Show Table of Contents
13.5. Running Subsystems under a Java Security Manager
Java services have the option of having a Security Manager which defines unsafe and safe operations for applications to perform. When the subsystems are installed, they have the Security Manager enabled automatically, meaning each Tomcat instance starts with the Security Manager running.
13.5.1. About the Security Manager Policy Files
When the five Java subsystems (the CA, OCSP, KRA, TKS, and TPS) run within the Java Security Manager, they use a combination of three sets of policies:
- The
catalina.policyfile from the default Tomcat policy located in the/usr/share/tomcat/confdirectory; this is updated whenever the general Tomcat files are updated. - A
pki.policyfile, in the/var/lib/pki/instance_name/confdirectory, that is supplied with the subsystem instance. - A
custom.policyfile, in the/var/lib/pki/instance_name/confdirectory, that contains user-defined security policies.
These three files are concatenated together whenever the Tomcat service starts to create a revised
catalina.policy file, also in the /var/lib/pki/instance_name/conf directory, which is used for the instance.
The default
pki.policy file contains permissions that grant unrestricted access to the Tomcat, LDAP, and symkey services used by the PKI subsystems. For example:
// These permissions apply to Tomcat java as utilized by PKI instances
grant codeBase "file:/usr/share/java/tomcat/-" {
permission java.security.AllPermission;
};
The
custom.policy file is empty by default; administrators can write policies in that file which will be used in addition to the given PKI policies and Tomcat policies.
13.5.2. Starting a Subsystem Instance without the Java Security Manager
All Java subsystems configured under a PKI Tomcat instance are automatically run under a Java Security Manager (unless the instance was created by overriding
pki_security_manager=true under the [Tomcat] section in the /etc/pki/default.cfg file). However, it is possible to start or restart an instance and run it without starting the Java Security Manager, as shown below.
Procedure 13.1. Starting an Instance Without the Java Security Manager
- Stop the instance.
# systemctl stop pki-tomcatd@instance_name.service
- Edit the
/etc/sysconfig/instance_namefile and turn off the security manager:SECURITY_MANAGER="false"
- Start the instance.
# systemctl start pki-tomcatd@instance_name.service
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.