I’m trying to output data to a file on shared network location, but I’m getting a ‘Access is denied’ error. What user account does the IS use when writing files to shared network locations? I would like to setup the destination folder so that it will give write access to the IS network account.
User account that IS would use while writing the files is the same that is used during installation of IS. “ls -lrt” will display it. You got to add this user into the user group of mounted drive and provide permission for write access.
-Senthil
Thank you for your reply. The IS was installed on a Windows server. Do you perhaps know what the windows command prompt equivalent is for “ls -lrt”?
Navigate to the folder where webMethods is installed in Windows Explorer. You could see the column names as ‘name’, ‘size’, ‘type’, ‘date modified’ by default. Right click on that bar, and choose ‘Owner’. Attached a screenshot.
HTH
Senthil
Take a look at your Integration Server’s About page (which you can get to from the Integration Server administration web site and clicking on the About link in the top right of the page or by visiting http://server:port/WmRoot/server-environment.dsp directly) and check the value of Current User in the Server Environment section. This is the user context under which Integration Server is running, and therefore is the user that needs to be granted write access to the directory you are trying to write the file to.
And now for some background: when running Integration Server on Windows, you can either run it as a console application (by running server.bat in a cmd.exe process) or as a Windows service.
If you’re running it as a console application, then Integration Server will run under the same user context as the cmd.exe process that started it, which is usually, but not necessarily because you can “run as”, the logged on user.
However, if you are running Integration Server as a Windows service, then the Windows service can be configured to run under a different user context to the logged on user. This user account can be one of the special built-in Windows accounts, such as SYSTEM, or some other local Windows account, or a domain account if the computer is a domain member. You can check the user account the Integration Server Windows service logs on as by opening services.msc, double-clicking on the Integration Server Windows service, and looking at the Log On tab. Generally if you are trying to access network resources (ie. not local), you would need Integration Server to run under a domain user account context.
Please refer to the Built in service reference.
File Access Control Configuration for the pub.file Services
The fileAccessControl.cnf configuration file in Software AG_directory\Integration
Server\packages\WmPublic\config directory contains parameters that Integration
Server uses to provide additional validation checks to make the services in the pub.file
folder secure.
Parameter Settings
The following table shows the parameter settings for the fileAccessControl.cnf file:
Thank you all for your replies. The Software AG tech forums seems to be a great place to share knowledge concerning anything webMethods related.
@Senthilkumar G
I added the ‘Owner’ column to the Windows Explorer window and can now see the Owner of the webMethods folder is ‘Administrators’.
@Lachlan Dowding
The Current User of the Integration Server under section Server Environment is ‘SYSTEM’. The IS is currently running as a Windows service and when I go to the Log On tab under the service’s properties, ‘Local System Account’ is selected.
@sonagi
Currently my fileAccessControl.cnf for the WmPublic package is setup to be able to write to the destination folder I require, so no problem there.
This is probably not the best solution, but I managed to organize public write access for the destination folder I’m having the problem with. The IS is now able to write the required data to the file in the folder.
"This is probably not the best solution, but I managed to organize public write access for the destination folder I’m having the problem with. The IS is now able to write the required data to the file in the folder. "
Not a bad idea as long as you know who is writing and edited the file access privileges internally 
Your solution works, but it is far from ideal: now anyone can write to your destination folder, which is a security risk. Any user could overwrite or replace the files you’ve written, causing a denial of service or worse.
I’d like to offer you a couple of different options that lets you avoid making the destination folder public:
Option 1 - Change the Integration Server Windows service to log on with a domain account (sometimes called a service account) with limited privileges, then grant that account write access to the destination folder. After changing the Windows service properties, you will need to restart Integration Server.
Option 2 - As any Windows process running under the Local System (NT AUTHORITY\SYSTEM) context accesses network resources using the computer’s domain account (http://msdn.microsoft.com/en-us/library/ms684190(v=vs.85).aspx), you could grant the Integration Server computer’s account write access to the destination folder, as per this thread on ServerFault: http://serverfault.com/questions/135867/howt-to-grant-network-access-to-localsystem-account.
@Lachlan
Thank you for providing me with those safer options. I’ve tried OPTION 2 and it works beautifully!
Not a bad idea on the option 2 NT level changes…as long it works for you 
hi to all,
i have the same error when i launch the service.
i’ve tried to edit the file “fileAccessControl.cnf” in this way:
allowedWritePaths=D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example ; D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example\987911-languages.csv
allowedReadPaths=D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example ; D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example\987911-languages.csv
allowedDeletePaths=D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example ; D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example\987911-languages.csv
reloaded the WmPublic package and relaunch the service… but i obtain always the same error.
someone can help me?
thank you
Kindly share the error dump from error log/server log to help you better!
Meanwhile try the below setting and re-load WmPublic package
allowedWritePaths=D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example;D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example\987911-languages.csv
allowedReadPaths=D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example;D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example\987911-languages.csv
allowedDeletePaths=D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example;D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example\987911-languages.csv
or
allowedWritePaths=D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example;D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example\987911-languages.csv
allowedReadPaths=D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example;D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example\987911-languages.csv
allowedDeletePaths=D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example;D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example\987911-languages.csv
hi,
thank for your help.
i’be tried with the two string you sent me, but it’s seems not working.
here the error:
Launch started: 2014-09-08 10:52:16.955
Configuration name: SfTransformLanguagesFromKM_1
Configuration location: C:/Users/i.marzuillo/workspace96/.metadata/.plugins/org.eclipse.debug.core/.launches/SfTransformLanguagesFromKM_1.launch
Could not run ‘SfTransformLanguagesFromKM_1’
com.wm.app.b2b.server.ServiceException: [ISS.0086.9263] Specified path [D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example\987911-languages.csv] is not on the [allowedWritePaths] allowed list in the fileAccessControl configuration file
com.wm.app.b2b.server.ServiceException: [ISS.0086.9263] Specified path [D:\Progetti InEssence\Reply-SF\file caricamento prova\KM42-Skill-Example\987911-languages.csv] is not on the [allowedWritePaths] allowed list in the fileAccessControl configuration file
at pub.file.checkPathValidity(file.java:152)
at pub.file.readerToFile(file.java:222)
at pub.file.stringToFile(file.java:923)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.wm.app.b2b.server.JavaService.baseInvoke(JavaService.java:443)
at com.wm.app.b2b.server.invoke.InvokeManager.process(InvokeManager.java:640)
at com.wm.app.b2b.server.util.tspace.ReservationProcessor.process(ReservationProcessor.java:39)
at com.wm.app.b2b.server.invoke.StatisticsProcessor.process(StatisticsProcessor.java:49)
at com.wm.app.b2b.server.invoke.ServiceCompletionImpl.process(ServiceCompletionImpl.java:243)
at com.wm.app.b2b.server.invoke.ValidateProcessor.process(ValidateProcessor.java:49)
at com.wm.app.b2b.server.invoke.PipelineProcessor.process(PipelineProcessor.java:171)
at com.wm.app.b2b.server.ACLManager.process(ACLManager.java:289)
at com.wm.app.b2b.server.invoke.DispatchProcessor.process(DispatchProcessor.java:34)
at com.wm.app.b2b.server.AuditLogManager.process(AuditLogManager.java:368)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:544)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:383)
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java:244)
at com.wm.app.b2b.server.BaseService.invoke(BaseService.java:205)
at com.wm.lang.flow.FlowInvoke.invoke(FlowInvoke.java:259)
at com.wm.lang.flow.FlowState.invokeNode(FlowState.java:511)
at com.wm.lang.flow.FlowState.step(FlowState.java:389)
at com.wm.lang.flow.FlowState.invoke(FlowState.java:360)
at com.wm.app.b2b.server.FlowSvcImpl.baseInvoke(FlowSvcImpl.java:1080)
at com.wm.app.b2b.server.invoke.InvokeManager.process(InvokeManager.java:640)
at com.wm.app.b2b.server.util.tspace.ReservationProcessor.process(ReservationProcessor.java:39)
at com.wm.app.b2b.server.invoke.StatisticsProcessor.process(StatisticsProcessor.java:49)
at com.wm.app.b2b.server.invoke.ServiceCompletionImpl.process(ServiceCompletionImpl.java:243)
at com.wm.app.b2b.server.invoke.ValidateProcessor.process(ValidateProcessor.java:49)
at com.wm.app.b2b.server.invoke.PipelineProcessor.process(PipelineProcessor.java:171)
at com.wm.app.b2b.server.ACLManager.process(ACLManager.java:289)
at com.wm.app.b2b.server.invoke.DispatchProcessor.process(DispatchProcessor.java:34)
at com.wm.app.b2b.server.AuditLogManager.process(AuditLogManager.java:368)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:544)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:383)
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java:244)
at com.wm.app.b2b.server.comm.DefaultServerRequestHandler.handleMessage(DefaultServerRequestHandler.java:119)
at com.wm.app.b2b.server.HTTPMessageHandler.process(HTTPMessageHandler.java:164)
at com.wm.app.b2b.server.HTTPDispatch.handleRequest(HTTPDispatch.java:174)
at com.wm.app.b2b.server.Dispatch.run(Dispatch.java:383)
at com.wm.util.pool.PooledThread.run(PooledThread.java:127)
at java.lang.Thread.run(Thread.java:744)
Launch completed: 2014-09-08 10:52:19.344
thank you
Ilaria
Hi All,
can we set network path into fileAccessControl.cnf , currently i am getting error while using network path in Configuration file while its working when we set local system path .