Implementing Java 2 security

If you run IBM® Maximo® Asset Management in an IBM WebSphere® Application Server Network Deployment environment, you can enable Java™ 2 security.

About this task

Java 2 security uses policy files to determine the permissions that are granted to each Java program. By default, WebSphere Application Server security reads an app.policy file that is located in each node and grants the permissions in the file to all the applications. If an application requires additional permissions, the was.policy file is required.

To implement Java 2 security, a set of policy files needs to be defined that contain the permissions that are needed for Maximo Asset Management to work correctly. For example, Maximo Asset Management uses a custom class loader mechanism for loading BIRT report framework code and Scheduler Optimization code. You might need to change policy permissions to give access to network resources such as database servers, the file system where attachments are stored, or temporary folders where files are written. These permissions require additional setup in the Java 2 security policy files.

This release includes three policy files that administrators can use to enable Java 2 security. The following three files are located in the \applications\maximo\META-INF folder:
was.policy
A was.policy file is needed when an application accesses resources that require more permissions than the permissions that are granted in the default app.policy file. The default was.policy file that is provided with the product does not support Java 2 security. If you implement Java 2 security, you must rename this file so that it is no longer recognized as the was.policy file. You can keep the file that you renamed as a backup.
was.policy.maximo_permissions
This file is provided to help you enable Java 2 security. To implement Java 2 security, you must rename this file to was.policy and modify it to meet the needs of your deployment. For example, the file contains IP addresses that need to be restricted.

Instructions for modifying the file are provided in the file itself. Instructions are included for Windows and Linux® operating systems, but the instructions for Linux operating systems are commented out.

was-maximo.policy.was_and_maximo_permissions
When you implement Java 2 security, you must copy this file to a temporary location, rename the file to was-maximo.policy, and configure it for your environment. Copy this policy file to a temporary location on every WebSphere Application Server that is being configured.

Instructions for modifying the file are provided in the file itself. Instructions are included for Windows and Linux operating systems, but the instructions for Linux operating systems are commented out. Some environments might require additional permissions that are not included in the file.

Repeat the following procedure for every WebSphere Application Server that is being configured.

Procedure

  1. In the \applications\maximo\META-INF folder, rename the was.policy file to a new file name, such as was_old.policy.
  2. Rename the was.policy.maximo_permissions file to was.policy.
  3. Update the new was.policy file to meet the needs of your deployment.
  4. Rebuild and redeploy the EAR file.
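
An added example, not part of IBM's documentation or the shipped policy files: a Python check to run on the edited was.policy before it is rebuilt into the EAR file, flagging grants that are broader than a specific host, port, or directory. The policy text, host, port, and path are constructed, the function names are hypothetical, and the three rules are one reasonable choice of what to treat as too broad.

```python
import re

# Constructed sample in Java policy-file syntax; host, port and paths are
# placeholders, not values from the product's was.policy.maximo_permissions.
SAMPLE_POLICY = r'''
// attachments and database access
grant codeBase "file:${application}" {
  permission java.io.FilePermission "C:\\doclinks\\-", "read,write,delete";
  permission java.net.SocketPermission "10.0.0.15:50000", "connect,resolve";
  permission java.net.SocketPermission "*", "connect,resolve";
  permission java.io.FilePermission "<<ALL FILES>>", "read";
};
grant {
  permission java.security.AllPermission;
};
'''

TOKEN = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
GRANT = re.compile(r'\bgrant\b((?:[^{"]|"[^"]*")*)\{((?:[^}"]|"[^"]*")*)\}\s*;')
PERM = re.compile(r'\bpermission\s+([\w.$]+)((?:\s*,?\s*"[^"]*")*)\s*;')

def strip_comments(text):
    # Drop // and /* */ comments but leave quoted strings (paths, URLs) intact.
    return TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else '', text)

def audit_policy(text):
    """Return (codeBase, permission class, target, reason) for over-broad grants."""
    findings = []
    for head, body in GRANT.findall(strip_comments(text)):
        cb = re.search(r'codeBase\s+"([^"]*)"', head)
        code_base = cb.group(1) if cb else "(all code)"  # no codeBase: applies to all code
        for cls, args in PERM.findall(body):
            quoted = re.findall(r'"([^"]*)"', args)
            target = quoted[0] if quoted else ""
            reason = None
            if cls == "java.security.AllPermission":
                reason = "grants every permission"
            elif cls == "java.net.SocketPermission" and target.startswith("*"):
                reason = "wildcard host"
            elif cls == "java.io.FilePermission" and target == "<<ALL FILES>>":
                reason = "whole file system"
            if reason:
                findings.append((code_base, cls, target, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(*finding, sep=" | ")
```

An empty result means none of the three patterns is present; it does not show that the remaining grants are as narrow as the deployment allows.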

Updating was-maximo.policy.was_and_maximo_permissions

After you update the was.policy file, you must also update the was-maximo.policy.was_and_maximo_permissions file.

About this task

Repeat the following procedure for every WebSphere Application Server that is being configured.

Procedure

  1. Copy the was-maximo.policy.was_and_maximo_permissions file to a temporary location, for example C:\temp.
  2. Rename the was-maximo.policy.was_and_maximo_permissions file to was-maximo.policy.
  3. Rebuild and redeploy the EAR file.
  4. In the WebSphere Admin Console for the server, go to Java and Process Management > Process definition > Java Virtual Machine.
  5. In the Generic JVM arguments text box, specify the policy file and supply the appropriate parameters for your installation, as shown in the following example:
    -Djava.security.policy=c:/temp/was-maximo.policy -Djava.security.manager 
    -Dmaximo.was.profilename=ProfileName -Dmaximo.was.nodename=NodeName 
    -Dmaximo.was.servername=ServerName -Dmaximo.was.appname=AppName 
    -Dmaximo.was.cellname=CellName
    -Dmaximo.was.lightning.appname=LightningAppName
    When you add the preceding policy file information, ensure that you complete the following steps:
    • Replace the following parameters with the specific names for your environment:
      • ProfileName
      • NodeName
      • ServerName
      • AppName
      • CellName
      • LightningAppName
    • Enter the correct path for the location to which you moved the was-maximo.policy file.

What to do next

For Cognos® reporting, a network permission call is needed to create metadata and to publish packages that use Maximo endpoint functions. Security permission must be added for the MXCOGNOS endpoint publishing URL.