Create and edit policy files with the policy tool

Java 2 Security uses several policy files to determine the permissions granted to each Java program. The Java development kit and the Java runtime environment provide the policytool graphical application to edit these policy files. While the policy tool is available as part of the iSeries IBM Developer Kit for Java, it is recommended that you run the policy tool on a workstation. The policy tool is located in the bin subdirectory of the Java development kit installation root or the Java runtime environment installation root.

It is recommended that you always use this tool to edit any policy file to guarantee the syntax of its contents. Syntax errors in the policy file cause an AccessControlException during server startup and application run time. Identifying the cause of an AccessControlException is not an easy task. Extreme care should be taken when editing these policy files.

  1. Start the policy tool from a command prompt. For example, on a Windows 32-bit system which has the JRE installed in a directory named java, enter this command on the command line:

    C:\java\jre\bin\policytool

  2. The PolicyTool window opens. The policy tool looks for the java.policy file in your home directory. If it does not exist, an error message displays. Click OK.

  3. If you want to edit an existing policy file, click File --> Open. Navigate to the policy file, select it, and click Open. The code base entries are listed in the window.

    If you want to create a new policy file, click File --> New.

  4. Create or modify a code base entry:

  5. Modify or add the permission specification:

    Perform these steps in the Permissions window:

    1. Select the permission from the Permission list. The selected permission displays. After a permission is selected, the Target Name, Actions, and Signed By fields automatically show the valid choices, or they enable text input in the right text input area.
    2. Select Target Name from the list, or enter the target name in the text field.
    3. Select Actions from the list.
    4. Enter a value in the Signed By field, if necessary.

      Note: The Signed By keyword is not supported in the following policy files: app.policy, spi.policy, library.policy, was.policy, and filter.policy. However, the Signed By keyword is supported in the following policy files: java.policy and server.policy. The Java Authentication and Authorization Service (JAAS) principal keyword is not supported in the app.policy, spi.policy, library.policy, was.policy, and filter.policy files. However, the JAAS principal keyword is supported in a JAAS policy file when it is specified by the Java Virtual Machine (JVM) system property, java.security.auth.policy.

    5. Click OK to close the Permissions window.

    The modified permission entries of the specified code base are displayed.

  6. Click Done to close the window. The modified code base entries are listed.

  7. Repeat steps 4 through 6 until you complete editing.

  8. Click File --> Save after you finish editing the file.

For more information about the policy tool, see Policy Tool (http://java.sun.com/j2se/1.3/docs/tooldocs/win32/policytool.html).
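The note in step 5 lists the policy files in which the Signed By and JAAS principal keywords are not supported. The following check is an added example, not part of the policy tool or of the product: it scans the text of a saved policy file for those keywords and for unbalanced braces. The function name lint_policy and the sample entry are constructed for illustration, and the check does not validate full policy syntax.

```python
import os
import re

# Policy files in which, per the note in step 5, the Signed By and JAAS
# principal keywords are not supported.
RESTRICTED = {"app.policy", "spi.policy", "library.policy",
              "was.policy", "filter.policy"}

# Quoted strings and // or /* */ comments. Strings are listed first so that
# a "file:///..." code base is not mistaken for the start of a comment.
NOISE = re.compile(r'"(?:[^"\\\n]|\\.)*"|//[^\n]*|/\*.*?\*/', re.DOTALL)
# Keyword as a standalone token, not a segment of a dotted class name.
KEYWORD = re.compile(r"(?<![\w.])(signedBy|principal)(?![\w.])", re.IGNORECASE)


def blank(match):
    """Replace a string or comment with spaces, keeping newlines for line numbers."""
    return re.sub(r"[^\n]", " ", match.group(0))


def lint_policy(filename, text):
    """Return (line, message) findings for the text of one policy file."""
    name = os.path.basename(filename)
    code = NOISE.sub(blank, text)
    findings = []
    if name.lower() in RESTRICTED:
        for m in KEYWORD.finditer(code):
            line = code.count("\n", 0, m.start()) + 1
            findings.append((line, f"{m.group(1)} keyword is not supported in {name}"))
    if code.count("{") != code.count("}"):
        findings.append((0, "unbalanced braces in grant entries"))
    return findings


# Constructed sample entry, not taken from a real installation.
SAMPLE = '''\
// constructed example entry
grant codeBase "file:///opt/sample/app.jar" {
  permission java.io.FilePermission "/tmp/signedBy.txt", "read";
  permission java.lang.RuntimePermission "queuePrintJob", signedBy "dev";
};
'''

if __name__ == "__main__":
    for policy_name in ("was.policy", "java.policy"):
        print(policy_name, lint_policy(policy_name, SAMPLE))
```

The same entry is reported when it is saved as was.policy and passes when it is saved as java.policy, where Signed By is supported.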