Re: [Pki-devel] [PATCH] 130 Enabled Tomcat security manager.
On 10/25/12 19:29, Endi Sukma Dewata wrote:
On 10/22/2012 5:07 PM, Endi Sukma Dewata wrote:
> On 10/3/2012 6:01 PM, Endi Sukma Dewata wrote:
>> The tomcat.conf and pkideployment.cfg have been modified to enable
>> the security manager. The catalina.policy has been updated with
>> more specific permissions for PKI.
>>
>> Ticket #223
>
> New patch attached. It will now combine the default Tomcat policy with
> PKI standard policy and custom policy.
New patch attached. It fixes pki.policy and the code to generate
catalina.policy.
ACK
Applied patch, built, installed, and successfully tested a CA running
under the Tomcat Java Security Manager:
* # ps -ef | grep tomcat
pkiuser 28050 1 2 19:15 ? 00:00:17
/usr/lib/jvm/jre/bin/java -classpath
:/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
-Dcatalina.base=/var/lib/pki/pki-tomcat
-Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs=
-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
*-Djava.security.manager
-Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy*
-Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
org.apache.catalina.startup.Bootstrap start
I noticed one oddity in the '/usr/sbin/tomcat' file where they had
specified*-Djava.security.policy=="${CATALINA_BASE}/conf/catalina.policy"*
rather than
*-Djava.security.policy="${CATALINA_BASE}/conf/catalina.policy"* (used
an "==" rather than an single "="), but when I manually changed this,
and restarted the server, I was still able to successfully request,
approve, and issue another cert.
Attachments:
- attachment.html (text/html — 2.6 KB)