Specifying system properties/security manager for OC4J

Similar Messages

• Cannot start OC4J instance after specifying default java.security.manager

  Hi All,
  I am using OracleiAS 10.1.3.4 and trying to make use of the new User and Role APIs introduced in 10.1.3.1.
  While trying to get an object of IdentityStore using the following code, I got this error -
  java.security.PrivilegedActionException: oracle.security.idm.ConfigurationException: java.security.AccessControlException: access denied (oracle.security.jazn.JAZNPermission getOC4JIntegrationData)
  oidFactory = (IdentityStoreFactory) AccessController.doPrivileged(
  new PrivilegedExceptionAction()
  public Object run() throws IMException
  IdentityStoreFactoryBuilder builder =
  new IdentityStoreFactoryBuilder();
  return builder.getIdentityStoreFactory();
  I then tried specifying the default security manager in start JAVA options for my oc4j instance - Djava.security.manager. I also verified that my java policy file is present under $ORACLE_HOME/j2ee/oc4j_soa/config/java2.policy. But the issue is - once I put this default secirity manager in startup options in opmn.xml, the oc4j instance does not get started, it gives following error -
  08/12/30 02:58:22 Start process
  Dec 30, 2008 2:58:24 AM com.evermind.server.XMLDataSourcesConfig parseRootNode
  INFO: Legacy datasource detected...attempting to convert to new syntax.
  08/12/30 02:58:29 WARNING: Application.setConfig Application: default is in failed state as initialization failed.
  java.lang.ExceptionInInitializerError
  08/12/30 02:58:29 Error initializing server: Application: default is in failed state as initialization failed
  08/12/30 02:58:32 Fatal error: server exiting
  Any idea ? Any pointers please ?
  Thanks,
  Ankit

  Ankit,
  Check your syntax for the datasource. If you migrated from file-based to OID, then you should look at this link:
  http://download.oracle.com/docs/cd/E12524_01/relnotes.1013/e12523/oc4j.htmThere is a known issue when migrating from file-based to OIM\OID. Navigate to:
  12.2 JAZNMigration Tool Does Not Migrate ADFPrincipal Type Correctly
  -Michael

• Security Manager for decryption is not set

  Hey,
  I am using the Livecycle virtual appliance in a test version to evaluate its features. When I decrypt an encrypted document with the java API I get an error message that says that the security manager is not set.
  Is the security Manager part of the appliance?
  How can I solve that problem?
  My Code:
          //Set connection properties required to invoke LiveCycle ES                               
          Properties connectionProps = new Properties();
          connectionProps.setProperty(ServiceClientFactoryProperties.DSC_DEFAULT_EJB_ENDPOINT, getConfig("lc.ejb-endpoint.url", "jnp://192.168.56.50:1099"));
          connectionProps.setProperty(ServiceClientFactoryProperties.DSC_TRANSPORT_PROTOCOL,Service ClientFactoryProperties.DSC_EJB_PROTOCOL);         
          connectionProps.setProperty(ServiceClientFactoryProperties.DSC_SERVER_TYPE, "JBoss");
          connectionProps.setProperty(ServiceClientFactoryProperties.DSC_CREDENTIAL_USERNAME, getConfig("lc.ejb-endpoint.username", "jjacobs"));
          connectionProps.setProperty(ServiceClientFactoryProperties.DSC_CREDENTIAL_PASSWORD, getConfig("lc.ejb-endpoint.password", "password"));
          //Create a ServiceClientFactory object
          ServiceClientFactory myFactory = ServiceClientFactory.createInstance(connectionProps);
          //Create an EncryptionServiceClient object
          EncryptionServiceClient encryptClient = new EncryptionServiceClient(myFactory);
          //Unlock the password-encrypted PDF document
          Document unlockedDoc = encryptClient.unlockPDFUsingPassword(pdf, pdfPassword);
          return unlockedDoc;
  Exceptions details:
  Caused by: com.adobe.internal.pdftoolkit.core.exceptions.PDFSecurityAuthorizationException: Security Manager for decryption is not set
      at com.adobe.internal.pdftoolkit.core.encryption.EncryptionImpl.getStreamEncryption(Encrypti onImpl.java:196)
      at com.adobe.internal.pdftoolkit.core.encryption.EncryptionImpl.getStreamDecryptionHandler(E ncryptionImpl.java:263)
      at com.adobe.internal.pdftoolkit.core.cos.CosEncryption.getStreamDecryptionStateHandler(CosE ncryption.java:675)
      at com.adobe.internal.pdftoolkit.core.cos.CosStream.getStreamForCopying(CosStream.java:377)
      at com.adobe.internal.pdftoolkit.core.cos.CosStream.copyStream(CosStream.java:310)
      at com.adobe.internal.pdftoolkit.core.cos.CosStream.getStream(CosStream.java:422)
      at com.adobe.internal.pdftoolkit.core.cos.CosObjectStream.getDataStream(CosObjectStream.java :130)
      at com.adobe.internal.pdftoolkit.core.cos.CosObjectStream.<init>(CosObjectStream.java:80)
      at com.adobe.internal.pdftoolkit.core.cos.CosToken.readObject(CosToken.java:576)
      at com.adobe.internal.pdftoolkit.core.cos.CosToken.readIndirectObject(CosToken.java:108)
      at com.adobe.internal.pdftoolkit.core.cos.XRefTable.getIndirectObject(XRefTable.java:607)
      at com.adobe.internal.pdftoolkit.core.cos.CosDocument.getIndirectObject(CosDocument.java:287 5)
      at com.adobe.internal.pdftoolkit.core.cos.XRefTable.getIndirectObject(XRefTable.java:599)
      at com.adobe.internal.pdftoolkit.core.cos.CosDocument.getIndirectObject(CosDocument.java:287 5)
      at com.adobe.internal.pdftoolkit.core.cos.CosDocument.resolveReference(CosDocument.java:1067 )
      at com.adobe.internal.pdftoolkit.core.cos.CosDictionary.get(CosDictionary.java:278)
      at com.adobe.internal.pdftoolkit.pdf.document.PDFCosDictionary.getDictionaryCosObjectValue(P DFCosDictionary.java:423)
      at com.adobe.internal.pdftoolkit.pdf.document.PDFCatalog.getInteractiveForm(PDFCatalog.java: 156)
      at com.adobe.internal.pdftoolkit.pdf.document.PDFDocument.getInteractiveForm(PDFDocument.jav a:521)
      at com.adobe.formServer.utils.CommonGibsonUtils.isForm(CommonGibsonUtils.java:153)
      at com.adobe.livecycle.formdataintegration.server.FormData.exportDataInternal(FormData.java: 338)
      at com.adobe.livecycle.formdataintegration.server.FormData.exportData2(FormData.java:217)
      ... 81 more

  I think you answered your own question - the PDF is password protected therefore LC can't open it to extract the data.
  You'll have to remove the security first.  You can do that in a process by using the Common.EncryptionService.Remove PDF Password Encryption operation.
  Note that you will need the document's password to remove the security.

• Error during install " specify system property "is.debug" for more information."

  I am trying to install Livecycle Reader Extensions onto a Unix box and the setup.sh is giving the following error when I try to invoke it.
  "An unhandled error occurred -- specify system property "is.debug" for more information."
  Anyone know how to set the is.debug property?
  Sorry i'm not to familiar with the unix env.

  Andrew,
  can you provide more information on the following?
  - variant of Unix
  - java version installed
  - reader extensions version
  - application server enviornment intended (WAS, Weblogic, JBOSS?)
  Thanks
  David
  www.ensemble.com

• FormDataIntegration Security Manager for decryption not set

  When trying to export or import from a specific PDF form, I am getting the error below.  I suspect it's the pdf b/c I can import and export from different pdf forms.  Any ideas or help in order to modify or resolve this problem?
  com.adobe.livecycle.formdataintegration.client.ImportFormDataException: Security Manager for decryption is not set
  [5/5/10 16:12:04:953 EDT] 0000001e SystemErr     R     at com.adobe.livecycle.formdataintegration.server.FormData.importData(FormData.java:98)
  [5/5/10 16:12:04:953 EDT] 0000001e SystemErr     R     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  [5/5/10 16:12:04:953 EDT] 0000001e SystemErr     R     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
  [5/5/10 16:12:04:953 EDT] 0000001e SystemErr     R     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  [5/5/10 16:12:04:953 EDT] 0000001e SystemErr     R     at java.lang.reflect.Method.invoke(Method.java:615)
  [5/5/10 16:12:04:953 EDT] 0000001e SystemErr     R     at com.adobe.idp.dsc.component.impl.DefaultPOJOInvokerImpl.invoke(DefaultPOJOInvokerImpl.jav a:118)
  [5/5/10 16:12:04:953 EDT] 0000001e SystemErr     R     a

  I think you answered your own question - the PDF is password protected therefore LC can't open it to extract the data.
  You'll have to remove the security first.  You can do that in a process by using the Common.EncryptionService.Remove PDF Password Encryption operation.
  Note that you will need the document's password to remove the security.

• Has anyone tried Advanced Security Manager for System 9.0

  Hi All,
  I am having issues with Advanced Security Manager in system 9.0
  I am getting an error "essapin.dll" cannot be found.
  has anyone faced similar issue, if yes, how did you get around with that.
  thanks and regards.

  I got the problem solved.
  essapin.dll was with version 6.5 and from essapin.dll was replaced by essapinu.dll. Advanced Security Manager was searching for essapin.dll.
  I installed client version of 6.5, which got me essapin.dll.
  I am able to export all my filters with ASM now :-)

• How to setup security manager for applet at runtime?

  hello everyone,
  I am wonder if there is a way to setup security manager at runtime. This is what I am trying to do:
  1. Create a Applet GUI and allow users to specify in an input dialog box of the URL they like make connection to.
  I know there is two way of do this
  1. Is modify java.policy file and specify the URL SocketPermission to connect to.
  2. setup signed certificate applet.
  But, I would to try to see if there is a way to have applet make connection at runtime when users specify the URL.
  Anyone have any ideas.
  Thanks.

  Thanks, Peter
  Going over some articles you and references that you pointed out was very useful on how the java security model work and a little bit history too.
  So, I am assuming that I can make my own securitymanager class that defines the permission of the applet that I am working, using Permission, SecurityManager, ....etc class right? I just want to be clear on what I am going to be doing.
  If you have any other thoughts, Thanks,

• Setting security manager for weblogic6.0

  I need to be able to get the weblogic6.0 server to use third party security manager. I tried setting "-Dweblogic.security.manager = <security_manager_class>". Unfortunately this doesn't work.. on my test servlet I find no security manager has been set.This argument worked successfully in weblogic5.1.If you have any hints/ideas, please let me know.Thanks!!

  I need to be able to get the weblogic6.0 server to use third party security manager. I tried setting "-Dweblogic.security.manager = <security_manager_class>". Unfortunately this doesn't work.. on my test servlet I find no security manager has been set.This argument worked successfully in weblogic5.1.If you have any hints/ideas, please let me know.Thanks!!

• Using OID 9.0.4.x  as security provider  for OC4J 10.1.3

  If you upgrade OC4J to release 10.1.3 (needed for new releases of Jdeveloper)
  and you your Metadata respository is based on 9.0.4.x, you can use Oracle® Containers for J2EE Security Guide 10g Release 3 (10.1.3) B14429-01 Chapter 6 for the steps needed.
  The section Considerations for 9.0.4.x Infrastructure: Access Control List Settings describes that some content in OID needs to be replace to cater for 10.1.3 and ldap ldif file structure is given with instruction on how to run it
  We tried it exactly as instructed (Show below)
  ID management realm (for example, dc=PALCO,dc=com), then execute the steps that follow.
  dn: cn=JAZNContext,cn=Products,cn=OracleContext,%s_MgmtRealmDN%
  changetype: modify
  replace: orclaci
  orclaci: access to entry
  by group= "cn=JAZNAdminGroup,cn=Groups,cn=JAZNContext,cn=Products,cn=OracleContext"
  (browse, add, delete)
  by group= "cn=IASAdmins,cn=Groups,cn=OracleContext,%s_MgmtRealmDN%
  added_object_constraint=(objectclass=orclApplicationEntity) (add, delete, browse)
  by * (none)
  orclaci: access to attr=(*)
  by group= "cn=JAZNAdminGroup,cn=Groups,cn=JAZNContext,cn=Products,cn=OracleContext"
  (search, read, write, compare)
  by group= "cn=IASAdmins,cn=Groups,cn=OracleContext,%s_MgmtRealmDN%"
  (read, search, write, compare)
  by * (none)
  and then running the ldapmodify program
  ldapmodify -c -a -p 389 -h localhost -D cn=orcladmi -w xxxxxx \
  -f int_ammar.ldif
  produces errors
  ldap_modify: additional info: INVALID ACI is access to entry by group
  There has to be something error with the syntax error is providing in the Doc
  Ammar Sajdi, Oracle consultant
  www.e-ammar.com
  oraclejo.blogspot.com
  www.palco-me.com
  Amman

  Finally, i found out what the problem is
  First of all , make sure that no new line exists between LDAP LDIF directives, additionally, make sure that you close the double quotation for CN where even it appears as the script provided does not close all of them when appropriate
  you can fine an already modified file in my website shortly
  http://www.e-ammar.com/Oracle.htm
  This will hopefully save you time
  Regards
  Ammar Sajdi

• Connection From Satellite System to Solution Manager for key users

  Hi All,
  Can anybody suggest which RFC connection/destination should be maintained in BCOS_CUST table under satellite system to connect to Solution Manager.
  1. SM_SSMCLNT010_TRUSTED
  2. SM_SSMCLNT010_BACK
  I don't want user to Login to solution manager while creating a support message. They should create a support messsage seamlessly from satellite system.
  Any help is greatly appreciated.
  Thanks...

  Thakur,
    Sorry for the cryptic answer back there - read it myself and it didn't make much sense to me either so here we go with the seamless way to allow users to create service messages.
    There are 2 ways to do this - 1 way is to use a connection like the 'BACK' connection but if you do this - all user tickets entered will have the username of the 'BACK' connection logon id as the message creator.  The other way is to use the trusted connection so the userid of the person logging the message is transfered with the created ticket.
    I will assume that you want to preserve the unique userid and use trusted connections. So here we go:
  Step 1 - Go into BCOS_CUST on the Satelite and put in your TRUSTED RFC Connection as the detination for the Service Messages - either use the one that Solman created when generating or make your own ABAP Trusted Connection.
  Step 2 - All users in Satelite and in Solution Manager need to have Authority Object S_RFCACL assigned to their userid's so they can use the Trusted RFC Connection (this is not in SAP_ALL or SAP_NEW).
  Step 3 - All users that will use this method of creating service tickets need both a userID and a BP with the respective system keys to allow them to enter tickets for those Satelites.
    That is all there is to it assuming that all issues with Trusted Connections have been worked through already (test this in SM59 by going to your 'TRUSTED' connection on the Satelite and execute the RemoteLogon button - you should be sent to the Solution Manager with out having to logon).
    If this answers your question, please set this message to answered.
  Edited by: David Milliken on Jan 25, 2008 1:55 AM

• Ant deployment - specifying system properties

  Hi,
  Below I have my deployment and bind tasks. The question I have is if I'm specifying the -D property correctly (in the jvmarg tag)?
  Also, How would I specify -D system properites using the oracle:deploy and oracle:bindWebApp tasks?
  <target name="deploy_oc4j" depends="packageEAR"
  description="deploy the enterprise archive to a standalone oc4j">
  <java classname="${jdev.home}/j2ee/home/admin.jar" fork="true">
  <jvmarg value="-DServiceLocatorEndpoint=http://estaging/ws/ServiceLocator/ServiceLocator"/>
  <jvmarg value="-jar"/>
  <arg value="ormi://localhost/"/>
  <arg value="${oc4j.admin.user}"/>
  <arg value="${oc4j.admin.password}"/>
  <arg value="-deploy"/>
  <arg value="-file"/>
  <arg value="${deploy.home}/testApp.ear"/>
  <arg value="-deploymentName"/>
  <arg value="${app.name}"/>
  </java>
  <!-- now we need to bind the webapplication -->
  <java classname="${jdev.home}/j2ee/home/admin.jar" fork="true">
  <jvmarg value="-DServiceLocatorEndpoint=http://estaging/ws/ServiceLocator/ServiceLocator"/>
  <jvmarg value="-jar"/>
  <arg value="ormi://localhost/"/>
  <arg value="${oc4j.admin.user}"/>
  <arg value="${oc4j.admin.password}"/>
  <arg value="-bindWebApp"/>
  <arg value="${app.name}"/>
  <arg value="${web.name}"/>
  <arg value="default-web-site"/>
  <arg value="/testApp"/>
  </java>
  </target>
  Thanks.

  I have resolved this issue:
  you need to set the env variable OC4J_JVM_ARGS to your desired system property.
  Thanks.

• Security Manager Setting for Tomcat.

  Hi,
  Can anyone show me how to setup Security Manager for Tomcat step by step ?
  What do we need to set in server.xml and tomcat policy?
  After setting, how do run Tomcat?
  I did refer to the Tomcat Security Guide, but I didn't success to setup Security Manager.
  Can anyone explain in layman term to me?
  Your help will be appreciated.
  Thank you.

  I've solved my problem.
  For those who have are interested,
  you can refer to :
  http://jakarta.apache.org/tomcat/tomcat-3.2-doc/uguide/tomcat-security.html

• Security Permissions for simple file transfer

  Hey All
  I'm transferring a file using RMI as part of an enhancement. I want to restrict where the file can be transferred to and thus will use a security manager (On the destination object). However the object its being transferred to shares the same JVM with another quite complex application that currently doesn't need a security manager.
  Will I need to set a whole host of permissions for this application even though I only want to restrict file writing?
  I suspect this is the case just want confirmation.

  Hi,
  In the code which receives the file being transferred, you might try calling System.setSecurityManager(new SecurityManager()). Use the configured Java policy to limit where the file can be written. After calling setSecurityManager(), save the file. Before returning to the rest of the application, call System.setSecurityManager(null). Ensure that your code has setSecurityManager permission or this call will fail. If this idea doesn't work, you could simply use a security manager for the whole application, and just grant AllPermission to everything except the file receiving code. Everyone says AllPermission is dangerous, but it's no more dangerous than running with no security manager at all :)

• System.properties (what is the scope in memory)

  Does each JVM have it's own System properties? Hence calls from one JVM System.getProperty() or System.setProperty() should be within each individual JVM? Also I need to know this so that I can gurantee that using the System properties for private information won't be accessed by anyone else on the system... Any input?

  System properties are unique for each VM, they are therefore visible to all code running in the VM.
  This seems like a good thing to use for storing things like passwords because of the global visibility however using the System properties for storing such things has to be considered as being insecure.
  System properties should be regarded as a place to read data from that is relevant for either the Java runtime environment or for setting component specific properties, XML Parsers make use of this for example. Using System properties as an in memory database is neither secure nor sensible. Careless selection of keys for the properties you wish to store can have unexpected results if you accidentally overwrite a property that is used for other purposes.
  I would use a separate Properties instance that has nothing to do with the System properties and I would also recommend the encryption of sensitive data like passwords.

• Custom Security Manager or Security Event Interception from WebLogic Console

  Hello,
  I have built my own Security Manager and implemented custom preference/property mechanism for every Principal, so when I use my Swing client to create new User and new Group, as well as addMember to a Group, I know what to do with those properies/preferences.
  Now, I want to use WebLogic Console to manage users and groups. I want to intercept events in my Security Manager about new User or Group creation or changing their memberships as Principals in order to handle their Preference/properties stuff myself...
  I wonder what should I "listen" in order to understand that someone has changed membership of Users or Groups or about creation of new User or Group?
  I use Weblogic Server 6.0 sp2
  serge

  Hi Daniel,
  > a custom security manager for the standard CM Repository
  And this dictates you indeed to use the old API, as the CMRepositoryManager itself is using the old API.
  The standard AclSecurityManager is implemented by com.sapportals.wcm.repository.manager.generic.security.AclSecurityManager. If you check out Configuration - Content Management - Repository Managers - Security Manager, you will see "ACL Security Manager" (the one from above) and "ACL Security Manager (for new Manager-API)". This is implementing / using the new API, but needs also a RM using the new API.
  > java.lang.NoSuchMethodException: MySecurityManager.<init>
  This exception only complains about a missing constructor!? Have you implemented a default constructor?!
  > If this is the case, where can I find the API for IUMPrincipal? It is not included in any provided API because of deprecation.
  The methods of the old EP5 user management are more or less similar to the new UME, so using the old deprecated API should be more or less straight forward.
  There are also transformer methods for example to transform a "new" user object to an old EP5 one, see https://forums.sdn.sap.com/thread.jspa?threadID=235656&tstart=0
  Hope it helps
  Detlev