IBM Support

IIS 7.x - File permissions for the WebSphere Application Server Web server plug-in

Question & Answer


Question

In some cases, problems observed with the loading or run-time function of the WebSphere Application Server Web server plug-in for Internet Information Services (IIS) may be due to file permissions. What file permissions are required for the plug-in to function properly with IIS 7.x on Microsoft Windows Server 2008, Microsoft Windows Vista and Microsoft Windows 7?

Answer


Determining the IIS Application Pool Identity

To verify that the plug-in is configured with the correct file permissions it is first necessary to determine the Windows account that is being used to load the plug-in. At run-time, this account is referred to as an IIS Worker Process Identity. Within the IIS configuration itself, it is known as the Application Pool Identity.

Perform the following steps to determine the Application Pool Identity (account) being used to load the plug-in:

  1. Launch the IIS Manager application.

  2. From the connections pane, expand the "Server" node, then expand the "Sites" node. Select the web site intended for use with the plug-in and click "Basic Settings" from the actions pane.

  3. Make a note of the "Application pool" field value in this dialog, then click Cancel.

  4. From the connections pane, select the "Application Pools" node. From the features pane, locate the Application Pool name from step 3 and make a note of its "Identity" column value. This is the account which is responsible for loading the plug-in.

The following table shows each of the built-in IIS 7.x Application Pool Identities and their corresponding File System Account names:

| Application Pool Identity | File System Account Name |
|---|---|
| LocalService | LOCAL SERVICE |
| LocalSystem | SYSTEM |
| NetworkService | NETWORK SERVICE |
| ApplicationPoolIdentity | IIS AppPool\[app_pool_name] |

* NOTE: An example of the File System Name for "ApplicationPoolIdentity" would be:

IIS AppPool\DefaultAppPool
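
The four IIS Manager steps above can also be scripted. The following PowerShell is an added example, not IBM code; it assumes the WebAdministration module is available and an elevated session, and the function name and sample site name are illustrative.

```powershell
# Added example, not IBM code. Assumes the WebAdministration module is
# available and the session is elevated. Get-PluginLoaderAccount is a
# hypothetical helper name.
Import-Module WebAdministration

function Get-PluginLoaderAccount {
    param([Parameter(Mandatory = $true)][string]$SiteName)

    # Steps 2-3: the application pool assigned to the site ("Basic Settings")
    $poolName = (Get-Item "IIS:\Sites\$SiteName" -ErrorAction Stop).applicationPool

    # Step 4: the pool's "Identity" column comes from its processModel
    $pm = (Get-Item "IIS:\AppPools\$poolName" -ErrorAction Stop).processModel

    # Map the identity to the File System Account Name from the table above
    $account = switch ("$($pm.identityType)") {
        'LocalService'            { 'LOCAL SERVICE' }
        'LocalSystem'             { 'SYSTEM' }
        'NetworkService'          { 'NETWORK SERVICE' }
        'ApplicationPoolIdentity' { "IIS AppPool\$poolName" }
        'SpecificUser'            { $pm.userName }   # custom account, not in the table
        default { throw "Unexpected identityType: $($pm.identityType)" }
    }

    New-Object PSObject -Property @{
        Site         = $SiteName
        AppPool      = $poolName
        IdentityType = "$($pm.identityType)"
        Account      = $account
    }
}

# 'Default Web Site' is a sample site name
Get-PluginLoaderAccount -SiteName 'Default Web Site'
```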


NTFS Permissions for the plug-in

The following table lists the primary plug-in related files / folders and the minimum NTFS Permissions required for the Application Pool Identity account identified above:

* NOTE: The "Special Permissions" values are the granular level permissions which comprise the main "Permissions" values.

| File / Folder | Permissions | Special Permissions |
|---|---|---|
| Plug-in binary file: iisWASPlugin_http.dll | Read & execute; Read | Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Read permissions |
| Plug-in location file: plugin-cfg.loc | Read | List folder / read data; Read attributes; Read extended attributes; Read permissions |
| Plug-in config file: plugin-cfg.xml | Read | List folder / read data; Read attributes; Read extended attributes; Read permissions |
| Plug-in keystore files: plugin-key.* | Read | List folder / read data; Read attributes; Read extended attributes; Read permissions |
| Plug-in log directory: [plugins_install_root]\logs\[website] | Read; Write | List folder / read data; Read attributes; Read extended attributes; Create files / write data; Create folders / append data; Write attributes; Write extended attributes; Read permissions |

Default File Locations

plugins_install_root = C:\Program Files\IBM\WebSphere\Plugins

..\bin\IIS_webserver1\iisWASPlugin_http.dll
..\bin\IIS_webserver1\plugin-cfg.loc
..\config\webserver1\plugin-cfg.xml
..\config\webserver1\plugin-key.kdb
..\config\webserver1\plugin-key.sth
..\config\webserver1\plugin-key.rdb
..\config\webserver1\plugin-key.crl
..\logs\webserver1\
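
The minimum permissions table can be checked against the default file locations with a script. The following PowerShell is an added example, not IBM code; it assumes an elevated session and the default paths listed above, and reports both missing rights and rights beyond the minimum (for example, write access to the keystore or configuration file).

```powershell
# Added example, not IBM code. Test-PluginAcl is a hypothetical helper name.
# It inspects only ACEs that name the account directly; rights gained through
# group membership still need the "Effective Permissions" check.
function Test-PluginAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Account,  # File System Account Name
        [string]$Root      = 'C:\Program Files\IBM\WebSphere\Plugins',
        [string]$WebServer = 'webserver1'                # default name used on this page
    )
    $R   = [System.Security.AccessControl.FileSystemRights]
    $Sid = [System.Security.Principal.SecurityIdentifier]
    $accountSid = (New-Object System.Security.Principal.NTAccount($Account)).Translate($Sid).Value

    # Minimum rights from the table: Read & execute, Read, or Read + Write
    $read = [int]$R::Read
    $minimum = @(
        @{ Path = "$Root\bin\IIS_$WebServer\iisWASPlugin_http.dll"; Need = [int]$R::ReadAndExecute },
        @{ Path = "$Root\bin\IIS_$WebServer\plugin-cfg.loc";        Need = $read },
        @{ Path = "$Root\config\$WebServer\plugin-cfg.xml";         Need = $read },
        @{ Path = "$Root\config\$WebServer\plugin-key.*";           Need = $read },
        @{ Path = "$Root\logs\$WebServer";                          Need = $read -bor [int]$R::Write }
    )
    foreach ($entry in $minimum) {
        $items = @(Get-Item -Path $entry.Path -ErrorAction SilentlyContinue)
        if ($items.Count -eq 0) { Write-Warning "Not found: $($entry.Path)" }
        foreach ($item in $items) {
            $allow = 0; $deny = 0
            foreach ($ace in (Get-Acl -Path $item.FullName).GetAccessRules($true, $true, $Sid)) {
                if ($ace.IdentityReference.Value -ne $accountSid) { continue }
                # Inherit-only ACEs on a folder do not apply to the folder itself
                if ("$($ace.PropagationFlags)" -match 'InheritOnly') { continue }
                if ("$($ace.AccessControlType)" -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
                else { $deny = $deny -bor [int]$ace.FileSystemRights }
            }
            # Simplification: any Deny wins over Allow; Synchronize is ignored
            $granted = $allow -band (-bnot $deny) -band (-bnot [int]$R::Synchronize)
            $missing = $entry.Need -band (-bnot $granted)
            $excess  = $granted -band (-bnot $entry.Need)
            New-Object PSObject -Property @{
                Path    = $item.FullName
                Missing = [Enum]::ToObject($R, $missing)
                Excess  = [Enum]::ToObject($R, $excess)
            }
        }
    }
}

Test-PluginAcl -Account 'IIS AppPool\DefaultAppPool' | Format-List Path, Missing, Excess
```

A value of 0 in both Missing and Excess means the account's direct ACEs match the table exactly; a non-zero Missing may still be satisfied through group membership.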



Verifying Effective Permissions

Because permissions can be granted both explicitly and via group membership, to estimate the current total permissions for an account on a file or folder, it is recommended to check the "Effective Permissions" for that account.



Perform the following steps to check "Effective Permissions":
  1. Right-click the desired file or folder and choose Properties.

  2. Select the 'Security' tab and click on the 'Advanced' button.

  3. Select the 'Effective Permissions' tab and click the 'Select' button.

  4. Ensure that 'Object Types' has all three values selected (User, Group, or Built-in security principal) and that 'Locations' is set to the local machine.

  5. In the 'Enter the object name...' field, type in the Application Pool Identity's "File System Account Name". Refer to the table under the 'Determining the IIS Application Pool Identity' section for a listing of these account names.

  6. Click the 'Check Names' button and ensure the typed value becomes underlined. Then click OK.

  7. The resulting list of Effective permissions shows which, if any, special permissions are granted for the given account. Refer to the "Special Permissions" listed in the table above for comparison.


Document Information

Modified date:
15 June 2018

UID

swg21443293