4.2. Enabling the Java Security Manager

Enabling the Java Security Manager (JSM) with the specified policy protects JBoss Enterprise Application Platform from any deployed application that accidentally or intentionally interferes with its operation.
The policy grants full permissions only to the jar files included with the evaluated configuration.

Warning

You must configure the policy settings as explained in Section 2.5.5, “Java Security Manager Policy File”. Operating JBoss Enterprise Application Platform using the JSM with different policy settings is not considered to be a certified configuration.
To enable the JSM, you must edit the run.conf (Linux) or run.conf.bat (Windows) file, located in the JBOSS_HOME/bin/ directory.

Note

Read the Java Security Manager chapter in the JBoss Security Guide for complete instructions regarding JSM activation and configuration. Refer back to the Common Criteria Configuration Guide for certification-specific overrides.
Enabling the Java Security Manager

To enable the JSM for JBoss EAP, add the following lines to run.conf:

  • Add this line to enable JSM and set its policy:
    JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$JBOSS_HOME/bin/security_cc.policy"
  • Add this line to set the Java system properties that are referenced by the added security policy:
    JAVA_OPTS="$JAVA_OPTS -Djboss.home.dir=$JBOSS_HOME -Djboss.server.home.dir=$JBOSS_HOME/server/production -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"

    Important

    Make sure to add the lines exactly as shown, including the double equal sign (this instructs the JSM to use only this policy, without combining it with the system policy).
  • Add this line to ensure the security policy persists when an RPM installation is stopped and restarted:
    export JBOSS_HOME=/var/lib/jbossas

4.2.1. Keystore Setup

Because the security policy uses jar file signatures, you need to enable a keystore, which holds the JBoss public keys used to validate signatures and grant permissions to JBoss-provided code.
You can create your keystore with a JBoss public key (refer to Section 4.2.1.1, “Creating New Keystore with the JBoss Public Key”) or use the Java System keystore (refer to Section 4.2.1.2, “Using the Java System Keystore”).

4.2.1.1. Creating New Keystore with the JBoss Public Key

Follow this procedure to create a keystore with the JBoss public key:
  1. Run the following command to create a keystore that contains the JBoss public key:
    keytool -importcert -alias jboss -keystore JBOSS_HOME/server/production/cc.keystore \
    -storepass jbosseap -file JBOSS_HOME/bin/JBossPublicKey.RSA -noprompt \
    -trustcacerts

    Note

    The jboss alias must end up in trustedCertEntry. You can check the result with the following keytool command:
    keytool -list -keystore JBOSS_HOME/server/production/cc.keystore -storepass jbosseap
  2. Run this command to create the password file:
    echo jbosseap > JBOSS_HOME/server/production/cc.password
    The password file is a plain-text file containing the password used to open the keystore (cc.keystore).
  3. Uncomment lines 6 and 7 of the JBOSS_HOME/bin/security_cc.policy file to enable the keystore:
    keystore "file:${jboss.server.home.dir}/cc.keystore";
    keystorePasswordURL "file:${jboss.server.home.dir}/cc.password";

    Note

    The password jbosseap used in Step 1 during key store creation must be the same as the password in the cc.password file. We highly recommend you use a password different than the example password in this guide.
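
The following script is an added example, not part of the Red Hat guide: it statically checks run.conf and security_cc.policy for the settings required above (JSM enabled, the double equal sign, the three system properties, and the uncommented keystore lines from this procedure). The function names check_jsm_config and active_conf and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Red Hat's code): static check of run.conf and
# security_cc.policy against the settings this section requires.

# Print the active (non-comment) lines of a run.conf-style shell file.
active_conf() { grep -v '^[[:space:]]*#' "$1"; }

# check_jsm_config RUN_CONF POLICY_FILE
# Prints one line per problem; returns the number of problems found.
check_jsm_config() {
    conf=$(active_conf "$1"); policy=$2; problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    printf '%s\n' "$conf" | grep -Eq -- '-Djava\.security\.manager([[:space:]"]|$)' ||
        fail "JSM not enabled (-Djava.security.manager missing)"
    if ! printf '%s\n' "$conf" | grep -q -- '-Djava\.security\.policy=='; then
        if printf '%s\n' "$conf" | grep -q -- '-Djava\.security\.policy='; then
            fail "policy set with a single '=': it is combined with the system policy"
        else
            fail "-Djava.security.policy== missing"
        fi
    fi
    for opt in '-Djboss.home.dir=' '-Djboss.server.home.dir=' \
               '-Djava.protocol.handler.pkgs=org.jboss.handlers.stub'; do
        printf '%s\n' "$conf" | grep -Fq -- "$opt" ||
            fail "system property missing: $opt"
    done
    # Policy files use // comments; an active entry starts the line.
    for key in keystore keystorePasswordURL; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]+\"" "$policy" ||
            fail "$key entry not active (commented out or missing) in policy file"
    done
    return "$problems"
}

# Constructed sample input: single '=' and a commented-out keystore line.
demo=$(mktemp -d)
cat > "$demo/run.conf" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$JBOSS_HOME/bin/security_cc.policy"
JAVA_OPTS="$JAVA_OPTS -Djboss.home.dir=$JBOSS_HOME -Djboss.server.home.dir=$JBOSS_HOME/server/production -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"
EOF
cat > "$demo/security_cc.policy" <<'EOF'
// keystore "file:${jboss.server.home.dir}/cc.keystore";
keystorePasswordURL "file:${jboss.server.home.dir}/cc.password";
EOF
check_jsm_config "$demo/run.conf" "$demo/security_cc.policy" || echo "problems found: $?"
```

The check expects the options exactly as shown in this section. If you use the Java System keystore instead (Section 4.2.1.2), this guide does not state whether the keystore entries in the policy file are required, so treat the two keystore findings as informational on that route.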

4.2.1.2. Using the Java System Keystore

Follow this procedure to use the Java System keystore:
Run the following command to modify your Java system keystore:
keytool -importcert -alias jboss -keystore JAVA_HOME/jre/lib/security/cacerts \
-storepass changeit -file JBOSS_HOME/bin/JBossPublicKey.RSA -noprompt \
-trustcacerts
Make sure you are running the command as a user with write permission for the $JAVA_HOME directory. The default password for the cacerts keystore is changeit.

Important

Every change to the Java runtime JBoss public key must be added to the cacerts keystore.

4.2.1.3. IBM JRE 1.6 and the Java Security Manager

IBM JRE 1.6 uses a default policy provider which does not work correctly with the JBoss Enterprise Application Platform security policy. You must change the JRE configuration to use the standard policy provider if you want to use IBM JRE 1.6 to host JBoss Enterprise Application Platform with the Java Security Manager enabled.
You do this by editing the file JAVA_HOME/jre/lib/security/java.security and setting the value of policy.provider to sun.security.provider.PolicyFile instead of org.apache.harmony.security.fortress.DefaultPolicy:
policy.provider=sun.security.provider.PolicyFile