...
Download the WSO2 product to any location (e.g., the `<HOME>/user/<product-pack>` folder).

To sign the JARs in your product, you need a key. Generate it using the `keytool` command as follows:

```
keytool -genkey -alias signFiles -keyalg RSA -keystore signkeystore.jks -validity 3650 -dname "CN=Sanjeewa,OU=Engineering, O=WSO2, L=Colombo, ST=Western, C=LK"
Enter keystore password:
Re-enter new password:
Enter key password for <signFiles>
	(RETURN if same as keystore password):
```
The default keystore of the WSO2 products is `wso2carbon.jks`, which is in the `<PRODUCT_HOME>/repository/resources/security` folder. It is used for signing JARs. Import the `signFiles` public key certificate that you created earlier into `wso2carbon.jks`. The sample below exports the signer certificate from `signkeystore.jks` and imports it into the `wso2carbon.jks` file, which the security policy then trusts as the signer:

```
$ keytool -export -keystore signkeystore.jks -alias signFiles -file sign-cert.cer
$ keytool -import -alias signFiles -file sign-cert.cer -keystore repository/resources/security/wso2carbon.jks
Enter keystore password:
Owner: CN=Sanjeewa, OU=Engineering, O=WSO2, L=Colombo, ST=Western, C=LK
Issuer: CN=Sanjeewa, OU=Engineering, O=WSO2, L=Colombo, ST=Western, C=LK
Serial number: 5486f3b0
Valid from: Tue Dec 09 18:35:52 IST 2014 until: Fri Dec 06 18:35:52 IST 2024
Certificate fingerprints:
	 MD5:  54:13:FD:06:6F:C9:A6:BC:EE:DF:73:A9:88:CC:02:EC
	 SHA1: AE:37:2A:9E:66:86:12:68:28:88:12:A0:85:50:B1:D1:21:BD:49:52
	 Signature algorithm name: SHA1withRSA
	 Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore
```
Prepare the scripts to sign the JARs and grant them the required permission. For example, the `signJar.sh` script given below can be used to sign each JAR file separately, or you can use the `signJars.sh` script, which runs a loop to read all JARs and sign them.

signJar.sh script:

```bash
#!/bin/bash
set -e

jarfile=$1
keystore_file="signkeystore.jks"
keystore_keyalias='signFiles'
keystore_storepass='wso2123'
keystore_keypass='wso2123'

# MD5withRSA / SHA1 are the algorithms used on this page. Recent JDKs disable
# both for signing and treat such signatures as unsigned; on those, use
# -sigalg SHA256withRSA -digestalg SHA-256 instead.
signjar="$JAVA_HOME/bin/jarsigner -sigalg MD5withRSA -digestalg SHA1 -keystore $keystore_file -storepass $keystore_storepass -keypass $keystore_keypass"
verifyjar="$JAVA_HOME/bin/jarsigner -keystore $keystore_file -verify"

echo "Signing $jarfile"
$signjar "$jarfile" $keystore_keyalias

echo "Verifying $jarfile"
# Under set -e a failing verify would exit before a trailing "$? -eq 1" test,
# so check the command's status directly and fail the script explicitly.
if ! $verifyjar "$jarfile"; then
    echo "Verification failed for $jarfile"
    exit 1
fi
```

signJars.sh script:

```bash
#!/bin/bash
if [[ ! -d $1 ]]; then
    echo "Please specify a target directory"
    exit 1
fi

# Search the directory passed as $1 (the original loop searched "." and
# ignored the argument). -print0/-d '' keeps paths with spaces intact.
find "$1" -type f -iname '*.jar' -print0 | while IFS= read -r -d '' jarfile
do
    "$(dirname "$0")/signJar.sh" "$jarfile"
done
```
Execute the following command to sign the JARs in your product:

```
./signJars.sh /HOME/user/<product-pack>
```

Tip: Every time you add an external JAR to the WSO2 product, sign it manually using the above instructions for the Java Security Manager to be effective. You add external JARs to the server when extending the product, applying patches, etc.
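Because an unsigned JAR is the usual reason the Security Manager refuses to grant a permission after a patch or extension is dropped in, it helps to audit the pack before starting the server. The following script is an added example, not WSO2 code: it walks a directory and reports JARs that carry no `jarsigner` signature (a `META-INF/<ALIAS>.SF` file paired with a `.RSA`, `.DSA` or `.EC` signature block; `jarsigner` derives the file name from the alias, upper-cased and truncated to eight characters, so `signFiles` becomes `SIGNFILE`). The `build_demo_pack` helper creates two constructed sample JARs so the script runs offline; it does not validate the signatures cryptographically, which remains `jarsigner -verify`'s job.

```python
"""Report JARs in a product pack that are not signed (added example, not WSO2 code)."""
import os
import tempfile
import zipfile

SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")


def signer_aliases(jar_path):
    """Return the signer names found in a JAR (empty set if it is unsigned)."""
    aliases = set()
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    for name in names:
        if name.startswith("META-INF/") and name.endswith(".SF"):
            base = name[len("META-INF/"):-len(".SF")]
            # A .SF without a matching signature block is not a valid signature.
            if any(f"META-INF/{base}{ext}" in names for ext in SIG_BLOCK_EXT):
                aliases.add(base)
    return aliases


def unsigned_jars(root):
    """Walk root and return the sorted paths of JARs that carry no signature."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".jar"):
                path = os.path.join(dirpath, fname)
                if not signer_aliases(path):
                    found.append(path)
    return sorted(found)


def build_demo_pack():
    """Create a constructed sample pack: one signed-looking JAR, one unsigned.

    Returns (root_dir, path_of_the_unsigned_jar). Layout only; the .RSA bytes
    are a placeholder, not a real signature block.
    """
    root = tempfile.mkdtemp(prefix="pack-")
    os.makedirs(os.path.join(root, "repository", "components", "plugins"))
    signed = os.path.join(root, "repository", "components", "plugins", "core.jar")
    unsigned = os.path.join(root, "repository", "components", "plugins", "patch.jar")
    for path, add_sig in ((signed, True), (unsigned, False)):
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("org/example/Hello.class", b"\xca\xfe\xba\xbe")
            if add_sig:
                zf.writestr("META-INF/SIGNFILE.SF", "Signature-Version: 1.0\n")
                zf.writestr("META-INF/SIGNFILE.RSA", b"\x30\x82placeholder")
    return root, unsigned
```

Run `unsigned_jars("<PRODUCT_HOME>")` on a real pack and feed every reported path to `signJar.sh` before enabling the Security Manager.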
- Open the startup script in the `<PRODUCT_HOME>/bin` folder. For Linux, it is `wso2server.sh`. Add the following system properties to the startup script and save the file:

```
-Djava.security.manager=org.wso2.carbon.bootstrap.CarbonSecurityManager \
-Djava.security.policy=$CARBON_HOME/repository/conf/sec.policy \
-Drestricted.packages=sun.,com.sun.xml.internal.ws.,com.sun.xml.internal.bind.,com.sun.imageio.,org.wso2.carbon. \
-Ddenied.system.properties=javax.net.ssl.trustStore,javax.net.ssl.trustStorePassword,denied.system.properties \
```
Create a `sec.policy` file with the required security policies in the `<PRODUCT_HOME>/repository/conf` folder and start the server. Starting the server makes the Java permissions defined in the `sec.policy` file take effect.

An example of a `sec.policy` file is given below. It includes mostly WSO2 Carbon-level permissions.

```
grant {
    // Allow socket connections for any host
    permission java.net.SocketPermission "*:1-65535", "connect,resolve";

    // Allow to read all properties. Use -Ddenied.system.properties in wso2server.sh to restrict properties
    permission java.util.PropertyPermission "*", "read";
    permission java.lang.RuntimePermission "getClassLoader";

    // CarbonContext APIs require this permission
    permission java.lang.management.ManagementPermission "control";

    // Required by any component reading XMLs. For example: org.wso2.carbon.databridge.agent.thrift:4.2.1.
    permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.bind.v2.runtime.reflect";

    // Required by org.wso2.carbon.ndatasource.core:4.2.0. This is only necessary after adding above permission.
    permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.bind";
};
```