[Pki-devel] [PATCH] 130 Enabled Tomcat security manager.

Matthew Harmsen mharmsen at redhat.com
Sat Oct 27 02:39:24 UTC 2012


On 10/25/12 19:29, Endi Sukma Dewata wrote:
> On 10/22/2012 5:07 PM, Endi Sukma Dewata wrote:
>> On 10/3/2012 6:01 PM, Endi Sukma Dewata wrote:
>>> The tomcat.conf and pkideployment.cfg have been modified to enable
>>> the security manager. The catalina.policy has been updated with
>>> more specific permissions for PKI.
>>>
>>> Ticket #223
>>
>> New patch attached. It will now combine the default Tomcat policy with
>> PKI standard policy and custom policy.
>
> New patch attached. It fixes pki.policy and the code to generate 
> catalina.policy.
>
ACK

Applied patch, built, installed, and successfully tested a CA running 
under the Tomcat Java Security Manager:

  * # ps -ef | grep tomcat
    pkiuser  28050     1  2 19:15 ?        00:00:17
    /usr/lib/jvm/jre/bin/java -classpath
    :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
    -Dcatalina.base=/var/lib/pki/pki-tomcat
    -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs=
    -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
    -Djava.security.manager
    -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy
    -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
    -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
    org.apache.catalina.startup.Bootstrap start

I noticed one oddity in the '/usr/sbin/tomcat' file where they had 
specified -Djava.security.policy=="${CATALINA_BASE}/conf/catalina.policy" 
rather than 
-Djava.security.policy="${CATALINA_BASE}/conf/catalina.policy" (used 
an "==" rather than a single "="), but when I manually changed this 
and restarted the server, I was still able to successfully request, 
approve, and issue another cert.
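Added example, not code from this thread or from the PKI project: a small Python checker that parses a JVM command line like the `ps` output above and reports whether the Java Security Manager is enabled and how the policy file was passed. The distinction it flags is the one behind the `==` oddity: `-Djava.security.policy==FILE` (double `=`) makes FILE the only policy source and ignores the JRE's default `java.policy` and the `policy.url.n` entries in `java.security`, while a single `=` adds FILE on top of those defaults. The sample command lines are constructed from the `ps` output in this message; the names `parse_jvm_security_args`, `audit` and `SecurityManagerStatus` are my own.

```python
"""Report Java Security Manager settings found on a JVM command line.

Added example for the pki-devel thread above; not project code.
Input is a single command line as printed by `ps -ef`.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional

POLICY_PREFIX = "-Djava.security.policy="
MANAGER_FLAG = "-Djava.security.manager"


@dataclass
class SecurityManagerStatus:
    manager_enabled: bool
    policy_file: Optional[str]
    # True for -Djava.security.policy==FILE (double '='): FILE is the only
    # policy source; the JRE's java.policy and policy.url.n entries are
    # ignored.  False for a single '=' (FILE is merged with the defaults).
    policy_exclusive: bool


def parse_jvm_security_args(cmdline: str) -> SecurityManagerStatus:
    """Extract security-manager and policy-file settings from a command line."""
    manager = False
    policy = None
    exclusive = False
    for arg in shlex.split(cmdline):
        if arg == MANAGER_FLAG or arg.startswith(MANAGER_FLAG + "="):
            manager = True
        elif arg.startswith(POLICY_PREFIX):
            value = arg[len(POLICY_PREFIX):]
            if value.startswith("="):          # the '==' form
                exclusive = True
                value = value[1:]
            policy = value                      # last occurrence wins, as in the JVM
    return SecurityManagerStatus(manager, policy, exclusive)


def audit(cmdline: str) -> List[str]:
    """Return human-readable findings for one JVM command line."""
    status = parse_jvm_security_args(cmdline)
    if not status.manager_enabled:
        return ["security manager NOT enabled (no -Djava.security.manager)"]
    if status.policy_file is None:
        return ["security manager enabled; JRE default policy only"]
    mode = "exclusive (==), defaults ignored" if status.policy_exclusive \
        else "additive (=), merged with JRE defaults"
    return [f"security manager enabled; policy {status.policy_file} is {mode}"]


# Constructed from the ps output quoted in this message (classpath shortened).
SAMPLE_DOUBLE_EQ = (
    "/usr/lib/jvm/jre/bin/java -classpath :/usr/share/tomcat/bin/bootstrap.jar "
    "-Dcatalina.base=/var/lib/pki/pki-tomcat -Djava.endorsed.dirs= "
    "-Djava.security.manager "
    "-Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy "
    "org.apache.catalina.startup.Bootstrap start"
)
# Same line after the manual change to a single '=' described above.
SAMPLE_SINGLE_EQ = SAMPLE_DOUBLE_EQ.replace("policy==", "policy=")
# Constructed: Tomcat started without the security manager at all.
SAMPLE_NO_MANAGER = (
    "/usr/lib/jvm/jre/bin/java -Dcatalina.base=/var/lib/pki/pki-tomcat "
    "org.apache.catalina.startup.Bootstrap start"
)

if __name__ == "__main__":
    for line in (SAMPLE_DOUBLE_EQ, SAMPLE_SINGLE_EQ, SAMPLE_NO_MANAGER):
        for finding in audit(line):
            print(finding)
```

To use it against a live host, feed it the java line from `ps -ef | grep tomcat` (or the contents of `/proc/<pid>/cmdline` with NULs replaced by spaces). Either policy form keeps the security manager enforcing; the checker just makes visible whether the site's catalina.policy stands alone or is layered on the JRE's defaults.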