Middle-Tier Security

Configuring and Deploying Restrictive Policy Files

An express or typical installation completed with the SAS Deployment Wizard creates a SAS environment that does not use restrictive policy files to limit the access given to SAS Web applications. By default, the sas.all.permissions.policy file is used to allow access to the SAS Web applications. As a result, SAS Web applications can access the necessary content.

Java 2 Security provides a policy-based, fine-grain access control mechanism that increases overall system integrity by checking for permissions before allowing access to certain protected system resources. By default, Java 2 Security is turned off. If your site requires Web applications to use Java 2 Security, the custom installation option in the SAS Deployment Wizard enables you to configure your SAS environment with restrictive policy files.

A custom installation of SAS 9.2 software gives you the opportunity to select the use of restrictive policy files for JBoss or IBM WebSphere application servers. Although WebLogic provides restrictive policy files, implementation of these policy files is problematic, and they cannot be used in the SAS 9.2 environment. Therefore, SAS 9.2 does not support restrictive policy files for WebLogic.

Your Instructions.html file provides basic guidelines for creating policy files from existing sample files, saving those files, and rebuilding the applications. If you chose not to enforce restrictive policy files at the time of initial installation, choose from one of the following methods for configuring restrictive policy files:

Use the SAS Deployment Manager to remove the existing configuration of your SAS environment. Then, reconfigure the environment by choosing the custom installation option in SAS Deployment Wizard. The custom installation option enables you to configure restrictive policy files. This method, which is highly recommended, offers the most dependable and thorough approach to ensure that your SAS environment is set up correctly to use the Java 2 Security and restrictive policy files.
Manually configure and enforce the use of restrictive policy files. Follow this method if your site has significantly large amounts of custom content, and the previously described method is not feasible at your site.

CAUTION:: SAS strongly discourages the use of restrictive policy files on SAS middle-tier applications because they provide no end-user security, they are difficult to maintain, and they can be very detrimental to application performance.

The SAS Deployment Wizard implements the following restrictive policies by using different methods for JBoss and WebSphere:

JBoss application server. When policy files are edited and the SAS Web applications are rebuilt by using the SAS Deployment Manager, the edits made to the policy files are united into a single policy file (sas.restrictive.permissions.policy) that is applied to JBoss.
WebSphere. Policy files for WebSphere are applied to each EAR file. Each policy file's inputs are placed into the corresponding EAR file as a was.policy file.

Example Policy Files for JBoss and WebSphere

SAS applications provide policy files (example.policy) for JBoss and WebSphere in the SAS-configuration-directory\Lev1\Web\Common\SASServer1\Application-name\PolicyFileInputs\ears directory. These example.policy files contain default restrictive policy settings. You do not edit policy files directly. Instead, you make a copy of the example.policy file, rename the copied file as policy, and edit the policy file. If the policy file exists, it is used to implement restrictive policies. See Create Restrictive Policies for JBoss.

Note: The united example.policy file for JBoss is located in the SAS-configuration-directory\Lev1\Web\Commons\SASServer1\JBoss\PolicyFileInputs\ears directory. [cautionend]

The following table shows the directory paths for the JBoss and WebSphere policy files with security restrictions for SAS applications.

Policy Files with Security Restrictions for JBoss and WebSphere
Application	Location of example.policy below \Lev1\Web\Common\SASServer1 Directory
SAS Information Delivery Portal	SASPortal4.2\PolicyFileInputs\ears\sas.portal\
SAS Web Report Studio	SASWebReportStudio4.2\PolicyFileInputs\ears\ sas.webreportstudio\
SAS Content Server	SASContentServer9.2\PolicyFileInputs\ears\ sas.wip.scs\
SAS Shared Services	SASSharedServices9.2\PolicyFileInputs\ears\ sas.shared\
SAS Stored Process Application	SASStoredProcessApplication9.2\PolicyFileInputs\ears\ sas.storedprocess\
SAS WebInfrastructure Platform	SASWebInfrastructurePlatformApplications9.2\ PolicyFileInputs\ears\ sas.wip.apps\
SAS Web OLAP Viewer	SASWebOLAPViewer4.2\PolicyFileInputs\ears\ sas.webolapviewer\
SAS BI Dashboard	SASBIDashboard4.2\PolicyFileInputs\ears\ sas.bidashboard\
SAS BI Portlets (table note 1)	SASBIPortlets4.2\PolicyFileInputs\ears\ sas.biportlets\
SAS Package Viewer	SASPackageViewer4.2\PolicyFileInputs\ears\ sas.packageviewer\
SAS Preferences	SASPreferences9.2\CustomContent\wars\ sas.preferences\
SAS Help Viewer for the Web	SASWebDoc9.2\PolicyFileInputs\ears\sas.webdocmd\
SAS OnlineDoc for the Web	SAS-installation-directory\Documentation\9.2\onlinedocweb\
SAS Stored Process	SASStoredProcessApplication9.2\CustomContent\wars\ sas.storedprocess\

TABLE NOTE 1: Available in the October 2009 Release.

Create Restrictive Policies for JBoss

To create a restrictive policy file for JBoss, follow these steps for each applicable SAS application's policy file:

Make a copy of the example.policy file in the same directory and name the copied file as policy. If you need to edit the restrictive policy settings for JBoss, make a copy of the example.policy, rename it as policy, and save the renamed file in the SAS-configuration-directory\Lev1\Web\Common\jboss\PolicyFileInputs directory.

Note: SAS OnlineDoc for the Web is not delivered with the SAS Intelligence Platform, and is deployed separately. To apply Java permissions to SAS OnlineDoc for the Web, make a copy of the example.policy in the SAS-installation-directory\Documentation\9.2\onlinedocweb directory, name the copied file policy, and place the renamed file within the same directory. Then, copy the contents of the policy file for SAS Online Doc for the Web directly to the JBoss policy file.
Edit the policy file that you created from the original example.policy file. Policy files must use UTF-8 character encoding.
Run the SAS Deployment Manager to rebuild SAS Web applications. Select JBoss and any applications for which you have edited the restrictive policy file. Rebuilding for JBoss will recreate the Java 2 security policy file, and the sas.restrictive.permissions.policy. For information about how to rebuild Web applications, see Rebuilding the SAS Web Applications. If you are using the second maintenance release for SAS 9.2 and rebuilding Web applications, the EAR files are automatically exploded. Previously, in SAS 9.2, this was not the case.

Note: SAS Online Doc for the Web is not rebuilt or redeployed via SAS Deployment Manager. You must manually rebuild and redeploy SAS Online Doc for the Web. For information about manual deployment of the application, see Deploying SAS OnlineDoc Manually for the Web.
If you perform an auto-configuration of JBoss, restart the JBoss application server. If you want to follow a manual process, copy the sas.restrictive.permissions.policy file located in the SAS-configuration-directory\Lev1\Web\Common\jboss directory to the JBoss-installation-directory\server\SASServer1\conf directory. Then restart JBoss.

Create Restrictive Policies for WebSphere

To convert a SAS 9.2 environment that does not use restrictive policies to an environment where restrictive policies are applied, you modify the policy file for each SAS application that has a EAR file associated with it.

Note: SAS OnlineDoc for the Web is not delivered with the SAS Intelligence Platform, and it is deployed separately. The was.policy file for SAS OnlineDoc for the Web already contains the appropriate restrictive policies, and is included in the EAR file for WebSphere. Therefore, you do not edit any policies for SAS OnlineDoc for the Web. [cautionend]

Although the following procedure applies to the policy file for SAS Information Delivery Portal, you can follow the same steps by substituting the appropriate directories for the policy file that applies to each SAS application. To convert from all permissions to restrictive permissions for SAS applications, follow these steps:

In the WebSphere Admin Console, navigate to Security Secure administration, applications, and infrastructure. Enable Java 2 Security by selecting the check box Use Java 2 Security to restrict application access to local resources. Save your changes.
Make a copy of the example.policy file located in the SAS-configuration-directory\Lev1\Web\Common\SASServer1\SASPortal4.2\PolicyFileInputs\ears

\sas.portal directory, name the copied file as policy, and save this file in the same directory where example.policy file resides.
For all SAS applications for which you want to implement restrictive policies (with the exception of SAS OnlineDoc for the Web), edit the policy file that you created from the original example.policy file, and make any changes that should apply to your site. Save the modified policy file in the SAS-configuration-directory\Lev1\Web\Common\SASServer1\SASPortal4.2\PolicyFileInputs\ears

\sas.portal directory. Policy files must use UTF-8 character encoding.
Run the SAS Deployment Manager to rebuild the SAS Web applications (select the applications for which the policy files were modified). For information about how to rebuild Web applications, see Rebuilding the SAS Web Applications. The edited policy files are stripped of all comments, and their contents are inserted into the appropriate EAR file as a was.policy file. When you rebuild the Web applications, SAS Deployment Manager rebuilds a complete EAR file that includes any new content that was added to the policy files.

Note: SAS OnlineDoc for the Web is not rebuilt or redeployed via SAS Deployment Manager. You must manually rebuild and redeploy SAS OnlineDoc for the Web. For information about manual deployment of this application, see Deploying SAS OnlineDoc Manually for the Web.
Using the WebSphere Admin Console, redeploy each SAS Web application that was modified previously.
Using the WebSphere Admin Console, restart the Web application server.

Restore Your SAS Environment to Use Default Policies

If you customized your SAS environment by implementing the use of restrictive policy files, and you determined that the policy restrictions are unnecessary or that the performance impact is debilitating, you can restore your SAS environment to use default policies. To turn off restrictive policies and the use of Java 2 Security in your SAS environment, follow these steps:

Use the SAS Deployment Manager to remove the current configuration of your SAS environment.
Use the SAS Deployment Wizard to configure your SAS environment by not selecting the option to use restrictive policy files.

It is highly recommended that you use the SAS Deployment Manager and the SAS Deployment Wizard to complete the process of disabling restrictive policy files. However, if your site contains large amounts of custom content, or there are other reasons that require you to manually disable restrictive policy handling, see the following topics:

Disable Restrictive Policy Handling for JBoss

To manually disable the use of SAS restrictive policy files for JBoss, follow these steps:

On Windows, access the SASServer1.bat file located in the JBoss-home-directory\bin directory. On UNIX, access the SASServer1.sh file located in the JBoss-home-directory\bin directory.
In the section JAVA_OPTS line located within the start_as_script section, remove the following parameters:
```
--Djava.security.manager-Djava.security.policy=
```
JBoss-home-directory\server\SASServer1\sas.restrictive.permissions.policy
Restart the JBoss application server.

If JBoss is running as a Windows service, follow these steps to remove restrictive policy files:

On Windows, access the wrapper.conf file located in the JBoss-home-directory\server\SASServer1 directory.
Remove the following parameters in the wrapper.conf file:
```
wrapper.java.additional.##=-Djava.security.manager
wrapper.java.additional.##=Djava.security.policy=
```
JBoss-home-directory\server\SASServer\conf\sas.restrictive.permissions.policy
Restart the JBoss application server.

Disable Restrictive Policy Handling for WebSphere

To manually disable SAS restrictive policy handling for WebSphere, follow these steps:

Using the WebSphere Admin Console, navigate to Security Secure administration, applications, and infrastructure.
To disable Java 2 security deselect the check box for Use Java 2 security to restrict application access to local resources.
Restart the WebSphere application server.

Customize Permissions for Socket Access

For each application (Web or stand-alone) that needs to communicate with a SAS server, the Java policy files for the calling application include a permission to communicate with the SAS Server. By default, the example.policy files for each SAS Web application contain wildcard permission for socket access:

permission.java.net.SocketPermission "*",
"accept,connect,listen,resolve";

This wildcard permission enables the Java code in the applications to connect to any host or port that is accessible to your site's network topology. If you want to provide strong protection with custom access, you can create specific socket permissions for the hosts and ports that are accessed by an individual SAS Web application.

Access Permissions for Custom Portlets and Web Applications

About Access Permissions for Custom Portlets and Web Applications

If you implement a remote portlet or foundation service-enabled Web application, you must add additional permissions to each Web application component's codebase and define a codebase and permissions for the remote portlet or foundation service-enabled Web application.

The following sections show the permission statements that you must specify in each application or portlet's policy file in order to enable communication with its required servers and services.

CodeBase: <Remote Portlet or Web Application>

The localhost is the machine where the Web application server resides along with the metadata server and SAS Remote Services. When using a localhost, specify the permissions for the remote portlet or Web application's CodeBase:

access to the SAS Metadata Server:

When running on localhost, create an entry that contains the fully qualified host name.

// permission java.net.SocketPermission 
// "localhost:8561", "listen, connect, accept, resolve";

permission java.net.SocketPermission 
 <SAS Metadata Server's machine>:8561, 
 "listen, connect, accept, resolve";

access to the Java RMI server and remote SAS Foundation Services:

When running on localhost, create an entry that contains the fully qualified host name.

// permission java.net.SocketPermission 
// "localhost:1024-", "listen, connect, accept, resolve";

permission java.net.SocketPermission 
 <SAS Services application's machine name>:1024-, 
 "listen, connect, accept, resolve";

Access to the remote portlet or Web application's local SAS Foundation Services:

Always create an entry for both the localhost and fully qualified host name.

permission java.net.SocketPermission 
 "localhost:1024-", "listen, connect, accept, resolve";
permission java.net.SocketPermission 
 <remote portlet or Web application's machine name>:1024-, 
 "listen, connect, accept, resolve";

Access for foundation service-enabled applications that call this application to pass objects (via RMI to this application):

Create one entry per machine.
```
permission java.net.SocketPermission 
 <portal Web application's machine name>:1024-, 
 "listen, connect, accept, resolve";
```

Access to a SAS Stored Process, Workspace, or OLAP server:

Create one entry per machine.

permission java.net.SocketPermission 
 <SAS Workspace Server's machine name>:1024-, 
 		"connect, resolve";
permission java.net.SocketPermission 
 <SAS Stored Process Server's machine name>:1024-, 
 		"connect, resolve";
permission java.net.SocketPermission 
 <SAS OLAP Server's machine name>:1024-, 
 		"connect, resolve";

Access to the host and port where the SAS Web Application Themes is running:

// ---------- Socket Access to Themes ------------
 permission java.net.SocketPermission 
 Theme_host:Theme_Port:,
 "connect, resolve";

CodeBase: Portal

Access for foundation service-enabled applications that are called by this application to pass objects (via RMI) (for example, remote portlets, Web applications, and applications):

Create one entry per machine.

permission java.net.SocketPermission 
 <remote portlet/Web application's machine name>:1024-,
 "listen, connect, accept, resolve";

CodeBase: SASServices

The remoteservices.policy file is located in the SAS-configuration-directory \Lev1\web\applications\remoteservices directory. The following applies to connections with applications that use SAS Foundation Service session sharing:

permission java.net.SocketPermission 
 <remote portlet/Web application's machine name>:1024-,
 "listen, connect, accept, resolve";

Top of Page