EAP 5.1: Running under the Java Security Manager

Background

This article is about running JBoss EAP 5.1 under the Java Security Manager.

The Java Security Manager policy shipped with EAP 5.1 is the file "server.policy.cert" in the bin directory. The bin directory also contains the JBossPublicKey.RSA file, which is the public key of the JBoss code-signing key.

Steps to perform

1. Do the following one-time operation: import the public key into your keystore.

sudo $JAVA_HOME/bin/keytool -import -alias jboss -file JBossPublicKey.RSA -keystore $JAVA_HOME/jre/lib/security/cacerts

This command is for Linux. On Windows it is almost identical, apart from the sudo prefix.

Verification:

$ keytool -list
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

jboss, Aug 12, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 93:F2:F1:8B:EF:8A:E0:E3:D0:E7:69:BC:69:96:29:C1
jbosscodesign2009, Aug 12, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 93:F2:F1:8B:EF:8A:E0:E3:D0:E7:69:BC:69:96:29:C1

By default, the JVM keystore password is "changeit".

2. In run.conf, just below the existing JAVA_OPTS definition, insert the additional JAVA_OPTS line:

JAVA_OPTS="-Dprogram.name=$PROGNAME $JAVA_OPTS"

# The following line starts EAP under the Java Security Manager
JAVA_OPTS="$JAVA_OPTS -Xss2M -Djava.security.manager \
  -Djava.security.policy==$DIRNAME/server.policy.cert \
  -Djava.protocol.handler.pkgs=org.jboss.handlers.stub \
  -Djava.security.debug=access:failure \
  -Djboss.home.dir=$DIRNAME/../ \
  -Djboss.server.home.dir=$DIRNAME/../server/default/"

NOTE: The JAVA_OPTS entry must be a single shell line. The trailing backslashes above are line continuations, so the block is equivalent to writing it on one line.

In the line above, two system properties are passed, jboss.home.dir and jboss.server.home.dir, which the security manager policy references. The double equals sign in -Djava.security.policy== makes server.policy.cert the only policy file in effect, instead of adding it to the JVM's default policy.

3. Now start EAP using run.sh.

Debugging Failing Security Permissions

This is a very challenging task. As part of EAP 5.1, we provide a debugging security manager that prints out the protection domain that corresponds to the failing permission.

You will need to add the following flag to JAVA_OPTS:

-Djava.security.manager=org.jboss.system.security.DebuggingJavaSecurityManager

WARNING: Please do not use the DebuggingJavaSecurityManager in production. It is intended for debugging security permissions only.

Additionally, add the following option:

-Djava.security.debug=access:failure

An example of a run with the debugging security manager:

anil@localhost:~/eap51/CR1/jboss-eap-5.1/jboss-as/bin$ ./run_sm.sh 
=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as

  JAVA: /usr/lib/jvm/java-1.6.0-openjdk.x86_64/bin/java

  JAVA_OPTS: -Dprogram.name=run_sm.sh -server -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Dsun.lang.ClassLoader.allowArraySyntax=true -Djava.net.preferIPv4Stack=true -Xss2M -Djava.security.manager -Djava.security.policy==./server.policy.cert -Djava.protocol.handler.pkgs=org.jboss.handlers.stub -Djava.security.debug=access:failure -Djboss.home.dir=./../ -Djboss.server.home.dir=./../server/default/ -Djava.security.manager=org.jboss.system.security.DebuggingJavaSecurityManager

  CLASSPATH: /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/bin/run.jar:/usr/lib/jvm/java-1.6.0-openjdk.x86_64/lib/tools.jar

=========================================================================

WE ARE SETTING THE error and output streams to FILTERINGPRINTSTREAM
Confirming that the error stream is set to FILTERINGPRINTSTREAM : true
Confirming that the error stream is set to FILTERINGPRINTSTREAM : true
access: access denied (java.util.PropertyPermission * read,write)
java.lang.Exception: Stack traceaccess: domain that failed ProtectionDomain  (jar:file:/home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/server/default/deploy/quartz-ra.rar!/quartz-ra.jar <no signer certificates>)
 null
 <no principals>
 java.security.Permissions@4b2bd15 (
 (unresolved org.jboss.naming.JndiPermission <<ALL BINDINGS>> lookup)
 (java.io.FilePermission ./../server/default//tmp/- read)
 (java.io.FilePermission /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/bin/./../common/lib/quartz.jar/org/quartz/quartz.properties read)
 (java.io.FilePermission /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/bin/./../common/lib/quartz.jar read)
 (java.io.FilePermission /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/bin/./../common/lib read)
 (java.io.FilePermission quartz.properties read)
 (java.lang.RuntimePermission queuePrintJob)
 (java.util.PropertyPermission * read)
)
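
The trace above is what an administrator has to turn into a policy decision. What follows is an added example, not part of this article and not EAP code: a small Python parser for the DebuggingJavaSecurityManager output that extracts the denied permission, the failing code base and its signer status, the permissions the domain already holds, and the actions that are actually missing (here only write, since the domain already holds PropertyPermission * read), and then emits a grant template limited to that code base and that permission. The parser assumes the Java 6 Permission.toString() layout shown in the trace; the sample trace embedded in it is constructed from the article's own output, cut down to the lines the parser needs.

```python
"""Summarise an access-denied trace from the EAP 5.1 DebuggingJavaSecurityManager.

Assumed input: the block printed when both
  -Djava.security.manager=org.jboss.system.security.DebuggingJavaSecurityManager
  -Djava.security.debug=access:failure
are set: an 'access: access denied (...)' line followed by the ProtectionDomain
dump (code base, signers, principals, granted permissions).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the article's own trace, cut down to the lines the
# parser needs (the code base path is the one shown in the article).
SAMPLE_TRACE = """\
access: access denied (java.util.PropertyPermission * read,write)
java.lang.Exception: Stack traceaccess: domain that failed ProtectionDomain  (jar:file:/home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/server/default/deploy/quartz-ra.rar!/quartz-ra.jar <no signer certificates>)
 null
 <no principals>
 java.security.Permissions@4b2bd15 (
 (unresolved org.jboss.naming.JndiPermission <<ALL BINDINGS>> lookup)
 (java.io.FilePermission ./../server/default//tmp/- read)
 (java.io.FilePermission quartz.properties read)
 (java.lang.RuntimePermission queuePrintJob)
 (java.util.PropertyPermission * read)
)
"""

DENIED_RE = re.compile(r"^access: access denied \((.+)\)\s*$")
DOMAIN_RE = re.compile(r"ProtectionDomain\s+\((\S+)\s+([^)]*)\)")
GRANTED_RE = re.compile(r"^\s*\((.+)\)\s*$")
NO_SIGNERS = "<no signer certificates>"


@dataclass(frozen=True)
class Perm:
    cls: str
    name: str
    actions: frozenset          # empty for permissions that have no actions
    unresolved: bool = False    # policy entry whose class was not loadable


def parse_perm(text):
    """Parse 'class name [actions]' as Java 6 Permission.toString() prints it.
    A target containing spaces is only recovered when an actions field follows
    it (e.g. '<<ALL BINDINGS>> lookup'); RuntimePermission has no actions."""
    unresolved = text.startswith("unresolved ")
    tokens = text.split()[1:] if unresolved else text.split()
    if len(tokens) >= 3:                      # class, name..., actions
        name, actions = " ".join(tokens[1:-1]), tokens[-1]
    else:                                     # class [name], no actions
        name, actions = (tokens[1] if len(tokens) > 1 else ""), ""
    acts = frozenset(a for a in actions.split(",") if a)
    return Perm(tokens[0], name, acts, unresolved)


@dataclass
class Failure:
    denied: Perm
    codebase: str
    signed: bool
    principals: str
    granted: list = field(default_factory=list)

    def missing_actions(self):
        """Actions requested that no granted permission with the same class and
        target covers; the whole request if the domain has no such grant."""
        have = set()
        for g in self.granted:
            if g.cls == self.denied.cls and g.name == self.denied.name:
                have |= g.actions
        return set(self.denied.actions) - have

    def grant_stub(self):
        """Grant template scoped to the failing code base and to exactly the
        denied permission. Rewrite codeBase in the form server.policy.cert
        already uses (its ${jboss.home.dir}-based patterns) before adding it."""
        p = self.denied
        actions = ', "%s"' % ",".join(sorted(p.actions)) if p.actions else ""
        return 'grant codeBase "%s" {\n    permission %s "%s"%s;\n};' % (
            self.codebase, p.cls, p.name, actions)


def parse_trace(text):
    """Build a Failure from the raw trace; ValueError if the key lines are absent."""
    denied = codebase = signers = principals = None
    granted, in_perms = [], False
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            denied = parse_perm(m.group(1))
            continue
        m = DOMAIN_RE.search(line)
        if m:
            codebase, signers = m.group(1), m.group(2).strip()
            continue
        s = line.strip()
        if s.startswith("java.security.Permissions@"):
            in_perms = True                   # granted-permission list begins
        elif in_perms and s == ")":
            in_perms = False                  # and ends
        elif in_perms and (m := GRANTED_RE.match(line)):
            granted.append(parse_perm(m.group(1)))
        elif s.startswith("<") and s.endswith("principals>"):
            principals = s
    if denied is None or codebase is None:
        raise ValueError("not a DebuggingJavaSecurityManager access-denied trace")
    return Failure(denied, codebase, signers != NO_SIGNERS, principals or "", granted)


def summarize(text):
    """Short report an administrator can act on."""
    f = parse_trace(text)
    missing = ",".join(sorted(f.missing_actions())) or "(whole permission)"
    signers = "present" if f.signed else "none (signedBy grants do not apply to this domain)"
    return ("denied:   %s %s %s\n" % (f.denied.cls, f.denied.name, ",".join(sorted(f.denied.actions)))
            + "codebase: %s\nsigners:  %s\nmissing:  %s\ntemplate:\n%s"
            % (f.codebase, signers, missing, f.grant_stub()))


if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

Treat the template as a starting point rather than something to paste in: the codeBase has to be rewritten in the form the policy file already uses, and a request such as PropertyPermission "*" with write deserves a look at whether the component really needs to set arbitrary system properties before the grant is widened.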

Additional Notes

For the admin console, you may need the following additional setting:

-Djboss.server.temp.dir=./../server/default/tmp