The Java Security Manager is used to define various security policies that prevent untrusted code from manipulating your system.
Enabling the Java Security Manager for WSO2 products activates the Java permissions that are in the $CARBON_HOME/repository/conf/sec.policy file. You modify this file to change the Java security permissions as required.
The steps below show how to enable the Java Security Manager for WSO2 products.
Before you begin, ensure that you have Java 1.7 or above installed.
To sign the JARs in your product, you need a key. Generate it using the keytool command as follows:
keytool -genkey -alias signFiles -keyalg RSA -keystore signkeystore.jks -validity 3650 -dname "CN=Sanjeewa,OU=Engineering, O=WSO2, L=Colombo, ST=Western, C=LK"
Enter keystore password:
Re-enter new password:
Enter key password for
(RETURN if same as keystore password)
The default keystore of the WSO2 products is wso2carbon.jks, which is in the $CARBON_HOME/repository/resources/security folder. It is used for signing JARs.
Import the signFiles public key certificate that you created earlier to wso2carbon.jks. First export the certificate from signkeystore.jks, then import it into wso2carbon.jks:
$ keytool -export -keystore signkeystore.jks -alias signFiles -file sign-cert.cer
$ keytool -import -alias signFiles -file sign-cert.cer -keystore repository/resources/security/wso2carbon.jks
Enter keystore password:
Owner: CN=Sanjeewa, OU=Engineering, O=WSO2, L=Colombo, ST=Western, C=LK
Issuer: CN=Sanjeewa, OU=Engineering, O=WSO2, L=Colombo, ST=Western, C=LK
Serial number: 5486f3b0
Valid from: Tue Dec 09 18:35:52 IST 2014 until: Fri Dec 06 18:35:52 IST 2024
Certificate fingerprints:
MD5: 54:13:FD:06:6F:C9:A6:BC:EE:DF:73:A9:88:CC:02:EC
SHA1: AE:37:2A:9E:66:86:12:68:28:88:12:A0:85:50:B1:D1:21:BD:49:52
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
Update the "grant signedBy" value in the security policy file with the signed alias key. The sample below shows the security policy file referring to the signer certificate from the wso2carbon.jks file:
grant signedBy "signFiles" {
permission java.security.AllPermission;
};
If you don't have a sec.policy file, create a file named sec.policy in the $CARBON_HOME/repository/conf directory with the following content:
keystore "file:${user.dir}/repository/resources/security/wso2carbon.jks", "JKS";
grant {
// Allow socket connections for any host
permission java.net.SocketPermission "*:1-65535", "connect,resolve";
// Allow to read all properties. Use -Ddenied.system.properties in wso2server.sh to restrict properties
permission java.util.PropertyPermission "*", "read";
permission java.lang.RuntimePermission "getClassLoader";
// CarbonContext APIs require this permission
permission java.lang.management.ManagementPermission "control";
// Required by any component reading XMLs. For example: org.wso2.carbon.databridge.agent.thrift:4.2.1.
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.bind.v2.runtime.reflect";
// Required by org.wso2.carbon.ndatasource.core:4.2.0. This is only necessary after adding above permission.
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.bind";
permission java.io.FilePermission "${carbon.home}/repository/deployment/server/jaggeryapps/publisher/localhost/publisher/site/conf/locales/jaggery/locale_en.json", "read,write";
permission java.io.FilePermission "${carbon.home}/repository/deployment/server/jaggeryapps/publisher/localhost/publisher/site/conf/locales/jaggery/locale_default.json", "read,write";
permission java.io.FilePermission "${carbon.home}/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json", "read,write";
permission java.io.FilePermission "${carbon.home}/repository/deployment/server/jaggeryapps/publisher/site/conf/locales/jaggery/-", "read";
permission java.io.FilePermission "${carbon.home}/repository/deployment/server/jaggeryapps/store/localhost/publisher/site/conf/locales/jaggery/locale_en.json", "read,write";
permission java.io.FilePermission "${carbon.home}/repository/deployment/server/jaggeryapps/store/localhost/publisher/site/conf/locales/jaggery/locale_default.json", "read,write";
permission java.io.FilePermission "${carbon.home}/repository/deployment/server/jaggeryapps/store/site/conf/site.json", "read,write";
permission java.io.FilePermission "${carbon.home}/repository/deployment/server/jaggeryapps/store/site/conf/locales/jaggery/-", "read";
};
grant signedBy "signFiles" {
permission java.security.AllPermission;
};
grant codeBase "file:${carbon.home}/repository/deployment/server/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${carbon.home}/modules/carbon/scripts/server/-" {
permission java.security.AllPermission;
};
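To review what a policy like the one above actually grants, the following added example (not part of the original post or of any WSO2 tooling) lists every grant block in a policy file and marks AllPermission grants that depend only on code location or on nothing at all, because those apply to unsigned code as well. The names audit_policy and sample_policy are hypothetical, and the sample is a shortened copy of the policy above.

```shell
#!/bin/sh
# Added example: audit_policy and sample_policy are hypothetical helper names.
# Constructed sample, shortened from the sec.policy shown above.
sample_policy() {
cat <<'EOF'
keystore "file:${user.dir}/repository/resources/security/wso2carbon.jks", "JKS";
grant {
  // Allow socket connections for any host
  permission java.net.SocketPermission "*:1-65535", "connect,resolve";
  permission java.util.PropertyPermission "*", "read";
};
grant signedBy "signFiles" {
  permission java.security.AllPermission;
};
grant codeBase "file:${carbon.home}/repository/deployment/server/-" {
  permission java.security.AllPermission;
};
EOF
}

# Prints "<verdict> TAB <permission count> TAB <scope>" for each grant block.
# Assumes the grant header (signedBy/codeBase) sits on a single line.
audit_policy() {
  awk '
    /^[ \t]*\/\// { next }                       # skip comment lines
    /^[ \t]*grant([ \t{]|$)/ {
      in_grant = 1; all = 0; n = 0; signer = ""; base = ""
      if (match($0, /signedBy[ \t]+"[^"]*"/)) signer = substr($0, RSTART, RLENGTH)
      if (match($0, /codeBase[ \t]+"[^"]*"/)) base = substr($0, RSTART, RLENGTH)
      next
    }
    in_grant && /^[ \t]*permission[ \t]/ {
      n++
      if ($0 ~ /java\.security\.AllPermission/) all = 1
    }
    in_grant && /^[ \t]*[}][ \t]*;/ {
      scope = signer (signer != "" && base != "" ? ", " : "") base
      if (scope == "") scope = "any code"
      if (!all)              verdict = "LIMITED"
      else if (signer != "") verdict = "ALL-SIGNED"        # needs a valid signature
      else if (base != "")   verdict = "ALL-BY-LOCATION"   # unsigned code qualifies
      else                   verdict = "ALL-UNCONDITIONAL"
      printf "%s\t%d\t%s\n", verdict, n, scope
      in_grant = 0
    }
  ' "$@"
}

sample_policy | audit_policy
```

Run it against the real file with audit_policy repository/conf/sec.policy; an ALL-BY-LOCATION line means any JAR placed under that directory gets full permissions whether or not it is signed.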
Prepare the scripts to sign the JARs and grant them the required permission.
For example, the signJar.sh script given below can be used to sign each JAR file separately or you can use the signJars.sh script, which runs a loop to read all JARs and sign them.
You may create the signJar.sh and signJars.sh scripts in the server root and grant permissions using chmod 777 to run the scripts.
signJar.sh script
#!/bin/bash
set -e
jarfile=$1
keystore_file="signkeystore.jks"
keystore_keyalias='signFiles'
keystore_storepass='wso2123'
keystore_keypass='wso2123'
# SHA-256 is used because current JDKs disable MD5 (and SHA-1) for JAR signatures and treat such JARs as unsigned.
signjar="$JAVA_HOME/bin/jarsigner -sigalg SHA256withRSA -digestalg SHA-256 -keystore $keystore_file -storepass $keystore_storepass -keypass $keystore_keypass"
verifyjar="$JAVA_HOME/bin/jarsigner -keystore $keystore_file -verify"
echo "Signing $jarfile"
$signjar "$jarfile" $keystore_keyalias
echo "Verifying $jarfile"
# Check whether the verification is successful. The command is tested directly,
# because with set -e the script would exit before a separate $? check could run.
if ! $verifyjar "$jarfile"
then
    echo "Verification failed for $jarfile"
    exit 1
fi
signJars.sh script
#!/bin/bash
if [[ ! -d $1 ]]; then
    echo "Please specify a target directory"
    exit 1
fi
# Search the target directory given as $1; read line by line so paths with spaces survive.
find "$1" -type f -iname '*.jar' | while IFS= read -r jarfile
do
    ./signJar.sh "$jarfile"
done
Execute the following commands to sign the JARs in your product:
./signJars.sh ./repository > output.log
Every time you add an external JAR to the WSO2 product, sign it manually using the above instructions for the Java Security Manager to be effective. You add external JARs to the server when extending the product, applying patches, etc.
Open the startup script in the $CARBON_HOME/bin folder. For Linux, it is wso2server.sh.
Add the following system properties to the startup script and save the file:
-Djava.security.manager=org.wso2.carbon.bootstrap.CarbonSecurityManager \
-Djava.security.policy=$CARBON_HOME/repository/conf/sec.policy \
-Drestricted.packages=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,org.wso2.carbon. \
-Ddenied.system.properties=javax.net.ssl.trustStore,javax.net.ssl.trustStorePassword,denied.system.properties \
Starting the server makes the Java permissions defined in the sec.policy file take effect.
Once the server has started, you don't need to restart it for each sec.policy file modification.