Activate the security manager

14.1. Using the Security Manager

JBoss Enterprise Application Platform can use the JDK default Security Manager or a custom security manager. For details on selecting a custom Security Manager, refer to Security Manager-related options. When the Platform is configured to use a security manager, a security policy file must be specified. A security policy file, jboss-as/bin/server.policy.cert, is included as a starting point. For information on writing security policy, refer to Section 14.3, "Writing Security Policy for JBoss Enterprise Application Platform".

Configuration File

The file run.conf (Linux) or run.conf.bat (Windows) is used to configure the Security Manager and security policy. This file is found in the jboss-as/bin directory. It configures server-level options and applies to all server profiles. Configuring the Security Manager and security policy involves profile-specific configuration: you may copy the global run.conf or run.conf.bat file from jboss-as/bin/ to the server profile (for example, jboss-as/server/production/run.conf) and make the configuration changes there. A configuration file in the server profile takes precedence over the global run.conf / run.conf.bat file when that server profile is started.

Procedure 14.1. Activate the Security Manager

This procedure configures JBoss Enterprise Application Platform to start with the Java Security Manager activated. The file editing actions in this procedure refer to the file run.conf (Linux) or run.conf.bat (Windows) in the server profile directory, if one exists there, or otherwise in jboss-as/bin. Refer to Configuration File for details on the location of this file.

1. Specify the JBoss home directory

Edit the file run.conf (Linux) or run.conf.bat (Windows). Add the jboss.home.dir option, specifying the path to the jboss-as directory of your installation.

Linux:
    JAVA_OPTS="$JAVA_OPTS -Djboss.home.dir=/path/to/jboss-eap-5.1/jboss-as"

Windows:
    JAVA_OPTS="%JAVA_OPTS% -Djboss.home.dir=c:\path\jboss-eap-5.1\jboss-as"

2. Specify the server home directory

Add the jboss.server.home.dir option, specifying the path to your server profile.

Linux:
    JAVA_OPTS="$JAVA_OPTS -Djboss.server.home.dir=/path/to/jboss-eap-5.1/jboss-as/server/production"

Windows:
    JAVA_OPTS="%JAVA_OPTS% -Djboss.server.home.dir=c:\path\to\jboss-eap-5.1\jboss-as\server\production"

3. Specify the Protocol Handler

Add the java.protocol.handler.pkgs option, specifying the JBoss stub handler.

Linux:
    JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"

Windows:
    JAVA_OPTS="%JAVA_OPTS% -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"

4. Specify the security policy to use

Add the POLICY variable, specifying the security policy to use. Add the variable definition before the line that activates the Security Manager, because the file is read top to bottom and the activation line expands $POLICY when it is reached.

Example 14.1. Use the Platform's included security policy
    POLICY="server.policy.cert"

5. Activate the Security Manager

Uncomment the following line by removing the initial #:

Linux:
    #JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$POLICY"

Windows:
    #JAVA_OPTS="%JAVA_OPTS% -Djava.security.manager -Djava.security.policy=%POLICY%"

Result: JBoss Enterprise Application Platform is now configured to start with the Security Manager activated.

6. Optional: Import Red Hat's JBoss signing key

The included security policy grants permissions to JBoss-signed code. If you use the included policy, you must import the JBoss signing key into the JDK cacerts key store. The following command assumes that the environment variable JAVA_HOME is set to the location of a JDK supported by JBoss Enterprise Application Platform 5. You configure JAVA_HOME when you first install JBoss Enterprise Application Platform 5. Refer to the Installation Guide for further information.

JVM Selection

To ensure the correct JVM is selected, you can use the alternatives command to select from the JDKs installed on your Linux system. Refer to Appendix A, Setting the default JDK with the /usr/sbin/alternatives Utility.

Execute the following command in a terminal:

Linux:
    [~]$ sudo $JBOSS_HOME/bin/keytool -import -alias jboss -file JBossPublicKey.RSA \
        -keystore $JAVA_HOME/lib/security/cacerts

Windows:
    C:> %JBOSS_HOME%\bin\keytool -import -alias jboss -file JBossPublicKey.RSA -keystore %JAVA_HOME%\lib\security\cacerts

Although broken across two lines in this documentation, the commands above should be entered on a single line in a terminal.

Note: The default password for the cacerts key store is changeit.

Result: The key used to sign the JBoss Enterprise Application Platform code is now installed.
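As an added example (not code from the Red Hat guide), the following POSIX shell script writes the run.conf lines from steps 1 to 5 for a Linux installation and then checks that the Security Manager is really active: the activation line must be uncommented and POLICY must be defined on an earlier line, since run.conf is sourced top to bottom. The install path and profile name are placeholders; the Windows run.conf.bat is not covered.

```shell
#!/bin/sh
# Added example, not part of the EAP 5 guide. Install path and profile name
# passed to the functions below are placeholders, not values from a real install.

# Write the Procedure 14.1 run.conf lines (steps 1-5) for a jboss-as dir and profile.
# $JAVA_OPTS and $POLICY are escaped so they expand when run.sh sources the file,
# not when this fragment is written.
write_sm_fragment() {
    jboss_as="$1"; profile="$2"; out="$3"
    cat > "$out" <<EOF
JAVA_OPTS="\$JAVA_OPTS -Djboss.home.dir=$jboss_as"
JAVA_OPTS="\$JAVA_OPTS -Djboss.server.home.dir=$jboss_as/server/$profile"
JAVA_OPTS="\$JAVA_OPTS -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"
POLICY="server.policy.cert"
JAVA_OPTS="\$JAVA_OPTS -Djava.security.manager -Djava.security.policy=\$POLICY"
EOF
}

# Succeed only when the file really activates the Security Manager:
#  - the -Djava.security.manager line is present and not commented out (step 5),
#  - POLICY is defined, on an earlier line than the activation line (step 4),
#  - jboss.home.dir is set (step 1).
check_sm_active() {
    f="$1"
    sm_line=$(grep -n '^[[:space:]]*JAVA_OPTS=.*-Djava.security.manager' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$sm_line" ] || { echo "activation line missing or still commented out" >&2; return 1; }
    pol_line=$(grep -n '^[[:space:]]*POLICY=' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$pol_line" ] || { echo "POLICY is not defined" >&2; return 1; }
    [ "$pol_line" -lt "$sm_line" ] || { echo "POLICY is defined after the activation line" >&2; return 1; }
    grep -q -- '-Djboss.home.dir=' "$f" || { echo "jboss.home.dir is not set" >&2; return 1; }
}

# Show the JAVA_OPTS the server will receive by sourcing the file the way
# run.sh does, in a subshell so the caller's environment is left untouched.
effective_java_opts() {
    ( JAVA_OPTS=""; . "$1"; printf '%s\n' "$JAVA_OPTS" )
}
```

Run `check_sm_active jboss-as/server/production/run.conf` after editing the profile-level file; it exits non-zero with the reason on stderr if step 4 or 5 was skipped or the activation line is still commented out.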