[jboss-cvs] JBossAS SVN: r80546 - projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Tue Nov 4 23:14:24 EST 2008
Author: irooskov at redhat.com
Date: 2008-11-04 23:14:24 -0500 (Tue, 04 Nov 2008)
New Revision: 80546
Modified:
projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml
projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml
Log:
updated CC Guide with fixed JIRA issues and a re-ordering of information.
Modified: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml 2008-11-05 03:20:44 UTC (rev 80545)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml 2008-11-05 04:14:24 UTC (rev 80546)
@@ -77,12 +77,15 @@
<section id="configuration_requirements">
<title>Configuration Requirements</title>
+
+ <section id="configuration_requirements-setup_configuration">
+ <title>Setup Configuration</title>
<para>The following general configuration steps must be performed to ensure compliance
with Common Criteria requirements.</para>
<orderedlist>
- <listitem><para>Disable SNMP.</para></listitem>
- <listitem><para>Disable RMI under IIOP.</para></listitem>
+ <listitem><para>Disable Simple Network Management Protocol (SNMP) through ports 1161 and 1162.</para></listitem>
+ <listitem><para>Disable Remote Method Invocation (RMI) under the Internet Inter-ORB Protocol (IIOP).</para></listitem>
<listitem><para>Disable AJP from JBoss Web.</para></listitem>
<listitem><para>Use password hashing so plain text passwords are not stored on the server.</para></listitem>
<listitem><para>Disable the following ports:</para>
@@ -112,7 +115,72 @@
</orderedlist>
</listitem>
</orderedlist>
-
+ <note>
+ <para>
+ The SNMP, RMI and AJP services must be disabled ( mentioned previously) as they have been excluded from the evaluation scope and are not allowed in the evaluated configuration.
+ </para>
+ </note>
+ </section>
+ <section id="configuration_requirements-security_configuration">
+ <title>Security Configuration</title>
+ <para>
+ The following configuration steps must be performed to ensure security compliance
+ with Common Criteria requirements
+ </para>
+ <section id="configuration_requirements-security_configuration-JBoss_SX">
+ <title>JBoss SX</title>
+ <para>All security domains must be created in the context of java:/jaas/
+ (e.g. java:/jaas/jmx-console).</para>
+
+ <para>Custom Login Modules are not permitted; the only login modules
+ allowed are the following:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>org.jboss.security.auth.spi.UsersRolesLoginModule</para>
+ </listitem>
+ <listitem>
+ <para>org.jboss.security.auth.spi.LdapLoginModule</para>
+ </listitem>
+ <listitem>
+ <para>org.jboss.security.auth.spi.DatabaseServerLoginModule</para>
+ </listitem>
+ <listitem>
+ <para>org.jboss.security.auth.spi.BaseCertLoginModule</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>This restriction on login modules is also applicable to the
+ DynamicLoginConfig service.</para>
+
+ <para>Only the following security managers are allowed to be configured
+ and used for authentication purposes: </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>org.jboss.security.plugins.JaasSecurityManager </para>
+ </listitem>
+ <listitem>
+ <para>org.jboss.security.plugins.JaasSecurityDomain </para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Other modules, such as SRP module are not allowed.</para>
+ </section>
+
+ <section id="configuration_requirements-security_configuration-JBoss_Web">
+ <title>JBoss Web</title>
+ <para>The JAAS based authentication and authorization realm implementation
+ (<parameter>org.jboss.web.tomcat.security.JBossSecurityMgrRealm</parameter>)
+ cannot be replaced. The same is true for the authenticator classes defined
+ for each authentication method (BASIC, CLIENT-CERT, DIGEST, FORM, NONE) in
+ <filename>/EnterprisePlatform-4.3.0.GA_CP03/jboss-as/server/production/deploy/jboss-web.deployer/META-INF/jboss-service.xml</filename>. </para>
+
+ <para>Additionally, the <parameter>AllRolesMode</parameter> within <filename>/EnterprisePlatform-4.3.0.GA_CP03/jboss-as/server/production/deploy/jboss-web.deployer/server.xml</filename> must be set to <literal>strict</literal>.
+ This requires the authenticated user to be assigned to one of the
+ <filename>web-app/security-role/role-name</filename> in order to be authorized.</para>
+ </section>
+ </section>
</section>
Modified: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml 2008-11-05 03:20:44 UTC (rev 80545)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml 2008-11-05 04:14:24 UTC (rev 80546)
@@ -388,80 +388,13 @@
transactions component can be utilized, which uses SOAP/HTTP.</para>
</section>
- <section id="sect-Common_Criteria_Guide-Introduction-Limitations_in_the_Evaluated_Configuration">
- <title>Limitations in the Evaluated Configuration</title>
-
- <section id="sect-Common_Criteria_Guide-Limitations_in_the_Evaluated_Configuration-Services">
- <title>Services</title>
- <para>The following services provided by the product have been excluded
- from the evaluation scope and are not allowed in the evaluated configuration.</para>
-
- <itemizedlist>
- <listitem>
- <para>Simple Network Management Protocol (SNMP, through ports 1161
- and 1162).</para>
- </listitem>
- <listitem>
- <para>Remote Method Invocation (RMI) through IIOP.</para>
- </listitem>
- <listitem>
- <para>Use of AJP in JBoss Web</para>
- </listitem>
- </itemizedlist>
- </section>
-
- <section id="sect-Common_Criteria_Guide-Limitations_in_the_Evaluated_Configuration-">
- <title>JBoss SX</title>
- <para>All security domains must be created in the context of java:/jaas/
- (e.g. java:/jaas/jmx-console).</para>
-
- <para>Custom Login Modules are not permitted; the only login modules
- allowed are the following:</para>
-
- <itemizedlist>
- <listitem>
- <para>org.jboss.security.auth.spi.UsersRolesLoginModule</para>
- </listitem>
- <listitem>
- <para>org.jboss.security.auth.spi.LdapLoginModule</para>
- </listitem>
- <listitem>
- <para>org.jboss.security.auth.spi.DatabaseServerLoginModule</para>
- </listitem>
- <listitem>
- <para>org.jboss.security.auth.spi.BaseCertLoginModule</para>
- </listitem>
- </itemizedlist>
-
- <para>This restriction on login modules is also applicable to the
- DynamicLoginConfig service.</para>
-
- <para>Only the following security managers are allowed to be configured
- and used for authentication purposes: </para>
-
- <itemizedlist>
- <listitem>
- <para>org.jboss.security.plugins.JaasSecurityManager </para>
- </listitem>
- <listitem>
- <para>org.jboss.security.plugins.JaasSecurityDomain </para>
- </listitem>
- </itemizedlist>
-
- <para>Other modules, such as SRP module are not allowed.</para>
- </section>
-
- <section id="sect-Common_Criteria_Guide-Limitations_in_the_Evaluated_Configuration-JBoss_Web">
- <title>JBoss Web</title>
- <para>The JAAS based authentication and authorization realm implementation
- (<parameter>org.jboss.web.tomcat.security.JBossSecurityMgrRealm</parameter>)
- cannot be replaced. The same is true for the authenticator classes defined
- for each authentication method (BASIC, CLIENT-CERT, DIGEST, FORM, NONE) in
- <filename>jboss-service.xml</filename>. </para>
-
- <para>Additionally, AllRolesMode must be set to <literal>strict</literal>.
- This requires the authenticated user to be assigned to one of the
- web-app/security-role/role-name in order to be authorized.</para>
- </section>
+ <section id="sect-Common_Criteria_Guide-Overview_of_the_Security_Functions-Securing_MBean_Invokers">
+ <title>Securing MBean Invokers</title>
+ <para>
+ The <filename>http-invoker.sar</filename> found in the deploy directory is a service that provides RMI/HTTP access for EJBs and the JNDI Naming service. This includes a servlet that processes posts of <classname>marshaled org.jboss.invocation.Invocation</classname> objects that represent invocations that should be dispatched onto the MBeanServer. Effectively this allows access to MBeans that support the detached invoker operation via HTTP when sending appropriately formatted HTTP posts. This servlet has to be protected against the use by unprivileged users. To secure this access point you would need to secure the JMXInvokerServlet servlet found in the <filename>http-invoker.sar/invoker.war/WEB-INF/web.xml</filename> descriptor.
+ </para>
+ <para>
+ The <filename>jmx-invoker-adaptor-server.sar</filename> is a service that exposes the JMX MBeanServer interface via an RMI compatible interface using the RMI/JRMP detached invoker service. This interface has to be made unavailable to unprivileged users which can be done by using the <classname>org.jboss.jmx.connector.invoker.AuthenticationInterceptor</classname> interceptor for performing identification and authentication using JAAS. Additionally, access control has to be configured using the interceptors of either <classname>org.jboss.jmx.connector.invoker.RolesAuthorization</classname> or <classname>org.jboss.jmx.connector.invoker.ExternalizableRolesAuthorization</classname>.
+ </para>
</section>
</chapter>
More information about the jboss-cvs-commits
mailing list