12.4. Running Subsystems under a Java Security Manager
Java services have the option of having a Security Manager which defines unsafe and safe operations for applications to perform. When the subsystems are installed, they have the Security Manager enabled automatically, meaning each Tomcat instance starts with the Security Manager running (the
-secure flag). (The Security Manager is disabled if the instance is created with the -sans_security_manager option.)
12.4.1. About the Security Manager Policy Files
When the four Java subsystems (the CA, OCSP, DRM, and TKS) run within the Java Security Manager, they use a combination of three sets of policies:
- The
catalina.policyfile from the Tomcat 5.5.23 policy; this is updated whenever the general Tomcat files are updated. - A
pki.policyfile, in the/var/lib/instance_name/confdirectory, that is supplied with the subsystem instance. - A
custom.policyfile, in the/var/lib/instance_name/confdirectory, that contains user-defined security policies.
These three files are contatenated together whenever the Tomcat service starts to create a pki-instance
.policy file, also in the /var/lib/instance_name/conf directory, which is used for the instance.
NOTE
Only Java subsystems — the CA, OCSP, DRM, and TKS — can run under a Java Security Manager. The RA and TPS cannot.
The default
pki.policy file contains permissions that grant unrestricted access to the Tomcat, LDAP, and symkey services used by the PKI subsystems. For example:
// These permissions apply to Tomcat5 java as utilized by PKI instances grant codeBase "file:/usr/share/java/tomcat5/-" { permission java.security.AllPermission; };
The
custom.policy file is empty by default; administrators can write policies in that file which will be used in addition to the given PKI policies and Tomcat policies.
12.4.2. Starting a Subsystem Instance without the Java Security Manager
The Java subsystems automatically run under a Java Security Manager (unless
pkicreate was run with the -sans_security_manager option). However, it is possible to start or restart a subsystem and run it without starting the Java Security Manager.
Instead of using the normal
start or restart options when managing the subsystems with service, use special start|restart_sans_security_manager options:
service instance_name start_sans_security_manager service instance_name restart_sans_security_manager