4.2. Enabling the Java Security Manager
Enabling the Java Security Manager (JSM) with the specified policy ensures JBoss Enterprise Application Platform remains protected from any deployed application accidentally or intentionally interfering with its operation.
The policy grants full permissions only to the jar files included with the evaluated configuration.
Warning
You must configure the policy settings as explained in Section 2.5.5, “Java Security Manager Policy File”. Operating JBoss Enterprise Application Platform using the JSM with different policy settings is not considered to be a certified configuration.
To enable the JSM, you must edit the run.conf (Linux) or run.conf.bat (Windows) file, located in the JBOSS_HOME/bin/ directory.
Note
Read the Java Security Manager chapter in the JBoss Security Guide for complete instructions regarding JSM activation and configuration. Refer back to the Common Criteria Configuration Guide for certification-specific overrides.
Enabling the Java Security Manager
To enable the JSM for JBoss EAP, add the following lines to run.conf:
- Add this line to enable JSM and set its policy:
JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$JBOSS_HOME/bin/security_cc.policy"
- Add this line to set the Java system properties that are referenced by the added security policy:
JAVA_OPTS="$JAVA_OPTS -Djboss.home.dir=$JBOSS_HOME -Djboss.server.home.dir=$JBOSS_HOME/server/production -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"
Important
Make sure to add the lines exactly as shown, including the double equal sign (this instructs the JSM to use only this policy, without combining it with the system policy).
- Add this line to ensure the security policy persists when an RPM installation is stopped and restarted:
export JBOSS_HOME=/var/lib/jbossas
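The following check is an added example, not part of this guide or of JBoss: a POSIX shell function that audits a run.conf for the options listed in the procedure above and flags a policy option written with a single equal sign. The function name check_jsm_conf and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit run.conf for the JSM options above.
# check_jsm_conf FILE prints one finding per problem; exit status = problem count.
check_jsm_conf() {
    conf=$1
    problems=0
    # Only active JAVA_OPTS assignments count; commented-out lines are ignored.
    opts=$(grep -E '^[[:space:]]*JAVA_OPTS=' "$conf" || true)

    # Options are matched as fixed strings so that $JBOSS_HOME stays literal.
    for needle in \
        '-Djava.security.manager' \
        '-Djboss.home.dir=$JBOSS_HOME' \
        '-Djboss.server.home.dir=$JBOSS_HOME/server/production' \
        '-Djava.protocol.handler.pkgs=org.jboss.handlers.stub'
    do
        if ! printf '%s\n' "$opts" | grep -qF -- "$needle"; then
            echo "MISSING: $needle"
            problems=$((problems + 1))
        fi
    done

    # '==' replaces the system policy; a single '=' combines with it.
    policy='$JBOSS_HOME/bin/security_cc.policy'
    if printf '%s\n' "$opts" | grep -qF -- "-Djava.security.policy==$policy"; then
        :
    elif printf '%s\n' "$opts" | grep -qF -- "-Djava.security.policy=$policy"; then
        echo "WEAK: java.security.policy uses '=' (combined with the system policy)"
        problems=$((problems + 1))
    else
        echo "MISSING: -Djava.security.policy==$policy"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: a run.conf where the policy option has a single '='.
sample=$(mktemp)
cat > "$sample" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$JBOSS_HOME/bin/security_cc.policy"
JAVA_OPTS="$JAVA_OPTS -Djboss.home.dir=$JBOSS_HOME -Djboss.server.home.dir=$JBOSS_HOME/server/production -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"
EOF
check_jsm_conf "$sample" || echo "problems found: $?"
rm -f "$sample"
```

Run it against JBOSS_HOME/bin/run.conf after editing; an exit status of 0 with no output means every option from the procedure is present in an active JAVA_OPTS line.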
4.2.1. Keystore Setup
Because the security policy relies on jar file signatures, you need to enable a keystore that holds the JBoss public keys used to validate signatures and grant permissions to JBoss-provided code.
You can create your keystore with a JBoss public key (refer to Section 4.2.1.1, “Creating New Keystore with the JBoss Public Key”) or use the Java System keystore (refer to Section 4.2.1.2, “Using the Java System Keystore”).
4.2.1.1. Creating New Keystore with the JBoss Public Key
Follow this procedure to create a keystore with the JBoss public key:
- Run the following command to create a keystore that contains the JBoss public key:
keytool -importcert -alias jboss -keystore JBOSS_HOME/server/production/cc.keystore \
  -storepass jbosseap -file JBOSS_HOME/bin/JBossPublicKey.RSA -noprompt \
  -trustcacerts
Note
The jboss alias must end up in trustedCertEntry. You can check the result with the following keytool command:
keytool -list -keystore JBOSS_HOME/server/production/cc.keystore -storepass jbosseap
- Run this command to create the password file:
echo jbosseap > JBOSS_HOME/server/production/cc.password
The password file is a plain file containing the password used to open the keystore (cc.keystore).
- Uncomment lines 6 and 7 of the JBOSS_HOME/bin/security_cc.policy file to enable the keystore:
keystore "file:${jboss.server.home.dir}/cc.keystore";
keystorePasswordURL "file:${jboss.server.home.dir}/cc.password";
Note
The password jbosseap used in Step 1 during keystore creation must be the same as the password in the cc.password file. We highly recommend you use a password different from the example password in this guide.
4.2.1.2. Using the Java System Keystore
Follow this procedure to use the Java System keystore:
Run the following command to modify your Java system keystore:
keytool -importcert -alias jboss -keystore JAVA_HOME/jre/lib/security/cacerts \
  -storepass changeit -file JBOSS_HOME/bin/JBossPublicKey.RSA -noprompt \
  -trustcacerts
Make sure you are running the command as a user with write permission for the $JAVA_HOME directory. The default password for the cacerts keystore is changeit.
Important
Every change to the Java runtime JBoss public key must be added to the cacerts keystore.
4.2.1.3. IBM JRE 1.6 and the Java Security Manager
IBM JRE 1.6 uses a default policy provider which does not work correctly with the JBoss Enterprise Application Platform security policy. You must change the JRE configuration to use the standard policy provider if you want to use IBM JRE 1.6 to host JBoss Enterprise Application Platform with the Java Security Manager enabled.
You do this by editing the file JAVA_HOME/jre/lib/security/java.security and setting the value of policy.provider to sun.security.provider.PolicyFile instead of org.apache.harmony.security.fortress.DefaultPolicy:
policy.provider=sun.security.provider.PolicyFile