Use the PolicyTool utility to update policy files.
Before you begin
Java 2 security uses several policy files to determine the permissions
granted to each Java program. The Java Development Kit provides the
PolicyTool utility to edit these policy files. Use this tool to edit any
policy file, because it verifies the syntax of the file contents. Syntax
errors in a policy file cause an AccessControlException when the application
runs, including at server start. Identifying the cause of this exception is
not easy because the user might not be familiar with the resource that has
the access violation. Be careful when you edit these policy files.
To use the PolicyTool utility with WebSphere Application Server for z/OS,
choose one of the following two options:
- Copy the policy files to another platform such as Microsoft Windows and
modify the files. To use this option, you must issue the FTP command to transfer
the files to the other platform, invoke the PolicyTool, and transfer
the updated files back to the z/OS system in binary mode.
- Invoke the PolicyTool that is supplied with the Software Development
Kit (SDK) installed on your z/OS system.
Procedure
Invoke the PolicyTool that is supplied with
the Software Development Kit (SDK) installed on your z/OS system.
- Export the display to an Xwindows-enabled device. For
example, in Open MVS (OMVS), type export DISPLAY=<IP_address_of_the_Xwindows_device>:0.0
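- Enable the z/OS system to access the display of the Xwindows-enabled
device. For example, on AIX systems, type xhost +address_of_the_MVS_system.
Write the address directly after the plus sign: a plus sign passed as a
separate argument turns off X access control for every host.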
- Convert the policy file to the Extended Binary Coded Decimal
Interchange Code (EBCDIC) format.
- Invoke the PolicyTool on OMVS by typing $JAVA_HOME/policytool.
The JAVA_HOME variable represents the directory in which the
SDK is installed.
Start the PolicyTool. For example, you can enter the following command at a
Windows command prompt:
%{was.install.root}/java/jre/bin/policytool
The PolicyTool window opens. The tool looks for the java.policy file
in your home directory. If it does not exist, an error message displays.
Click OK.
- Click File > Open.
- Navigate the directory tree in the Open window to pick up
the policy file that you need to update. After selecting the policy
file, click Open. The code base entries are listed in the window.
- Create or modify the code base entry.
- Modify the existing code base entry by double-clicking the code
base, or click the code base and click Edit Policy Entry. The
Policy Entry window opens with the permission list defined for the selected
code base.
- Create a new code base entry by clicking Add Policy Entry.
The Policy Entry window opens. In the code base column, enter the
code base information in URL format. On z/OS, for example, you can enter:
app_server_root/InstalledApps/testcase.ear
where the app_server_root variable represents your installation location.
- Modify or add the permission specification.
- Modify the permission specification by double-clicking the entry
that you want to modify, or by selecting the permission and clicking Edit
Permission. The Permissions window opens with the selected
permission information.
- Add a new permission by clicking Add Permission.
The Permissions window opens. In the Permissions window are four rows
for Permission, Target Name, Actions, and Signed By.
- Select the permission from the Permission list. The selected permission
displays. After a permission is selected, the Target Name, Actions, and Signed
By fields automatically show the valid choices or they enable text input in
the right text input area.
- Select Target Name from the list, or enter the target
name in the right text input area.
- Select Actions from the list.
- Input Signed By if it is needed.
Important: The Signed By keyword is not supported in the following policy
files: app.policy, spi.policy, library.policy, was.policy, and filter.policy.
However, the Signed By keyword is supported in the following policy files:
java.policy, server.policy, and client.policy. The Java Authentication and
Authorization Service (JAAS) is not supported in the app.policy, spi.policy,
library.policy, was.policy, and filter.policy files. However, the JAAS
principal keyword is supported in a JAAS policy file when it is specified by
the java.security.auth.policy Java virtual machine (JVM) system property.
- Click OK to close the Permissions window. Modified
permission entries of the specified code base display.
- Click Done to close the window. Modified code base entries
are listed. Repeat the previous steps until you complete editing.
- Click File > Save after you finish editing the file.
Convert the policy file back from
the EBCDIC format to the ASCII format.
Results
A policy file is updated. If any policy files need editing, use the
PolicyTool utility. Do not edit the policy file manually. Syntax errors in
the policy files can cause application servers or enterprise applications to
fail to start or to function incorrectly. For the changes in the updated
policy file to take effect, restart the Java processes.
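The Important note in the procedure lists five policy files in which Signed By and the JAAS principal keyword are not supported. The following read-only check is an added example, not part of the product or of the original page; it reports those keywords in a saved file before the Java processes are restarted. The function name, the sample policy text, and the alias are assumptions made for illustration.

```python
import os
import re

# Policy files in which the note above says Signed By and JAAS are not supported.
RESTRICTED = {"app.policy", "spi.policy", "library.policy",
              "was.policy", "filter.policy"}

# Comments and quoted strings are blanked first so that a target name or a
# comment containing one of the words is not reported.
_SKIP = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', re.DOTALL)
# Matched case-insensitively so that spelling variants are not missed.
_KEYWORD = re.compile(r'\b(signedBy|principal)\b', re.IGNORECASE)


def _blank(match):
    # Keep newlines so reported line numbers still match the file.
    return re.sub(r'[^\n]', ' ', match.group(0))


def unsupported_keywords(filename, text):
    """Return [(line_number, keyword)] found in a restricted policy file."""
    if os.path.basename(filename) not in RESTRICTED:
        return []  # this check makes no claim about any other policy file
    code = _SKIP.sub(_blank, text)
    return [(lineno, m.group(1))
            for lineno, line in enumerate(code.splitlines(), start=1)
            for m in _KEYWORD.finditer(line)]


# Constructed sample input; the code base and alias are placeholders.
SAMPLE = '''\
// constructed sample: the word signedBy in this comment is ignored
grant codeBase "file:/app_server_root/InstalledApps/testcase.ear" {
  permission java.io.FilePermission "/tmp/principal.txt", "read";
  permission java.lang.RuntimePermission "getClassLoader", signedBy "alias1";
};
grant principal javax.security.auth.x500.X500Principal "cn=Alice" {
  permission java.util.PropertyPermission "user.home", "read";
};
'''

if __name__ == "__main__":
    for lineno, keyword in unsupported_keywords("app.policy", SAMPLE):
        print(f"app.policy:{lineno}: '{keyword}' is not supported in this file")
```

The check only reads the file, so it does not replace the PolicyTool for making changes.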