Ce contenu n'est pas disponible dans la langue sélectionnée.

13.4. Running Subsystems under a Java Security Manager


Java services have the option of having a Security Manager which defines unsafe and safe operations for applications to perform. When the subsystems are installed, they have the Security Manager enabled automatically, meaning each Tomcat instance starts with the Security Manager running.

13.4.1. About the Security Manager Policy Files

When the five Java subsystems (the CA, OCSP, KRA, TKS, and TPS) run within the Java Security Manager, they use a combination of three sets of policies:
  • The catalina.policy file from the default Tomcat policy located in the /usr/share/tomcat/conf directory; this is updated whenever the general Tomcat files are updated.
  • A pki.policy file, in the /var/lib/pki/instance_name/subsystem_type/conf directory, that is supplied with the subsystem instance.
  • A custom.policy file, in the /var/lib/pki/instance_name/subsystem_type/conf directory, that contains user-defined security policies.
These three files are concatenated together whenever the Tomcat service starts to create a revised catalina.policy file, also in the /var/lib/pki/instance_name/subsystem_type/conf directory, which is used for the instance.
The default pki.policy file contains permissions that grant unrestricted access to the Tomcat, LDAP, and symkey services used by the PKI subsystems. For example:
   // These permissions apply to Tomcat java as utilized by PKI instances
	 grant codeBase "file:/usr/share/java/tomcat/-" {
       permission java.security.AllPermission;
   };
Copy to Clipboard Toggle word wrap
The custom.policy file is empty by default; administrators can write policies in that file which will be used in addition to the given PKI policies and Tomcat policies.
All Java subsystems configured under a PKI Tomcat instance are automatically run under a Java Security Manager (unless the instance was created by overriding pki_security_manager=true under the [Tomcat] section in the /etc/pki/default.cfg file). However, it is possible to start or restart an instance and run it without starting the Java Security Manager, as shown below.

Procedure 13.1. Starting an Instance Without the Java Security Manager

  1. Stop the instance.
    # systemctl stop pki-tomcatd@instance_name.service
    Copy to Clipboard Toggle word wrap
  2. Edit the /etc/sysconfig/instance_name file and turn off the security manager:
    SECURITY_MANAGER="false"
    Copy to Clipboard Toggle word wrap
  3. Start the instance.
    # systemctl start pki-tomcatd@instance_name.service
    Copy to Clipboard Toggle word wrap
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat