The ApplinX multi-tier architecture supports end-to-end security by using encryption and industry-standard secured protocols within each layer of communication. This document details the security measures available for each layer, as well as additional security mechanisms available in other ApplinX components.
The ApplinX server and clients support the ciphers defined at JVM level. See the list of supported SSL cipher suites.
Set the file system permissions for the ApplinX installation folder to allow access only to authorized users.
Define an access policy for each ApplinX environment (development, testing and production) and keep a clear separation between the environments.
Disable the ApplinX non-secure port and enable the ApplinX secure port.
Disable the unsecured connector port in the Tomcat bundled with the ApplinX installation and enable the SSL connector.
Adjust the supported cipher suites in the bundled JRE.
Communication between the ApplinX server and the host can be encrypted using TLS 1.2. Both client and server authentication are supported. The SSL X.509 certificate is stored using standard keystore implementations (JCEKS).
This feature is available for any host that supports TLS 1.2 communication; however, it has only been tested on Mainframe hosts. It is also possible to use the secured SSH V2 protocol instead of the VT protocol.
To configure an SSL connection between the host and ApplinX server:
Refer to Configuring the SSL Connection.
Communication between ApplinX Server and the ApplinX Base Object (which resides on the web server or application server) can be encrypted using SSL (this layer of security includes encryption only, without authentication).
To configure an SSL connection between ApplinX server and the Web Server/Application
In the Server Properties, General tab, select the Secured port check box and provide a valid server certificate.
In the Web Application Configuration Manager set the Session server URL to the SSL port (e.g. applinxs://localhost:23443).
It is also possible to set the address dynamically from within the Base Object by calling the setServerURL method of the ApplinX SessionConfig object in the gx_initSessionConfig method of the GXBasicContext file (IPv4 and IPv6 address formats are supported).
If you want to allow connections to the HTTPS port only from the ApplinX server machine, add the following system variable when starting the server:
Using a self-signed certificate:
Java clients connecting to the ApplinX server should have the client certificate in the Java keystore.
.NET clients connecting to the ApplinX server should have the CA certificate in the machine's CA authorities store. Only the TLSv1.2 protocol is supported; ensure that the .NET Framework version you are using supports it.
Communication between the end user web browser and the Web server or application server can be secured using HTTPS, or a firewall. This feature is not related to ApplinX and should be supported by the Web Server / Application Server.
Communication with the Java and .NET Procedure Clients (binary SOA clients) can be encrypted using HTTPS (SSL).
To configure an SSL connection between ApplinX server and a Procedure Client
Follow the instructions in the following topic: Creating a Secure SSL Connection between a Procedure Client and ApplinX Server.
If you want to allow connections to the HTTPS port only from the ApplinX server machine, add the following system variable when starting the server:
To configure an SSL connection between ApplinX server and a Web Service
In the Server Properties, General tab, select the Secured port checkbox. ApplinX will automatically connect to WS-Stack using a secure connection.
If you want to allow connections to the HTTPS port only from the ApplinX server machine, add the following system variable when starting the server:
This layer can be encrypted using HTTPS (SSL). Refer to and also to the relevant commented section in <ApplinXInstallationDirectory>/conf/server.xml.
To use the WS-Stack in HTTPS mode
Enable the secured connector by uncommenting the following section in \ApplinX\conf\server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
    </SSLHostConfig>
</Connector>
Enable the HTTPS transport binding by uncommenting the following section in \ApplinX\wsstack\WEB-INF\conf\axis2.xml:
<transportReceiver name="https" class="com.softwareag.wsstack.transport.http.HTTPSListener">
    <parameter name="PROTOCOL">HTTP/1.1</parameter>
    <parameter name="port">8443</parameter>
    <parameter name="Transfer-Encoding">chunked</parameter>
</transportReceiver>
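As an added check that is not part of the ApplinX documentation or product, the following Python script parses a Tomcat server.xml and flags every connector that is not a TLS connector backed by a keystore, which is the state the steps above (disable the unsecured connector, enable the SSL connector) aim for. The server.xml fragment is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a server.xml, modelled on the connector the steps
# above ask you to uncomment. The plain HTTP connector on 8080 is the kind
# of unsecured connector the hardening list says to disable.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

def audit_connectors(xml_text):
    """Return (port, status, detail) for every <Connector> in a server.xml.
    A connector is OK only if SSLEnabled="true" and an SSLHostConfig/Certificate
    names a certificateKeystoreFile."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        ssl_enabled = conn.get("SSLEnabled", "false").lower() == "true"
        cert = conn.find("./SSLHostConfig/Certificate")
        keystore = cert.get("certificateKeystoreFile") if cert is not None else None
        if not ssl_enabled:
            findings.append((port, "FAIL", "plain-text connector still enabled"))
        elif not keystore:
            findings.append((port, "FAIL", "SSLEnabled but no certificateKeystoreFile"))
        else:
            findings.append((port, "OK", "TLS connector using " + keystore))
    return findings

def is_hardened(xml_text):
    """True when the file has connectors and all of them are TLS with a keystore."""
    findings = audit_connectors(xml_text)
    return bool(findings) and all(status == "OK" for _, status, _ in findings)

if __name__ == "__main__":
    for port, status, detail in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {status} - {detail}")
    print("hardened:", is_hardened(SAMPLE_SERVER_XML))
```

Run it against <ApplinXInstallationDirectory>/conf/server.xml by reading the file into audit_connectors; AJP or other non-HTTP connectors also show up, so review each FAIL rather than treating the count as the verdict.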
ApplinX allows managing password-protected users, groups and their permissions. You can define permissions for a group and then associate users with that group, so that each user receives the permissions defined for the group, or you can define permissions for specific users. Each user or group can be assigned read/write permissions at the application or folder level. The user definitions are saved in an encrypted configuration file.
It is also possible to define users based on Integrated Windows Authentication (formerly NT Authentication).
You can specify the passwords of host users as part of the connection information sets of connection pools (to enable connection pooling with automatic login to the host application). These passwords are encrypted and saved in the application's repository database.
To run the ApplinX server with a Java security manager enabled, append the following flags to the Start_Process_Parameters in the <ApplinX installation>\bin\start-gxserver.bat file, to the JAVA_OPTS in the <ApplinX installation>\bin\ file, or to the Start_Process_Parameters in the GXApplinXService.ini file:
In the policy file (specified in the path above), the following permissions are set inside a grant section (if a different policy file is used, add them manually):
permission "localhost:2323", "listen,resolve,accept";
permission "localhost:*", "resolve,accept";
permission "<host name>:<host port>", "connect,resolve";
permission "${com.sabratec.gxhome}/-", "read, write, delete";
permission "${catalina.home}/-", "read";
permission "${java.home}/../-", "read";
permission "${}/", "read, delete, write";
permission "${}/-", "read, delete, write";
// ApplinX XStream usage. Used mostly by ApplinX configuration persist to XML
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
permission java.lang.RuntimePermission "";
permission java.lang.RuntimePermission "accessClassInPackage.sun.logging.*";
permission java.lang.RuntimePermission "";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "reflectionFactoryAccess";
permission "enableSubclassImplementation";
permission java.lang.RuntimePermission "getClassLoader";
// For using Log4J
permission java.lang.RuntimePermission "";
// Used for showing the server icon in the system tray. Uncomment if needed.
// permission java.lang.RuntimePermission "loadLibrary.GXUtil";
// permission java.lang.RuntimePermission "modifyThreadGroup";
permission "enableSubstitution";
permission java.sql.SQLPermission "setLog";
permission java.util.PropertyPermission "com.sabratec.*", "read,write";
permission java.util.PropertyPermission "com.softwareag.*", "read,write";
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "", "read,write";
permission java.util.PropertyPermission "javax.xml.registry.ConnectionFactoryClass", "write";
To allow ApplinX to integrate with WSStack, the following are needed:
permission "<ip of host to where the WSStack is deployed>:*", "accept,resolve";
permission "<machine name to where WSStack is deployed: WSStack Http port>", "connect,resolve";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "getenv.WS_STACK_HOME";
// In case WSStack is run in the server's process, the following are also needed
permission "specifyStreamHandler";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.lang.RuntimePermission "";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "setContextClassLoader";
Lines containing a placeholder in angle brackets (such as <host name>:<host port>) should be edited according to the text inside the brackets.
When ApplinX is running with SSL support, the following should be added as well:
permission "${java.home}/jre/bin/keytool", "execute";
You can block access to each URL of a web application by using a property file that lists the URLs of the web application pages and the access level for each URL. The following access roles are available:
User that did not pass the authentication process and has minimal access.
User that has regular permissions.
User with the highest permissions.
To enable blocking of selected URLs
Uncomment the filter section in the file web.xml of the web application:
<!--
<filter>
    <filter-name>GXCheckURLProxyFilter</filter-name>
    <filter-class>com.sabratec.applinx.j2ee.framework.web.filters.GXCheckURLProxyFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>GXCheckURLProxyFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
-->
Update the property file to set the URL permission. Asterisk notation is supported for directories and file extensions.
Set the role of the user in a session by setting the method in class inherited from
The table below shows the default access for the URLs of ApplinX applications:
Resource Pattern | Role
z_resourceReader.jsp | All (Unauthenticated)
run_printlet.jsp | All (Unauthenticated)
config/* | Administrator
log/* | Administrator
z_editConfig.jsp | Administrator
.class | Administrator
Index.jsp | All (Unauthenticated)
 | Administrator
All URLs not defined in the property file can be accessed only by an authenticated user. When one file is set to two roles, the last definition in the property file has priority.
When you use asterisk notation to assign a directory or a group of files to a role, you can exclude one file from the group by providing a more exact definition for it (e.g. config/web.xml).
This feature is available when creating a new web application. If you want to use this feature for an existing web application, you will need to manually add the filter code to the file web.xml and also add the property file to the application.
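The resolution rules described above (the last matching definition wins, URLs not listed require an authenticated user, a more exact entry carves one file out of an asterisk group), worked through as an added Python example that is not ApplinX code. The property-file format (one pattern=role per line), the role names and all sample entries are assumptions constructed for the example.

```python
from fnmatch import fnmatchcase

# Constructed sample property file. Format and role names are assumed;
# the patterns mirror the default table above, with a trailing entry that
# carves config/web.xml out of the config/* group.
SAMPLE_PROPERTIES = """
# pattern=role
z_resourceReader.jsp=UNAUTHENTICATED
run_printlet.jsp=UNAUTHENTICATED
config/*=ADMINISTRATOR
log/*=ADMINISTRATOR
z_editConfig.jsp=ADMINISTRATOR
*.class=ADMINISTRATOR
Index.jsp=UNAUTHENTICATED
config/web.xml=USER
"""

# Roles ordered from least to most privileged (assumed names).
ROLE_RANK = {"UNAUTHENTICATED": 0, "USER": 1, "ADMINISTRATOR": 2}
DEFAULT_ROLE = "USER"  # URLs not listed require an authenticated user

def parse_rules(text):
    """Return the (pattern, role) entries in file order; order is significant."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, role = line.partition("=")
        rules.append((pattern.strip(), role.strip().upper()))
    return rules

def required_role(url, rules):
    """Role needed for url: the last rule whose pattern matches wins."""
    required = DEFAULT_ROLE
    for pattern, role in rules:
        if fnmatchcase(url, pattern):
            required = role
    return required

def is_allowed(url, session_role, rules):
    """True when the session's role is at least the role the URL requires."""
    return ROLE_RANK[session_role] >= ROLE_RANK[required_role(url, rules)]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_PROPERTIES)
    for url in ("config/app.xml", "config/web.xml", "log/server.log", "main.jsp"):
        print(url, "->", required_role(url, rules))
```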