{jaggery.js} Enabling Java Security Manager in Jaggery


This post summarizes the steps for enabling the Java Security Manager in the Jaggery server. Steps are given both for signing the JAR files with the default keystore and for using a custom keystore.

The Jaggery server comes with a default keystore located at “JAGGERY_HOME/carbon/repository/resources/security/wso2carbon.jks”. It is highly recommended to create a new keystore and link it to the Jaggery server before moving into production. That process deserves a separate post; you can find additional information at: https://docs.wso2.com/display/Carbon420/Configuring+Keystores+in+WSO2+Products

The steps below are derived from https://docs.wso2.com/display/AS530/Enabling+Java+Security+Manager and were modified to fit the Jaggery context.

Download Attachments.

Using “default” keystore

1. Stop the server and create a backup of the full pack
2. Upload the attached scripts to JAGGERY_HOME/carbon
3. Execute : signJars.sh .
4. Add the lines below near the end of bin/wso2server.sh, directly above the line “org.wso2.carbon.bootstrap.Bootstrap $*”

-Djava.security.manager=org.wso2.carbon.bootstrap.CarbonSecurityManager \
-Djava.security.policy="$CARBON_HOME/repository/conf/sec.policy" \
-Drestricted.packages=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,org.wso2.carbon. \
-Ddenied.system.properties=javax.net.ssl.trustStore,javax.net.ssl.trustStorePassword,denied.system.properties \

5. Upload the attached sec.policy to “JAGGERY_HOME/carbon/repository/conf”

To use an up-to-date default security policy, download WSO2 Application Server and take the default policy from “/repository/conf” in the downloaded pack.

Add the additional permission below inside the “grant” block; the Jaggery engine requires it:

permission java.io.FilePermission "../apps/-", "read";

6. Restart the server

Using “custom” keystore

1. Stop the server and create a backup of the full pack
2. Upload the attached scripts to JAGGERY_HOME/carbon
3. Modify “signJar.sh” to reflect the keystore and key details to be used for JAR signing.
4. Execute : signJars.sh .
5. Add the lines below near the end of bin/wso2server.sh, directly above the line “org.wso2.carbon.bootstrap.Bootstrap $*”

-Djava.security.manager=org.wso2.carbon.bootstrap.CarbonSecurityManager \
-Djava.security.policy="$CARBON_HOME/repository/conf/sec.policy" \
-Drestricted.packages=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,org.wso2.carbon. \
-Ddenied.system.properties=javax.net.ssl.trustStore,javax.net.ssl.trustStorePassword,denied.system.properties \

6. Upload the attached sec.policy to “JAGGERY_HOME/carbon/repository/conf”

To use an up-to-date default security policy, download WSO2 Application Server and take the default policy from “/repository/conf” in the downloaded pack.

Add the additional permission below inside the “grant” block; the Jaggery engine requires it:

permission java.io.FilePermission "../apps/-", "read";

7. Change the keystore details on the first line of “sec.policy”, and modify the line below so it names the key alias that was used to sign the JARs

grant signedBy "wso2carbon"

8. Restart the server
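A quick way to catch the mistakes that both procedures above guard against (typographic quotes pasted from a web page, a signedBy alias that does not match the key used for signing, and the missing “../apps/-” read permission) is to check sec.policy before restarting. The script below is an added example written for this post, not a WSO2 or Jaggery tool; the policy text it parses is a constructed sample in the layout the post describes, not the attached file.

```python
import re

# Constructed sample sec.policy (keystore line first, then grant blocks). Not the WSO2 file.
SAMPLE_POLICY = '''\
keystore "file:${user.dir}/repository/resources/security/wso2carbon.jks", "JKS";

grant signedBy "wso2carbon" {
    permission java.security.AllPermission;
};

grant {
    permission java.util.PropertyPermission "*", "read";
    permission java.io.FilePermission "../apps/-", "read";
};
'''

KEYSTORE_RE = re.compile(r'^\s*keystore\s+"([^"]+)"(?:\s*,\s*"([^"]+)")?\s*;', re.M)
GRANT_RE = re.compile(r'\bgrant\b([^{]*)\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')


def parse_policy(text):
    """Return (keystore, grants). keystore is (url, type) or None; each grant is a
    dict with 'signedBy' (alias or None) and 'permissions' as (class, target, actions)."""
    m = KEYSTORE_RE.search(text)
    keystore = (m.group(1), m.group(2)) if m else None
    grants = []
    for head, body in GRANT_RE.findall(text):
        alias = re.search(r'signedBy\s+"([^"]+)"', head)
        grants.append({"signedBy": alias.group(1) if alias else None,
                       "permissions": PERM_RE.findall(body)})
    return keystore, grants


def check_jaggery_policy(text, expected_alias):
    """Flag copy-pasted typographic quotes, a signedBy alias that does not match the
    signing key, and the ../apps/- read permission the Jaggery engine needs."""
    problems = []
    if re.search(r'[\u201c\u201d]', text):
        problems.append('typographic quotes found; the policy parser only accepts "')
    keystore, grants = parse_policy(text)
    if keystore is None:
        problems.append("no keystore line, so signedBy grants cannot be resolved")
    aliases = {g["signedBy"] for g in grants if g["signedBy"]}
    if expected_alias not in aliases:
        problems.append(f'no grant signedBy "{expected_alias}" (found {sorted(aliases)})')
    needed = ("java.io.FilePermission", "../apps/-", "read")
    if not any(needed in g["permissions"] for g in grants):
        problems.append('missing: permission java.io.FilePermission "../apps/-", "read";')
    return problems
```

Run it against the real sec.policy with the alias you passed to signJars.sh; an empty list means the three checks passed.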

