Chapter 14. Java Security Manager

Java Security Manager
The Java Security Manager is a class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM. When the Java Security Manager is activated, the Java API checks with the security manager for approval before executing a wide range of potentially unsafe operations.
The Security Manager uses a security policy to determine whether a given action will be permitted or denied.
Security Policy
A set of defined permissions for different classes of code. The Java Security Manager compares actions requested by applications against the security policy. If an action is allowed by the policy, the Security Manager will permit that action to take place. If the action is not allowed by the policy, the Security Manager will deny that action. The security policy can define permissions based on the location of code or on the code's signature.
The Security Manager and the security policy used are configured using the Java Virtual Machine options java.security.manager and java.security.policy.

Security Manager-related options

java.security.manager
Use a security manager, optionally specifying which security manager to use. If no argument is supplied with this option the default JDK security manager, java.lang.SecurityManager, is used. To use another security manager implementation, supply the fully qualified classname of a subclass of java.lang.SecurityManager with this option.
java.security.policy
Specifies a policy file to augment or replace the default security policy for the VM. This option takes two forms:
java.security.policy=policyFileURL
The policy file referenced by policyFileURL will augment the default security policy configured by the VM.
java.security.policy==policyFileURL
The policy file referenced by policyFileURL will replace the default security policy configured by the VM.
The policyFileURL value can be a URL or a file path.
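As an added illustration (not from the Red Hat documentation or from JBoss), the following program probes which permissions the active policy grants to the code running it, and shows the difference between the single '=' and double '==' forms of java.security.policy. The sample policy file, the "jboss" signer alias and all file names are this example's own assumptions, and it assumes a JDK that still ships the Security Manager.

```java
// Added example, not from the Red Hat documentation: probe which permissions the
// active policy grants the running code. File names, the "jboss" signer alias and
// the sample policy are assumptions; needs a JDK that still ships the Security Manager.
//
// Sample policy, saved as probe.policy (constructed for this example):
//   // location-based grant: classes loaded from the working directory may read /tmp
//   grant codeBase "file:${user.dir}/-" {
//       permission java.io.FilePermission "/tmp/-", "read";
//   };
//   // signature-based grant: classes signed by the key aliased "jboss" get everything
//   grant signedBy "jboss" {
//       permission java.security.AllPermission;
//   };
//
// Single '=' ADDS probe.policy to the JDK default policy:
//   java -Djava.security.manager -Djava.security.policy=probe.policy PolicyProbe
// Double '==' REPLACES the default policy, so reading java.version is then denied:
//   java -Djava.security.manager -Djava.security.policy==probe.policy PolicyProbe
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AccessController;
import java.security.Permission;
import java.util.PropertyPermission;

public class PolicyProbe {
    /** True if every protection domain on the call stack holds the permission. */
    static boolean granted(Permission p) {
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (SecurityException e) { // AccessControlException is a SecurityException
            return false;
        }
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            System.out.println("No Security Manager installed: every check passes.");
        }
        Permission[] probes = {
            new FilePermission("/tmp/-", "read"),              // granted by the codeBase rule
            new FilePermission("/etc/passwd", "read"),         // denied in both modes
            new SocketPermission("localhost:1099", "connect"), // denied in both modes
            new PropertyPermission("java.version", "read"),    // granted only with '=' (default policy)
        };
        for (Permission p : probes) {
            System.out.printf("%-8s %s%n", granted(p) ? "GRANTED" : "DENIED", p);
        }
    }
}
```

Compile with javac and run it from the directory that holds PolicyProbe.class, since the codeBase grant is keyed to the working directory.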
JBoss Enterprise Application Platform does not activate the Java Security Manager by default. To configure the Platform to use the Security Manager, refer to Section 14.1, “Using the Security Manager”.

14.1. Using the Security Manager

JBoss Enterprise Application Platform can use the JDK default Security Manager or a custom security manager. For details on selecting a custom Security Manager, refer to Security Manager-related options.
When the Platform is configured to use a security manager, a security policy file must be specified. A security policy file, jboss-as/bin/server.policy.cert, is included as a starting point.
Configuration File

The file run.conf (Linux) or run.conf.bat (Windows) is used to configure the Security Manager and security policy. This file is found in the jboss-as/bin directory.

This file is used to configure server-level options, and applies to all server profiles. Configuring the Security Manager and security policy involves profile-specific configuration. You may elect to copy the global run.conf or run.conf.bat file from jboss-as/bin/ to the server profile (for example: jboss-as/server/production/run.conf), and make the configuration changes there. A configuration file in the server profile takes precedence over the global run.conf / run.conf.bat file when the server profile is started.

Procedure 14.1. Activate the Security Manager

This procedure configures JBoss Enterprise Application Platform to start with the Java Security Manager activated.
The file editing actions in this procedure refer to the file run.conf (Linux), or run.conf.bat (Windows) in the server profile directory, if one exists there, or in jboss-as/bin. Refer to Configuration File for details on the location of this file.
  1. Specify the JBoss home directory

    Edit the file run.conf (Linux), or run.conf.bat (Windows). Add the jboss.home.dir option, specifying the path to the jboss-as directory of your installation.
    Linux

    JAVA_OPTS="$JAVA_OPTS -Djboss.home.dir=/path/to/jboss-eap-5.1/jboss-as"

    Windows

    set "JAVA_OPTS=%JAVA_OPTS% -Djboss.home.dir=c:\path\jboss-eap-5.1\jboss-as"

  2. Specify the server home directory

    Add the jboss.server.home.dir option, specifying the path to your server profile.
    Linux

    JAVA_OPTS="$JAVA_OPTS -Djboss.server.home.dir=/path/to/jboss-eap-5.1/jboss-as/server/production"

    Windows

    set "JAVA_OPTS=%JAVA_OPTS% -Djboss.server.home.dir=c:\path\to\jboss-eap-5.1\jboss-as\server\production"

  3. Specify the Protocol Handler

    Add the java.protocol.handler.pkgs option, specifying the JBoss stub handler.
    Linux

    JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"

    Windows

    set "JAVA_OPTS=%JAVA_OPTS% -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"

  4. Specify the security policy to use

    Define the POLICY variable, specifying the security policy to use. Place the variable definition before the line that activates the Security Manager, because that line expands $POLICY.

    Example 14.1. Use the Platform's included security policy

    POLICY="server.policy.cert"
  5. Activate the Security Manager

    Uncomment the following line by removing the initial # (Linux) or rem (Windows):
    Linux

    #JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$POLICY"

    Windows

    rem set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager -Djava.security.policy=%POLICY%"

    Result:

    JBoss Enterprise Application Platform is now configured to start with the Security Manager activated.

  6. Optional: Import Red Hat's JBoss signing key

    The included security policy grants permissions to JBoss-signed code. If you use the included policy you must import the JBoss signing key to the JDK cacerts key store.
    The following command assumes that the environment variable JAVA_HOME is set to the location of a JDK supported by JBoss Enterprise Application Platform 5. You configure JAVA_HOME when you first install JBoss Enterprise Application Platform 5. Refer to the Installation Guide for further information.

    Note

    To ensure the correct JVM is selected, you can use the alternatives command to select from JDKs installed on your Linux system. Refer to Appendix A, Setting the default JDK with the /usr/sbin/alternatives Utility.
    Execute the following command in a terminal:
    Linux

    [~]$ sudo $JAVA_HOME/bin/keytool -import -alias jboss -file JBossPublicKey.RSA \
    -keystore $JAVA_HOME/lib/security/cacerts

    Windows

    C:\> %JAVA_HOME%\bin\keytool -import -alias jboss -file JBossPublicKey.RSA -keystore %JAVA_HOME%\lib\security\cacerts

    Although the Linux command is broken across two lines in this documentation (the trailing backslash continues it), each command can be entered on a single line in a terminal.

    Note

    The default password for the cacerts key store is changeit.
    Result:

    The key used to sign the JBoss Enterprise Application Platform code is now installed.
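As an added pre-flight check that is not part of the Red Hat documentation, the following POSIX shell function reads a run.conf edited as in Procedure 14.1 and confirms, before the server is restarted, that the Security Manager is really activated: the activation line is uncommented, POLICY is defined before the line that expands it, and the named policy file exists. The function name and argument order are this example's own.

```shell
#!/bin/sh
# Added pre-flight check, not part of the Red Hat documentation: confirm that a
# run.conf edited as in Procedure 14.1 really activates the Java Security Manager.
# Usage: check_run_conf /path/to/run.conf /path/to/jboss-as/bin
# Returns 0 when the configuration is consistent, 1 otherwise, and prints why.
check_run_conf() {
    conf="$1"; bindir="$2"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # Comment lines never take effect: an activation line still prefixed with '#' is inactive.
    active=$(grep -v '^[[:space:]]*#' "$conf")

    # 1. An uncommented JAVA_OPTS line must carry -Djava.security.manager.
    sm_line=$(printf '%s\n' "$active" | grep -n 'JAVA_OPTS=.*-Djava\.security\.manager' | head -n 1)
    [ -n "$sm_line" ] || { echo "java.security.manager is not enabled (line still commented?)"; return 1; }
    sm_no=${sm_line%%:*}

    # 2. POLICY must be assigned before the line that expands $POLICY (step 4 of the procedure).
    pol_line=$(printf '%s\n' "$active" | grep -n '^[[:space:]]*POLICY=' | head -n 1)
    [ -n "$pol_line" ] || { echo "POLICY variable is not defined"; return 1; }
    pol_no=${pol_line%%:*}
    [ "$pol_no" -lt "$sm_no" ] || { echo "POLICY is defined after the line that uses it"; return 1; }

    # 3. The policy file named by POLICY must exist; a relative name resolves against jboss-as/bin.
    policy=$(printf '%s\n' "$pol_line" | sed 's/^[0-9]*:[[:space:]]*POLICY=//; s/^"//; s/"$//')
    case "$policy" in
        /*) path="$policy" ;;
        *)  path="$bindir/$policy" ;;
    esac
    [ -f "$path" ] || { echo "policy file $path not found"; return 1; }

    echo "Security Manager enabled with policy $path"
}
```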