This documentation is for WSO2 Carbon 4.4.3. View documentation for the latest release.
Page Comparison - Enabling Java Security Manager (v.3 vs v.4) - Carbon 4.4.3 - WSO2 Documentation
Due to a known issue, do not use JDK 1.8.0_151 with WSO2 products. Use JDK 1.8.0_144 until JDK 1.8.0_162-ea is released.

The Java Security Manager is used to define various security policies that prevent untrusted code from manipulating your system. Enabling the Java Security Manager for WSO2 products activates the Java permissions that are in the <PRODUCT_HOME>/repository/conf/sec.policy file. You modify this file to change the Java security permissions as required.

Info

Before you begin

  • Ensure that you have Java 1.8 installed.
  • Note that you need to use a keystore for signing JARs using the Java security manager. In this example, you will be using the default keystore in your WSO2 product (wso2carbon.jks).

The steps below show how to enable the Java Security Manager for WSO2 products.

Before you begin, ensure that you have Java 1.6 installed.

  1. Download the WSO2 product to any location (e.g., <HOME>/user/<product-pack> folder).

  2. To sign the JARs in your product, you need a key. You can generate a new keystore (with a new key) by executing the keytool command given below. Note that the new keystore is created in the directory from which you execute the keytool command.

    Code Block
    keytool -genkey -alias signFiles -keyalg RSA -keystore signkeystore.jks -validity 3650 -dname "CN=Sanjeewa,OU=Engineering, O=WSO2, L=Colombo, ST=Western, C=LK"
    
    
    Enter keystore password:  
    Re-enter new password:
    Enter key password for
    (RETURN if same as keystore password)

    Now you have a new keystore (signkeystore.jks) with a new public key certificate (signFiles).

  3. By default, WSO2 products use the default wso2carbon.jks keystore for signing JARs. This keystore is stored in the <PRODUCT_HOME>/repository/resources/security directory. Therefore, you need to add the signFiles public key certificate that you created earlier into the wso2carbon.jks keystore.

    First, export the signFiles public key certificate from the signkeystore.jks keystore by executing the following command:

    Code Block
    $ keytool -export -keystore signkeystore.jks -alias signFiles -file sign-cert.cer 
        
    

    Then, import the same signFiles certificate to the wso2carbon.jks keystore by executing the command given below. Be sure to specify the correct directory path to the wso2carbon.jks file of your product.

    Code Block
    $ keytool -import -alias signFiles -file sign-cert.cer -keystore <PATH_to_PRODUCT_HOME>/repository/resources/security/wso2carbon.jks
        Enter keystore password:  
        Owner: CN=Sanjeewa, OU=Engineering, O=WSO2, L=Colombo, ST=Western, C=LK
        Issuer: CN=Sanjeewa, OU=Engineering, O=WSO2, L=Colombo, ST=Western, C=LK
        Serial number: 5486f3b0
        Valid from: Tue Dec 09 18:35:52 IST 2014 until: Fri Dec 06 18:35:52 IST 2024
        Certificate fingerprints:
        MD5:  54:13:FD:06:6F:C9:A6:BC:EE:DF:73:A9:88:CC:02:EC
        SHA1: AE:37:2A:9E:66:86:12:68:28:88:12:A0:85:50:B1:D1:21:BD:49:52
        Signature algorithm name: SHA1withRSA
        Version: 3
        Trust this certificate? [no]:  yes
        Certificate was added to keystore
    Note

    Note that WSO2 no longer recommends MD5 for JAR signing due to cryptographic limitations. 

  4. Open the security policy file, and update the "grant signedBy" value with the new signFiles alias key, as shown below.

    Code Block
    grant signedBy "signFiles" {
      // permission java.util.PropertyPermission "*", "read";
      // permission java.lang.RuntimePermission "*", "*";
      // permission java.io.FilePermission "*", "*";
      permission java.security.AllPermission;
    };
  5. Prepare the scripts to sign the JARs and grant them the required permission. For example, the signJar.sh script given below can be used to sign each JAR file separately, or you can use the signJars.sh script, which runs a loop to read all JARs and sign them.

    Code Block
    signJar.sh script
    #!/bin/bash
    set -e
    jarfile="$1"
    keystore_file="signkeystore.jks"
    keystore_keyalias='signFiles'
    keystore_storepass='wso2123'
    keystore_keypass='wso2123'
    echo "Signing $jarfile"
    "$JAVA_HOME/bin/jarsigner" -keystore "$keystore_file" -storepass "$keystore_storepass" -keypass "$keystore_keypass" "$jarfile" "$keystore_keyalias"
    echo "Verifying $jarfile"
    # Check whether the verification is successful. The command is tested directly
    # because, with "set -e", a separate "$?" check is never reached on failure.
    if ! "$JAVA_HOME/bin/jarsigner" -keystore "$keystore_file" -verify "$jarfile"
    then
       echo "Verification failed for $jarfile"
       exit 1
    fi
    Code Block
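    signJars.sh script
    #!/bin/bash
    if [[ ! -d "$1" ]]; then
       echo "Please specify a target directory"
       exit 1
    fi
    # Sign every JAR under the target directory passed as the first argument.
    # NUL-delimited names keep paths that contain spaces intact.
    find "$1" -type f -iname '*.jar' -print0 | while IFS= read -r -d '' jarfile
    do
      ./signJar.sh "$jarfile"
    done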
  6. Execute the following commands to sign the JARs in your product:

    Code Block
    ./signJars.sh /HOME/user/<product-pack>
    Tip

    Every time you add an external JAR to the WSO2 product, sign it manually using the above instructions for the Java Security Manager to be effective. You add external JARs to the server when extending the product, applying patches, etc.

  7. Open the startup script in the <PRODUCT_HOME>/bin folder. For Linux, it is wso2server.sh.
  8. Add the following system properties to the startup script and save the file:

    Code Block
    -Djava.security.manager=org.wso2.carbon.bootstrap.CarbonSecurityManager \
    -Djava.security.policy=$CARBON_HOME/repository/conf/sec.policy \
    -Drestricted.packages=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,org.wso2.carbon. \
    -Ddenied.system.properties=javax.net.ssl.trustStore,javax.net.ssl.trustStorePassword,denied.system.properties \
  9. Create a sec.policy file with the required security policies in the <PRODUCT_HOME>/repository/conf folder and start the server. Starting the server makes the Java permissions defined in the sec.policy file take effect.

    An example of a sec.policy file is given below. It includes mostly WSO2 Carbon-level permissions.

    Code Block
    grant {
        // Allow socket connections for any host
        permission java.net.SocketPermission "*:1-65535", "connect,resolve";
       
        // Allow to read all properties. Use -Ddenied.system.properties in wso2server.sh to restrict properties
        permission java.util.PropertyPermission "*", "read";
           
        permission java.lang.RuntimePermission "getClassLoader";
           
        // CarbonContext APIs require this permission
        permission java.lang.management.ManagementPermission "control";
       
        // Required by any component reading XMLs. For example: org.wso2.carbon.databridge.agent.thrift:4.2.1.
        permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.bind.v2.runtime.reflect";
       
        // Required by org.wso2.carbon.ndatasource.core:4.2.0. This is only necessary after adding above permission. 
        permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.bind";
    };
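
The tip in step 6 means a JAR added after the initial signing run stays outside the "grant signedBy" entry until someone signs it. The Python sketch below is an added example, not part of the WSO2 documentation or product code: it reads the signedBy aliases from a policy file and lists the JARs under a directory that carry no matching signature files. It assumes the JARs were signed with jarsigner's default signature-file naming (no -sigfile option) under the same alias the policy names; all function names are hypothetical, and it checks only that signature files are present, so jarsigner -verify remains the cryptographic check.

```python
import io
import os
import re
import zipfile

def signed_by_aliases(policy_text):
    """Alias lists from every signedBy "..." clause, with policy comments ignored."""
    # Quoted strings are matched first so "//" inside a codeBase URL is not a comment.
    text = re.sub(r'"[^"]*"|//[^\n]*|/\*.*?\*/',
                  lambda m: m.group(0) if m.group(0).startswith('"') else " ",
                  policy_text, flags=re.S)
    clauses = re.findall(r'\bsignedBy\s+"([^"]*)"', text, flags=re.I)
    return [[a.strip() for a in c.split(",") if a.strip()] for c in clauses]

def sigfile_base(alias):
    """jarsigner default .SF base name: alias[:8] upper-cased, other chars -> "_"."""
    return re.sub(r"[^A-Z0-9_-]", "_", alias.upper()[:8])

def jar_signers(jar):
    """Names X for which META-INF/ holds X.SF plus an X.RSA, X.DSA or X.EC block."""
    with zipfile.ZipFile(jar) as zf:
        meta = {n.upper()[len("META-INF/"):] for n in zf.namelist()
                if n.upper().startswith("META-INF/") and n.count("/") == 1}
    return {n[:-3] for n in meta if n.endswith(".SF")
            and any(n[:-3] + ext in meta for ext in (".RSA", ".DSA", ".EC"))}

def uncovered_jars(root, policy_text):
    """JARs under root whose signature files satisfy no signedBy clause."""
    wanted = [{sigfile_base(a) for a in c} for c in signed_by_aliases(policy_text)]
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(folder, name)
                signers = jar_signers(path)
                if not any(w and w <= signers for w in wanted):
                    findings[path] = sorted(signers) or ["unsigned"]
    return findings

def sample_jar(*entries):
    """Constructed in-memory JAR holding the given entry names (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"constructed")
    return buf

SAMPLE_POLICY = 'grant signedBy "signFiles" {\n  permission java.security.AllPermission;\n};'  # constructed from step 4
```

Calling uncovered_jars with the product directory and the text of sec.policy returns a mapping from each uncovered JAR path to the signer names found in it, or ["unsigned"].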