Chapter 14. Java Security Manager
- Java Security Manager
- The Java Security Manager is a class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM. When the Java Security Manager is activated, the Java API checks with the security manager for approval before executing a wide range of potentially unsafe operations.
- Security Policy
- A set of defined permissions for different classes of code. The Java Security Manager compares actions requested by applications against the security policy. If an action is allowed by the policy, the Security Manager will permit that action to take place. If the action is not allowed by the policy, the Security Manager will deny that action. The security policy can define permissions based on the location of code or on the code's signature.
java.security.manager and java.security.policy.
Security Manager-related options
- java.security.manager
- Use a security manager, optionally specifying which security manager to use. If no argument is supplied with this option, the default JDK security manager, java.lang.SecurityManager, is used. To use another security manager implementation, supply the fully qualified classname of a subclass of java.lang.SecurityManager with this option.
- java.security.policy
- Specifies a policy file to augment or replace the default security policy for the VM. This option takes two forms:
  - java.security.policy=policyFileURL
  - The policy file referenced by policyFileURL will augment the default security policy configured by the VM.
  - java.security.policy==policyFileURL
  - The policy file referenced by policyFileURL will replace the default security policy configured by the VM.
  The policyFileURL value can be a URL or a file path.
14.1. Using the Security Manager
jboss-as/bin/server.policy.cert is included as a starting point.
The file run.conf (Linux) or run.conf.bat (Windows) is used to configure the Security Manager and security policy. This file is found in the jboss-as/bin directory.
run.conf or run.conf.bat file from jboss-as/bin/ to the server profile (for example: jboss-as/server/production/run.conf), and make the configuration changes there. A configuration file in the server profile takes precedence over the global run.conf / run.conf.bat file when the server profile is started.
Procedure 14.1. Activate the Security Manager
run.conf (Linux), or run.conf.bat (Windows) in the server profile directory, if one exists there, or in jboss-as/bin. Refer to Configuration File for details on the location of this file.
Specify the JBoss home directory
Edit the file run.conf (Linux), or run.conf.bat (Windows). Add the jboss.home.dir option, specifying the path to the jboss-as directory of your installation.
Linux
    JAVA_OPTS="$JAVA_OPTS -Djboss.home.dir=/path/to/jboss-eap-5.1/jboss-as"
Windows
    JAVA_OPTS="%JAVA_OPTS% -Djboss.home.dir=c:\path\jboss-eap-5.1\jboss-as"
Specify the server home directory
Add the jboss.server.home.dir option, specifying the path to your server profile.
Linux
    JAVA_OPTS="$JAVA_OPTS -Djboss.server.home.dir=/path/to/jboss-eap-5.1/jboss-as/server/production"
Windows
    JAVA_OPTS="%JAVA_OPTS% -Djboss.server.home.dir=c:\path\to\jboss-eap-5.1\jboss-as\server\production"
Specify the Protocol Handler
Add the java.protocol.handler.pkgs option, specifying the JBoss stub handler.
Linux
    JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"
Windows
    JAVA_OPTS="%JAVA_OPTS% -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"
Specify the security policy to use
Add the $POLICY variable, specifying the security policy to use. Add the variable definition before the line that activates the Security Manager.
Example 14.1. Use the Platform's included security policy
    POLICY="server.policy.cert"
Activate the Security Manager
Uncomment the following line by removing the initial #:
Linux
    #JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$POLICY"
Windows
    #JAVA_OPTS="%JAVA_OPTS% -Djava.security.manager -Djava.security.policy=%POLICY%"
Result: JBoss Enterprise Application Platform is now configured to start with the Security Manager activated.
Optional: Import Red Hat's JBoss signing key
The included security policy grants permissions to JBoss-signed code. If you use the included policy you must import the JBoss signing key to the JDK cacerts key store.
The following command assumes that the environment variable JAVA_HOME is set to the location of a JDK supported by JBoss Enterprise Application Platform 5. You configure JAVA_HOME when you first install JBoss Enterprise Application Platform 5. Refer to the Installation Guide for further information.
Note
To ensure the correct JVM is selected, you can use the alternatives command to select from JDKs installed on your Linux system. Refer to Appendix A, Setting the default JDK with the /usr/sbin/alternatives Utility.
Execute the following command in a terminal:
Linux
    [~]$ sudo $JBOSS_HOME/bin/keytool -import -alias jboss -file JBossPublicKey.RSA \
        -keystore $JAVA_HOME/lib/security/cacerts
Windows
    C:\> %JBOSS_HOME%\bin\keytool -import -alias jboss -file JBossPublicKey.RSA -keystore %JAVA_HOME%\lib\security\cacerts
Although broken across two lines in this documentation, the commands above should be entered on one single line in a terminal.
Note
The default password for the cacerts key store is changeit.
Result: The key used to sign the JBoss Enterprise Application Platform code is now installed.
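A way to verify the outcome of Procedure 14.1, as an added example that is not part of the Red Hat documentation: a POSIX shell function that audits a run.conf for an active -Djava.security.manager line, a POLICY definition that precedes it, the three supporting -D options, and whether the policy option uses the augmenting (=) or replacing (==) form. The function name check_run_conf, its output wording and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Red Hat's code): audit a run.conf against Procedure 14.1.
# Prints one finding per line; returns 0 only when every check passes.
check_run_conf() {
    # Number the lines, then drop comments so a commented setting is ignored.
    active=$(grep -n '' "$1" | grep -v '^[0-9]*:[[:space:]]*#' || true)
    # first PATTERN: line number of the first active line matching PATTERN.
    first() { printf '%s\n' "$active" | grep -E -- "$1" | head -n 1 | cut -d: -f1; }
    sm=$(first '-Djava\.security\.manager')
    pol=$(first '^[0-9]+:[[:space:]]*POLICY=')
    rc=0
    if [ -z "$sm" ]; then
        echo "FAIL security manager not activated"; rc=1
    else
        echo "OK security manager activated on line $sm"
        # The procedure requires POLICY to be defined before that line.
        if [ -z "$pol" ] || [ "$pol" -gt "$sm" ]; then
            echo "FAIL POLICY not defined before line $sm"; rc=1
        fi
    fi
    # '==' replaces the VM default policy, a single '=' augments it.
    if printf '%s\n' "$active" | grep -q -- '-Djava\.security\.policy=='; then
        echo "INFO policy replaces the VM default (==)"
    elif printf '%s\n' "$active" | grep -q -- '-Djava\.security\.policy='; then
        echo "INFO policy augments the VM default (=)"
    else
        echo "FAIL no -Djava.security.policy option"; rc=1
    fi
    for opt in jboss.home.dir jboss.server.home.dir java.protocol.handler.pkgs; do
        printf '%s\n' "$active" | grep -q -F -- "-D$opt=" ||
            { echo "FAIL -D$opt is not set"; rc=1; }
    done
    return $rc
}

# Constructed sample run.conf using the values shown in the procedure.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample, not a shipped file
JAVA_OPTS="$JAVA_OPTS -Djboss.home.dir=/path/to/jboss-eap-5.1/jboss-as"
JAVA_OPTS="$JAVA_OPTS -Djboss.server.home.dir=/path/to/jboss-eap-5.1/jboss-as/server/production"
JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"
POLICY="server.policy.cert"
JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$POLICY"
EOF
check_run_conf "$sample"
```

Run it against the run.conf in the server profile when one exists there, since that file takes precedence over the one in jboss-as/bin.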