Background
This article is about running JBoss EAP 5.1 under the Java Security Manager.
The Java Security Manager Policy that is shipped with EAP 5.1 is called "server.policy.cert" in the bin directory. Additionally, the bin directory contains the JBossPublicKey.RSA file, which is the public key of the JBoss code signing key.
Steps to perform
1. Do the following one-time operation: import the public key into your keystore.
sudo $JAVA_HOME/bin/keytool -import -alias jboss -file JBossPublicKey.RSA -keystore $JAVA_HOME/jre/lib/security/cacerts
This line is for Linux. On Windows it should be almost identical (except for the sudo command).
Verification:
$ keytool -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
jboss, Aug 12, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 93:F2:F1:8B:EF:8A:E0:E3:D0:E7:69:BC:69:96:29:C1
jbosscodesign2009, Aug 12, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 93:F2:F1:8B:EF:8A:E0:E3:D0:E7:69:BC:69:96:29:C1
By default, the JVM keystore password is "changeit".
2. In your run.conf, just below the JAVA_OPTS definition, insert the additional JAVA_OPTS line:
JAVA_OPTS="-Dprogram.name=$PROGNAME $JAVA_OPTS"
#The following line starts the EAP under Java Security Manager
JAVA_OPTS="$JAVA_OPTS -Xss2M -Djava.security.manager -Djava.security.policy==$DIRNAME/server.policy.cert -Djava.protocol.handler.pkgs=org.jboss.handlers.stub -Djava.security.debug=access:failure -Djboss.home.dir=$DIRNAME/../ -Djboss.server.home.dir=$DIRNAME/../server/default/"
NOTE: The JAVA_OPTS entry should be on one line.
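In the above line, we pass two system properties, jboss.home.dir and jboss.server.home.dir, which are used in the security manager policy. The double equals sign in -Djava.security.policy== tells the JVM to use only this policy file and to ignore the policy files listed in its default security properties.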
3. Now start EAP using run.sh
Debugging Failing Security Permissions
This is a very challenging task. As part of EAP 5.1, we provide a debugging security manager that prints out the protection domain that corresponds to the failing permission.
You will need to provide the following additional flag in JAVA_OPTS:
-Djava.security.manager=org.jboss.system.security.DebuggingJavaSecurityManager
WARNING: Please do not use the DebuggingJavaSecurityManager in production. It is mainly for debugging security permissions.
Additionally, add the following option:
-Djava.security.debug=access:failure
An example of a run with the debugging security manager:
anil@localhost:~/eap51/CR1/jboss-eap-5.1/jboss-as/bin$ ./run_sm.sh
=========================================================================
JBoss Bootstrap Environment
JBOSS_HOME: /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as
JAVA: /usr/lib/jvm/java-1.6.0-openjdk.x86_64/bin/java
JAVA_OPTS: -Dprogram.name=run_sm.sh -server -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Dsun.lang.ClassLoader.allowArraySyntax=true -Djava.net.preferIPv4Stack=true -Xss2M -Djava.security.manager -Djava.security.policy==./server.policy.cert -Djava.protocol.handler.pkgs=org.jboss.handlers.stub -Djava.security.debug=access:failure -Djboss.home.dir=./../ -Djboss.server.home.dir=./../server/default/ -Djava.security.manager=org.jboss.system.security.DebuggingJavaSecurityManager
CLASSPATH: /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/bin/run.jar:/usr/lib/jvm/java-1.6.0-openjdk.x86_64/lib/tools.jar
=========================================================================
WE ARE SETTING THE error and output streams to FILTERINGPRINTSTREAM
Confirming that the error stream is set to FILTERINGPRINTSTREAM : true
Confirming that the error stream is set to FILTERINGPRINTSTREAM : true
access: access denied (java.util.PropertyPermission * read,write)
java.lang.Exception: Stack trace
access: domain that failed ProtectionDomain (jar:file:/home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/server/default/deploy/quartz-ra.rar!/quartz-ra.jar <no signer certificates>)
 null
 <no principals>
 java.security.Permissions@4b2bd15 (
 (unresolved org.jboss.naming.JndiPermission <<ALL BINDINGS>> lookup)
 (java.io.FilePermission ./../server/default//tmp/- read)
 (java.io.FilePermission /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/bin/./../common/lib/quartz.jar/org/quartz/quartz.properties read)
 (java.io.FilePermission /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/bin/./../common/lib/quartz.jar read)
 (java.io.FilePermission /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/bin/./../common/lib read)
 (java.io.FilePermission quartz.properties read)
 (java.lang.RuntimePermission queuePrintJob)
 (java.util.PropertyPermission * read)
)
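As an added example (not part of the original article or of JBoss EAP), the following Python script pairs each "access denied" line with the "domain that failed" line that follows it in output like the run above, and prints candidate policy grant entries for review. The sample log is constructed, the function names parse_denials and render_grants are this example's own, and it assumes the unquoted one-message-per-line format shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample in the output format shown above; the paths are made up.
SAMPLE_LOG = """\
access: access denied (java.util.PropertyPermission * read,write)
java.lang.Exception: Stack trace
access: domain that failed ProtectionDomain (jar:file:/opt/eap/server/default/deploy/quartz-ra.rar!/quartz-ra.jar <no signer certificates>)
access: access denied (java.lang.RuntimePermission getClassLoader)
access: domain that failed ProtectionDomain (file:/opt/eap/server/default/deploy/app.war/ <no signer certificates>)
access: access denied (java.util.PropertyPermission * read,write)
access: domain that failed ProtectionDomain (jar:file:/opt/eap/server/default/deploy/quartz-ra.rar!/quartz-ra.jar <no signer certificates>)
"""

DENIED = re.compile(r"access: access denied \((\S+) (.*)\)\s*$")
DOMAIN = re.compile(r"access: domain that failed ProtectionDomain\s+\((\S+)")
BROAD = ("*", "<<ALL FILES>>", "<<ALL BINDINGS>>")  # targets that deserve a manual look


def parse_denials(log_text):
    """Return {code source URL: set of (permission class, target, actions)}."""
    denials, pending = defaultdict(set), None
    for line in log_text.splitlines():
        denied, domain = DENIED.search(line), DOMAIN.search(line)
        if denied:
            # Heuristic: when several tokens follow the class, the last one is the action list.
            target, _, actions = denied.group(2).rpartition(" ")
            pending = (denied.group(1), target or actions, actions if target else "")
        if domain and pending:
            denials[domain.group(1)].add(pending)  # the set drops repeated denials
            pending = None
    return dict(denials)


def render_grants(denials):
    """Render candidate policy grant entries; they are meant to be reviewed, not applied as-is."""
    out = []
    for source in sorted(denials):
        out.append('grant codeBase "%s" {' % source)
        for cls, target, actions in sorted(denials[source]):
            note = "  // REVIEW: broad target" if target in BROAD else ""
            acts = ', "%s"' % actions if actions else ""
            out.append('    permission %s "%s"%s;%s' % (cls, target, acts, note))
        out.append("};")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_grants(parse_denials(SAMPLE_LOG)))
```

To use it on a real run, capture the server's error stream to a file and pass its contents to parse_denials in place of SAMPLE_LOG.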
Additional Notes
For the admin console, you may need the following additional setting:
-Djboss.server.temp.dir=./../server/default/tmp