EAP 5.1 : Running under the Java Security Manager

    Background

    This article is about running JBoss EAP 5.1 under the Java Security Manager.

    The Java Security Manager policy that ships with EAP 5.1 is the file "server.policy.cert" in the bin directory. The bin directory also contains JBossPublicKey.RSA, the public key of the JBoss code-signing key.

    Steps to perform

    1. One-time operation: import the public key into your keystore.

    sudo $JAVA_HOME/bin/keytool -import -alias jboss -file JBossPublicKey.RSA -keystore $JAVA_HOME/jre/lib/security/cacerts

    This command is for Linux. On Windows it is almost identical, minus the sudo prefix.

    Verification:

    $ keytool -list
    Enter keystore password:  
    
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 2 entries
    
    jboss, Aug 12, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): 93:F2:F1:8B:EF:8A:E0:E3:D0:E7:69:BC:69:96:29:C1
    jbosscodesign2009, Aug 12, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): 93:F2:F1:8B:EF:8A:E0:E3:D0:E7:69:BC:69:96:29:C1
    

    By default, the JVM keystore password is "changeit".

    2. In your run.conf, just below the JAVA_OPTS definition, insert the additional JAVA_OPTS line:

    JAVA_OPTS="-Dprogram.name=$PROGNAME $JAVA_OPTS"

    # The following line starts EAP under the Java Security Manager
    JAVA_OPTS="$JAVA_OPTS -Xss2M -Djava.security.manager -Djava.security.policy==$DIRNAME/server.policy.cert -Djava.protocol.handler.pkgs=org.jboss.handlers.stub -Djava.security.debug=access:failure -Djboss.home.dir=$DIRNAME/../ -Djboss.server.home.dir=$DIRNAME/../server/default/"

    NOTE: The JAVA_OPTS entry should be on one line.

    In the line above, two system properties are passed, jboss.home.dir and jboss.server.home.dir, which are referenced by the security manager policy.

    3. Now start EAP using run.sh.

    Debugging Failing Security Permissions

    This is a very challenging task. As part of EAP 5.1, we provide a debugging security manager that prints out the protection domain that corresponds to the failing permission.

    You will need to provide the additional flag in JAVA_OPTS:

    -Djava.security.manager=org.jboss.system.security.DebuggingJavaSecurityManager

    WARNING: Please do not use the DebuggingJavaSecurityManager in production. It is mainly for debugging security permissions.

    Additionally add the following option:

    -Djava.security.debug=access:failure

    An example of a run with the debugging security manager:

    anil@localhost:~/eap51/CR1/jboss-eap-5.1/jboss-as/bin$ ./run_sm.sh 
    =========================================================================
    
      JBoss Bootstrap Environment
    
      JBOSS_HOME: /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as
    
      JAVA: /usr/lib/jvm/java-1.6.0-openjdk.x86_64/bin/java
    
      JAVA_OPTS: -Dprogram.name=run_sm.sh -server -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Dsun.lang.ClassLoader.allowArraySyntax=true -Djava.net.preferIPv4Stack=true -Xss2M -Djava.security.manager -Djava.security.policy==./server.policy.cert -Djava.protocol.handler.pkgs=org.jboss.handlers.stub -Djava.security.debug=access:failure -Djboss.home.dir=./../ -Djboss.server.home.dir=./../server/default/ -Djava.security.manager=org.jboss.system.security.DebuggingJavaSecurityManager
    
      CLASSPATH: /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/bin/run.jar:/usr/lib/jvm/java-1.6.0-openjdk.x86_64/lib/tools.jar
    
    =========================================================================
    
    WE ARE SETTING THE error and output streams to FILTERINGPRINTSTREAM
    Confirming that the error stream is set to FILTERINGPRINTSTREAM : true
    Confirming that the error stream is set to FILTERINGPRINTSTREAM : true
    access: access denied (java.util.PropertyPermission * read,write)
    java.lang.Exception: Stack traceaccess: domain that failed ProtectionDomain  (jar:file:/home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/server/default/deploy/quartz-ra.rar!/quartz-ra.jar <no signer certificates>)
     null
     <no principals>
     java.security.Permissions@4b2bd15 (
     (unresolved org.jboss.naming.JndiPermission <<ALL BINDINGS>> lookup)
     (java.io.FilePermission ./../server/default//tmp/- read)
     (java.io.FilePermission /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/bin/./../common/lib/quartz.jar/org/quartz/quartz.properties read)
     (java.io.FilePermission /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/bin/./../common/lib/quartz.jar read)
     (java.io.FilePermission /home/anil/eap51/CR1/jboss-eap-5.1/jboss-as/bin/./../common/lib read)
     (java.io.FilePermission quartz.properties read)
     (java.lang.RuntimePermission queuePrintJob)
     (java.util.PropertyPermission * read)
    )
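
    To make output like the run above easier to act on, here is an added Python helper (not part of EAP or this article) that pairs each "access denied" line with the "domain that failed" line printed by the DebuggingJavaSecurityManager, aggregates the denials per codebase, and renders a draft grant block per codebase in standard java.policy syntax. The SAMPLE_LOG and its /opt/jboss-as paths are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of this page's run output (placeholder paths). The second
# line shows the "domain that failed" text fused onto a stack-trace line, as on the page.
SAMPLE_LOG = """\
access: access denied (java.util.PropertyPermission * read,write)
java.lang.Exception: Stack traceaccess: domain that failed ProtectionDomain  (jar:file:/opt/jboss-as/server/default/deploy/quartz-ra.rar!/quartz-ra.jar <no signer certificates>)
access: access denied (java.io.FilePermission /opt/jboss-as/server/default/tmp/quartz.lock write)
access: domain that failed ProtectionDomain  (jar:file:/opt/jboss-as/server/default/deploy/quartz-ra.rar!/quartz-ra.jar <no signer certificates>)
access: access denied (java.lang.RuntimePermission queuePrintJob)
"""
DENIED_RE = re.compile(r"access: access denied \(([\w.$]+) (.*?)\)\s*$")
DOMAIN_RE = re.compile(r"domain that failed ProtectionDomain\s+\((\S+)")

def _record(result, codebase, denial):
    result[codebase][denial[:2]].update(a for a in denial[2].split(",") if a)

def parse_denials(log_text):
    """Map codebase -> {(perm_class, name): set(actions)}; domain-less denials go under '<unknown>'."""
    result = defaultdict(lambda: defaultdict(set))
    pending = None                        # (perm_class, name, actions) awaiting its domain
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            if pending:                   # previous denial had no domain line
                _record(result, "<unknown>", pending)
            cls, rest = m.groups()
            parts = rest.rsplit(None, 1)  # "name actions", or just "name"
            pending = (cls, parts[0], parts[1] if len(parts) == 2 else "")
            continue
        m = DOMAIN_RE.search(line)
        if m and pending:
            _record(result, m.group(1), pending)
            pending = None
    if pending:
        _record(result, "<unknown>", pending)
    return result

def draft_policy(denials):
    """Render one java.policy grant block per codebase, copying the codeBase verbatim."""
    blocks = []
    for codebase, perms in denials.items():
        lines = ['grant codeBase "%s" {' % codebase]
        for (cls, name), actions in sorted(perms.items()):
            acts = ', "%s"' % ",".join(sorted(actions)) if actions else ""
            lines.append('    permission %s "%s"%s;' % (cls, name, acts))
        lines.append("};")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks)
```

    Treat the draft as a starting point only: the codeBase is copied verbatim from the debug output and should be rewritten to the conventions of server.policy.cert (which references jboss.home.dir and jboss.server.home.dir), and each permission reviewed rather than granted wholesale.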
    

    Additional Notes

    For the admin console, you may need the following additional setting:

    -Djboss.server.temp.dir=./../server/default/tmp