
Foglight for Java EE Technologies 5.9.13 - Installation Guide


Managing permissions on remote filesystems

Before creating and activating an instance of the Java EE Integration Agent on a remote host, the user running the Agent Manager process must have permission to create the Installation directory (DEPLOYMENT_DIRECTORY).

Before submitting an integration task to a Java EE Integration Agent, the Java EE Integration Agent must be granted permission to make the necessary changes to application server files and to create backup copies of the files being changed. The following permissions must be granted to the user running the Agent Manager process (for the application server being integrated):

| Application server | Directory | Entry | Required permissions |
|---|---|---|---|
| | DEPLOYMENT_DIRECTORY | . | (managed) |
| | | .. | ugo+rwx |
| JBoss | JBOSS_HOME/bin | . | ugo+rwx |
| | | standalone.bat, domain.bat, run.bat, standalone.sh, domain.sh, run.sh | ugo+rw |
| Tomcat | CATALINA_HOME/bin | . | ugo+rwx |
| | | catalina.bat, catalina.sh | ugo+rw |
| WebLogic | WL_HOME/server/bin | . | ugo+rwx |
| | | startNodeManager.cmd, startManagedWebLogic.cmd, startWLS.cmd, startNodeManager.sh, startManagedWebLogic.sh, startWLS.sh | ugo+rw |
| WebLogic | DOMAIN_HOME/common/bin | . | ugo+rwx |
| | | startWebLogic.cmd, startWebLogic.sh | ugo+rw |
| WebSphere | PROFILE_HOME/bin | . | ugo+rwx |
| | | startServer.bat, startNode.bat, startManager.bat, setupCmdLine.bat, startServer.sh, startNode.sh, startManager.sh, setupCmdLine.sh | ugo+rw |
| WebSphere | PROFILE_HOME/properties | . | ugo+rwx |
| | | server.policy | ugo+rw |
| WebSphere | WAS_HOME/bin | . | ugo+rwx |
| | | setupCmdLine.bat, setupCmdLine.sh, startServer.sh, startNode.sh, startManager.sh | ugo+rw |

If the Agent Manager and Application Server processes use the same user, the "g" and "o" permissions can be omitted.

If the Agent Manager user is in the same group as the Application Server files being modified, the "u" and "o" can be omitted.

If the Agent Manager user is neither the same as the Application Server user nor in the same group, then the "o" permissions must be included.
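The three rules above come down to which single permission class (u, g or o) the filesystem applies to the Agent Manager user for a given file. The following is an added example, not part of the Foglight guide or product, that reports the narrowest change needed instead of a blanket ugo grant. The function names are hypothetical, and audit_path assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example (not Foglight code): report the narrowest chmod that gives the
# Agent Manager user the access the table asks for (rw on files, rwx on dirs).
# Function names are hypothetical; audit_path assumes GNU coreutils stat.

# perm_class AM_UID "AM_GIDS" OWNER_UID OWNER_GID -> prints u, g or o:
# the one permission class the filesystem applies to that user.
perm_class() {
    if [ "$1" = "$3" ]; then echo u; return; fi
    for gid in $2; do
        if [ "$gid" = "$4" ]; then echo g; return; fi
    done
    echo o
}

# class_digit CLASS MODE -> octal digit for that class. MODE is in the form
# printed by `stat -c %a`, which may have 1 to 4 digits (44, 644, 2775).
class_digit() {
    m=000$2
    m=${m#"${m%???}"}            # keep only the last three digits
    case $1 in
        u) echo "${m%??}" ;;
        g) m=${m#?}; echo "${m%?}" ;;
        o) echo "${m#??}" ;;
    esac
}

# required_change AM_UID "AM_GIDS" OWNER_UID OWNER_GID MODE NEED
# NEED is rw or rwx. Prints "ok" or the minimal symbolic mode to add.
required_change() {
    class=$(perm_class "$1" "$2" "$3" "$4")
    digit=$(class_digit "$class" "$5")
    case $6 in rwx) want=7 ;; rw) want=6 ;; *) return 2 ;; esac
    if [ $((digit & want)) -eq "$want" ]; then echo ok
    else echo "$class+$6"; fi
}

# audit_path PATH NEED: the same check for the current user on a real path.
audit_path() {
    info=$(stat -c '%u %g %a' "$1") || return 1
    set -- "$2" $info            # $1=NEED $2=owner uid $3=owner gid $4=mode
    required_change "$(id -u)" "$(id -G)" "$2" "$3" "$4" "$1"
}

if [ $# -eq 2 ]; then audit_path "$1" "$2"; fi
```

Run as the Agent Manager user, for example with a start script path and rw, it prints ok or a single change such as g+rw. An owner whose own bits are restrictive is reported as u+rw even when the "o" bits are wider, because only the owner class is consulted for the owner.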

Windows Services permissions

For integration of Windows Services, the Agent Manager user requires permission to run the regedit.exe executable in export or import modes on one or more registry keys, under the HKEY_LOCAL_MACHINE hive.

| Registry key (under HKEY_LOCAL_MACHINE) | | |
|---|---|---|
| System\CurrentControlSet\Services | Y | N |
| Software\Apache Software Foundation\Procrun 2.0\<service>\Parameters\Java | Y | Y |
| Software\JavaSoft\Java Runtime Environment | Y | N |
| Software\JavaSoft\Java Development Kit | Y | N |
| Software\Wow6432Node\Apache Software Foundation\Procrun 2.0\<service>\Parameters\Java | Y | Y |
| Software\Wow6432Node\JavaSoft\Java Runtime Environment | Y | N |
| Software\Wow6432Node\JavaSoft\Java Development Kit | Y | N |
| System\CurrentControlSet\Services\<service>\Parameters | Y | Y |

Permissions required by the application server user

The Java EE Integration Agent automatically sets permissions on the files and directories within the DEPLOYMENT_DIRECTORY so that they are readable by any other user on the remote filesystem. By default, only users in the same group as the Agent Manager (and the Agent Manager user itself) can create files within the DEPLOYMENT_DIRECTORY.

If the Application Server user is the same as the Agent Manager user, or belongs to the group owning the Agent Manager files, these category permissions do not need to be changed.

Otherwise, the For Other setting for Dynamic Directories should be changed to rwx (default r-x).

The Java EE Integration Agent manages file permissions using a set of six categories to apply particular permissions to particular types of files. Review the categories and the files they represent in the following table.

| Category | Files and directories covered |
|---|---|
| Stock Directories | config, lib, scripts, and their subdirectories within versioned homes; all parent directories of DEPLOYMENT_DIRECTORY created by the Agent Manager |
| Stock Files | All files within config and lib and their subdirectories |
| Stock Scripts | Non-customized copies of integrate.cmd, integrate.sh; files within versioned scripts directory. By default, stock scripts are not set executable as they are sourced instead of run. If manual execution of pre-instrumentor.sh is required, it may be provided as an argument to /bin/sh instead of changing the permissions for this category. |
| Dynamic Directories | bootstrap, logs and state sub-directories; config file parent directories (except config, which is created using stock directory permissions); DEPLOYMENT_DIRECTORY/exports (this is the WORKING_SUBDIR). This is the most important category, as it affects the ability of the Application Server user to create files within the DEPLOYMENT_DIRECTORY. |
| Dynamic Files | Agent-local config files (agent.config, log.config, agenttype.config) |
| Dynamic Scripts | Customized integration scripts (for example, integrate-MyTask.sh) |

Each category provides a set of permissions for the file or directory owner, group, and everyone else. Also provided are the abilities to set the setuid, setgid and sticky bits.

The setuid bit can be set on script files to have the launched process take on the user ID of the script file itself. This ability is not needed in stock integrations.

The setgid bit can be set on script files and directories. When set on script files, the effect is similar to the setuid bit, except the launched process takes on the group ID of the script file, instead of the user ID. When set on a directory, the setgid bit results in files created in that directory having the same group ownership as the directory itself, rather than the group of the user who creates the file. By default, the setgid bit is set on Dynamic Directories, so that the Java EE Integration Agent can maintain these directories regardless of which user creates files within them.

The sticky bit can be used on directories with other write permission to prevent a user from deleting another user’s file.

With the lone exception noted above, these file permissions should not need to be changed during stock integrations. The options exist to aid integrations where extraordinary circumstances require them.
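To confirm that a deployment still matches the special-bit behavior described above, the following added example (not part of the Foglight guide or product) lists setuid files, directories writable by "other" that lack the sticky bit, and Dynamic Directories that lack the default setgid bit. The function name and finding labels are hypothetical, and Dynamic Directories are matched by the names listed in the table, which is an assumption about the on-disk layout.

```shell
#!/bin/sh
# Added example (not Foglight code): flag special-bit states under a
# DEPLOYMENT_DIRECTORY that differ from what the guide describes.
# The function name and the finding labels are hypothetical.

# audit_special_bits DIR prints one finding per line:
#   SETUID   regular file with setuid set (not needed in stock integrations)
#   NOSTICKY directory writable by "other" without the sticky bit, so one
#            user can delete another user's files in it
#   NOSETGID Dynamic Directory (matched by name, an assumption about the
#            layout) without the setgid bit the agent sets by default
audit_special_bits() {
    find "$1" -type f -perm -4000 -print |
        sed 's/^/SETUID /'
    find "$1" -type d -perm -0002 ! -perm -1000 -print |
        sed 's/^/NOSTICKY /'
    find "$1" -type d \( -name bootstrap -o -name logs -o -name state \
        -o -name exports \) ! -perm -2000 -print |
        sed 's/^/NOSETGID /'
}

# Stand-alone use: pass the DEPLOYMENT_DIRECTORY as the only argument.
if [ $# -eq 1 ]; then audit_special_bits "$1"; fi
```

A NOSTICKY finding is most likely on a Dynamic Directory after its For Other setting has been widened to rwx.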

 

 
