Please note that this document is currently under review. Currently, WSO2 does not recommend the Java Security Manager for production environments due to some known issues.
The Java Security Manager is used to define various security policies that prevent untrusted code from manipulating your system. Enabling the Java Security Manager for WSO2 products activates the Java permissions that are in the <PRODUCT_HOME>/repository/conf/sec.policy file. You modify this file to change the Java security permissions as required.
Before you begin
- Ensure that you have Java 1.8 installed.
- Note that you need to use a keystore for signing JARs using the Java Security Manager. In this example, you will be using the default keystore in your WSO2 product (wso2carbon.jks). You can read about the recommendations for using keystores from here.
The steps below show how to enable the Java Security Manager for WSO2 products.
Download the WSO2 product to any location (e.g.,
To sign the JARs in your product, you need a key. You can generate a new keystore (with a new key) by executing the keytool command given below. Note that the new keystore is created in the directory from which you execute the keytool command.
Now you have a new keystore (signkeystore.jks) with a new public key certificate (
By default, WSO2 products use the default wso2carbon.jks keystore for signing JARs. This keystore is stored in the <PRODUCT_HOME>/repository/resources/security directory. Therefore, you need to add the signFiles public key certificate that you created earlier into the
First, export the signFiles public key certificate from the signkeystore.jks keystore by executing the following command:
Then, import the same signFiles certificate to the wso2carbon.jks keystore by executing the command given below. Be sure to specify the correct directory path to the wso2carbon.jks file of your product.
Note that WSO2 no longer recommends MD5 for JAR signing due to cryptographic limitations.
Open the security policy file, and update the "grant signedBy" value in the with the new signFiles alias key, as shown below.
Prepare the scripts to sign the JARs and grant them the required permission. For example, the signJar.sh script given below can be used to sign each JAR file separately or you can use the signJars.sh script, which runs a loop to read all JARs and sign them.
Execute the following commands to sign the JARs in your product:
Every time you add an external JAR to the WSO2 product, sign it manually using the above instructions; otherwise the Java Security Manager will not be effective. You add external JARs to the server when extending the product, applying patches, etc.
- Open the startup script in the <PRODUCT_HOME>/bin folder. For Linux, it is
Add the following system properties to the startup script and save the file:
sec.policy file with the required security policies in the <PRODUCT_HOME>/repository/conf folder and start the server. Starting the server makes the Java permissions defined in the sec.policy file take effect.
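To check the signing steps above across a product directory, the following added example (not WSO2's own tooling) scans JARs for a missing signature or an MD5 digest in the signature file. It is a structural check only; the sample JAR names are constructed, and their .SF/.RSA entries are placeholders, not real signatures.

```python
import re
import tempfile
import zipfile
from pathlib import Path

WEAK_DIGESTS = {"MD5"}  # the page flags MD5; extend the set to match your policy
SF_RE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
BLOCK_RE = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)
# Captures the algorithm from headers such as "SHA-256-Digest-Manifest:" or "MD5-Digest:"
DIGEST_RE = re.compile(r"^([\w-]+?)-Digest(?:-[\w-]+)?:", re.M)

def audit_jar(path):
    """Return 'unsigned', 'weak-digest' or 'signed' (structure only, no crypto check)."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        sf_files = [n for n in names if SF_RE.match(n)]
        if not sf_files or not any(BLOCK_RE.match(n) for n in names):
            return "unsigned"
        for sf in sf_files:
            text = jar.read(sf).decode("utf-8", "replace")
            if {alg.upper() for alg in DIGEST_RE.findall(text)} & WEAK_DIGESTS:
                return "weak-digest"
    return "signed"

def audit_tree(root):
    """Map every JAR under root that is not acceptably signed to its finding."""
    findings = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        status = audit_jar(jar)
        if status != "signed":
            findings[jar.relative_to(root).as_posix()] = status
    return findings

def build_sample_tree(root):
    """Write constructed sample JARs; signature entries are placeholders."""
    samples = {"ok.jar": "SHA-256-Digest-Manifest: AAAA\r\n",
               "legacy-md5.jar": "MD5-Digest-Manifest: AAAA\r\n",
               "external-unsigned.jar": None}  # e.g. a JAR added after signing
    for name, sf in samples.items():
        with zipfile.ZipFile(Path(root, name), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
            if sf:
                jar.writestr("META-INF/SIGNFILE.SF", "Signature-Version: 1.0\r\n" + sf)
                jar.writestr("META-INF/SIGNFILE.RSA", b"placeholder")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_tree(tmp))
```

Run it against the product directory after adding external JARs or patches; jarsigner -verify remains the tool that validates the signatures themselves.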
An example of a sec.policy file is given below. It includes mostly WSO2 Carbon-level permissions.