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:208)
    at org.eclipse.osgi.framework.internal.core.Framework.checkAdminPermission(Framework.java:1181)
    at org.eclipse.osgi.framework.internal.core.BundleHost.getResources(BundleHost.java:280)
    at com.ibm.ws.management.configservice.CSMetadataMgr.init(CSMetadataMgr.java:158)
    at com.ibm.ws.management.configservice.CSMetadataMgr.<clinit>(CSMetadataMgr.java:72)
    at com.ibm.ws.management.configservice.ConfigServiceImpl.registerRootConfigObjectDelegator(ConfigServiceImpl.java:325)
    at com.ibm.ws.management.configservice.ConfigServiceImpl.initialize(ConfigServiceImpl.java:262)
    at com.ibm.ws.management.configservice.ConfigServiceImpl.resolve(ConfigServiceImpl.java:1058)
    at com.ibm.ws.management.configservice.ConfigServiceImpl.resolve(ConfigServiceImpl.java:1052)
    at com.pega.pegarules.priv.context.web.WebSphereNodeInfo.getNodeInfoWASV8(WebSphereNodeInfo.java:138)


Access to Pega temp directory
--------------------------------

Permission:

      /tmp/poifiles : Access denied ("java.io.FilePermission" "/tmp/poifiles" "read")


Code:

     com.pega.pegarules.search.internal.es.AbstractIndexer  in  {pegajdbc://633512308:0/prprivate.jar}



Stack Trace:

java.security.AccessControlException: Access denied ("java.io.FilePermission" "/tmp/poifiles" "read")
    at java.security.AccessController.throwACE(AccessController.java:121)
    at java.security.AccessController.checkPermission(AccessController.java:194)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:563)
    at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:208)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:902)
    at java.io.File.isDirectory(File.java:850)
    at com.pega.pegarules.search.internal.es.AbstractIndexer.removeTempPOIFiles(AbstractIndexer.java:1681)


Steps to Reproduce



Enable Java 2 Security in the WebSphere console.


Root Cause



A defect or configuration issue in the operating environment

The required access permissions are not set in, or not picked up from, the 3 policy files in the PRPC EAR: prpc_j2ee14_ws.ear\META-INF\was.policy, prpc_j2ee14_ws.ear\APP-INF\lib\prresources.jar\prenginesecurity.policy and prpc_j2ee14_ws.ear\APP-INF\lib\prresources.jar\prrulesecurity.policy



Resolution



Make the following change to the operating environment:

1) Update all 3 policy files within the PRPC EAR to include the permission below:

permission org.osgi.framework.AdminPermission "*", "resolve,resource";

2) The PegaRULES policy files read system properties at runtime to set permissions for the Pega temp and server temp directories. Set the following system properties:

    -Dpega.tmpdir=<path to Pega temp> -Djava.io.tmpdir=<path to server temp>
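
A triage helper for the denials listed under Error Messages, added here as an example and not part of the Pega article or product: it extracts each unique "Access denied" entry from a log and maps it to resolution step 1 (policy entry) or step 2 (temp directory system property). The function names and the two directory values passed in are assumptions for illustration.

```python
import re
from pathlib import PurePosixPath

# Matches the 'Access denied ("<class>" "<target>" "<actions>")' text in the log.
DENIED = re.compile(r'Access denied \("([^"]+)" "([^"]+)" "([^"]*)"\)')

# Lines copied from the Error Messages section; one is repeated to show de-duplication.
SAMPLE_LOG = '''
java.security.AccessControlException: Access denied ("java.io.FilePermission" "/local/web/WebSphere855/AppServer/profiles/asp1/temp/java_io" "write")
java.security.AccessControlException: Access denied ("org.osgi.framework.AdminPermission" "(id=30)" "resolve,resource")
/tmp/poifiles : Access denied ("java.io.FilePermission" "/tmp/poifiles" "read")
java.security.AccessControlException: Access denied ("java.io.FilePermission" "/tmp/poifiles" "read")
'''

def parse_denials(log_text):
    """Unique (permission class, target, actions) tuples, in order of first appearance."""
    seen = []
    for match in DENIED.finditer(log_text):
        if match.groups() not in seen:
            seen.append(match.groups())
    return seen

def classify(denial, pega_tmpdir, java_tmpdir):
    """Map one denial to the resolution step that addresses it."""
    perm_class, target, actions = denial
    if perm_class != "java.io.FilePermission":
        # Step 1: needs a policy entry. The article grants the name "*" instead of
        # the logged "(id=30)"; the logged target is kept here for review.
        return ("policy-entry", 'permission %s "%s", "%s";' % (perm_class, target, actions))
    path = PurePosixPath(target)
    for prop, root in (("pega.tmpdir", pega_tmpdir), ("java.io.tmpdir", java_tmpdir)):
        if path == PurePosixPath(root) or PurePosixPath(root) in path.parents:
            return ("tmpdir-property", "-D%s=%s" % (prop, root))  # Step 2
    return ("unmatched-path", target)  # outside both temp dirs: re-check the -D values

def triage(log_text, pega_tmpdir, java_tmpdir):
    """Classify every unique denial found in the log text."""
    return [classify(d, pega_tmpdir, java_tmpdir) for d in parse_denials(log_text)]

if __name__ == "__main__":
    # Assumed directory values for this sample; use the JVM's actual -D settings.
    for kind, detail in triage(SAMPLE_LOG, "/tmp",
                               "/local/web/WebSphere855/AppServer/profiles/asp1/temp"):
        print(kind, detail)
```

An "unmatched-path" result means the denied file sits outside both configured temp directories, which points at a wrong or missing -D value rather than a missing policy entry.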

 

Published October 8, 2020
