5.4.2. Java Security Manager Policy File

To operate JBoss EAP 6.2 according to the requirements of the certification, you must install the Common Criteria-evaluated Java Security Manager policy to ensure applications running on the system have the correct access privileges.

Procedure 5.3. Install Common Criteria-evaluated Security Manager Policy

  1. Create the Common Criteria-evaluated Policy File

    Copy the following text into a text editor and save it in the EAP_HOME/bin/ directory. The suggested file name is jbosseap62.policy.
    // Grant all to the jboss-modules.jar
    grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" {
      permission java.security.AllPermission;
    };
    
    // Standard extensions get all permissions by default
    grant codeBase "file:${java.home}/lib/ext/*" {
      permission java.security.AllPermission;
    };
    

    Note

    The CC-evaluated policy file may need additional permissions configured, such as permissions for database drivers. These permissions are site-specific.
  2. Configure the Java Parameters

    Add the following Java command line parameters to the JBoss EAP start-up configuration scripts (standalone.conf, domain.conf, standalone.conf.bat, domain.conf.bat):
    -Djava.security.manager
    Enables the Java Security Manager.
    -Djava.security.policy==/path/to/security.policy
    Specifies the path to the security policy file. The double equals sign (==) makes this file the only policy in effect, replacing the JVM's default policy files rather than adding to them.
    -Djboss.home.dir=/path/to/JBOSS_EAP_HOME
    Defines the jboss.home.dir system property, which the policy file references in its codeBase URLs.
    -Djboss.modules.policy-permissions=true
    Enables deployment-level security permissions.

    Example 5.1. standalone.conf

    JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$JBOSS_HOME/bin/jbosseap62.policy -Djboss.home.dir=$JBOSS_HOME -Djboss.modules.policy-permissions=true"

    Note

    The JBOSS_HOME environment variable is not defined when domain.conf is processed. It can be used only in standalone.conf.
  3. Configure the Java Security Manager to use the policy file

    See Java Security Manager in the Security Guide.
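As an added check that is not part of this guide, the following POSIX sh snippet validates a JAVA_OPTS line against the four parameters from step 2 and confirms that the policy file it names exists and carries the jboss-modules.jar grant from step 1. The temporary EAP_HOME, the sample policy and the option strings are constructed for the demonstration.

```shell
# check_java_opts "<JAVA_OPTS string>": prints each problem found and returns 0
# only when every check passes. Added example, not from the Red Hat guide.
check_java_opts() {
  opts=" $1 "
  rc=0
  case "$opts" in *" -Djava.security.manager "*) ;;
    *) echo "missing -Djava.security.manager"; rc=1 ;; esac
  case "$opts" in *" -Djboss.home.dir="*) ;;
    *) echo "missing -Djboss.home.dir=<path>"; rc=1 ;; esac
  case "$opts" in *" -Djboss.modules.policy-permissions=true "*) ;;
    *) echo "missing -Djboss.modules.policy-permissions=true"; rc=1 ;; esac
  # Two equals signs make this file the only policy in effect; a single '='
  # would merge it with the JVM's default policy files instead of replacing them.
  case "$opts" in
    *" -Djava.security.policy=="*)
      policy=$(printf '%s\n' "$opts" | sed 's/.* -Djava\.security\.policy==\([^ ]*\).*/\1/')
      if [ ! -r "$policy" ]; then
        echo "policy file not readable: $policy"; rc=1
      elif ! grep -F -q 'codeBase "file:${jboss.home.dir}/jboss-modules.jar"' "$policy"; then
        echo "no grant for jboss-modules.jar in $policy"; rc=1
      fi ;;
    *) echo "missing -Djava.security.policy== (note the double '=')"; rc=1 ;;
  esac
  return $rc
}

# Constructed fixture: a throwaway EAP_HOME holding the policy from step 1.
JBOSS_HOME=$(mktemp -d)
mkdir -p "$JBOSS_HOME/bin"
cat > "$JBOSS_HOME/bin/jbosseap62.policy" <<'EOF'
grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" {
  permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/ext/*" {
  permission java.security.AllPermission;
};
EOF

# The JAVA_OPTS from Example 5.1, with JBOSS_HOME expanded as standalone.conf does.
GOOD_OPTS="-Djava.security.manager -Djava.security.policy==$JBOSS_HOME/bin/jbosseap62.policy -Djboss.home.dir=$JBOSS_HOME -Djboss.modules.policy-permissions=true"
# A typical mistake: single '=' (policy merged with the JVM default) and a missing flag.
BAD_OPTS="-Djava.security.manager -Djava.security.policy=$JBOSS_HOME/bin/jbosseap62.policy -Djboss.home.dir=$JBOSS_HOME"

check_java_opts "$GOOD_OPTS" && echo "standalone.conf JAVA_OPTS: OK"
```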