Configuring and Deploying Restrictive Policy Files

About Restrictive Policy Files

An express or typical installation completed with the SAS Deployment Wizard creates a SAS environment that does not use restrictive policy files to limit the access given to SAS Web applications. By default, the sas.all.permissions.policy file is used to allow access to the SAS Web applications. As a result, SAS Web applications can access the necessary content.
Java 2 Security provides a policy-based, fine-grain access control mechanism that increases overall system integrity by checking for permissions before allowing access to certain protected system resources. By default, Java 2 Security is turned off. If your site requires Web applications to use Java 2 Security, the custom installation option in the SAS Deployment Wizard enables you to configure your SAS environment with restrictive policy files.
A custom installation of SAS software gives you the opportunity to select the use of restrictive policy files for JBoss or WebSphere Application Server. Although WebLogic Server provides restrictive policy files, implementation of these policy files is problematic, and they cannot be used in the SAS environment. Therefore, SAS does not support restrictive policy files for WebLogic Server.
Your Instructions.html file provides basic guidelines for creating policy files from existing sample files, saving those files, and rebuilding the applications. If you chose not to enforce restrictive policy files at the time of initial installation, choose from one of the following methods for configuring restrictive policy files:
  • Use the SAS Deployment Manager to remove the existing configuration of your SAS environment. Then, reconfigure the environment by choosing the custom installation option in SAS Deployment Wizard. The custom installation option enables you to configure restrictive policy files. This method, which is highly recommended, offers the most dependable and thorough approach to ensure that your SAS environment is set up correctly to use the Java 2 Security and restrictive policy files.
  • Manually configure and enforce the use of restrictive policy files. Follow this method if your site has significantly large amounts of custom content, and the previously described method is not feasible at your site.
CAUTION:
SAS strongly discourages the use of restrictive policy files on SAS middle-tier applications because they provide no end-user security, they are difficult to maintain, and they can be very detrimental to application performance.
The SAS Deployment Wizard implements the following restrictive policies by using different methods for JBoss and WebSphere Application Server:
  • JBoss: When policy files are edited and the SAS Web applications are rebuilt by using the SAS Deployment Manager, the edits made to the policy files are united into a single policy file (sas.restrictive.permissions.policy) that is applied to JBoss.
  • WebSphere Application Server: Policy files for WebSphere Application Server are applied to each EAR file. Each policy file's inputs are placed into the corresponding EAR file as a was.policy file.

Example Policy Files for JBoss and WebSphere Application Server

SAS applications provide policy files (example.policy) for JBoss and WebSphere Application Server in the SAS-config-dir\Lev1\Web\Common\SASServer1\Application-name\PolicyFileInputs\ears directory. These example.policy files contain default restrictive policy settings. Do not edit policy files directly. Instead, copy the example.policy file, rename the copied file to policy, and edit the policy file. If the policy file exists, it is used to implement restrictive policies.
Note: The united example.policy file for JBoss is located in the SAS-config-dir\Lev1\Web\Common\SASServer1\JBoss\PolicyFileInputs\ears directory.
The following table shows the directory paths for the JBoss and WebSphere Application Server policy files with security restrictions for SAS applications.
Policy Files with Security Restrictions
Application
Location of example.policy below \Lev1\Web\Common\SASServer1 Directory
SAS Information Delivery Portal
SASPortal4.3\PolicyFileInputs\ears\sas.portal
SAS Web Report Studio
SASWebReportStudio4.3\PolicyFileInputs\ears\sas.webreportstudio
SAS Content Server
SASContentServer9.3\PolicyFileInputs\ears\sas.wip.scs
SAS Stored Process
SASStoredProcess9.3\PolicyFileInputs\ears\sas.storedprocess
SAS WebInfrastructure Platform Applications
SASWebInfrastructurePlatformApplications9.3\PolicyFileInputs\ears\sas.wip.apps
SAS WebInfrastructure Platform Services
SASWebInfrastructurePlatformServices9.3\PolicyFileInputs\ears\sas.wip.services
SAS Workflow
SASWorkflow9.3\PolicyFileInputs\ears\sas.workflow
SAS BI Dashboard
SASBIDashboard4.3\PolicyFileInputs\ears\sas.bidashboard
SAS BI Portlets
SASBIPortlets4.3\PolicyFileInputs\ears\sas.biportlets
SAS Package Viewer
SASPackageViewer4.3\PolicyFileInputs\ears\sas.packageviewer
SAS Help Viewer for the Web
SASWebDoc9.3\PolicyFileInputs\ears\sas.webdocmd

Create Restrictive Policies for JBoss

To create a restrictive policy file for JBoss, follow these steps for each applicable SAS application's policy file:
  1. Copy the example.policy file in the same directory and name the copied file policy.
  2. Edit the policy file that you created from the original example.policy file. Policy files must use UTF-8 character encoding.
  3. A restrictive policy file that is unique to JBoss is located in SAS-config-dir\Lev1\Web\Common\SASServer1\JBoss\PolicyFileInputs\ears\jboss.policy. If you need to modify this file, copy it to policy, and then edit it.
  4. Run the SAS Deployment Manager to rebuild SAS Web applications. Select JBoss and any applications for which you have edited the restrictive policy file. Rebuilding for JBoss re-creates the Java 2 security policy file, and the sas.restrictive.permissions.policy.
  5. Redeploy each SAS Web application that was modified previously.
  6. If you performed an auto-configuration of JBoss, restart the JBoss application server. If you want to follow a manual process, copy the sas.restrictive.permissions.policy file located in the SAS-config-dir\Lev1\Web\Common\jboss directory to the JBOSS_HOME\server\SASServer1\conf directory. Then restart JBoss.

Create Restrictive Policies for WebSphere

To convert an environment that does not use restrictive policies to an environment where restrictive policies are applied, modify the was.policy file for each SAS application that has a EAR file associated with it.
Although the following task applies to the policy file for SAS Information Delivery Portal, you can follow the same steps by substituting the appropriate directories for the policy file that applies to each SAS application.
To convert from all permissions to restrictive permissions for SAS applications, follow these steps:
  1. The webappsrv.policy.use_restrictive property that is stored in metadata must be updated and set to true. You can do this with the Metadata Browser window that is started with the METABROWSE command from a Base SAS session. Contact SAS Technical Support for more information about using the Metadata Browser window.
  2. In the Integrated Solutions Console, navigate to Securitythen selectSecure administration, applications, and infrastructure. Enable Java 2 Security by selecting the check box Use Java 2 Security to restrict application access to local resources. Save your changes.
  3. Copy the SAS-config-dir\Lev1\Web\Common\SASServer1\SASPortal4.3\PolicyFileInputs\ears\sas.portal\example.policy file to SAS-config-dir\Lev1\Web\Common\SASServer1\SASPortal4.3\CustomContent\ears\sas.portal\META-INF\was.policy.
    Tip
    You must create the META-INF directory that is specified in the destination path. Also, the file is renamed from example.policy to was.policy.
  4. Edit the was.policy file that you copied from the original example.policy file. Policy files must use UTF-8 character encoding. Remove comments from the was.policy file.
  5. Rename the SAS-home-dir\SASInformationDeliveryPortal\4.31\Configurable\ears\sas.portal\META-INF\was.policy.websphere.orig to was.policy.websphere.bak. You must perform this step so that the Web application is built with the was.policy file from the CustomContent directory path.
  6. Run the SAS Deployment Manager to rebuild the SAS Web applications (select the applications for which the policy files were modified). The edited was.policy files are inserted into the appropriate EAR files. When you rebuild the Web applications, SAS Deployment Manager rebuilds a complete EAR file that includes any custom content, including the was.policy file.
  7. Redeploy each SAS Web application that was modified previously.
  8. Restart the Web application server.

Restore Your SAS Environment to Use Default Policies

If you customized your SAS environment by implementing the use of restrictive policy files, and you determined that the policy restrictions are unnecessary or that the performance impact is debilitating, you can restore your SAS environment to use default policies. To turn off restrictive policies and the use of Java 2 Security in your SAS environment, follow these steps:
  1. Use the SAS Deployment Manager to remove the current configuration of your SAS environment.
  2. Use the SAS Deployment Wizard to configure your SAS environment by not selecting the option to use restrictive policy files.
It is highly recommended that you use the SAS Deployment Manager and the SAS Deployment Wizard to complete the process of disabling restrictive policy files. However, if your site contains large amounts of custom content, or there are other reasons that require you to manually disable restrictive policy handling, see the following topics:

Disable Restrictive Policy Handling for JBoss

To manually disable the use of SAS restrictive policy files for JBoss, follow these steps:
  1. On Windows, access the SASServer1.bat file located in the JBOSS_HOME\bin directory. On UNIX, the file is named SASServer1.sh.
  2. In the JAVA_OPTS variable that is located in the start_as_script section, remove the following parameters:
    —Djava.security.manager -Djava.security.policy=
    JBOSS_HOME\server\SASServer1\sas.restrictive.permissions.policy
  3. Restart the JBoss application server.
If JBoss is running as a Windows service, follow these steps to remove restrictive policy files:
  1. Edit the JBOSS_HOME\server\SASServer1\wrapper.conf file.
  2. Remove the following parameters in the wrapper.conf file:
    wrapper.java.additional.nn=-Djava.security.manager
    wrapper.java.additional.nn=Djava.security.policy=
    JBOSS_HOME\server\SASServer1\sas.restrictive.permissions.policy
  3. Restart the JBoss application server.

Disable Restrictive Policy Handling for WebSphere Application Server

To manually disable SAS restrictive policy handling for WebSphere Application Server, follow these steps:
  1. Using the Integrated Solutions Console, navigate to Securitythen selectSecure administration, applications, and infrastructure.
  2. To disable Java 2 security deselect the check box for Use Java 2 security to restrict application access to local resources.
  3. Restart the WebSphere application server.

Customize Permissions for Socket Access

For each application (Web or stand-alone) that needs to communicate with a SAS server, the Java policy files for the calling application include a permission to communicate with the SAS server. By default, the example.policy files for each SAS Web application contain wildcard permission for socket access:
permission.java.net.SocketPermission "*", "accept,connect,listen,resolve”;
This wildcard permission enables the Java code in the applications to connect to any host or port that is accessible to your site's network topology. If you want to provide strong protection with custom access, you can create specific socket permissions for the hosts and ports that are accessed by an individual SAS Web application.

Access Permissions for Custom Portlets and Web Applications

About Access Permissions for Custom Portlets and Web Applications

If you implement a remote portlet or foundation service-enabled Web application, you must add additional permissions to each Web application component's codebase and define a codebase and permissions for the remote portlet or foundation service-enabled Web application.
The following sections show the permission statements that you must specify in each application or portlet's policy file in order to enable communication with its required servers and services.

CodeBase: <Remote Portlet or Web Application>

The localhost is the machine where the Web application server resides along with the metadata server and SAS Remote Services. When using a localhost, specify the permissions for the remote portlet or Web application's CodeBase:
  • Access to the SAS Metadata Server:
    When running on localhost, create an entry that contains the fully qualified host name.
    // permission java.net.SocketPermission 
    // "localhost:8561", "listen, connect, accept, resolve";
    
    permission java.net.SocketPermission 
     <SAS Metadata Server's machine>:8561, 
     "listen, connect, accept, resolve";
    		
  • Access to the Java RMI server and remote SAS Foundation Services:
    When running on localhost, create an entry that contains the fully qualified host name.
    // permission java.net.SocketPermission 
    // "localhost:1024-", "listen, connect, accept, resolve";
    
    permission java.net.SocketPermission 
     <SAS Services application's machine name>:1024-, 
     "listen, connect, accept, resolve";
  • Access to the remote portlet or Web application's local SAS Foundation Services:
    Always create an entry for both the localhost and fully qualified host name.
    permission java.net.SocketPermission 
     "localhost:1024-", "listen, connect, accept, resolve";
    permission java.net.SocketPermission 
     <remote portlet or Web application's machine name>:1024-, 
     "listen, connect, accept, resolve";
  • Access for foundation service-enabled applications that call this application to pass objects (via RMI to this application):
    Create one entry per machine.
    permission java.net.SocketPermission 
     <portal Web application's machine name>:1024-, 
     "listen, connect, accept, resolve";
  • Access to a SAS Stored Process Server, SAS Workspace Server, or SAS OLAP Server:
    Create one entry per machine.
    permission java.net.SocketPermission 
     <SAS Workspace Server's machine name>:1024-, 
     		"connect, resolve";
    permission java.net.SocketPermission 
     <SAS Stored Process Server's machine name>:1024-, 
     		"connect, resolve";
    permission java.net.SocketPermission 
     <SAS OLAP Server's machine name>:1024-, 
     		"connect, resolve";
  • Access to the host and port where the SAS Web Application Themes is running:
    // ---------- Socket Access to Themes ------------
     permission java.net.SocketPermission 
     Theme_host:Theme_Port:,
     "connect, resolve";

CodeBase: Portal

Access for foundation service-enabled applications that are called by this application to pass objects (via RMI) (for example, remote portlets, Web applications, and applications):
Create one entry per machine.
permission java.net.SocketPermission 
 <remote portlet/Web application's machine name>:1024-,
 "listen, connect, accept, resolve";

CodeBase: SASServices

The remoteservices.policy file is located in the SAS-config-dir\Lev1\Web\Applications\RemoteServices directory. The following applies to connections with applications that use SAS Foundation Service session sharing:
permission java.net.SocketPermission 
 <remote portlet/Web application's machine name>:1024-,
 "listen, connect, accept, resolve";