Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts

Sunday, 31 January 2016

XPages on IBM Bluemix - working with wrong ID file

This is an easy one, but I still think it is worth mentioning all the different findings about a new technology like IBM Bluemix. During my tests with XPages on IBM Bluemix, I once made a little mistake. I forgot to switch to the IBM Bluemix ID file before I started modifying the design of the Bluemix app.



Obviously this is easily possible within Domino Designer. I was also able to deploy my changes to IBM Bluemix, but the new XPage could not be called due to an access issue we know from our good old domino environment too!


Signing the design element and another deployment to Bluemix solved the issue.
Good old Domino security - makes perfectly sense to me :-) It would be really nice to have an option to sign the design during the deployment process though!
(BTW: this is a rather old post which was still unpublished - but I think the deployment process is still the same)
Posted by at 2 comments:
Labels: , , , , , ,

Tuesday, 17 March 2015

Apply Java Permissions to Domino Agents at runtime - again ;-)

This post is supposed to be read by developers only. Admins, please move on ;-)

I have an agent which is used to make SFTP file transfers from Domino to our corporate SAP system. It's an interesting project and I am exploring new stuff on a daily basis :-)

One technical issue I had to solve was this:
The agent opens an SFTP session on a remote host. Unfortunately this is forbidden by Java Policies specified in the java.policy file of the JVM of the Domino server.
The error is
java.lang.SecurityException: not allowed to make a socket connection to MYHOST.MYDOMAIN.COM,-1

So I started to dig into java.policy and java.pol files. And to be honest I was not that much pleased about the whole thing. At first I started to grant ANY permissions in the global section of my policy file:


 grant {   
  ...  
  permission java.security.AllPermission;  
  ...  
 };

This works but it goes a bit over the top for a productive environment... Therefore I started to tweak the policies to only allow one specific application the network operations required to do the job. Honestly, it's been painful... I think I got it more or less configured properly. But given the fact that we run the application in three different environments (DEV/TEST/PROD) on multiple servers I hardly could imagine a proper rollout scenario. I always thought one of the major strengths of domino and NSF was that usually the design and resides in a single database - and the configuration usually resides in the application, a few system databases (+ notes.ini).

There must be an easier way to grant my code the execution rights it needs.
I finally found a solution to grant my code the needed execution rights at runtime of the agent. There is a whole Java package for handling the permissions - and in my particular case I was looking for SocketPermissions. The code to grant a socket permission is pretty straight forward:

 String hostAndPort = "myhost.mydomain.com:22";   
 SocketPermission p = new SocketPermission(hostAndPort,  
       "accept,connect,resolve");


This will allow my code to make a network connection to the specified host on the specified port. There might be neater solutions to that problem and not every admin would be happy about that. In my opinion it is not very consistent for what you need to grant permissions in policy files (like network connects) but on the other hand file handling can be allowed on the agent security (Allow restricted operations).


Posted by at No comments:
Labels: , , , , , ,
Subscribe to: Posts (Atom)