[jboss-cvs] JBossAS SVN: r82032 - in projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US: extras and 1 other directories.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Thu Dec 4 03:31:45 EST 2008


Author: Darrin
Date: 2008-12-04 03:31:45 -0500 (Thu, 04 Dec 2008)
New Revision: 82032

Added:
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Developer_Guidelines.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Ports.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/additional_logging.xmlt
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/dev_guidelines_1.policy
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/dev_guidelines_2.policy
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/login-config.xmlt
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/run.conf.policy
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/rhn_certificate.png
Modified:
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Introduction.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Revision_History.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Configuration.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/System_Installation.xml
Log:
updates

Modified: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.xml	2008-12-04 07:03:09 UTC (rev 82031)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.xml	2008-12-04 08:31:45 UTC (rev 82032)
@@ -10,9 +10,11 @@
 	<xi:include href="Requirements_for_the_Evaluated_Configuration.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
 	<xi:include href="System_Installation.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
     <xi:include href="Security_Configuration.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+    <xi:include href="Developer_Guidelines.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
     <xi:include href="Security_Features.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
-	<xi:include href="RHEL_4_RPM_List.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> 
+    <xi:include href="RHEL_4_RPM_List.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> 
 	<xi:include href="RHEL_5_RPM_List.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> 
+    <xi:include href="Ports.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> 
 	<xi:include href="Revision_History.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
 </book>
 
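Review bot: The RHEL_4_RPM_List.xml include is removed and re-added with only its leading tab changed to spaces, while the neighbouring RHEL_5_RPM_List.xml and Revision_History.xml includes still use tabs. Drop the whitespace-only change (or normalise the indentation of the whole block in a separate commit) and remove the trailing space after "/>" on the RHEL_4_RPM_List.xml and Ports.xml lines, so that the diff shows only the two real additions, Developer_Guidelines.xml and Ports.xml.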

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Developer_Guidelines.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Developer_Guidelines.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Developer_Guidelines.xml	2008-12-04 08:31:45 UTC (rev 82032)
@@ -0,0 +1,169 @@
+<?xml version='1.0'?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<chapter id="Common_Criteria_Guide-Developer_Guidelines">
+	<title>Development Guide for the Common Criteria Certified System</title>
+
+    <para>This section describes the guidelines to be followed by a trusted developer 
+    who develops programs or applications that run on the secure certified system.</para>
+
+    <section id="Common_Criteria_Guide-Developer_Guidelines-enterprise_applications">
+        <title>Enterprise Application</title>
+        <para>An enterprise application is a Java Enterprise Edition (formerly J2EE) version 1.4 
+        compliant application software. Typically the application accepts requests from clients, 
+        does some processing and responds with results.  The enterprise application that is 
+        developed by the trusted developer is hereby referred to as a <firstterm>user application</firstterm>.</para>
+
+        <para>The types of enterprise applications include the following:</para>
+        <orderedlist>
+            <listitem>
+                <para>Web Applications based on Servlets and Java Server Pages (JSP)</para>
+            </listitem>
+            <listitem>
+                <para>Enterprise Java Beans (EJB)</para>
+            </listitem>
+            <listitem>
+                <para>JavaEE 1.4 Web Service Applications which can be based on 
+                Stateless EJBs or Plain Old Java Objects (POJOs) deployed as Java Servlets.</para>
+            </listitem>
+        </orderedlist>
+    </section>
+
+    <section id="Common_Criteria_Guide-Developer_Guidelines-general_restrictions">
+        <title>General Restrictions</title>
+        <para>The trusted software developer needs to follow the following restrictions when 
+        developing secure software for the certified system.</para>
+
+        <orderedlist>
+            <listitem>
+                <para>Application Programming Interfaces (API) that is not documented in the product 
+                documentation MUST not be used. Please refer to the section on the guidance for System 
+                administrators to configure the certified system, for more information on providing 
+                security permissions to the user applications.</para>
+            </listitem>
+            <listitem>
+                <para>The programming restrictions mandated by the Enterprise Java Beans Specification 
+                version 2.1 (Section 25.2, pages 562-564) 
+                (<ulink url="http://jcp.org/aboutJava/communityprocess/final/jsr153/index.html">http://jcp.org/aboutJava/communityprocess/final/jsr153/index.html</ulink>) 
+                should be strictly followed.</para>
+            </listitem>
+        </orderedlist>
+
+        <formalpara>
+            <title>Enterprise Java Beans Specification Developer Restrictions</title>
+            <para>The restrictions are:</para>
+        </formalpara>
+
+        <itemizedlist>
+            <listitem>
+                <para>An enterprise bean must not use read/write static fields. Using read-only 
+                static fields is allowed. Therefore, it is recommended that all static fields 
+                in the enterprise bean class be declared as final.</para>
+            </listitem>
+ 
+            <listitem>
+                <para>An enterprise bean must not use thread synchronization primitives to 
+                synchronize execution of multiple instances.</para>
+            </listitem>
+
+            <listitem>
+                <para>An enterprise bean must not use the AWT functionality to attempt to 
+                output information to a display or to input information from a keyboard.</para>
+            </listitem>
+
+            <listitem>
+                <para>An enterprise bean must not use the <classname>java.io</classname> package 
+                to attempt to access files and directories in the file system.</para>
+            </listitem>
+
+            <listitem>
+                <para>An enterprise bean must not attempt to listen on a socket, accept 
+                connections on a socket, or use a socket for multicast.</para>
+            </listitem>
+
+            <listitem>
+                <para>The enterprise bean must not attempt to query a class to obtain information 
+                about the declared members that are not otherwise accessible to the enterprise 
+                bean because of the security rules of the Java language. The enterprise bean must 
+                not attempt to use the Reflection API to access information that the security 
+                rules of the Java programming language make unavailable.</para>
+            </listitem>
+
+            <listitem>
+                <para>The enterprise bean must not attempt to 
+                    <itemizedlist>
+                        <listitem><para>create a class loader</para></listitem>
+                        <listitem><para>obtain the current class loader</para></listitem>
+                        <listitem><para>set the context class loader</para></listitem>
+                        <listitem><para>set security manager</para></listitem>
+                        <listitem><para>create a new security manager</para></listitem>
+                        <listitem><para>stop the JVM</para></listitem>
+                        <listitem><para>or change the input, output, and error streams</para></listitem>
+                    </itemizedlist>
+                </para>
+            </listitem>
+
+            <listitem>
+                <para>The enterprise bean must not attempt to set the socket factory used by 
+                ServerSocket, Socket, or the stream handler factory used by URL.</para>
+            </listitem>
+
+            <listitem>
+                <para>The enterprise bean must not attempt to manage threads. The enterprise bean 
+                must not attempt to start, stop, suspend, or resume a thread, or to change a 
+                thread's priority or name. The enterprise bean must not attempt to manage thread 
+                groups.</para>
+            </listitem>
+
+            <listitem>
+                <para>The enterprise bean must not attempt to obtain the security policy 
+                information for a particular code source.</para>
+            </listitem>
+
+            <listitem>
+                <para>The enterprise bean must not attempt to load a native library.</para>
+            </listitem>
+
+            <listitem>
+                <para>The enterprise bean must not attempt to gain access to packages and 
+                classes that the usual rules of the Java programming language make 
+                unavailable to the enterprise bean.</para>
+            </listitem>
+
+            <listitem>
+                <para>The enterprise bean must not attempt to define a class in a package.</para>
+            </listitem>
+                
+            <listitem>
+                <para>The enterprise bean must not attempt to access or modify the security 
+                configuration objects (Policy, Security, Provider, Signer, and Identity).</para>
+            </listitem>
+
+            <listitem>
+                <para>The enterprise bean must not attempt to use the subclass and object 
+                substitution features of the Java Serialization Protocol.</para>
+            </listitem>
+
+            <listitem>
+                <para>The enterprise bean must not attempt to pass this as an argument or 
+                method result. The enterprise bean must pass the result of 
+                <classname>SessionContext.getEJBObject</classname>, 
+                <classname>SessionContext.getEJBLocalObject</classname>, 
+                <classname>EntityContext.getEJBObject</classname>, or 
+                <classname>EntityContext.getEJBLocalObject</classname> instead.</para>
+            </listitem>
+
+        </itemizedlist>
+
+        <para>These restrictions will be enforced by the Java Security Manager when the 
+        certified system is run in the security manager enabled mode. The system administrators 
+        of the certified system have to ensure that they do not provide the user applications 
+        security permissions that relax any of the aforementioned restrictions, thereby 
+        endangering the security and stability of the certified system.</para>
+
+    </section>
+
+    
+</chapter>
\ No newline at end of file
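Review bot: The closing paragraph of the General Restrictions section states that "These restrictions will be enforced by the Java Security Manager", but several items in the list above it have no permission check behind them: read/write static fields, thread synchronization primitives, and passing "this" as an argument or result are coding rules the Security Manager cannot see. Reword to say that the restrictions which map to Java permissions (file, socket, class loader, reflection, thread, native library, security configuration access) are enforced when the security manager is enabled, and that the remaining ones must be checked in code review. Smaller points in the same hunk: "Application Programming Interfaces (API) that is not documented ... MUST not be used" should read "APIs that are not documented ... MUST NOT be used"; the pointer to "the section on the guidance for System administrators" should be an xref; "this" should be marked up as a literal; SessionContext.getEJBObject and its siblings are methods, so methodname fits better than classname; and the file lacks a trailing newline.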

Modified: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Introduction.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Introduction.xml	2008-12-04 07:03:09 UTC (rev 82031)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Introduction.xml	2008-12-04 08:31:45 UTC (rev 82032)
@@ -19,14 +19,15 @@
         been evaluated under Common Criteria version 3.1 at level of assurance EAL2 augmented 
         with ALC_FLR.3. This provides assurance that the product has been structurally tested.</para>
 
-        <para>All usages of the term “JBoss EAP” in this document refer to the Common Criteria 
+        <para>All usages of the term "JBoss EAP" in this document refer to the Common Criteria 
         certified configuration of JBoss EAP Version 4.3 CP03.</para>
         
         <para>Chapter 1 contains a brief introduction to the CC certification &amp; the structure of this book.</para>
         <para>Chapter 2 contains the requirements for deploying the certified product.</para>
         <para>Chapter 3 contains the steps that are required in downloading &amp;verifying the authenticity of the CC product.</para>
         <para>Chapter 4 provides instructions on how to start the server and the different modes of operation.</para>
-        <para>Chapter 5 contains the details of the security implementation &amp; usage limitations of the CC product.</para>
+        <para>Chapter 5 contains guidelines for developers creating applications for JBoss EAP</para>
+        <para>Chapter 6 contains the details of the security implementation &amp; usage limitations of the CC product.</para>
     
         <para>Should there be any discrepancy between information contained in this guide 
         and any other product documentation, the CC Guide information takes precedence, 
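Review bot: The added Chapter 5 line ("guidelines for developers creating applications for JBoss EAP") has no closing full stop, unlike every other entry in the list. Since this revision also adds the Ports appendix to the book, consider mentioning the appendices here as well, so the overview matches the include order in Common_Criteria_Configuration_Guide.xml. While touching this block, "&amp;verifying" in the Chapter 3 line is missing a space.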

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Ports.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Ports.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Ports.xml	2008-12-04 08:31:45 UTC (rev 82032)
@@ -0,0 +1,454 @@
+<?xml version='1.0'?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<appendix id="appe-ports">
+<title>Ports in JBoss EAP 4.3_CP03  for Common Criteria Evaluation</title>
+
+
+<table frame='all'><title>TCP Port Configuration</title>
+<tgroup cols='4' align='left' colsep='1' rowsep='1'>
+    <colspec colname='c1' colwidth="1*"/>
+    <!-- <colspec colname='c2' colwidth="1*"/> -->
+    <colspec colname='c3' colwidth="3*"/>
+    <colspec colname='c4' colwidth="1*"/>
+    <colspec colname='c4' colwidth="3*"/>
+<thead>
+    <row>
+        <entry><para>PORT</para></entry>
+        <!-- <entry><para>TYPE</para></entry> -->
+        <entry><para>CONFIG</para></entry>
+        <entry><para>ENABLED</para></entry>
+        <entry><para>PURPOSE</para></entry>
+    </row>
+</thead>
+
+<tbody>
+    <row>
+        <entry><para>4448</para></entry>
+        <!-- <entry><para/></entry> -->
+        <entry><para>deploy/cluster-service.xml</para></entry>
+        <entry><para>Disabled</para></entry>
+        <entry><para>PooledInvokerHA</para></entry>
+    </row>
+
+<row>
+<entry><para>49920</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>3873</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>deploy/ejb3.deployer/META-INF/jboss-service.xml</para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para>EJB3 Remoting Connector</para></entry>
+</row>
+
+<row>
+<entry><para>63300</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>54693</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>3528</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>conf/jacorb.properties</para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para>IIOP Port assigned by IANA</para></entry>
+</row>
+
+<row>
+<entry><para>40616</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>41864</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+<row>
+<entry><para>8009</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>deploy/jbossweb.deployer/server.xml</para></entry>
+<entry><para>Disabled</para></entry>
+<entry><para>AJP Connector</para></entry>
+</row>
+<row>
+<entry><para>4457</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>deploy/jboss-messaging.sar/remoting-bisocket-service.xml</para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para>Messaging bi-socket connector between client and server</para></entry>
+</row>
+<row>
+<entry><para>1098</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>conf/jboss-service.xml</para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para>RMI Naming Service</para></entry>
+</row>
+<row>
+<entry><para>54539</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+<row>
+<entry><para>1099</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>conf/jboss-service.xml</para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para>RMI bootstrap naming service</para></entry>
+</row>
+<row>
+<entry><para>1100</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>deploy/cluster-service.xml</para></entry>
+<entry><para>Disabled</para></entry>
+<entry><para>Clustering</para></entry>
+</row>
+<row>
+<entry><para>1101</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>deploy/cluster-service.xml</para></entry>
+<entry><para>Disabled</para></entry>
+<entry><para>Clustering</para></entry>
+</row>
+<row>
+<entry><para>60686</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+<row>
+<entry><para>8080</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>deploy/jboss-web.deployer/server.xml</para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para>Http Connector </para></entry>
+</row>
+<row>
+<entry><para>46834</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+<row>
+<entry><para>8083</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>conf/jboss-service.xml</para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para>RMI - Mini web server needed for RMI Classloading</para></entry>
+</row>
+<row>
+<entry><para>41336</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+<row>
+<entry><para>7900</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>deploy/jboss-messaging.sar/clustered-hsqldb-persistence-service.xml</para></entry>
+<entry><para>Disabled</para></entry>
+<entry><para/></entry>
+</row>
+<row>
+<entry><para>4444</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>conf/jboss-service.xml</para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para>RMI JRMP Invoker</para></entry>
+</row>
+<row>
+<entry><para>62365</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+<row>
+<entry><para>4445</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>conf/jboss-service.xml</para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para>RMI Pooled Invoker</para></entry>
+</row>
+<row>
+<entry><para>4446</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>conf/jboss-service.xml</para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para>Remoting server connector</para></entry>
+</row>
+<row>
+<entry><para>4447</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>conf/jboss-service.xml</para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para>Remoting server connector</para></entry>
+</row>
+<row>
+<entry><para/></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para/></entry>
+<!-- <entry><para>UDP</para></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+
+
+
+
+</tbody></tgroup>
+</table>
+
+
+
+
+
+<table frame='all'><title>UDP Port Configuration</title>
+<tgroup cols='4' align='left' colsep='1' rowsep='1'>
+    <colspec colname='c1' colwidth="1*"/>
+    <!-- <colspec colname='c2' colwidth="1*"/> -->
+    <colspec colname='c3' colwidth="3*"/>
+    <colspec colname='c4' colwidth="1*"/>
+    <colspec colname='c4' colwidth="3*"/>
+<thead>
+    <row>
+        <entry><para>PORT</para></entry>
+        <!-- <entry><para>TYPE</para></entry> -->
+        <entry><para>CONFIG</para></entry>
+        <entry><para>ENABLED</para></entry>
+        <entry><para>PURPOSE</para></entry>
+    </row>
+</thead>
+
+<tbody>
+
+<row>
+<entry><para>45568</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>jboss-messaging.sar/clustered-hsqldb-persistence-service.xml</para></entry>
+<entry><para>Disabled</para></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>42372</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>1161 </para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para>Disabled</para></entry>
+<entry><para>snmp</para></entry>
+</row>
+
+<row>
+<entry><para/></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>45577 </para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>jboss-web-cluster.sar </para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para>Tomcat5 Clustering</para></entry>
+</row>
+
+<row>
+<entry><para>1162 </para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para>Disabled</para></entry>
+<entry><para>snmp</para></entry>
+</row>
+
+<row>
+<entry><para>42908 </para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para>Ephemeral</para></entry>
+<entry><para>JGroups (Clustering layer) opens this port for extremely short duration to send data</para></entry>
+</row>
+
+<row>
+<entry><para>62774 </para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>48567 </para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para>Ephemeral</para></entry>
+<entry><para>JGroups (Clustering layer) opens this port for extremely short duration to send data</para></entry>
+</row>
+
+<row>
+<entry><para>42936</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>54338 </para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>43333</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>ejb3-entity-cache-service.xml </para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para>Clustering cache service for ejb3 entity beans</para></entry>
+</row>
+
+<row>
+<entry><para>58693</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>7500</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>jboss-web-cluster.sar/diagnostics,</para>
+<para>ejb3-entity-cache-service.xml/diagnostics ,</para>
+<para>cluster-service.xml/HAPartition/diagnostics ,</para>
+<para>jboss-messaging.sar/clustered-hsqldb-persistence-service.xml/diagnostics ,</para>
+<para/></entry>
+<entry><para>Enabled</para></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>44621</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>1102 </para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>cluster-service.xml/HA-JNDI </para></entry>
+<entry><para>Disabled</para></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>61140 </para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para>Ephemeral</para></entry>
+<entry><para>JGroups (Clustering layer) opens this port for extremely short duration to send data</para></entry>
+</row>
+
+<row>
+<entry><para>53974 </para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para/></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>45551 </para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>ejb3-clustered-sfsbcache-service.xml</para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para>EJB3 Stateful Session Bean Clustered Cache</para></entry>
+</row>
+
+<row>
+<entry><para>46069 </para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para/></entry>
+<entry><para>Ephemeral</para></entry>
+<entry><para>JGroups</para></entry>
+</row>
+
+<row>
+<entry><para>45566 </para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>cluster-service.xml/HAPartition </para></entry>
+<entry><para>Enabled</para></entry>
+<entry><para/></entry>
+</row>
+
+<row>
+<entry><para>45567</para></entry>
+<!-- <entry><para/></entry> -->
+<entry><para>jboss-messaging.sar/clustered-hsqldb-persistence-service.xml</para></entry>
+<entry><para>Disabled</para></entry>
+<entry><para/></entry>
+</row>
+
+</tbody></tgroup>
+</table>
+
+
+
+
+
+
+
+
+
+
+
+</appendix>
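Review bot: Many rows in both tables carry a port number with empty CONFIG, ENABLED and PURPOSE cells (for example TCP 49920, 63300, 54693, 40616 and UDP 42372, 62774, 42936), and a few rows are entirely empty. In a guide for an evaluated configuration, an administrator cannot tell from these rows whether the port is expected, so either document each one (the UDP table already labels some as "Ephemeral" JGroups ports) or remove the rows and add a sentence explaining that dynamically assigned ports vary between runs. Also in this hunk: both tables declare two colspec elements named 'c4'; the web connector config is spelled "deploy/jbossweb.deployer/server.xml" for port 8009 but "deploy/jboss-web.deployer/server.xml" for port 8080; the UDP CONFIG entries omit the "deploy/" prefix used in the TCP table; ports 7900, 45566, 45567, 45568, 1102 and 7500 have no PURPOSE; and ports 4446 and 4447 share the identical description "Remoting server connector", which does not distinguish them.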

Modified: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml	2008-12-04 07:03:09 UTC (rev 82031)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml	2008-12-04 08:31:45 UTC (rev 82032)
@@ -17,7 +17,7 @@
                 <listitem><para>BEA JRockit JRE 1.5.x &amp;1.6.x</para></listitem>
                 <listitem><para>HP-UX JRE 1.5.x &amp;1.6.x</para></listitem>
                 <listitem><para>IBM JRE 1.5.x &amp;1.6.x</para></listitem>
-             <!--   <listitem><para>OpenJDK 6</para></listitem> -->
+                <listitem><para>IBM JDK 6</para></listitem>
             </itemizedlist>
         </section>
         
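Review bot: The new "IBM JDK 6" item overlaps with the existing "IBM JRE 1.5.x &amp;1.6.x" item two lines above it, and it is the only entry in the list that says JDK rather than JRE. If the intent is to add the IBM Java 6 SDK as a separately evaluated runtime, say so explicitly and give the version in the same form as the other entries; otherwise the line is redundant. The commit log ("updates") does not explain why the commented-out OpenJDK 6 entry was replaced rather than deleted.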
@@ -31,100 +31,80 @@
         
         <section id="database_requirements">
             <title>Database Servers</title>
-            <para>JBoss EAP is evaluated with the following relational database systems.  Only 
-            these database systems are acceptable for use with JBoss EAP.</para>
-            <itemizedlist>
-                <listitem><para>Oracle 10g R2</para></listitem>
-                <listitem><para>Oracle 9i</para></listitem>
-                <listitem><para>Microsoft SQL Server 2005</para></listitem>
-                <listitem><para>MySQL v5.0</para></listitem>
-                <listitem><para>PostgreSQL v8.2</para></listitem>
-		<listitem><para>DB2 v8.2</para></listitem>
-		<listitem><para>DB2 v9.1</para></listitem>
-            </itemizedlist>
-	    <para>
-		    For information on how to configure each database with the JBoss Enterprise Application Platform refer to <xref linkend="configuration_requirements-database_configuration"/>.
-	    </para>
-	    <para>
-	    		The MD5 checksums for each database system is as follows:
-	    </para>
-	    <itemizedlist>
-	    	<listitem>
-			<para>
-				Oracle 10g R2 version 10.2.0.2.0
-			</para>
-<screen>$ md5sum ojdbc14.jar
-8ae726d3a32c3cc3adbbe6793ade57f8 ojdbc14.jar
-</screen>
-			<para>
-				Download this driver from the <ulink url="http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html">Oracle driver download page</ulink>.
-			</para>
-		</listitem>
-		<listitem>
-			<para>
-				Oracle 9i 
-			</para>
-<screen>$ md5sum
-</screen>
-			<para>
-				Download this driver from the <ulink url="http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html">Oracle driver download page</ulink>.
-			</para>
-		</listitem>
-		<listitem>
-			<para>
-				Microsoft SQL Server 2005 JDBC Driver 1.2
-			</para>
-<screen>$ md5sum jtds-1.2.jar
-8d3457be7178103ac846fcf407b6e559 jtds-1.2.jar
-</screen>
-			<para>
-				Download this driver from the <ulink url="http://www.microsoft.com/downloads/details.aspx?FamilyId=C47053EB-3B64-4794-950D-81E1EC91C1BA&amp;displaylang=en">Microsoft SQL Server 2005 JDBC Driver download page</ulink>.
-			</para>
-		</listitem>
-		<listitem>
-			<para>
-				MySQL version 5.0.8
-			</para>
-<screen>$ md5sum mysql-connector-java-5.0.8.zip 
-569f7284761b8162a2d2ac0a9786581a mysql-connector-java-5.0.8.zip
-</screen>
-			<para>
-				Download this driver from the <ulink url="http://dev.mysql.com/downloads/connector/j/5.0.html">MySQL Connector/J download page</ulink>.
-			</para>
-		</listitem>
-		<listitem>
-			<para>
-				PostgreSQL version 8.2-504
-			</para>
-<screen>$ md5sum postgresql-8.2-504.jdbc3.jar
-aa8fb66ad71300b635943a8f473a3261 postgresql-8.2-504.jdbc3.jar
-</screen>
-			<para>
-				Download this driver from the <ulink url="http://jdbc.postgresql.org/">PostgreSQL JDBC Driver download page</ulink>.
-			</para>
-		</listitem>
-		<listitem>
-			<para>
-				DB2 version 8.2.7 and JDBC version 2.10.52
-			</para>
-<screen>$ md5sum db2jcc.jar
-1ae13ee23b595de8b282a7974e5cc25c db2jcc.jar
-</screen>
-		</listitem>
-		<listitem>
-			<para>
-				DB2 version 9.1 Fixpack 3 and JDBC version 3.1.57
-			</para>
-<screen>$ md5sum db2jcc.jar
-6b33669a5c2173e65f6bb6618e935b8d db2jcc.jar 
-</screen>
-		</listitem>
-	    </itemizedlist>
-	    	<important>
-			<para>
-				Only the exact specified versions of each database and the respective driver is certified to work with the JBoss Enterprise Application Platform 4.3.0.CP03. 
-			</para>
-		</important>
+
+            <para>JBoss EAP is evaluated with the following relational database systems.  
+            Only these database systems with the specific driver versions
+            are acceptable for use with JBoss EAP.</para>
+            
+            <table id="supported_databases_JDBC">
+                <title>Allowed Database and JDBC Driver Versions</title>
+                <tgroup align="left" cols="2" colsep="1" rowsep="1">
+                <colspec colname="c1" colwidth="1*"/>
+                <colspec colname="c2" colwidth="3*"/>
+                <thead>
+                    <row><entry>Database</entry><entry>JDBC Driver</entry></row>
+                </thead>
+				<tbody>
+                    <row>
+                        <entry>Oracle 10g R2 and Oracle 9i</entry>
+                        <entry><para>Oracle 10g R2 version 10.2.0.2.0</para>
+                        <para>Driver download:
+                        <ulink url="http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html">http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html</ulink>.</para> 
+                        <screen>$ md5sum ojdbc14.jar
+8ae726d3a32c3cc3adbbe6793ade57f8 ojdbc14.jar</screen></entry>
+                    </row>
+                    <row>
+                        <entry>Microsoft SQL Server 2005</entry>
+                        <entry><para>Microsoft SQL Server 2005 JDBC Driver 1.2</para>
+                        <para>Driver download: 
+                        <ulink url="http://www.microsoft.com/downloads/details.aspx?FamilyId=C47053EB-3B64-4794-950D-81E1EC91C1BA&amp;displaylang=en">http://www.microsoft.com/downloads/details.aspx?FamilyId=C47053EB-3B64-4794-950D-81E1EC91C1BA&amp;displaylang=en</ulink>.</para>
+                        <screen>$ md5sum jtds-1.2.jar
+8d3457be7178103ac846fcf407b6e559 jtds-1.2.jar</screen></entry>
+                    </row>
+                    <row>
+                        <entry>MySQL v5.0</entry>
+                        <entry><para>MySQL version 5.0.8</para>
+                        <para>Driver download: <ulink url="http://dev.mysql.com/downloads/connector/j/5.0.html">http://dev.mysql.com/downloads/connector/j/5.0.html</ulink>.</para>
+                        <screen>$ md5sum mysql-connector-java-5.0.8.zip 
+569f7284761b8162a2d2ac0a9786581a mysql-connector-java-5.0.8.zip</screen></entry>
+                    </row>
+                    <row>
+                        <entry>PostgreSQL v8.1</entry>
+                        <entry><para>PostgreSQL version 8.2-504</para>
+                        <para>Driver download: <ulink url="http://jdbc.postgresql.org/">http://jdbc.postgresql.org</ulink>.</para>
+                        <screen>$ md5sum postgresql-8.2-504.jdbc3.jar
+aa8fb66ad71300b635943a8f473a3261 postgresql-8.2-504.jdbc3.jar</screen></entry>
+                    </row>
+                    <row>
+                        <entry>DB2 v8.2</entry>
+                        <entry><para>DB2 version 8.2.7 and JDBC version 2.10.52</para>
+                        <para>Driver download: <ulink url="http://www-306.ibm.com/software/data/db2/java/">http://www-306.ibm.com/software/data/db2/java/</ulink></para>
+                        <screen>$ md5sum db2jcc.jar
+1ae13ee23b595de8b282a7974e5cc25c db2jcc.jar</screen></entry>
+                    </row>
+                    <row>
+                        <entry>DB2 v9.1</entry>
+                        <entry><para>DB2 version 9.1 Fixpack 3 and JDBC version 3.1.57</para>
+                        <para>Driver download: <ulink url="http://www-306.ibm.com/software/data/db2/java/">http://www-306.ibm.com/software/data/db2/java/</ulink></para>
+                        <screen>$ md5sum db2jcc.jar
+6b33669a5c2173e65f6bb6618e935b8d db2jcc.jar</screen></entry>
+                    </row>
+                </tbody>
+                </tgroup>
+            </table>
+
+            <note>
+                <para>The MD5SUM command line examples given are accurate for most Linux 
+                and Unix operating systems.  Mac OS X includes the equivalent command 
+                <command>md5</command>.</para>  
+                <para>If you are using Microsoft Windows you will have to download a 
+                third party utility to perform these steps as it does not include a 
+                MD5SUM tool.</para>
+            </note>
+
+        <para>For information on how to configure each database with the JBoss EAP refer 
+        to <xref linkend="configuration_requirements-database_configuration"/>.</para>
+
         </section>
     </section>
         
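Review bot: In the Microsoft SQL Server 2005 row of the new supported_databases_JDBC table, the download link and the checksummed file do not match. The entry names "Microsoft SQL Server 2005 JDBC Driver 1.2" and links to microsoft.com, but the screen block verifies "jtds-1.2.jar", and jTDS is a separate open-source driver project, not Microsoft's driver. An administrator following that link will not end up with a file that matches the listed checksum. Either name jTDS 1.2 in the entry and link to where it is obtained, or list the checksum of the Microsoft driver instead. The MySQL row needs a similar clarification: "MySQL version 5.0.8" reads as a database version in a row labelled "MySQL v5.0", and the checksum covers mysql-connector-java-5.0.8.zip rather than the driver jar itself, so state that 5.0.8 is the connector version and that the archive is what gets verified. The Oracle row lists "Oracle 10g R2 and Oracle 9i" in the first column while the driver entry only mentions 10g R2; say explicitly that the one driver covers both. Because these values are the only integrity check the guide offers for the evaluated configuration, consider giving a SHA-256 digest alongside each MD5 value, since MD5 is not collision resistant.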
@@ -156,236 +136,347 @@
 
 	<section id="connectivity_requirements">
 		<title>Connectivity Requirements</title>
-		<para>The operating system and the Java virtual machine operate according to their specification. These external systems shall be configured in accordance with this guidance.</para>
-        <para>Any other system with which JBoss EAP communicates is assumed to be under the same management control and operate under the same security policy constraints as JBoss EAP.</para>
-		<section id="connectivity_requirements.cluster">
-			<title>
-				Cluster Connectivity Requirements
-			</title>
-			<para>
-				In case multiple instances of JBoss are joined into a cluster, it is assumed that the administrator ensures that the cluster communication network is physically separated from any other network attached to cluster nodes. In addition, the administrator has to ensure that the operating system of each cluster node is configured in a way that prevents forwarding of network traffic from any network into the separated cluster network as well as forwarding of network traffic from the cluster network to any other network.
-			</para>
+		<para>The operating system and the Java virtual machine operate according to 
+        their specification. These external systems shall be configured in accordance 
+        with this guidance.</para>
+        
+        <para>Any other system with which JBoss EAP communicates is assumed to be under 
+        the same management control and operate under the same security policy constraints 
+        as JBoss EAP.</para>
+
+        <section id="connectivity_requirements.cluster">
+			<title>Cluster Connectivity Requirements</title>
+			
+            <para>In case multiple instances of JBoss are joined into a cluster, it is 
+            assumed that the administrator ensures that the cluster communication network 
+            is physically separated from any other network attached to cluster nodes. In 
+            addition, the administrator has to ensure that the operating system of each 
+            cluster node is configured in a way that prevents forwarding of network traffic 
+            from any network into the separated cluster network as well as forwarding of 
+            network traffic from the cluster network to any other network.</para>
+            
+            <para>Each cluster node communicates with the other nodes by means of standard 
+            TCP/IP sockets.  Whenever this occurs the client side of each connection has a 
+            port number assigned to it by the host operating system from a range of ports 
+            that are reserved for client sockets.  These ports are referred to as 
+            <firstterm>dynamic</firstterm> or <firstterm>ephemeral</firstterm> ports.  They 
+            are only used by a connection until it is closed.  Once the connection is closed 
+            the port is made available for use by other new client connections.You should 
+            refer to your operating system documentation if you need to configure this port range.</para>
 		</section>
+
     </section>
         
 	<section id="configuration_requirements">
 		<title>Configuration Requirements</title>
-		<para>
-			This section describes modifications to be made to the production server configuration to comply with common certification requirements. It is recommended that you backup the production configuration prior to making the changes shown in the following subsections. To back up the production configuration execute the following commands:
-		</para>
-<programlisting>
-cd $JBOSS_HOME/server
-cp -pr productiion production.ORIG
-</programlisting>		
-	<section id="configuration_requirements-setup_configuration">
-		<title>Setup Configuration</title>
-		<para>The following general configuration steps must be performed to ensure compliance 
-        with Common Criteria requirements.</para>
+        <para>The following sections describe modifications to be made to the <literal>production</literal> 
+        server configuration to comply with CC requirements. It is recommended, 
+        however, to back up the production configuration prior to making the 
+        changes shown in the following subsections.</para>
         
+        <para>Backing up the production configuration simply involves making a copy of the 
+        <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production</filename> 
+        directory.  If you are using Microsoft Windows you can simply use Windows Explorer 
+        to make a copy of this folder using copy-paste and rename the copy to 
+        <filename>production.backup</filename>.  Under UNIX or Linux you can issue the command: </para>
+        
+        <screen>cp -pr <replaceable>${JBOSS_HOME}</replaceable>/server/production <replaceable>${JBOSS_HOME}</replaceable>/server/production.backup</screen>
+
+        <para>In an emergency you can always retrieve the original files from the 
+        installation zip file.</para>	
+
+        <section id="configuration_requirements-setup_configuration">
+            <title>Setup Configuration</title>
+            <para>The following general configuration steps must be performed to ensure compliance 
+            with Common Criteria requirements.</para>
+        
+            <orderedlist>
+                <listitem>
+                    <para>Disable Simple Network Management Protocol (SNMP)</para>
+                    <para>Delete <filename>snmp-adaptor.sar</filename> from 
+                    <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/deploy</filename>.</para>
+                </listitem>
+
+                <listitem>
+                    <para>Disable Remote Method Invocation (RMI) under the Internet Inter-ORB 
+                    Protocol (IIOP).</para>
+                </listitem>
+
+                <listitem>
+                    <para>Disable AJP from JBoss Web.</para>
+                    <para>Comment out the following section from 
+                    <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/deploy/jboss-web.deployer/server.xml</filename> as shown.
+                    <programlisting language="xml">&lt;!-- &lt;Connector port="8009" address="${jboss.bind.address}" 
+protocol="AJP/1.3" emptySessionPath="true" 
+enableLookups="false" redirectPort="8443" /&gt; --&gt;</programlisting></para>                
+                </listitem>
+
+                <listitem>
+                    <para>Clustering: port 1102</para>
+                    <para>Rename <filename>ha-jndi-jms-ds.xml</filename> to 
+                    <filename>ha-jndi-jms-ds.xml.bak</filename> in 
+                    <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/deploy</filename>.</para>
+                </listitem>
+
+                <listitem><para>Use password hashing so plain text passwords are not stored on the server.</para></listitem>
+
+            </orderedlist>
+        </section>
+
+        <section>
+            <title>Configuring Audit Logging</title>
+            <para>Audit logging can be configured to print authentication and authorization
+            information for each thread and EJB call.  </para>
+
+            <important><para>The logging of individual requests is a resource intensive 
+            activity.  It is recommended that you test the impact that this will have on 
+            your server and application performance before enabling this level of logging 
+            on a production server.</para></important>
+            
+            <para>You enable this level of logging by making the following changes to <filename>jboss-log4.xml</filename>:</para>
+            <orderedlist>
+                <listitem>
+                    <para>Set the logging level of the <classname>SecurityInterceptor</classname> class
+                    to <literal>TRACE</literal> by adding the following element to the root element:</para>
+                    <programlisting language="xml">&lt;category name="org.jboss.ejb.plugins.SecurityInterceptor"&gt;
+      &lt;priority value="TRACE" /&gt;
+&lt;/category&gt;</programlisting>
+                </listitem>
+                <listitem>
+                    <para>Update the ConversionPattern parameter in the appender/layout element 
+                    to show thread information</para>
+                    <programlisting language="xml">&lt;param name="ConversionPattern"
+    value="%d %-5r %-5p [%c] (%t:%x) %m%n" /&gt;</programlisting>
+                </listitem>
+            </orderedlist>
+
+            <para>If you need additional logging for web-based requests, uncomment 
+            the <literal>AccessLogValve</literal> in 
+            <filename>deploy/jboss-web.deployer/server.xml</filename>.</para>
+
+            <programlisting language="xml"><xi:include href="extras/additional_logging.xmlt" parse="text" xmlns:xi="http://www.w3.org/2001/XInclude"></xi:include></programlisting>
+
+            <para>The access log is saved in the <filename>log</filename> 
+            directory of the server configuration.</para> 
+        </section>
+
+    <section id="configuration_requirements-security_configuration">
+        <title>Security Configuration</title>
+        <para>
+            The following configuration steps must be performed to ensure security compliance 
+        with Common Criteria requirements
+        </para>
+        <section id="configuration_requirements-security_configuration-JBoss_SX">
+            <title>JBoss SX</title>
+            <para>All security domains must be created in the context of java:/jaas/  
+                (e.g. java:/jaas/jmx-console).</para>
+
+            <para>Custom Login Modules are not permitted; the only login modules 
+                allowed are the following:</para>
+
+            <itemizedlist>
+                <listitem>
+                    <para>org.jboss.security.auth.spi.UsersRolesLoginModule</para>
+                </listitem>
+                <listitem>
+                    <para>org.jboss.security.auth.spi.LdapLoginModule</para>
+                </listitem>
+                <listitem>
+                    <para>org.jboss.security.auth.spi.DatabaseServerLoginModule</para>
+                </listitem>
+                <listitem>
+                    <para>org.jboss.security.auth.spi.BaseCertLoginModule</para>
+                </listitem>
+            </itemizedlist>
+
+            <para>This restriction on login modules is also applicable to the 
+                DynamicLoginConfig service.</para>
+
+            <para>Only the following security managers are allowed to be configured 
+                and used for authentication purposes: </para>
+
+            <itemizedlist>
+                <listitem>
+                    <para>org.jboss.security.plugins.JaasSecurityManager </para>
+                </listitem>
+                <listitem>
+                    <para>org.jboss.security.plugins.JaasSecurityDomain </para>
+                </listitem>
+            </itemizedlist>
+
+            <para>Other modules, such as SRP module are not allowed.</para>
+
+        </section>
+
+        <section id="sect-Common_Criteria_Guide-Overview_of_the_Security_Functions-Securing_MBean_Invokers">
+        <title>Securing MBean Invokers</title>
+            <para>	
+            The <filename>http-invoker.sar</filename> found in the deploy directory is a service 
+            that provides RMI/HTTP access for EJBs and the JNDI Naming service. This includes a 
+            servlet that processes posts of <classname>marshaled org.jboss.invocation.Invocation</classname> 
+            objects that represent invocations that should be dispatched onto the MBeanServer. 
+            Effectively this allows access to MBeans that support the detached invoker operation 
+            via HTTP when sending appropriately formatted HTTP posts. This servlet has to be 
+            protected against the use by unprivileged users. To secure this access point you would 
+            need to secure the JMXInvokerServlet servlet found in the 
+            <filename>http-invoker.sar/invoker.war/WEB-INF/web.xml</filename> descriptor.
+            </para>
+
+            <para>	
+            The <filename>jmx-invoker-adaptor-server.sar</filename> is a service that exposes the 
+            JMX MBeanServer interface via an RMI compatible interface using the RMI/JRMP detached 
+            invoker service. This interface has to be made unavailable to unprivileged users which 
+            can be done by using the <classname>org.jboss.jmx.connector.invoker.AuthenticationInterceptor</classname> 
+            interceptor for performing identification and authentication using JAAS. Additionally, 
+            access control has to be configured using the interceptors of either 
+            <classname>org.jboss.jmx.connector.invoker.RolesAuthorization</classname> or 
+            <classname>org.jboss.jmx.connector.invoker.ExternalizableRolesAuthorization</classname>.
+            </para>
+        </section>
+
+        <section id="configuration_requirements-security_configuration-JBoss_Web">
+            <title>JBoss Web</title>
+            <para>The JAAS based authentication and authorization realm implementation   
+                (<parameter>org.jboss.web.tomcat.security.JBossSecurityMgrRealm</parameter>) 
+                cannot be replaced. The same is true for the authenticator classes defined 
+                for each authentication method (BASIC, CLIENT-CERT, DIGEST, FORM, NONE) in 
+                <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/deploy/jboss-web.deployer/META-INF/jboss-service.xml</filename>. </para>
+
+            <para>Additionally, the <parameter>AllRolesMode</parameter> within 
+            <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/deploy/jboss-web.deployer/server.xml</filename> 
+            must be set to <literal>strict</literal>. This requires the authenticated user to be 
+            assigned to one of the <filename>web-app/security-role/role-name</filename> in order 
+            to be authorized.</para>
+        </section>
+    </section>
+
+    <section id="configuration_requirements-database_configuration">
+        <title>Database Configuration</title>
+
+        <para>The default database HSQLDB that the Enterprise Application Platform ships with 
+        must be disabled as it is not supported. This section will outline how this can be done 
+        and then refer you to information on how to configure supported databases.  This must
+        be done in the <filename>production</filename> server profile.</para> 
+
         <orderedlist>
-		<listitem><para>Disable Simple Network Management Protocol (SNMP) through ports 1161 and 1162.</para></listitem>
-		<listitem><para>Disable Remote Method Invocation (RMI) under the Internet Inter-ORB Protocol (IIOP).</para></listitem>
-            <listitem><para>Disable AJP from JBoss Web.</para></listitem>
-            <listitem><para>Use password hashing so plain text passwords are not stored on the server.</para></listitem>
-            <listitem><para>Disable the following ports:</para>
-                <orderedlist>
-                    <listitem><para>Clustering: port 1102</para></listitem>
-                    <listitem><para>SNMP: ports 1161 and 1162</para></listitem>
-                    <listitem><para>JBossWeb: port 8009</para></listitem>
-                </orderedlist>
+            <listitem>
+                <para>Create a default DS file for the desired database. Examples of this 
+                file are located in <filename>${JBOSS_HOME}/docs/examples/jca</filename>.</para>
+                <important>
+                    <para>A <filename>DefaultDS</filename> file must be supplied in the 
+                    <filename>${JBOSS_HOME}/server/production/deploy</filename> directory.</para>
+                </important>
             </listitem>
+
             <listitem>
-                <para>Configure audit logging to print authentication and authorization
-                information for each thread and EJB call.  This is done by making the 
-                following changes to <filename>jboss-log4.xml</filename>:</para>
-                    <orderedlist>
-                        <listitem>
-                            <para>Set the logging level of the <classname>SecurityInterceptor</classname> class
-                            to <literal>TRACE</literal> by adding the following element to the root element:</para>
-                            <programlisting language="xml">&lt;category name="org.jboss.ejb.plugins.SecurityInterceptor"&gt;
-  &lt;priority value="TRACE" /&gt;
-&lt;/category&gt;</programlisting>
-                        </listitem>
-                        <listitem><para>Update the ConversionPattern parameter in the appender/layout element 
-                        to show thread information</para>
-                        <programlisting language="xml">&lt;param name="ConversionPattern"
-  value="%d %-5r %-5p [%c] (%t:%x) %m%n" /&gt;</programlisting>
-                        </listitem>
-                    </orderedlist>
+                <para>Delete the following files as they refer to the HSQLDB database:</para>
+                <itemizedlist>
+                    <listitem>
+                        <para><filename>${JBOSS_HOME}/server/production/deploy/hsqldb-ds.xml </filename></para>
+                    </listitem>
+                    <listitem>
+                        <para><filename>${JBOSS_HOME}/server/production/lib/hsqldb.jar </filename></para>
+                    </listitem>
+                    <listitem>
+                        <para><filename>${JBOSS_HOME}/server/production/lib/hsqldb-plugin.jar </filename></para>
+                    </listitem>
+                    <listitem>
+                        <para><filename>${JBOSS_HOME}/server/production/deploy/jboss-messaging.sar/clustered-hsqldb-persistence-service.xml </filename></para>
+                    </listitem>
+                </itemizedlist>
             </listitem>
+            <listitem>
+                <para>Copy the file <filename>oracle-persistence-service.xml</filename> from 
+                <filename>${JBOSS_HOME}/docs/examples/jms/oracle-persistence-service.xml</filename> 
+                to <filename>${JBOSS_HOME}/server/production/deploy/jboss-messaging.sar/</filename>.</para>
+
+                <para>This file contains the definition of persistence service for JBoss Messaging when 
+                using an Oracle Database as storage.</para>
+                <note>
+                    <para>The table definitions in <filename>oracle-persistence-service.xml</filename> 
+                    are not optimized for performance. </para>
+                </note>
+            </listitem>
+
+            <listitem>
+                <para>Place your JDBC driver libraries in the directory 
+                <filename>${JBOSS_HOME}/server/production/lib/</filename>.</para>
+
+                <para>If the security policy is to be used, proper permissions must be provided 
+                for access to it.</para>
+            </listitem>
+
+            <listitem>
+                <para>When using  the Oracle Database, the database persistence plugin definition 
+                must be changed in <filename>${JBOSS_HOME}/server/production/deploy/ejb-deployer.xml</filename>
+                from being:</para> 
+                <programlisting language="xml">&lt;attribute name="DatabasePersistencePlugin"&gt;
+org.jboss.ejb.txtimer.GeneralPurposeDatabasePersistencePlugin
+&lt;/attribute&gt;</programlisting>
+                <para>to being:</para>
+                <programlisting language="xml">&lt;attribute name="DatabasePersistencePlugin"&gt;
+org.jboss.ejb.txtimer.OracleDatabasePersistencePlugin
+&lt;/attribute&gt;</programlisting>
+            </listitem>
+
+            <listitem>
+                <para>Comment out the policy for <literal>HsqlDbRealm</literal> in the 
+                <filename>${JBOSS_HOME}/server/production/conf/login-config.xml</filename> file as shown.</para>
+                <programlisting language="xml"><xi:include parse="text" href="extras/login-config.xmlt" xmlns:xi="http://www.w3.org/2001/XInclude" /></programlisting>
+            </listitem>
         </orderedlist>
-	<note>
-		<para>
-			The SNMP, RMI and AJP services must be disabled ( mentioned previously) as they have been excluded from the evaluation scope and are not allowed in the evaluated configuration.
-		</para>
-	</note>
-	</section>
-	<section id="configuration_requirements-security_configuration">
-		<title>Security Configuration</title>
-		<para>
-			The following configuration steps must be performed to ensure security compliance 
-        with Common Criteria requirements
-		</para>
-		<section id="configuration_requirements-security_configuration-JBoss_SX">
-			<title>JBoss SX</title>
-			<para>All security domains must be created in the context of java:/jaas/  
-				(e.g. java:/jaas/jmx-console).</para>
-			
-			<para>Custom Login Modules are not permitted; the only login modules 
-				allowed are the following:</para>
-			
-			<itemizedlist>
-				<listitem>
-					<para>org.jboss.security.auth.spi.UsersRolesLoginModule</para>
-				</listitem>
-				<listitem>
-					<para>org.jboss.security.auth.spi.LdapLoginModule</para>
-				</listitem>
-				<listitem>
-					<para>org.jboss.security.auth.spi.DatabaseServerLoginModule</para>
-				</listitem>
-				<listitem>
-					<para>org.jboss.security.auth.spi.BaseCertLoginModule</para>
-				</listitem>
-			</itemizedlist>
-			
-			<para>This restriction on login modules is also applicable to the 
-				DynamicLoginConfig service.</para>
-			
-			<para>Only the following security managers are allowed to be configured 
-				and used for authentication purposes: </para>
-			
-			<itemizedlist>
-				<listitem>
-					<para>org.jboss.security.plugins.JaasSecurityManager </para>
-				</listitem>
-				<listitem>
-					<para>org.jboss.security.plugins.JaasSecurityDomain </para>
-				</listitem>
-			</itemizedlist>
-			
-			<para>Other modules, such as SRP module are not allowed.</para>
-		</section>
-		
-		<section id="configuration_requirements-security_configuration-JBoss_Web">
-			<title>JBoss Web</title>
-			<para>The JAAS based authentication and authorization realm implementation   
-				(<parameter>org.jboss.web.tomcat.security.JBossSecurityMgrRealm</parameter>) 
-				cannot be replaced. The same is true for the authenticator classes defined 
-				for each authentication method (BASIC, CLIENT-CERT, DIGEST, FORM, NONE) in 
-				<filename>/EnterprisePlatform-4.3.0.GA_CP03/jboss-as/server/production/deploy/jboss-web.deployer/META-INF/jboss-service.xml</filename>. </para>
-			
-			<para>Additionally, the <parameter>AllRolesMode</parameter> within <filename>/EnterprisePlatform-4.3.0.GA_CP03/jboss-as/server/production/deploy/jboss-web.deployer/server.xml</filename> must be set to <literal>strict</literal>. 
-				This requires the authenticated user to be assigned to one of the 
-				<filename>web-app/security-role/role-name</filename> in order to be authorized.</para>
-        	</section>
-	</section>
-	<section id="configuration_requirements-database_configuration">
-		<title>Database Configuration</title>
-		<para>
-			The default database HSQL that the Enterprise Application Platform ships with must be disabled from the outset as it is not supported. This section will outline how this can be done and then refer you to information on how to configure supported databases.
-		</para> 
-		<para>
-			The following steps will create a new server called <literal>cc</literal> for you to deploy and disable the HSQL database for this configuration.
-		</para>
-		<orderedlist>
-			<listitem>
-				<para>
-					Create a default DS file for the desired database. One can find examples of this file within <filename>${JBOSS_HOME}/docs/examples/jca</filename>.
-				</para>
-				<important>
-					<para>
-						A <filename>DefaultDS</filename> file must be supplied in the<filename>${JBOSS_HOME}/server/production/deploy</filename> directory. 
-					</para>
-				</important>
-			</listitem>
-			<listitem>
-				<para>
-					Delete the following files as they refer to the HSQL database:
-				</para>
-				<itemizedlist>
-					<listitem>
-						<para>
-							<filename> rm ${JBOSS_HOME}/server/cc/deploy/hsqldb-ds.xml </filename>
-						</para>
-					</listitem>
-					<listitem>
-						<para>
-							<filename>rm ${JBOSS_HOME}/server/cc/lib/hsqldb.jar </filename>
-						</para>
-					</listitem>
-					<listitem>
-						<para>
-							<filename>rm ${JBOSS_HOME}/server/cc/lib/hsqldb-plugin.jar </filename>
-						</para>
-					</listitem>
-					<listitem>
-						<para>
-							<filename>rm ${JBOSS_HOME}/server/cc/deploy/jboss-messaging.sar/clustered-hsqldb-persistence-service.xml </filename>
-						</para>
-					</listitem>
-				</itemizedlist>
-			</listitem>
-			<listitem>
-				<para>
-					Copy <filename>oracle-persistence-service.xml</filename> to <filename>${JBOSS_HOME}/server/production/deploy/jboss-messaging.sar/</filename>.
-				</para>
-<programlisting>
-cp ${JBOSS_HOME}/docs/examples/jms/oracle-persistence-service.xml ${JBOSS_HOME}/server/production/deploy/jboss-messaging.sar/ 
-</programlisting>
-				<para>
-					This file contains the definition of persistence service for JBoss Messaging when using an Oracle Database as storage. 
-				</para>
-				<note>
-					<para>
-						Table definitions in this file are not optimized for performance. 
-					</para>
-				</note>
-			</listitem>
-			<listitem>
-				<para>
-					Place your JDBC driver libraries in the <filename>${JBOSS_HOME}/server/production/lib/</filename> directory.
-				</para>
-				<para>
-					If the security policy is to be used, proper permissions must be provided for access to it.
-				</para>
-			</listitem>
-			<listitem>
-				<para>
-					When using  the Oracle Database, the database persistence plugin definition must be changed in <filename>${JBOSS_HOME}/server/production/deploy/ejb-deployer.xml</filename>
-					from being:</para> 
-<programlisting>&lt;attribute name="DatabasePersistencePlugin"&gt;org.jboss.ejb.txtimer.GeneralPurposeDatabasePersistencePlugin&lt;/attribute&gt;
-</programlisting>
-				<para>
-					to being:
-				</para>
-				<programlisting>&lt;attribute name="DatabasePersistencePlugin"&gt;org.jboss.ejb.txtimer.OracleDatabasePersistencePlugin&lt;/attribute&gt;</programlisting>
-			</listitem>
-			<listitem>
-				<para>
-					Comment out the policy for <literal>HsqlDbRealm</literal> in the <filename>${JBOSS_HOME}/server/conf/login-config.xml</filename> file.
-				</para>
-<screen>
-&lt;!-- Security domains for testing new jca framework
-	&lt;application-policy name = "HsqlDbRealm"&gt;
-		&lt;authentication&gt;
-			&lt;login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required"&gt;
-				&lt;module-option name = "principal"&gt;sa&lt;/module-option&gt;
-				module-option name = "userName"&gt;cctest&lt;/module-option&gt;
-				&lt;module-option name = "password"&gt;cc1248&lt;/module-option&gt;
-				&lt;module-option name = "managedConnectionFactoryName"&gt;jboss.jca:service=LocalTxCM,name=DefaultDS&lt;/module-option&gt;
-			&lt;/login-module&gt;
-		&lt;/authentication&gt;
-	&lt;/application-policy&gt;
---&gt; 
-</screen>
-			</listitem>
-		</orderedlist>
-		<para>
-			For information on how to configure other supported databases refer to <ulink url="http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp03/html-single/Server_Configuration_Guide/index.html#alternative_DBs"></ulink>. 
-		</para>
-	</section>
+
+        <para>For information on how to configure other supported databases refer to 
+        <ulink url="http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp03/html-single/Server_Configuration_Guide/index.html#alternative_DBs"></ulink>.</para>
     </section>
+    
+    <section id="Common_Criteria_Guide-Developer_Guidelines-java_security_permissions">
+        <title>Guidance on Configuring Java Security Permissions</title>
+        <para>The system administrator for the operation of the certified system is expected 
+        to configure the security permissions for all enterprise applications that are deployed 
+        on the certified system, when the certified system runs in the security manager enabled 
+        mode.</para>
 
+        <note><para>This configuration is only necessary when running JBoss EAP with
+        the Java Security Manager enabled.  Refer to <xref linkend="enabling_JSM" /> for more 
+        details.</para></note>
 
+        <para>Please refer to the url 
+        <ulink url="http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html">http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html</ulink> 
+        for information on configuring permissions in the JDK.</para>
+
+        <para>A single entry in the Java Security Manager policy that is shipped with the 
+        certified system follows the standard Java Standard Edition model. More information 
+        is provided at 
+        <ulink url="http://java.sun.com/j2se/1.5.0/docs/guide/security/PolicyFiles.html">http://java.sun.com/j2se/1.5.0/docs/guide/security/PolicyFiles.html</ulink>.</para>
+
+        <para>An example would be the following:</para>
+        <programlisting language="java"><xi:include href="extras/dev_guidelines_1.policy" parse="text" xmlns:xi="http://www.w3.org/2001/XInclude"></xi:include></programlisting>
+        
+        <para>This is defined by the certified system by default to provide all permissions 
+        to the jmx console web application shipping in the deploy directory.</para>
+
+        <para>So if the administrator needs to provide permissions to an enterprise application 
+        called as <filename>TestDeployment.ear</filename> in the deploy directory of the certified 
+        system, then an example entry would be the following:</para>
+        <programlisting language="java"><xi:include href="extras/dev_guidelines_2.policy" parse="text" xmlns:xi="http://www.w3.org/2001/XInclude"></xi:include></programlisting>        
+
+        <para>This entry provides the enterprise application called as <filename>TestDeployment.ear</filename>
+        to read Java properties as well as the ability to create JAAS login context and obtain JAAS 
+        login configuration.</para>
+
+        <para>The certified system in the security manager enabled mode is a locked down system 
+        that forces the system administrator to configure the necessary security permissions for 
+        the operation of the user applications on the certified system.</para>
+ 
+        <para>Any interaction with the JBoss JMX Kernel (which is the standard Java JDK MbeanServer) 
+        will require the appropriate <classname>javax.management.MBeanPermission</classname> as 
+        specified in the Java JDK MbeanServer interface 
+        (<ulink url="http://java.sun.com/j2se/1.5.0/docs/api/javax/management/MBeanServer.html">http://java.sun.com/j2se/1.5.0/docs/api/javax/management/MBeanServer.html</ulink>).</para>
+
+        <para>We strongly recommend administrators to NOT assign a <property>java.security.AllPermission</property>
+        to any of the user applications.</para>
+    </section>
+    
+    </section>
 </chapter>
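Review bot: The closing recommendation marks up `java.security.AllPermission` as `<property>`, but it is a class, and the paragraph just above it uses `<classname>` for `javax.management.MBeanPermission`; use `<classname>` here too. The section also says the shipped policy gives all permissions to the jmx console web application and then tells administrators not to assign AllPermission to user applications, so one sentence explaining why the console is the exception would stop readers from copying the first example as a template. Wording: "called as" appears twice, and "This entry provides the enterprise application ... to read Java properties" should read "allows ... to read".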

Modified: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Revision_History.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Revision_History.xml	2008-12-04 07:03:09 UTC (rev 82031)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Revision_History.xml	2008-12-04 08:31:45 UTC (rev 82032)
@@ -7,7 +7,7 @@
 		<revhistory>
 			<revision>
 				<revnumber>1.0</revnumber>
-				<date>November 07th 2008</date>
+				<date>November 30th 2008</date>
 				<author>
 					<firstname>Isaac</firstname>
 					<surname>Rooskov</surname>
@@ -15,14 +15,33 @@
 				</author>
 				<revdescription>
 					<simplelist>
-						<member>The guide has been updated with information in secitons 2.2, 3.2, 4.2, 5.3 and the removal of JNDI from 5.4</member>
+						<member>Initial creation of guide</member>
 					</simplelist>
 				</revdescription>
 			</revision>
 		</revhistory>
 	</simpara>
 </appendix>
+
 <!--
+<revision>
+<revnumber>1.0</revnumber>
+<date>November 07th 2008</date>
+<author>
+<firstname>Isaac</firstname>
+<surname>Rooskov</surname>
+<email>irooskov at redhat.com</email>
+</author>
+<revdescription>
+<simplelist>
+<member>The guide has been updated with information in secitons 2.2, 3.2, 4.2, 5.3 and the removal of JNDI from 5.4</member>
+</simplelist>
+</revdescription>
+</revision>
+-->
+
+
+<!--
 <revhistory>
 	<revision>
 		<revnumber>0.8</revnumber>
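Review bot: The superseded 1.0 entry is kept as a commented-out `<revision>` block, which leaves two entries numbered 1.0 in the file (November 07th and November 30th), still carries the "secitons" typo, and sits as a bare `<revision>` outside any `<revhistory>`. Version control already holds the old text, so delete the block; if the November 07th changes must stay visible to readers, give them their own revnumber inside the live `<revhistory>` instead of replacing the description with "Initial creation of guide".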

Modified: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Configuration.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Configuration.xml	2008-12-04 07:03:09 UTC (rev 82031)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Configuration.xml	2008-12-04 08:31:45 UTC (rev 82032)
@@ -34,6 +34,13 @@
         <screen>cd %JBOSS_HOME%/bin 
 $ run.bat -c production</screen></example>
 
+        <para>On a multi-homed machine, you can use the <literal>-b</literal> option
+        to force JBoss EAP to only bind to the specified IP address.</para>
+        <example><title>Starting the JBoss EAP server bound to a single ip address on Unix or Linux</title>
+        <screen>$ cd $JBOSS_HOME/bin 
+$ ./run.sh -b <replaceable>${ip_address}</replaceable> -c production</screen></example>
+
+
         <para>JBoss EAP's default behavior is to run without the use of the Java Security
         Manager.  This means that any application deployed on JBoss EAP will be running in 
         the same namespace as JBoss EAP itself.  In this environment it is possible that an 
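Review bot: The new `-b` example covers only `run.sh`, while the example directly above it in this hunk's context uses `run.bat`; add the Windows form or say that the option is identical for both scripts. The paragraph also says "you can use" without stating whether binding to a single address is required for the evaluated configuration or what the server binds to when `-b` is omitted, which is what the administrator of a multi-homed host needs to know. In the example title, "ip address" should be "IP address".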
@@ -62,38 +69,48 @@
         limited to read-only file-system access, adding queue print items &amp; 
         connecting to sockets.</para>
 
-<para>You must edit the file <filename>run.conf</filename> located in the Enterprise Platform home directory at <filename>/jboss-as/server/production/</filename> and uncomment the
-        lines indicated below to enable the Java Security Manager. Once those items are 
+        <para>You must edit the file <filename>run.conf</filename> located in the Enterprise 
+        Platform home directory at <filename>/jboss-as/server/production/</filename> and uncomment 
+        the lines indicated below to enable the Java Security Manager. Once those items are 
         uncommented from <filename>run.conf</filename>, simply start the server using the 
         supplied startup script (<filename>run.sh</filename> or <filename>run.bat</filename>) 
         as normal.</para>
-<important>
-	<para>
-		run.conf is part of the production configuration of the EAP. Only the production configuration is allowed in the Common Criteria Configuration.
-	</para>
-</important>
-        
+
         <example><title><filename>run.conf</filename> with Java Security Manager enabled</title>
-        <screen># Uncomment the following to run with Common Criteria configuration 
-## Specify the Security Manager Policy 
-POLICY="security_cc.policy" 
-# 
-## Specify the Security Manager options 
-JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$POLICY" 
-echo "=================================================================" 
-echo "                                                                 " 
-echo "    Common Criteria Configuration (Security Manager Enabled)" 
-echo "                                                                 " 
-echo "=================================================================" 
-## End of Common Criteria configuration </screen></example>
+            <programlisting><xi:include parse="text" href="extras/run.conf.policy" xmlns:xi="http://www.w3.org/2001/XInclude" /></programlisting>
+        </example>
 
-<formalpara>
-	<title>Policy file configuration</title>
-	<para>
-		Users and administrators are free to add their own permission blocks to the policy file, however the permissions that are shipped with the JBoss Enterprise Application Platform cannot change; doing so will invalidate the certification. Indeed any modifications of the security policy except what has been specified within this guide, will invalidate the certification configuration. 
-	</para>
-</formalpara>
-        
+        <important>
+            <para><filename>run.conf</filename> is part of the production configuration 
+            of the EAP. Only the production configuration with the additional 
+            configuration information specified in this guide is allowed in the Common 
+            Criteria Configuration.</para>
+        </important>
+
+        <formalpara>
+            <title>IBM JDK 6 and the Java Security Manager</title>
+            <para>IBM JDK 6 uses a default policy provider which does not work correctly 
+            with the JBossEAP security policy.  You must change the JDK configuration to 
+            use the standard policy provider if you want to use IBM JDK6 to host JBossEAP 
+            with the Java Security Manager enabled.</para>
+        </formalpara>
+
+        <para>You do this by editing the file 
+        <filename><replaceable>${JAVA_HOME}</replaceable>/jre/lib/security/java.security</filename> 
+        and setting the value of <property>policy.provider</property> to 
+        <literal>sun.security.PolicyFile</literal> instead of 
+        <literal>org.apache.harmony.security.fortress.DefaultPolicy</literal>: </para>
+        <programlisting>policy.provider=sun.security.provider.PolicyFile</programlisting>
+
+        <formalpara>
+            <title>Policy file configuration</title>
+            <para>Users and administrators are free to add their own permission blocks to the policy file, 
+            however the permissions that are shipped with the JBoss Enterprise Application Platform cannot 
+            be changed; doing so will invalidate the certification. Indeed any modifications of the security 
+            policy except what has been specified within this guide, will invalidate the certification 
+            configuration. </para>
+        </formalpara>
+
     </section>
 
 </chapter>
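Review bot: The IBM JDK 6 paragraph names the provider class as `sun.security.PolicyFile`, but the `<programlisting>` directly under it sets `policy.provider=sun.security.provider.PolicyFile`. The listing has the correct class name; fix the `<literal>` in the prose so that a reader who types the value from the sentence does not configure a provider class that does not exist. The added lines also spell the product three ways ("JBoss EAP", "JBossEAP") and the JDK two ways ("IBM JDK 6", "IBM JDK6"); pick one of each.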

Modified: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml	2008-12-04 07:03:09 UTC (rev 82031)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml	2008-12-04 08:31:45 UTC (rev 82032)
@@ -66,10 +66,16 @@
                 </listitem>
             </varlistentry>
         </variablelist>
-	<para>
-		
-		Removal and deployment can be conducted while the server is running. In order to remove any of the mentioned services from opperation, delete the relevant folder for each from the production deploy directory located at <filename>/EnterprisePlatform-4.3.0.GA_CP03/jboss-as/server/production/deploy/</filename>. Contrast to this, to start a service move the folder for the service into the depoy directory. For more information refer to the <ulink url="http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp03/html-single/Server_Configuration_Guide/index.html#Deployment">Deployment chapter</ulink> of the Server Configuration Guide. 
-	</para>
+	
+		<para>
+		Removal and deployment can be conducted while the server is running. In 
+		order to remove any of the mentioned services from operation, delete the 
+		relevant folder for each from the production deploy directory located at 
+		<filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/deploy/</filename>. 
+		Contrast to this, to start a service move the folder for the service into 
+		the deploy directory. For more information refer to the 
+		<ulink url="http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp03/html-single/Server_Configuration_Guide/index.html#Deployment">Deployment chapter</ulink>
+	   	of the Server Configuration Guide.</para>
     </section>
 
     <section id="sect-Common_Criteria_Guide-Overview_of_the_Security_Functions-Audit">
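Review bot: The rewritten paragraph tells the reader to delete a service's folder to stop it and to "move the folder for the service into the deploy directory" to start it, but after a delete there is nothing left to move back. Suggest "move the folder out of the deploy directory" for removal, or say where a fresh copy of the service comes from. "Contrast to this," reads better as "Conversely,", and the last added line mixes tabs and spaces in its indentation.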
@@ -132,9 +138,10 @@
 	    <section id="additional_auditing_options">
             <title>Enabling Additional Logging</title>
 	    
-	    <para>
-		    Additional logging for EJB application requests has been configured during the setup process of this guide when audit logging was configured. For more information see <xref linkend="configuration_requirements-setup_configuration"/>
-	    </para>
+	    <para>Additional logging for EJB application requests has been configured during 
+        the setup process of this guide when audit logging was configured. For more 
+        information regarding audit logging configuration refer to 
+        <xref linkend="configuration_requirements-setup_configuration"/></para>
  <!--           
             <para>If you need additional logging for EJB application requests, 
             uncomment the following category in <filename>conf/jboss-log4j.xml</filename>.</para>
@@ -145,19 +152,7 @@
  &lt;/category&gt;</programlisting>
             </figure>
 -->
-            <para>If you need additional logging for web-based requests, uncomment 
-            the <literal>AccessLogValve</literal> in 
-            <filename>deploy/jboss-web.deployer/server.xml</filename>.  The access 
-            log will be available in the <filename>log</filename> directory of the 
-            server configuration.</para> 
-
-            <figure><title>Enabling additional logging for web-based requests</title>
-<programlisting language="xml">&lt;Valve className="org.apache.catalina.valves.AccessLogValve"
-  prefix="localhost_access_log." suffix=".log"
-  pattern="common" directory="${jboss.server.home.dir}/log"
-  resolveHosts="false" /&gt;</programlisting></figure>
-
-            
+           
         </section>
     </section>
 
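Review bot: This removes the only instructions for enabling web request logging (the `AccessLogValve` in `deploy/jboss-web.deployer/server.xml`) from the "Enabling Additional Logging" section, and the log message ("updates") gives no reason. If the valve is now enabled as part of the setup procedure, say so and cross-reference that section, the way the previous hunk does for EJB request logging; if web access logging is outside the evaluated configuration, state that instead. The replacement `+` line contains only whitespace.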
@@ -298,7 +293,7 @@
             <para>These additional payloads can be retrieved at the server side 
             using similar methods on the invocation object.</para>
             
-            <example><title>Retreiving Principal and Credential</title>
+            <example><title>Retrieving Principal and Credential</title>
             <programlisting language="java">Principal p = mi.getPrincipal(); 
 Object cred = mi.getCredential();
 // Now do authentication (and then authorization)</programlisting></example>
@@ -392,13 +387,5 @@
         transactions component can be utilized, which uses SOAP/HTTP.</para>
     </section>
 
-    <section id="sect-Common_Criteria_Guide-Overview_of_the_Security_Functions-Securing_MBean_Invokers">
-        <title>Securing MBean Invokers</title>
-	<para>	
-		The <filename>http-invoker.sar</filename> found in the deploy directory is a service that provides RMI/HTTP access for EJBs and the JNDI Naming service. This includes a servlet that processes posts of <classname>marshaled org.jboss.invocation.Invocation</classname> objects that represent invocations that should be dispatched onto the MBeanServer. Effectively this allows access to MBeans that support the detached invoker operation via HTTP when sending appropriately formatted HTTP posts. This servlet has to be protected against the use by unprivileged users. To secure this access point you would need to secure the JMXInvokerServlet servlet found in the <filename>http-invoker.sar/invoker.war/WEB-INF/web.xml</filename> descriptor.
-	</para>
-	<para>	
-		The <filename>jmx-invoker-adaptor-server.sar</filename> is a service that exposes the JMX MBeanServer interface via an RMI compatible interface using the RMI/JRMP detached invoker service. This interface has to be made unavailable to unprivileged users which can be done by using the <classname>org.jboss.jmx.connector.invoker.AuthenticationInterceptor</classname> interceptor for performing identification and authentication using JAAS. Additionally, access control has to be configured using the interceptors of either <classname>org.jboss.jmx.connector.invoker.RolesAuthorization</classname> or <classname>org.jboss.jmx.connector.invoker.ExternalizableRolesAuthorization</classname>.
-	</para>
-    </section>
+    
 </chapter>
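Review bot: The deleted section is where the guide stated that the `JMXInvokerServlet` "has to be protected against the use by unprivileged users" and that the `jmx-invoker-adaptor-server.sar` interface needs the `AuthenticationInterceptor` plus one of the roles authorization interceptors, and nothing in this hunk replaces it. Confirm that the requirement is now covered elsewhere in the guide, or that both services are absent from the evaluated configuration, and add a cross-reference or a sentence saying so; otherwise keep the section. The `+` line left behind is whitespace only.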

Modified: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/System_Installation.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/System_Installation.xml	2008-12-04 07:03:09 UTC (rev 82031)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/System_Installation.xml	2008-12-04 08:31:45 UTC (rev 82032)
@@ -6,11 +6,17 @@
 <chapter id="chap-Common_Criteria_Guide-System_Installation">
 	<title>Downloading and Verifying the Packages</title>
     <para>JBoss EAP is delivered on line through the Red Hat JBoss Customer Support Portal (CSP) at 
-	    <ulink url="https://support.redhat.com/jbossnetwork/restricted/main.html">https://support.redhat.com/jbossnetwork/restricted/main.html</ulink> and through the Red Hat Network (RHN) at the following address:  <ulink url="https://rhn.redhat.com">https://rhn.redhat.com</ulink>. The EAP is avaliable as ZIP files from the CSP and as ZIP and RPM files from the RHN.
+	    <ulink url="https://support.redhat.com/jbossnetwork/restricted/main.html">https://support.redhat.com/jbossnetwork/restricted/main.html</ulink> and through the Red Hat Network (RHN) at the following address:  <ulink url="https://rhn.redhat.com">https://rhn.redhat.com</ulink>. The EAP is available as ZIP files from the CSP and as ZIP and RPM files from the RHN.
     </para>
     
     <para>To ensure the authenticity of the downloaded software you need to verify 
     the authenticity of the files and their source.</para>
+
+    <important>
+        <para>Unless specifically stated otherwise the screenshots and other samples shown 
+        in this section are only examples.  The actual presentation of the download websites
+        may change overtime.</para>
+    </important>
     
    <section id="verify_authenticity_of_site">
         <title>Verify the Authenticity of the Download Site.</title>
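Review bot: The new `<important>` says "the screenshots and other samples shown in this section are only examples", which leaves it unclear whether the `md5sum` and `sha256sum` outputs listed later in the chapter are values to compare against or just illustrations. State explicitly that the reference checksums are the ones shown on the download page, or mark the listed values as authoritative. "overtime" should be "over time".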
@@ -36,14 +42,22 @@
             </mediaobject>
         </figure>
         
-        <para>
-		If these items are not visible you may wish to check the authenticity of the site by viewing the identiy certificate. To give an example of how this can be done, we will use the Firefox web browser.
+	<para>
+	If these items are not visible you may wish to check the authenticity of the 
+	site by viewing the identity certificate. To give an example of how this can be 
+	done, we will use the Firefox web browser.
 	</para>
 	<para>
-		Within the Firefox browser, go to Tools in the top menu bar and then click on Page Info. From here click the Security icon and then the <guibutton>View Certificate</guibutton> button. 
+	Within the Firefox browser, go to Tools in the top menu bar and then click on 
+	Page Info. From here click the Security icon and then the <guibutton>View Certificate</guibutton> 
+	button. 
 	</para>
+
 	<para>
-		The certificate will display details such as who the owner of the page is, who issued the certificate, when it was issued and when it expires as well as SHA1 and MD5 fingerprint verification strings. An example of the certificate for <ulink url="https://rhn.redhat.com">https://rhn.redhat.com</ulink> follows. 
+	The certificate will display details such as who the owner of the page is, who 
+	issued the certificate, when it was issued and when it expires as well as SHA1 
+	and MD5 fingerprint verification strings. An example of the certificate for 
+	<ulink url="https://rhn.redhat.com">https://rhn.redhat.com</ulink> follows. 
 	</para>
 	
 	<figure><title>The RHN certification certificate</title>
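Review bot: The reflowed paragraphs ask the reader to confirm the site by viewing the certificate and its SHA1 and MD5 fingerprints, but give no expected owner, issuer or fingerprint in text; the only reference is the screenshot that follows, and the note added in the previous hunk says screenshots are only examples. State in the text what the reader should expect to see, or where the expected values can be obtained, since a fingerprint cannot be reliably compared against an image.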
@@ -52,9 +66,10 @@
 		</mediaobject>
         </figure>
 	
-	<para>
-		If neither of the lock icons are present in your browser and a verified certificate cannot be found, this may mean that you are not at the correct site. If you are unable to reach the secure Red Hat JBoss Customer Support Portal or Red Hat Network sites you should contact Red Hat Support and report this problem.
-	</para>
+	<para>If neither of the lock icons are present in your browser and a verified certificate 
+    cannot be found, this may mean that you are not at the correct site. If you are unable to 
+    reach the secure Red Hat JBoss Customer Support Portal or Red Hat Network sites you should 
+    contact Red Hat Support and report this problem.</para>
 
 <!--        <para>When the 'lock' icon is clicked a dialog window will be displayed with the details 
         of the site certificate.  If this dialog does not specify that the web sites identity is 
@@ -74,7 +89,7 @@
         Customer support site by browsing to <guimenuitem>JBoss Enterprise Middleware</guimenuitem>, 
         <guimenuitem>Application Platform</guimenuitem>, <guimenuitem>Certified downloads</guimenuitem>.</para>
         
-        <figure><title>Software downloads page showing available JBoss EAP files</title>
+        <figure><title>Software downloads page showing available files</title>
             <mediaobject>
                 <imageobject><imagedata fileref="images/software_downloads.png" /></imageobject>
             </mediaobject>
@@ -89,7 +104,7 @@
         checksum values for that package.  These values are used to verify the integrity 
         of your downloaded files.</para>
         
-<figure><title>MD5 &amp; SHA-256 information displayed for a download at the Red Hat JBoss Customer Support Portal</title>
+        <figure><title>MD5 &amp; SHA-256 information displayed for a download at the Red Hat JBoss Customer Support Portal</title>
             <mediaobject>
                 <imageobject><imagedata fileref="images/lookup_MD5_value.png" /></imageobject>
             </mediaobject>
@@ -118,7 +133,6 @@
             problem. </para>
         </warning>
         
-        
         <section id="verify_downloaded_files_MD5">
             <title>Verifying the Downloaded Files</title>
             <para>After you have downloaded the file, run the <command>md5sum</command> command-line utility and specify 
@@ -126,9 +140,8 @@
             
             <example><title>Using the md5sum tool on Linux or Unix</title>
 <screen>$ md5sum jboss-eap-4.3.0.GA_CP03.zip 
-3f750b0bd3ec997658a7368cb46e912a jboss-eap-4.3.0.GA_CP03.zip </screen>
-            </example>
-            
+4ebffbd38fcb7e259d1d9abbd40b058a  jboss-eap-4.3.0.GA_CP03.zip </screen></example>
+           
         </section>
             
         <section id="verify_downloaded_files_SHA256">
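Review bot: The `md5sum` output shown for `jboss-eap-4.3.0.GA_CP03.zip` is replaced with a different digest while the file name stays the same, and the SHA-256 value for the same file changes in the next hunk, with no explanation in the log message. Confirm both new values against the certified artifact and record why they changed; if the listings are meant only as sample output, label them so that readers do not compare their download against them.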
@@ -138,149 +151,149 @@
             
             <example><title>Using the sha256sum tool</title>
 <screen>$ sha256sum jboss-eap-4.3.0.GA_CP03.zip 
-24f88354add8adc7f6f2807705cc36ed4fc4242c5375414962cbfca77cf19640 jboss-eap-4.3.0.GA_CP03.zip </screen>
-            </example>
+c96fae2fa809077ab0d0b969ac279bb5cba892916d06f832908204265916684a jboss-eap-4.3.0.GA_CP03.zip </screen></example>
             
         </section>
 
-        
-    
     </section>
     
     <section id="verify_downloaded_files_RHN">
         <title>Verifying the Downloaded Files from the Red Hat Network</title>
-	<para>The JBoss EAP evaluated configuration is found for download on the Red Hat Network by first logging into RHN and then locating and selecting the download. This section will detail the steps necesssary to download the EAP from RHN and then the verification of the download.</para>
+        <para>The JBoss EAP evaluated configuration is found for download on the Red Hat 
+        Network by first logging into RHN and then locating and selecting the download. 
+        This section will detail the steps necessary to download the EAP from RHN and 
+        then the verification of the download.</para>
 	
-	<para>
-		Firstly you will have to login to the Red Hat Network with your Red Hat login and password. If you have lost these details, click on the <guilabel>Lost login/Password?</guilabel> link and follow the prompts.
-	</para>
-	
-	<figure><title>RHN login page</title>
-		<mediaobject>
-			<imageobject><imagedata fileref="images/RHN_Login.png" /></imageobject>
-		</mediaobject>
-	</figure>
-	
-	<para>
-		To find the JBoss EAP download, begin by clicking on the <guimenuitem>Channels</guimenuitem> menu item at the top of the page. 
-	</para>
-	
-	<figure><title>RHN Channels Tab</title>
-		<mediaobject>
-			<imageobject><imagedata fileref="images/RHN_Channels.png" /></imageobject>
-		</mediaobject>
-	</figure>
-	
-	<para>
-		From the dropdown menu system, select the JBoss Application Platform, version 4.3.0 (as it is the certified version) followed by the architecture of your system and then click on the <guibutton>Filter</guibutton> button. 
-	</para>
-	<para>
-		The following image is an example filter search and displays all versions of the EAP that are avaliable. For the certified version select <productname>JBoss Enterprise Application Platform 4.3.0</productname>. 
-	</para>
-	
-	<figure><title>Searching for the JBoss Enterprise Application Platform</title>
-		<mediaobject>
-			<imageobject><imagedata fileref="images/RHN_select_version.png" /></imageobject>
-		</mediaobject>
-	</figure>
-	
-	<para>
-		From the filtered list that is returned and after selecting the appropriate version of the JBoss EAP for your system, another page will be displayed which outlines the details of the download. 
-	</para>
-	
-	<figure><title>JBoss EAP download details</title>
-		<mediaobject>
-			<imageobject><imagedata fileref="images/RHN_EAP_details.png" /></imageobject>
-		</mediaobject>
-	</figure>
-	
-	<para>
-		Under the JBoss Application Platform title is a list of tabs. Curently the <guimenuitem>Details</guimenuitem> tab is selected. By clicking on the last tab called <guimenuitem>Downloads</guimenuitem>, a list of all the downloads which form the JBoss EAP will be displayed. 
-	</para>
-	
-	<figure><title>JBoss EAP download file list </title>
-		<mediaobject>
-			<imageobject><imagedata fileref="images/RHN_download.png" /></imageobject>
-		</mediaobject>
-	</figure>
-	
-	<para>
-		The packages listed above can be explained as follows:
-	</para>
-	<itemizedlist>
-		<listitem>
-			<para>
-				<filename>enterprise-installer-4.3.0.GA_CP03.jar</filename>: The graphical installer for EAP 4.3.0.CP03.
-			</para>
-		</listitem>
-		<listitem>
-			<para>
-				<filename>jboss-eap-4.3.0.GA_CP03.zip</filename>: The software files that make up the EAP 4.3.0.CP03 installation.
-			</para>
-		</listitem>
-		<listitem>
-			<para>
-				<filename>jboss-eap-docs-4.3.0.GA_CP03.zip</filename>: The documentation for EAP 4.3.0.CP03.
-			</para>
-		</listitem>
-		<listitem>
-			<para>
-				<filename>jboss-eap-src-4.3.0.GA_CP03.zip</filename>: The graphical installer for EAP 4.3.0.CP03.
-			</para>
-		</listitem>
-	</itemizedlist>
-	
-	<para>The software details page also contains the MD5 checksum values for each package. These values are used to verify the integrity of your downloaded files.</para>
-	
-	<para>You can use the <command>md5sum</command> utility as detailed below to calculate 
-		the checksum values of the files to compare to the supplied values on the website.</para>  
-	
-	<note>
-		<para>The command line examples given are accurate for most Linux and 
-			Unix operating systems.  Mac OS X includes the equivalent command 
-			<command>md5</command>.</para>  
-		
-		<para>If you are using Microsoft Windows you will have to download a 
-			third party utility to perform these steps as it does not include a 
-			MD5SUM tool.</para>
-	</note>
-	
-	<para>The values that are generated by the MD5SUM tool should be the same as the value 
-		on the Downloads page. If it is not then your download is either incomplete 
-		or corrupted. You will need to download it again. </para>
-	
-	<warning>
-		<para>If after several attempts you are unable to download a copy of the file that 
-			produces a valid checksum values you should open a support case to report the 
-			problem. </para>
-	</warning>
-	
-	
-	<section id="verify_RHN_downloaded_files_MD5">
-		<title>Verifying the Downloaded Files</title>
-		<para>After you have downloaded the file, run the <command>md5sum</command> command-line utility and specify 
-			the file you downloaded as the first argument. </para>
-		
-		<example><title>Using the md5sum tool on Linux or Unix</title>
-<screen>
-$ md5sum enterprise-installer-4.3.0.GA_CP03.jar
+        <note><para>RHN refers to all the files as being ISO Images 
+        regardless of what the file actually is.</para></note>
+    
+        <para>Firstly you will have to login to the Red Hat Network with your Red Hat login and 
+        password. If you have lost these details, click on the <guilabel>Lost login/Password?</guilabel> 
+        link and follow the prompts.</para>
+
+        <figure><title>RHN login page</title>
+            <mediaobject>
+                <imageobject><imagedata fileref="images/RHN_Login.png" /></imageobject>
+            </mediaobject>
+        </figure>
+
+        <para>To find the JBoss EAP download, begin by clicking on the <guimenuitem>Channels</guimenuitem> 
+        menu item at the top of the page.  From the dropdown menu system, select the JBoss Application 
+        Platform, version 4.3.0 (as it is the certified version) followed by the architecture of your 
+        system and then click on the <guibutton>Filter</guibutton> button. </para>
+        
+        <para>The following image is an example filter search and displays all versions of the EAP 
+        that are available. For the certified version select 
+        <productname>JBoss Enterprise Application Platform 4.3.0</productname>. </para>
+
+        <figure><title>Searching for the JBoss Enterprise Application Platform</title>
+            <mediaobject>
+                <imageobject><imagedata fileref="images/RHN_select_version.png" /></imageobject>
+            </mediaobject>
+        </figure>
+
+        <para>
+            From the filtered list that is returned and after selecting the appropriate version of the JBoss EAP for your system, another page will be displayed which outlines the details of the download. 
+        </para>
+
+        <figure><title>JBoss EAP download details</title>
+            <mediaobject>
+                <imageobject><imagedata fileref="images/RHN_EAP_details.png" /></imageobject>
+            </mediaobject>
+        </figure>
+
+        <para>Under the JBoss Application Platform title is a list of tabs. Currently the 
+        <guimenuitem>Details</guimenuitem> tab is selected. By clicking on the last tab 
+        called <guimenuitem>Downloads</guimenuitem>, a list of all the downloads which 
+        form the JBoss EAP will be displayed. </para>
+
+        <figure>
+            <title>JBoss EAP download file list </title>
+            <mediaobject>
+                <imageobject><imagedata fileref="images/RHN_download.png" /></imageobject>
+            </mediaobject>
+        </figure>
+
+        <important>
+            <para>The files listed here are those of the most recent
+            JBoss Enterprise Application Server release.  Once 4.3.CP03 is 
+            superceded by another version you will have to click on the 
+            <guilabel>View ISO Images for Older Releases</guilabel> link 
+            and then <guilabel>JBoss Enterprise Application Platform 4.3.0 CP03</guilabel> 
+            to access the files for the evaluated configuration.</para>
+        </important>
+
+        <para>The packages listed above can be explained as follows:</para>
+        
+        <itemizedlist>
+            <listitem>
+                <para>
+                    <filename>enterprise-installer-4.3.0.GA_CP03.jar</filename>: The graphical installer for EAP 4.3.0.CP03.
+                </para>
+            </listitem>
+            <listitem>
+                <para>
+                    <filename>jboss-eap-4.3.0.GA_CP03.zip</filename>: The software files that make up the EAP 4.3.0.CP03 installation.
+                </para>
+            </listitem>
+            <listitem>
+                <para>
+                    <filename>jboss-eap-docs-4.3.0.GA_CP03.zip</filename>: The documentation for EAP 4.3.0.CP03.
+                </para>
+            </listitem>
+            <listitem>
+                <para>
+                    <filename>jboss-eap-src-4.3.0.GA_CP03.zip</filename>: The source code distribution for EAP 4.3.0.CP03.
+                </para>
+            </listitem>
+        </itemizedlist>
+
+        <para>The software details page also contains the MD5 checksum values for each package. 
+        These values are used to verify the integrity of your downloaded files.</para>
+
+        <para>You can use the <command>md5sum</command> utility as detailed below to calculate 
+        the checksum values of the files to compare to the supplied values on the website.</para>  
+
+        <note>
+            <para>The command line examples given are accurate for most Linux and 
+            Unix operating systems.  Mac OS X includes the equivalent command 
+            <command>md5</command>.</para>  
+
+            <para>If you are using Microsoft Windows you will have to download a 
+            third party utility to perform these steps as it does not include a 
+            MD5SUM tool.</para>
+        </note>
+
+        <para>The values that are generated by the MD5SUM tool should be the same as the value 
+            on the Downloads page. If it is not then your download is either incomplete 
+            or corrupted. You will need to download it again. </para>
+
+        <warning>
+            <para>If after several attempts you are unable to download a copy of the file that 
+                produces a valid checksum values you should open a support case to report the 
+                problem. </para>
+        </warning>
+
+
+        <section id="verify_RHN_downloaded_files_MD5">
+            <title>Verifying the Downloaded Files</title>
+            <para>After you have downloaded the file, run the <command>md5sum</command> command-line utility and specify 
+                the file you downloaded as the first argument. </para>
+
+            <example><title>Using the md5sum tool on Linux or Unix</title>
+            <screen>$ md5sum enterprise-installer-4.3.0.GA_CP03.jar
 7020b8fea3abdfb6c1caeae577dba059 enterprise-installer-4.3.0.GA_CP03.jar 
-</screen>
-<screen>
+
 $ md5sum jboss-eap-4.3.0.GA_CP03.zip 
 4ebffbd38fcb7e259d1d9abbd40b058a jboss-eap-4.3.0.GA_CP03.zip 
-</screen>
-<screen>
+
 $ md5sum jboss-eap-docs-4.3.0.GA_CP03.zip 
 b981279cb8e9127d918d62beddda3516 jboss-eap-docs-4.3.0.GA_CP03.zip
-</screen>
-<screen>
+
 $ md5sum jboss-eap-src-4.3.0.GA_CP03.zip
-3f750b0bd3ec997658a7368cb46e912a jboss-eap-src-4.3.0.GA_CP03.zip
-</screen>
-		</example>
+3f750b0bd3ec997658a7368cb46e912a jboss-eap-src-4.3.0.GA_CP03.zip</screen></example>
 		
-	</section>
-</section>
+        </section>
+    </section>
 
 </chapter>
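Review bot: In the paragraph beginning "The values that are generated by the MD5SUM tool", a mismatch is explained only as an incomplete or corrupted download. MD5 is not collision resistant, so for an evaluated configuration the text should state that the comparison detects transfer damage and that the reference values must be read from the RHN page itself, not from a copy. If a stronger digest is published for these files, document that as well. The hunk also names the source of the reference values two ways ("software details page" and "Downloads page"); pick one. Wording fixes in the same hunk: "superceded" should be "superseded", "a valid checksum values" should be "a valid checksum value", and "a MD5SUM tool" should be "an MD5SUM tool".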

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/additional_logging.xmlt
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/additional_logging.xmlt	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/additional_logging.xmlt	2008-12-04 08:31:45 UTC (rev 82032)
@@ -0,0 +1,4 @@
+<Valve className="org.apache.catalina.valves.AccessLogValve"
+  prefix="localhost_access_log." suffix=".log"
+  pattern="common" directory="${jboss.server.home.dir}/log"
+  resolveHosts="false" />
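Review bot: pattern="common" on this valve records the remote host, user, timestamp, request line, status and byte count but not the Referer or User-Agent headers; if the access log is meant as additional audit evidence, consider pattern="combined". The fragment also has no comment saying where it belongs, so a one-line XML comment naming the parent element in the Tomcat server.xml (Engine, Host or Context) would help anyone pasting it in.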

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/dev_guidelines_1.policy
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/dev_guidelines_1.policy	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/dev_guidelines_1.policy	2008-12-04 08:31:45 UTC (rev 82032)
@@ -0,0 +1,3 @@
+grant codeBase "file:${jboss.server.home.dir}/deploy/jmx-console.war/-" {
+  permission java.security.AllPermission;
+};
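Review bot: permission java.security.AllPermission for everything under deploy/jmx-console.war/- effectively switches the security manager off for that codebase. If this file is the broad "before" case that dev_guidelines_2.policy narrows, say so in a // comment at the top of the file so it is not copied into a production policy as-is.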

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/dev_guidelines_2.policy
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/dev_guidelines_2.policy	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/dev_guidelines_2.policy	2008-12-04 08:31:45 UTC (rev 82032)
@@ -0,0 +1,5 @@
+grant codeBase "file:${jboss.server.home.dir}/deploy/jmx-console.war/-" {
+ permission java.util.PropertyPermission "*", "read";
+ permission javax.security.auth.AuthPermission "createLoginContext.a_login";
+ permission javax.security.auth.AuthPermission "getLoginConfiguration";
+};
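Review bot: java.util.PropertyPermission "*", "read" lets the jmx-console code read every system property, including any set with -D on the command line; list the property names the application actually needs instead of the wildcard. The login context name in "createLoginContext.a_login" reads like a placeholder, so the guide text that includes this file should say it must match the application's own login configuration name. Indentation is one space here and two spaces in dev_guidelines_1.policy.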

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/login-config.xmlt
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/login-config.xmlt	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/login-config.xmlt	2008-12-04 08:31:45 UTC (rev 82032)
@@ -0,0 +1,16 @@
+<!-- Security domains for testing new jca framework
+<application-policy name = "HsqlDbRealm">
+  <authentication>
+    <login-module 
+      code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" 
+      flag = "required">
+      <module-option name = "principal">sa</module-option>
+      <module-option name = "userName">cctest</module-option>
+      <module-option name = "password">cc1248</module-option>
+      <module-option name = "managedConnectionFactoryName">
+        jboss.jca:service=LocalTxCM,name=DefaultDS
+      </module-option>
+    </login-module>
+  </authentication>
+</application-policy>
+-->
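Review bot: the userName cctest and password cc1248 module options put what looks like a working test credential in plain text into a published example; replace them with obvious placeholders. The comment opened on the first line is not closed until the last line, so the whole application-policy is commented out. If the example is meant to show the HsqlDbRealm domain disabled, give the description its own closed comment so readers can see that the policy block is the part being commented out.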

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/run.conf.policy
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/run.conf.policy	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/run.conf.policy	2008-12-04 08:31:45 UTC (rev 82032)
@@ -0,0 +1,12 @@
+# Uncomment the following to run with Common Criteria configuration 
+## Specify the Security Manager Policy 
+POLICY="security_cc.policy" 
+# 
+## Specify the Security Manager options 
+JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$POLICY" 
+echo "=================================================================" 
+echo "                                                                 " 
+echo "    Common Criteria Configuration (Security Manager Enabled)" 
+echo "                                                                 " 
+echo "=================================================================" 
+## End of Common Criteria configuration
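Review bot: the first line says "Uncomment the following", but the POLICY, JAVA_OPTS and echo lines are already active, so the comment and the content disagree; either comment the lines out or reword the header to say the block is enabled. POLICY="security_cc.policy" is a relative path, so the file is resolved against the directory the server is started from; an absolute path makes the result independent of the working directory. The double equals in -Djava.security.policy== is significant (it replaces the default policy rather than adding to it) and deserves a comment so it is not mistaken for a typo.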

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/rhn_certificate.png
===================================================================
(Binary files differ)


Property changes on: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/rhn_certificate.png
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream
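Review bot: svn:mime-type is set to application/octet-stream on rhn_certificate.png; image/png is the accurate type and lets repository browsers render the figure instead of offering it as a download.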



