N1 Grid Service Provisioning System 5.0 Installation Guide

Chapter 8 Configuring the Java Virtual Machine Security Policy

This chapter describes how to configure the security policy of the N1 Grid Service Provisioning System 5.0 applications so that they accept connections only from a specific IP address and port range, or connect only to a specific IP address and port range.

Configuring the JVM Security Policy

Each N1 Grid Service Provisioning System 5.0 application has a Java Virtual Machine (JVM) security policy file located in lib/security/rox.policy. This file specifies the permissions assigned to the application. As installed, the policy file allows the application to connect to and accept connections from any host. If you are using the CLI Client with SSH, change the policy file to restrict the connection to only the localhost.

The following line in the lib/security/rox.policy file grants these permissions.


permission java.net.SocketPermission "*", "connect,accept,listen";

If you want to restrict the network access abilities of the application, delete this line and add more restrictive permissions.

The host parameter for SocketPermission is as follows:


host = (hostname | IPaddress)[:portrange]

hostname is the host name of the machine. IPaddress is the IP address of the machine. portrange is the following:


portrange = portnumber | -portnumber | portnumber-[portnumber]  

For more information about the syntax for the security policy file, see http://java.sun.com/j2se/1.4.2/docs/guide/security/PolicyFiles.html and click on the Policy File Syntax link.

Procedure: How to Configure the JVM Policy for the Master Server

Steps
  1. Edit the lib/security/rox.policy file.

  2. Delete the line that allows the application to connect to or accept connections from all hosts.

  3. Add the following lines to give the application permission selectively.


    permission java.net.SocketPermission "localhost:localport", "accept"; 
    permission java.net.SocketPermission "localhost:dbport", "connect"; 
    permission java.net.SocketPermission "<domain>:httpport", "connect"; 
    permission java.net.SocketPermission "ipAddress1:port1", "connect"; 
    permission java.net.SocketPermission "ipAddress2:port2", "connect";
    ...

    • localport is the port that the CLI Client uses to connect to the Master Server. The first line restricts the Master Server to allow CLI Clients to connect only locally or through ssh-proxy.

    • dbport is the port number for the Postgres database server.

    • domain is the domain of the hosts that are to be allowed to connect to the browser interface. httpport is the port number of the browser interface.

    • ipAddress1:port1 and ipAddress2:port2 are the IP address and port numbers of the Remote Agents or Local Distributors that are connected directly to the Master Server.

Procedure: How to Configure the JVM Policy for the Remote Agent

Steps
  1. Edit the lib/security/rox.policy file.

  2. Delete the line that allows the application to connect to or accept connections from all hosts.

  3. Add the following line to give the application permission.


    permission java.net.SocketPermission "ipAddress", "accept";

    ipAddress is the IP address of the Local Distributor or the Master Server to which this Remote Agent is connected.

Adding Permissions to Connect to a Host

If you plan to execute plans containing steps that require network access, such as urltest, you might want to add permissions for this Remote Agent to connect to a particular host.

Procedure: How to Configure the JVM Policy for the Local Distributor

Steps
  1. Edit the lib/security/rox.policy file.

  2. Delete the line that allows the application to connect to or accept connections from all hosts.

  3. Add the following lines to give the application permission selectively.


    permission java.net.SocketPermission "ipAddress", "accept"; 
    permission java.net.SocketPermission "ipAddress1:port1", "connect"; 
    permission java.net.SocketPermission "ipAddress2:port2", "connect";
    ...

    • ipAddress is the IP address of the Local Distributor or Master Server that is the parent of this Local Distributor.

    • ipAddress1:port1 and ipAddress2:port2 are the IP address and port numbers of the Remote Agents or Local Distributors for which this Local Distributor is the parent.
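A check to run after editing a policy file, added here as an example and not part of the guide or the product: it parses SocketPermission entries with the host and portrange grammar given earlier and reports grants that still cover any host, connect grants with no port range, and malformed port ranges. The sample policy text, the finding labels, and the treatment of an omitted port range as all ports are assumptions of this example.

```python
import re

ENTRY = re.compile(r'permission\s+java\.net\.SocketPermission\s+"([^"]*)"\s*,\s*"([^"]*)"\s*;')
# portrange = portnumber | -portnumber | portnumber-[portnumber]
PORTRANGE = re.compile(r'^(?:(\d+)|-(\d+)|(\d+)-(\d*))$')

def parse_host(spec):
    """Split 'host[:portrange]' into (host, low, high); ValueError if malformed."""
    host, sep, ports = spec.rpartition(":")
    if not sep or spec.endswith("]"):   # no range given (or a bare [IPv6] literal)
        return spec, 0, 65535           # assumption: an omitted range covers all ports
    m = PORTRANGE.match(ports)
    if not m:
        raise ValueError("bad port range")
    single, upto, low, high = m.groups()
    lo = int(single or low or 0)
    hi = int(single or upto or high or 65535)
    if lo > hi or hi > 65535:
        raise ValueError("bad port range")
    return host, lo, hi

def audit(policy_text):
    """Return (line_no, host_spec, problem) for each over-broad or malformed grant."""
    findings = []
    for n, line in enumerate(policy_text.splitlines(), 1):
        m = ENTRY.search(line)
        if not m or line.lstrip().startswith("//"):   # skip // commented-out grants
            continue
        spec, actions = m.group(1), m.group(2).lower()
        try:
            host, low, high = parse_host(spec)
        except ValueError as err:
            findings.append((n, spec, str(err)))
            continue
        if host in ("", "*"):
            findings.append((n, spec, "any host"))
        elif "connect" in actions and (low, high) == (0, 65535):
            findings.append((n, spec, "connect to every port"))
    return findings

# Constructed sample policy (documentation addresses, not values from the guide).
SAMPLE = '''grant {
    // permission java.net.SocketPermission "*", "connect,accept,listen";
    permission java.net.SocketPermission "*", "connect,accept,listen";
    permission java.net.SocketPermission "localhost:5432", "connect";
    permission java.net.SocketPermission "192.0.2.11", "connect";
    permission java.net.SocketPermission "192.0.2.12:80-x", "connect";
};'''
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An empty result from audit() on the contents of lib/security/rox.policy means no entry matched these three checks; it does not confirm that the listed hosts and ports are the right ones for your deployment.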

Postgres Security

Ensure that the Postgres database does not accept connections from other hosts. The default configuration of the Postgres database is to accept connections from UNIX sockets and localhost. Change this default setting in the server/postgres/data/pg_hba.conf configuration file. Also, change the database password after installation using the alter user username with password 'password' query. If you make these changes to the Postgres configuration file, you must also change the value of db.password in the N1SPS5.0-MasterServer-home/config/config.properties file.