IBM Support

MustGather: Problems using Java 2 security

Troubleshooting


Problem

This MustGather provides instructions for collecting data for problems with the IBM WebSphere® Application Server Java™ 2 security component. Collecting this information and uploading the diagnostic data to the case can help refine the problem description and improve the quality of support's response. Java 2 security is enabled and disabled at the cell level. It cannot be isolated to an application, server, node, or cluster. However, you can selectively enable Java 2 security in a security domain.

Diagnosing The Problem

Resolving The Problem

Diagnostic Questions

  1. Is there a requirement for Java 2 security enablement? Support recommends disabling Java 2 security unless there is an explicit requirement.
  2. Was the application designed and packaged to run with Java 2 security enabled?
  3. Is there an architectural statement that documents the resources that the application needs, and what kind of access (read, write) it requires? 
  4. Do you have any Java 2 policy files such as was.policy or app.policy with the necessary statements?
  5. Was the Java 2 security property file manually edited? The supported approach is to use the Java policytool.

Reproduce the Issue

IBM support recommends that you gather traces from JVM startup.

  • Although WebSphere traces can be enabled at runtime, the provided logs should capture JVM startup. Startup logs contain important messages that print only during initialization of the JVM.

IBM support recommends that you remove any historical logs before you reproduce the issue.

  • Support advises the removal of any historical logs before you reproduce the issue. This approach can greatly help the analysis of the logs and ensures that support is focused on the reported issue. Unlike WebSphere traces, Java custom properties require a JVM restart to take effect.

Enabling Traces

On the JVM observing the error, warning, or exception, use the instructions on Setting up a trace in WebSphere Application Server to set the following trace specification:
*=info:com.ibm.ws.security.policy.*=all:com.ibm.ws.security.core.SecurityManager=all

Enable the com.ibm.websphere.java2secman.norethrow Java custom property

  • The norethrow property is best used for debug purposes, as it instructs the security manager not to throw an AccessControl exception.
  • When the com.ibm.websphere.java2secman.norethrow property is set to true, Java 2 security is not enforced. This property is not recommended for production environments because it weakens the integrity that Java 2 security is intended to produce. However, this property can be used to iteratively resolve permission issues by adjusting the statements within the policy files.
  • In the administrative console, navigate to the Java Virtual Machine Custom properties, then set the following custom property:
    Name: com.ibm.websphere.java2secman.norethrow
    Value: true 

    • Navigation for WebSphere Application Server for IBM® i and distributed platforms
      • Application server
        Servers > Server Types > WebSphere Application Servers > server_name > Expand Java and Process Management (under Server Infrastructure) > Process definition > Java Virtual Machine > Custom properties > New...
      • Deployment Manager
        System Administration > Deployment manager > Expand Java and Process Management (under Server Infrastructure) > Process definition > Java Virtual Machine > Custom properties > New...
      • Node Agent
        System Administration > Node agents > (pick a node agent) > Expand Java and Process Management (under Server Infrastructure) > Process definition > Java Virtual Machine > Custom properties > New...
    • Navigation for WebSphere Application Server for z/OS
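For the iterative policy adjustment described above, the following added example (not IBM code and not part of the original document) collects denied permissions from log text and renders candidate policy statements for review. It assumes the gathered logs contain the JDK's `access denied ("class" "name" "actions")` message text; the sample lines are constructed, and the function names and the `file:${application}` codeBase are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log text (not from a real server). Assumes the JDK's
# AccessControlException wording: access denied ("<class>" "<name>" "<actions>")
SAMPLE_LOG = r'''
java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/app/conf/app.properties" "read")
java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/app/conf/app.properties" "write")
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "user.home" "read")
java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/app/conf/app.properties" "read")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
'''

# Permission class, then optional name and optional actions, each double-quoted.
DENIED = re.compile(r'access denied \("([\w.$]+)"(?: "([^"]*)")?(?: "([^"]*)")?\)')

def collect_denials(log_text):
    """Map (permission class, name) -> set of denied actions, de-duplicated."""
    found = defaultdict(set)
    for cls, name, actions in DENIED.findall(log_text):
        found[(cls, name)].update(a.strip() for a in actions.split(",") if a.strip())
    return dict(found)

def to_policy_lines(denials):
    """Render one candidate 'permission' statement per (class, name) pair."""
    lines = []
    for (cls, name), actions in sorted(denials.items()):
        entry = "permission " + cls
        if name:
            # Policy file syntax treats backslash as an escape, so double it.
            entry += ' "' + name.replace("\\", "\\\\") + '"'
        if actions:
            entry += ', "' + ",".join(sorted(actions)) + '"'
        lines.append(entry + ";")
    return lines

def grant_block(lines, code_base):
    """Wrap the statements in a grant entry for the given codeBase URL."""
    body = "\n".join("  " + line for line in lines)
    return 'grant codeBase "%s" {\n%s\n};' % (code_base, body)

if __name__ == "__main__":
    # "file:${application}" is an assumed codeBase; review each statement and
    # narrow it to what the application documents before adding it to a policy.
    print(grant_block(to_policy_lines(collect_denials(SAMPLE_LOG)), "file:${application}"))
```

Compare the generated statements against the application's documented resource requirements (diagnostic question 3) before placing any of them in was.policy or app.policy.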


Document Information

Modified date:
31 May 2023

UID

swg21199333