Menu Close
Settings Close

Language and Page Formatting Options

Red Hat Training

A Red Hat training course is available for JBoss Enterprise Application Platform Common Criteria Certification

4.2. Enabling the Java Security Manager

By enabling the Java Security Manager with the specified policy JBoss EAP is protected from any application deployed on it accidentally or intentionally interfering with its operation.
This policy limits the granting of full permissions to those jar files included with the evaluated configuration.

Warning

If you use the Java Security Manager, you must configure the policy settings as explained in Section 2.5.5, “Required changes to the included JSM policy”. Operating JBoss EAP using the Java Security Manager with different policy settings is not considered to be a certified configuration.
You must edit the file run.conf located in the Enterprise Platform home directory at /jboss-as/server/production/ and uncomment the lines indicated below to enable the Java Security Manager. Once those items are uncommented from run.conf, simply start the server using the supplied startup script (run.sh or run.bat) as normal.

Example 4.3. run.conf with Java Security Manager enabled

# Uncomment the following to run with Common Criteria configuration 
## Specify the Security Manager Policy 
POLICY="security_cc.policy" 
# 
## Specify the Security Manager options 
JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$POLICY" 
echo "=================================================================" 
echo "                                                                 " 
echo "    Common Criteria Configuration (Security Manager Enabled)" 
echo "                                                                 " 
echo "=================================================================" 
## End of Common Criteria configuration

Important

run.conf is part of the production configuration of the EAP. Only the production configuration with the additional configuration information specified in this guide is allowed in the Common Criteria Configuration.
IBM JRE 1.6 and the Java Security Manager

IBM JRE 1.6 uses a default policy provider which does not work correctly with the JBossEAP security policy. You must change the JRE configuration to use the standard policy provider if you want to use IBM JRE 1.6 to host JBossEAP with the Java Security Manager enabled.

You do this by editing the file ${JAVA_HOME}/jre/lib/security/java.security and setting the value of policy.provider to sun.security.PolicyFile instead of org.apache.harmony.security.fortress.DefaultPolicy:
policy.provider=sun.security.provider.PolicyFile
Additional Policy file configuration

Users and administrators are free to add their own permission blocks to the policy file, however the permissions that are specified for JBoss EAP cannot be changed; doing so will invalidate the certification. Indeed any modifications of the security policy except what has been specified within this guide, will invalidate the certification configuration. Refer to Section 2.5.6, “Guidance on Configuring Java Security Permissions” for additional information on this topic.