[Pki-devel] [PATCH] 130 Enabled Tomcat security manager.
Matthew Harmsen
mharmsen at redhat.com
Sat Oct 27 02:39:24 UTC 2012
On 10/25/12 19:29, Endi Sukma Dewata wrote:
> On 10/22/2012 5:07 PM, Endi Sukma Dewata wrote:
>> On 10/3/2012 6:01 PM, Endi Sukma Dewata wrote:
>>> The tomcat.conf and pkideployment.cfg have been modified to enable
>>> the security manager. The catalina.policy has been updated with
>>> more specific permissions for PKI.
>>>
>>> Ticket #223
>>
>> New patch attached. It will now combine the default Tomcat policy with
>> PKI standard policy and custom policy.
>
> New patch attached. It fixes pki.policy and the code to generate
> catalina.policy.
>
ACK
Applied patch, built, installed, and successfully tested a CA running
under the Tomcat Java Security Manager:
* # ps -ef | grep tomcat
pkiuser 28050 1 2 19:15 ? 00:00:17
/usr/lib/jvm/jre/bin/java -classpath
:/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
-Dcatalina.base=/var/lib/pki/pki-tomcat
-Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs=
-Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
*-Djava.security.manager
-Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy* -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
org.apache.catalina.startup.Bootstrap start
I noticed one oddity in the '/usr/sbin/tomcat' file where they had
specified*-Djava.security.policy=="${CATALINA_BASE}/conf/catalina.policy"*
rather than
*-Djava.security.policy="${CATALINA_BASE}/conf/catalina.policy"* (used
an "==" rather than an single "="), but when I manually changed this,
and restarted the server, I was still able to successfully request,
approve, and issue another cert.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20121026/88e8ddf8/attachment.htm>
More information about the Pki-devel
mailing list