SFTP and Java Security

I am trying to implement SFTP using…

http://www.enterprisedt.com/products/edtftpjssl/overview.html

I am having a hard time with the Java security model. I added the JAR files to the ${java.home}/lib/ext/ directory and assumed that since that directory had permission java.security.AllPermission it would work. It didn’t. If I give AllPermission to the default for all domains, my Java agent will work. Anybody have any ideas on what I might be missing…

thanks,

Steve

From the Java Console…

    INFO [JavaAgent] 24 Oct 2006 15:47:08.653 : Creating SFTP client
    Missing resource appletsecurityexception.CheckSecurityAccess
    COM.ibm.JEmpower.applet.AppletSecurityException: ??
    Missing resource appletsecurityexception.CheckSecurityAccess
    COM.ibm.JEmpower.applet.AppletSecurityException: ??
    Missing resource appletsecurityexception.CheckSecurityAccess
    COM.ibm.JEmpower.applet.AppletSecurityException: ??
        at COM.ibm.JEmpower.applet.AppletSecurity.checkSecurityPermission(AppletSecurity.java:1197)
        at COM.ibm.JEmpower.applet.AppletSecurity.checkPermission(AppletSecurity.java:1382)
        at COM.ibm.JEmpower.applet.AppletSecurity.checkPermission(AppletSecurity.java:1318)
        at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1711)
        at java.security.Provider.check(Provider.java:356)
        at java.security.Provider.put(Provider.java:318)
        at com.enterprisedt.cryptix.provider.Cryptix.<init>(Unknown Source)
        at com.enterprisedt.net.puretls.LoadProviders.init(Unknown Source)
        at com.enterprisedt.net.j2ssh.SshClient.<init>(Unknown Source)
        at com.enterprisedt.net.ftp.ssh.SSHFTPClient.<init>(Unknown Source)
        at JavaAgent.NotesMain(JavaAgent.java:27)
        at lotus.domino.AgentBase.runNotes(Unknown Source)
        at lotus.domino.NotesThread.run(NotesThread.java:215)

Subject: SFTP and Java Security

Hi Steve,

I’m replying exactly a year after you posted this, hoping you solved the problem, as I am suffering from the exact same thing. We had been using edtFTPj Pro successfully for almost a year on R6 (no policy modifications, with the jar attached to the agent), but an upgrade to 7 seems to have broken it.

I moved the files into the “lib\ext” folder and tried this simple test:

    import lotus.domino.*;
    import com.enterprisedt.net.ftp.FTPTransferType;
    import com.enterprisedt.net.ftp.ssh.SSHFTPClient;
    import com.enterprisedt.net.ftp.ssh.SSHFTPException;
    import java.security.Provider;
    import java.security.Security;
    import java.util.Iterator;
    import java.util.StringTokenizer;
    import java.util.Vector;

    public class JavaAgent extends AgentBase {

        public void NotesMain() {
            try {
                Session session = getSession();
                AgentContext agentContext = session.getAgentContext();

                // List the security providers registered in this JVM.
                Provider[] providers = Security.getProviders();
                for (int i = 0, x = providers.length; i < x; i++) {
                    System.out.println(providers[i]);
                }

                System.setProperty("java.protocol.handler.pkgs", "com.enterprisedt.cryptix.provider.Cryptix");
                System.out.println("handler: " + System.getProperty("java.protocol.handler.pkgs"));

                // Constructing the client is the call that throws the SecurityException.
                SSHFTPClient ftp = new SSHFTPClient();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

Which gives these results on the console:

    CryptixEDT-Java 3.1.2
    IBMJSSE version 1.42
    IBMJCE version 1.2
    IBMJGSSProvider version 1.42
    IBMCertPath version 1.0
    handler: com.enterprisedt.cryptix.provider.Cryptix
    java.lang.SecurityException
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:576)
        at COM.ibm.JEmpower.applet.AppletSecurity.checkSecurityPermission(AppletSecurity.java:1305)
        at COM.ibm.JEmpower.applet.AppletSecurity.checkPermission(AppletSecurity.java:1500)
        at COM.ibm.JEmpower.applet.AppletSecurity.checkPermission(AppletSecurity.java:1437)
        at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1692)
        at java.security.Provider.check(Provider.java:441)
        at java.security.Provider.put(Provider.java:396)
        at com.enterprisedt.cryptix.provider.Cryptix.<init>(Unknown Source)
        at com.enterprisedt.net.puretls.LoadProviders.init(Unknown Source)
        at com.enterprisedt.net.j2ssh.SshClient.<init>(Unknown Source)
        at com.enterprisedt.net.ftp.ssh.SSHFTPClient.<init>(Unknown Source)
        at JavaAgent.NotesMain(JavaAgent.java:28)
        at lotus.domino.AgentBase.runNotes(Unknown Source)
        at lotus.domino.NotesThread.run(Unknown Source)

Edtftpj-pro.jar (and the license.jar) is in the “lib/ext” folder, which has all permissions as per the policy document:

    grant codeBase "file:${java.home}/lib/ext/*" {
        permission java.security.AllPermission;
    };

My java.security file has the following entries:

    security.provider.1=com.enterprisedt.cryptix.provider.Cryptix
    security.provider.2=com.ibm.jsse.IBMJSSEProvider
    security.provider.3=com.ibm.crypto.provider.IBMJCE
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.5=com.ibm.security.cert.IBMCertPath

However, if I grant all permissions by default in the policy document, the code works, e.g.:

    grant {
        permission java.security.AllPermission;
    };

But for obvious reasons I don’t want to do that.

Any advice would be appreciated.

Karl
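The policy fragment below is an added example, not part of either post and not taken from IBM or EnterpriseDT documentation. It sets the default grant from the post beside a narrower one covering only the check visible in both stack traces (Provider.put -> Provider.check -> SecurityManager.checkSecurityAccess), which in the standard JDK is a java.security.SecurityPermission with the target putProviderProperty.<provider name>. It assumes Domino's AppletSecurity manager honours such a grant from the policy file; the commented-out insertProvider line is an assumption about the next check, and the thread does not show whether further permissions are needed.

```text
// Constructed example: java.policy fragment, not from the thread.

// Weak setting (the one that "works" in the post): every code source in the
// JVM, including every agent on the server, receives every permission.
//
// grant {
//     permission java.security.AllPermission;
// };

// Narrower setting: still a default grant, because the agent's own code
// source is on the call stack and its codeBase is not shown in the thread,
// but limited to the single target that Provider.put checks.
// SecurityPermission is a BasicPermission, so the trailing ".*" matches any
// provider name; replace it with the exact provider name once that is known.
grant {
    permission java.security.SecurityPermission "putProviderProperty.*";

    // Assumption: only needed if the library also registers the provider at
    // run time through Security.addProvider / insertProviderAt.
    // permission java.security.SecurityPermission "insertProvider.*";
};
```

If the agent then fails on a different frame, read the new target from the top of that stack trace and add that single permission rather than widening to AllPermission.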

Subject: Solution?

I found this technote which solved the issue:

http://www-1.ibm.com/support/docview.wss?uid=swg21173567

Seems like kind of a scary thing to do, but it’s an IBM technote, so I’ll give it a go.

Karl

Subject: Correction…

That change didn’t solve the problem on the server, but after some further head scratching I found this, which did:

http://www-1.ibm.com/support/docview.wss?rs=0&q1=domino+ibmjcaprovider.jar&uid=swg21243598&loc=en_US&cs=utf-8&cc=us&lang=en

Karl