Mlet security

The Java Dynamic Management Kit 4.1 offers security within the Mlet service. Security differs between the JDK 1.1x and Java 2 Java runtime environments. This is explained in the following sections.

JDK 1.1x

The default behavior of the Java Virtual Machine forbids you to download classes and native libraries across the network. For secure operation of the Mlet service, the Java Dynamic Management Kit provides a simple implementation of a security manager, called com.sun.jdmk.AgentSecurityManager, which accepts incoming libraries. This security manager extends the java.lang.SecurityManager interface and you must install it as the default security manager in the Java virtual machine on which the agent is running.

Code signing must also be employed to ensure the secure operation of class and library loading services. The Mlet service allows you to load .jar files that have been signed using the javakey utility. The machine where the agent is running must have the signer's certificate in its keystore. Otherwise, the service will be unable to load .jar files signed by that particular signer. The class loader must have access to the signer's certificate, that is, the signer's certificate must be stored in the keystore on the machine on which the agent is running.

Registering the Mlet Service with the MBean server

The Mlet service is registered in one of the following ways:

• Security Mode.

  • The security mode of the Mlet Service is specified at instantiation time through a parameter passed in the Mlet constructor.

  • If no secure parameter is specified, the service assumes insecure mode to be enabled.

Java 2

Code signing must also be employed to ensure the secure operation of the class and library loading services. The Mlet service allows you to load .jar files that have been signed using the jarsigner utility. The machine where the agent is running must have the signer's certificate in its keystore. Otherwise, the service will be unable to load .jar files signed by that signer. The class loader must have access to the signer's certificate, that is, the signer's certificate must be stored in the keystore on the machine on which the agent is running.

As well as jarsigner, the java.lang.SecurityManager provides the keytool and Policy Tool utilities. You can use keytool to manage your keystore and Policy Tool to create and modify the external policy configuration files that define your installation's security policy.