[jboss-cvs] JBossAS SVN: r79912 - in projects/docs/enterprise/4.3.3: Common_Criteria_Guide and 5 other directories.

Wed Oct 22 00:03:38 EDT 2008


Author: irooskov at redhat.com
Date: 2008-10-22 00:03:38 -0400 (Wed, 22 Oct 2008)
New Revision: 79912

Added:
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/Makefile
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Appendix.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Author_Group.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Book_Info.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.ent
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Introduction.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Preface.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Revision_History.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Configuration.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/System_Configuration.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/System_Installation.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Tested_Security_Policy.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/certificate.png
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/lookup_MD5_value.png
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/software_downloads.png
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/ssl_addressbar.png
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/ssl_statusbar.png
Modified:
   projects/docs/enterprise/4.3.3/JDK6_Compatibility_Notes/en-US/JDK6_readme.xml
   projects/docs/enterprise/4.3.3/Server_Configuration_Guide/en-US/Author_Group.xml
   projects/docs/enterprise/4.3.3/Server_Configuration_Guide/en-US/Server_Configuration_Guide_CP03.xml
   projects/docs/enterprise/4.3.3/readme/en-US/Release_Notes_CP03.xml
Log:
adding new book, Common Criteria Guide, to repo


Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/Makefile
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/Makefile	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/Makefile	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,11 @@
+#Makefile for Common_Criteria_Guide
+
+XML_LANG	= en-US
+BRAND		= JBoss
+
+#OTHER_LANGS	= as-IN bn-IN de-DE es-ES fr-FR gu-IN hi-IN it-IT ja-JP kn-IN ko-KR ml-IN mr-IN or-IN pa-IN pt-BR ru-RU si-LK ta-IN te-IN zh-CN zh-TW
+TRANSLATIONS	= $(XML_LANG) $(OTHER_LANGS)
+
+COMMON_CONFIG  = /usr/share/publican
+include $(COMMON_CONFIG)/make/Makefile.common
+

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Appendix.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Appendix.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Appendix.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,13 @@
+<?xml version='1.0'?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<appendix id="Common_Criteria_Guide-Revision_History">
+	<appendixinfo>
+		<xi:include href="Revision_History.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	</appendixinfo>
+	<title>Revision History</title>
+	<para>
+	</para> 
+</appendix>
+

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Author_Group.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Author_Group.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Author_Group.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,7 @@
+<?xml version='1.0'?>
+<!DOCTYPE authorgroup PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<authorgroup>
+	<corpauthor>Red Hat Documentation Group</corpauthor>
+</authorgroup>

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Book_Info.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Book_Info.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Book_Info.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,30 @@
+<?xml version='1.0'?>
+<!DOCTYPE bookinfo PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<bookinfo id="Common_Criteria_Guide-Product_Name_and_Version">
+	<title>Common Criteria Configuration Guide</title>
+	<subtitle>JBoss Enterprise Application Platform</subtitle>
+	<edition>1.0</edition>
+	<pubsnumber>1</pubsnumber>
+	<productnumber>4.3</productnumber>
+	<productname>JBoss Enterprise Application Platform</productname>
+    
+    <abstract>
+			<para>This book describes the configuration of JBoss EAP 4.3 used for 
+			the Common Criteria security evaluation</para>
+	</abstract>
+
+	<corpauthor>
+		<inlinemediaobject>
+			<imageobject>
+				<imagedata format='SVG' fileref="Common_Content/images/title_logo.svg" />
+			</imageobject>
+		</inlinemediaobject>
+	</corpauthor>
+
+	<xi:include href="Common_Content/Legal_Notice.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+</bookinfo>
+
+
+

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.ent
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.ent	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.ent	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,6 @@
+<!ENTITY PRODUCT "JBoss_Enterprise_Application_Platform">
+<!ENTITY BOOKID "Common_Criteria_Guide">
+<!ENTITY YEAR "2008">
+<!ENTITY HOLDER "Red Hat, Inc">
+<!ENTITY TITLE "Common Criteria Guide">
+<!ENTITY SUBTITLE "JBoss Enterprise Application Platform">

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,17 @@
+<?xml version='1.0'?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<book>
+	<xi:include href="Book_Info.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	<xi:include href="Preface.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+
+    <xi:include href="Introduction.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	<xi:include href="Requirements_for_the_Evaluated_Configuration.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	<xi:include href="System_Installation.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+    <xi:include href="Security_Configuration.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+    <xi:include href="Security_Features.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+
+	<!--<xi:include href="Appendix.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />-->
+</book>
+

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Introduction.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Introduction.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Introduction.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,67 @@
+<?xml version='1.0'?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<chapter id="chap-Common_Criteria_Guide-Introduction">
+    <title>Introduction</title>
+    <section id="sect-Common_Criteria_Guide-Introduction-Purpose_of_this_Document">
+        <title>Purpose of this Document</title>
+        <para>This document is a security guide for administrators and application developers 
+        who wish to use JBoss Enterprise Application Platform (JBoss EAP) 4.3 CP03 in its 
+        certified Common Criteria compliant secure configuration.  It is intended to be 
+        self-contained in addressing the most important issues at a high level, and refers to 
+        other existing documentation where more details are needed.  Knowledge of the Common 
+        Criteria is not required for readers of this document.</para>
+
+        <para>JBoss EAP Version 4.3 CP03 is the subject of this document as the Target of 
+        Evaluation (TOE) for Common Criteria certification.  JBoss EAP Version 4.3 CP03 has 
+        been evaluated under Common Criteria version 3.1 at level of assurance EAL2 augmented 
+        with ALC_FLR.3. This provides assurance that the product has been structurally tested.</para>
+
+        <para>All usages of the term “JBoss EAP” in this document refer to the Common Criteria 
+        certified configuration of JBoss EAP Version 4.3 CP03.</para>
+        
+        <para>Chapter 1 contains a brief introduction to the CC certification &amp; the structure of this book.</para>
+        <para>Chapter 2 contains the requirements for deploying the certified product.</para>
+        <para>Chapter 3 contains the steps that are required in downloading &amp;verifying the authenticity of the CC product.</para>
+        <para>Chapter 4 provides instructions on how to start the server and the different modes of operation.</para>
+        <para>Chapter 5 contains the details of the security implementation &amp; usage limitations of the CC product.</para>
+    
+        <para>Should there be any discrepancy between information contained in this guide 
+        and any other product documentation, the CC Guide information takes precedence, 
+        as it addresses the requirements for the evaluated configuration of JBoss EAP.</para>
+        
+    </section>
+    
+    <section id="sect-Common_Criteria_Guide-Introduction-What_is_a_CC_compliant_system">
+        <title>What is a Common Criteria Compliant System?</title>
+        <para>The <firstterm>Common Criteria for Information Technology Security Evaluation</firstterm>,
+        usually known as <firstterm>Common Criteria</firstterm> or <firstterm>CC</firstterm>, is 
+        an internationally-recognized standard (ISO/IEC 15408) used as the basis for independent 
+        evaluation of the security properties of an IT product.</para>
+
+        <para>Common Criteria provide consumers with an impartial security assurance of a 
+        product to predefined levels. These levels range from EAL1 to EAL7, each placing 
+        increased demands on the developer for evidence of testing, in turn providing 
+        increased assurance within the product for consumers.</para>
+        
+        <para>Under the Common Criteria Recognition Arrangement (CCRA), members  agree to 
+        recognize Common Criteria certificates that have been produced by any certificate 
+        authorizing participant, in accordance with the terms laid out in the CCRA. Currently, 
+        the CCRA is comprised of 22 member nations: Australia, Austria, Canada, the Czech 
+        Republic, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, the 
+        Netherlands, New Zealand, Norway, the Republic of Singapore, Spain, Sweden, Turkey, 
+        the United Kingdom, and the United States. New members are expected to join in the 
+        near future.</para>
+        
+        <para>A system can be considered to be <emphasis>CC compliant</emphasis> if it matches 
+        an evaluated and certified configuration. This implies various requirements concerning 
+        hardware and software, as well as requirements concerning the operating environment, 
+        users, and the ongoing operating procedures.</para>
+
+        <para>You can find further information on Common Criteria at 
+        <ulink url="http://www.commoncriteria.org">http://www.commoncriteria.org</ulink>.</para>
+    </section>
+
+</chapter>

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Preface.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Preface.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Preface.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,15 @@
+<?xml version='1.0'?>
+<!DOCTYPE preface PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<preface id="Common_Criteria_Guide-Preface">
+	<title>Preface</title>
+	<para>
+	</para>
+	<xi:include href="Common_Content/Conventions.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	<xi:include href="Feedback.xml" xmlns:xi="http://www.w3.org/2001/XInclude">
+		<xi:fallback xmlns:xi="http://www.w3.org/2001/XInclude">
+			<xi:include href="Common_Content/Feedback.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+		</xi:fallback>
+	</xi:include>
+</preface>

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,119 @@
+<?xml version='1.0'?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<chapter id="chap-Common_Criteria_Guide-Requirements_for_the_Evaluated_Configuration">
+	<title>Requirements for the Evaluated Configuration</title>
+	<section id="Software_Requirements">
+		<title>Software Requirements</title>
+        
+        <section id="JVM-requirements">
+            <title>Java Virtual Machine</title>
+            <para>JBoss EAP is evaluated on the following Java Virtual Machines (JVMs).  Only 
+            these JVMs are acceptable for the  deployment of JBoss EAP.</para>
+            <itemizedlist>
+                <listitem><para>Sun JRE 1.5.x &amp;1.6.x</para></listitem>
+                <listitem><para>BEA JRockit JRE 1.5.x &amp;1.6.x</para></listitem>
+                <listitem><para>HP-UX JRE 1.5.x &amp;1.6.x</para></listitem>
+                <listitem><para>IBM JRE 1.5.x &amp;1.6.x</para></listitem>
+                <listitem><para>OpenJDK 6</para></listitem>
+            </itemizedlist>
+        </section>
+        
+        <section id="OS-requirements">
+            <title>Operating System</title>
+            <para>All of the JBoss EAP functionality in the evaluated configuration relies only 
+            on the correct operation of the Java virtual machine.  Thus it can operate on any 
+            operating system that is supported by the respective Java virtual machine. This also 
+            means that any hardware supported by the aforementioned operating systems can be used.</para>
+        </section>
+        
+        <section id="database_requirements">
+            <title>Database Servers</title>
+            <para>JBoss EAP is evaluated with the following relational database systems.  Only 
+            these database systems are acceptable for use with JBoss EAP.</para>
+            <itemizedlist>
+                <listitem><para>Oracle 10g R2</para></listitem>
+                <listitem><para>Oracle 9i</para></listitem>
+                <listitem><para>Microsoft SQL Server 2005</para></listitem>
+                <listitem><para>MySQL v5.0</para></listitem>
+                <listitem><para>PostgreSQL v8.2</para></listitem>
+            </itemizedlist>
+        </section>
+    </section>
+        
+	<section id="physical_requirements">
+		<title>Physical Requirements</title>
+		
+        <para>The hardware and software executing JBoss EAP as well as the software 
+        critical to security policy enforcement will be protected from unauthorized 
+        modification including unauthorized modifications by potentially hostile 
+        outsiders.  Reasonable physical security measures to ensure that unauthorized 
+        personnel do not have physical access to the hardware running the JBoss EAP 
+        software.</para>
+	</section>
+
+	<section id="personnel_requirements">
+		<title>Personnel Requirements</title>
+		
+        <para>There shall be one or more competent individuals who are assigned to manage 
+        JBoss EAP, its environment and the security of the information it contains. The 
+        system administrative personnel shall not be carelessly or willfully negligent, 
+        or hostile, and will follow and abide by the instructions provided by the 
+        administrator documentation.</para>
+        
+        <para>The developer of user applications executed by JBoss EAP, including web server 
+        applications and enterprise beans, shall be trustworthy and comply with all instructions 
+        set forth by the user guidance and evaluated configuration guidance of the JBoss EAP.</para>
+        
+	</section>
+
+	<section id="connectivity_requirements">
+		<title>Connectivity Requirements</title>
+		<para>The operating system and the Java virtual machine operate according to their specification. These external systems shall be configured in accordance with this guidance.</para>
+        <para>Any other system with which JBoss EAP communicates is assumed to be under the same management control and operate under the same security policy constraints as JBoss EAP.</para>
+    </section>
+        
+	<section id="configuration_requirements">
+		<title>Configuration Requirements</title>
+		<para>The following general configuration steps must be performed to ensure compliance 
+        with Common Criteria requirements.</para>
+        
+        <orderedlist>
+            <listitem><para>Disable SNMP.</para></listitem>
+            <listitem><para>Disable RMI under IIOP.</para></listitem>
+            <listitem><para>Disable AJP from JBoss Web.</para></listitem>
+            <listitem><para>Use password hashing so plain text passwords are not stored on the server.</para></listitem>
+            <listitem><para>Disable the following ports:</para>
+                <orderedlist>
+                    <listitem><para>Clustering: port 1102</para></listitem>
+                    <listitem><para>SNMP: ports 1161 and 1162</para></listitem>
+                    <listitem><para>JBossWeb: port 8009</para></listitem>
+                </orderedlist>
+            </listitem>
+            <listitem>
+                <para>Configure audit logging to print authentication and authorization
+                information for each thread and EJB call.  This is done by making the 
+                following changes to <filename>jboss-log4.xml</filename>:</para>
+                    <orderedlist>
+                        <listitem>
+                            <para>Set the logging level of the <classname>SecurityInterceptor</classname> class
+                            to <literal>TRACE</literal> by adding the following element to the root element:</para>
+                            <programlisting language="xml">&lt;category name="org.jboss.ejb.plugins.SecurityInterceptor"&gt;
+  &lt;priority value="TRACE" /&gt;
+&lt;/category&gt;</programlisting>
+                        </listitem>
+                        <listitem><para>Update the ConversionPattern parameter in the appender/layout element 
+                        to show thread information</para>
+                        <programlisting language="xml">&lt;param name="ConversionPattern"
+  value="%d %-5r %-5p [%c] (%t:%x) %m%n" /&gt;</programlisting>
+                        </listitem>
+                    </orderedlist>
+            </listitem>
+        </orderedlist>
+       
+    </section>
+
+
+</chapter>
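Review bot: The audit-logging step at the end of the Configuration Requirements list points the administrator at `jboss-log4.xml`, which looks like a typo for the server's `conf/jboss-log4j.xml`; an administrator following the guide literally will not find the file, and the TRACE category and ConversionPattern edits will never take effect. The preceding items (disable SNMP, RMI over IIOP, AJP, and ports 1102/1161/1162/8009) say what to disable but not which service archive or deployment descriptor to remove or edit, so the evaluated configuration cannot be reproduced from this chapter alone — each item should name the artifact it refers to or cross-reference the chapter that does. "Use password hashing" should also state the digest algorithm and login-module options the evaluated configuration was tested with, since an unsalted digest is a materially weaker control than a salted one and the reader has no way to tell which was certified. Finally, TRACE on `org.jboss.ejb.plugins.SecurityInterceptor` records principal and role data for every EJB call, so the guide should add a sentence that the resulting server log must be protected as sensitive audit data; the Physical Requirements section covers the hardware but says nothing about log files.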

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Revision_History.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Revision_History.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Revision_History.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,50 @@
+<?xml version='1.0'?>
+<!DOCTYPE revhistory PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<revhistory>
+	<revision>
+		<revnumber>0.8</revnumber>
+		<date>July 25th</date>
+		<author>
+			<firstname></firstname>
+			<surname></surname>
+			<email></email>
+		</author>
+		<revdescription>
+			<simplelist>
+				<member>In section 2, the possible EAL levels are 1-7, not "EAL0 - EAL7."
+Also in section 2, this evaluation is for EAL2 augmented with ALC_FLR.3, not "ALC_FLR.1." </member>
+			</simplelist>
+		</revdescription>
+	</revision>
+
+	<revision>
+		<revnumber>0.8</revnumber>
+		<date>July 25th</date>
+		<author>
+			<firstname></firstname>
+			<surname></surname>
+			<email></email>
+		</author>
+		<revdescription>
+			<simplelist>
+				<member>Replaced JDK with JRE, and Azul with IBM</member>
+			</simplelist>
+		</revdescription>
+	</revision>
+	<revision>
+		<revnumber>0.8</revnumber>
+		<date>July 25th</date>
+		<author>
+			<firstname></firstname>
+			<surname></surname>
+			<email></email>
+		</author>
+		<revdescription>
+			<simplelist>
+				<member>Replaced JDK with JRE, and Azul with IBM</member>
+			</simplelist>
+		</revdescription>
+	</revision>
+</revhistory>

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Configuration.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Configuration.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Configuration.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,87 @@
+<?xml version='1.0'?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<chapter id="Common_Criteria_Guide-Security_Configuration">
+	<title>Launching the JBoss EAP Server</title>
+    
+    <para>JBoss EAP includes startup scripts for both Linux/Unix platforms &amp; Microsoft 
+    Windows as well a configuration file , <filename>run.conf</filename>, which determines 
+    the startup environment of the server. </para>
+
+    <para>The evaluated configuration of JBoss EAP has been certified both with and without 
+    the use of the Java Security Manger.   If you use the Java Security Manager, you must 
+    also use the specific policy which is supplied with the product.  Operating JBoss EAP 
+    using the Java Security Manager and a modified or completely different policy is not 
+    considered to be a certified configuration.</para>
+
+    <para>This allows two modes of operation which affect how JBoss EAP can protect 
+    itself against the behavior of applications. These modes are discussed fully below.  
+    As the administrator of your JBoss EAP server, you must decide which mode of 
+    operation is most appropriate.</para>
+    
+    <section id="starting_EAP">
+        <title>Starting the JBoss EAP Server</title>
+        <para>To start the server with the <firstterm>production</firstterm> 
+        configuration simply use the supplied start up script.</para>
+        
+        <example><title>Starting the JBoss EAP server on Unix or Linux</title>
+        <screen>$ cd $JBOSS_HOME/bin 
+$ ./run.sh -c production</screen></example>
+
+        <example><title>Starting the JBoss EAP server on Windows</title> 
+        <screen>cd %JBOSS_HOME%/bin 
+$ run.bat -c production</screen></example>
+
+        <para>JBoss EAP's default behavior is to run without the use of the Java Security
+        Manager.  This means that any application deployed on JBoss EAP will be running in 
+        the same namespace as JBoss EAP itself.  In this environment it is possible that an 
+        application deployed on JBoss EAP may interfere with the execution of JBoss EAP 
+        itself either accidentally or intentionally.</para>
+
+        <para>If you choose to run without using the Java Security Manger &amp; supplied 
+        policy then you are responsible for performing your own risk analysis to ensure 
+        that deployed applications do not contain bugs that may be abused by users of 
+        the application to circumvent the security functionality of JBoss EAP.</para>
+
+        <para>It is only recommended to run in this mode if your deployed applications 
+        require more permissions that the included security policy allows.</para>
+    </section>
+
+    <section id="enabling_JSM">
+        <title>Enabling the Java Security Manager</title>
+
+        <para>By enabling the Java Security Manager with the included policy file 
+        (<filename>security_cc.policy</filename>) JBoss EAP is protected from any 
+        application deployed on it accidentally or intentionally interfering with 
+        its operation.</para>
+        
+        <para>This policy limits the granting of full permissions to those jar files
+        included with the evaluated configuration.  All other deployed jar files are 
+        limited to read-only file-system access, adding queue print items &amp; 
+        connecting to sockets.</para>
+
+        <para>You must edit the file <filename>run.conf</filename> and uncomment the 
+        lines indicated below to enable the Java Security Manager. Once those items are 
+        commented out from <filename>run.conf</filename>, simply start the server using the 
+        supplied startup script (<filename>run.sh</filename> or <filename>run.bat</filename>) 
+        as normal.</para>
+        
+        <example><title><filename>run.conf</filename> with Java Security Manager enabled</title>
+        <screen># Uncomment the following to run with Common Criteria configuration 
+## Specify the Security Manager Policy 
+POLICY="security_cc.policy" 
+# 
+## Specify the Security Manager options 
+JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$POLICY" 
+echo "=================================================================" 
+echo "                                                                 " 
+echo "    Common Criteria Configuration (Security Manager Enabled)" 
+echo "                                                                 " 
+echo "=================================================================" 
+## End of Common Criteria configuration </screen></example>
+        
+    </section>
+
+</chapter>
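Review bot: The `run.conf` example sets `-Djava.security.policy=$POLICY` with a single `=`, which the JVM interprets as "load this policy in addition to the default policy files named in the JRE's `java.security`", so the effective permission set is the union of `security_cc.policy` and the JRE defaults; if the evaluation was performed with exactly the supplied policy the line should read `-Djava.security.policy==$POLICY` (double `=`), otherwise the guide should state explicitly that the JRE's default policy is part of the evaluated configuration. The surrounding prose is self-contradictory: it tells the reader to uncomment the lines and then says "Once those items are commented out from run.conf", which should read "uncommented". `POLICY="security_cc.policy"` is a relative path, so it only resolves when the server is launched from `$JBOSS_HOME/bin` as the earlier examples do; writing it as `$JBOSS_HOME/bin/security_cc.policy` (or wherever the file ships) avoids the server presumably starting with only the default policy when launched from another directory. The Windows example also prints a `$` prompt on the `run.bat` line and uses a forward slash in `%JBOSS_HOME%/bin`, which a Windows administrator copying the commands will trip over.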

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Features.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,443 @@
+<?xml version='1.0'?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<chapter id="chap-Security_feature_overview">
+    <title>Overview of the Security Functions</title>
+    <para>The following sections describe the JBoss security functions included 
+    in the product evaluation.</para>
+        
+    <section id="sect-Common_Criteria_Guide-Overview_of_the_Security_Functions-Access_Control">
+        <title>Access Control</title>
+        <para>JBoss Enterprise Application Platform has access control mechanisms 
+        to restrict access for the following request types:</para>
+
+        <variablelist>
+            <varlistentry>
+                <term>HTTP</term>
+                <listitem>
+                    <para>URLs and paths provided with URLs can be protected from 
+                    access by subjects.</para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>EJB</term>
+                <listitem>
+                    <para>EJBs and associated method names can be protected from 
+                    invocation by subjects.</para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>JMS</term>
+                <listitem>
+                    <para>Message queue destinations and topic destinations can be 
+                    protected from access by subjects.</para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>Web Services</term>
+                <listitem>
+                    <para>Plain Old Java Objects (POJOs) deployed as Servlets and 
+                    Session Beans can be protected from access by subjects.</para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>JMX</term>
+                <listitem>
+                    <para>The JMX invokers can be protected by validating the role 
+                    of the authenticated user.</para>
+                </listitem>
+            </varlistentry>
+        </variablelist>
+    </section>
+
+    <section id="sect-Common_Criteria_Guide-Overview_of_the_Security_Functions-Audit">
+        <title>Audit</title>
+        <para>JBoss Enterprise Application Platform can generate audit records for access control events. 
+        Attempts to access to web resources, invocation of EJB methods, unauthorized message destinations, 
+        and regular Web Service related access control can all be logged. As the administrator you can select 
+        the level of events to audit.</para>
+
+        <para>The JBoss Application server generates log events at start-up time and when it is shutdown:</para>
+        <example><title>JBoss EAP start up log events</title>
+<screen>00:30:18,876 INFO [Server] Starting JBoss (MX MicroKernel)... 
+00:30:18,876 INFO [Server] Release ID: JBoss [EAP] 4.3.0.GA_CP01 (build: SVNTag=JBPAPP_4_3_0_GA_CP01 date=200804211657) 
+00:30:18,877 DEBUG [Server] Using config: org.jboss.system.server.ServerConfigImpl at 46ae506e 
+00:30:18,877 DEBUG [Server] Server type: class org.jboss.system.server.ServerImpl 
+00:30:18,877 DEBUG [Server] Server loaded through: org.jboss.system.server.NoAnnotationURLClassLoader 
+00:30:18,877 DEBUG [Server] Boot URLs: </screen></example>
+
+        <example><title>JBoss EAP shutdown log events</title>
+<screen>2008-06-12 00:32:16,460 DEBUG [org.jboss.deployment.MainDeployer] Destroying jboss.system:service=MainDeployer 
+2008-06-12 00:32:16,460 DEBUG [org.jboss.deployment.MainDeployer] Destroyed jboss.system:service=MainDeployer 
+2008-06-12 00:32:16,460 DEBUG [org.jboss.system.ServiceController] removing service: jboss.system:service=MainDeployer 
+2008-06-12 00:32:16,460 DEBUG [org.jboss.system.ServiceController] removing jboss.system:service=MainDeployer from server 
+2008-06-12 00:32:16,460 DEBUG [org.jboss.system.ServiceController] Stopped 3 services 
+2008-06-12 00:32:16,460 DEBUG [org.jboss.system.server.Server] Deleting server tmp/deploy directory 
+2008-06-12 00:32:16,463 INFO  [org.jboss.system.server.Server] Shutdown complete</screen></example>
+
+        <para>The audit facility is based on the integrated <package>log4j</package> 
+        mechanism. <package>Log4j</package> has three main components: loggers, 
+        appenders and layouts. These three types of components work together to 
+        enable developers to log messages according to message type and level, 
+        and to control at run-time how these messages are formatted and where 
+        they are reported.</para>
+
+        <para>The audit information is recorded in text files which can be reviewed 
+        using tools from the underlying operating system, such as pagers or editors.</para>
+    
+    
+	    <para>User information (principal name) appears <emphasis>only</emphasis> 
+        in the first log that records the authentication request, and also in the 
+        ERROR log generated if the authentication is unsuccessful. Subsequent log 
+        events do not record explicitly the user executing the methods. </para>
+
+        <para>User information can be obtained by using the container and thread 
+        ids that are recorded in each audit log and remain during the life of the 
+        user session.</para>
+
+        <para>In the example below (<xref linkend="log_output_example"/>) the first log entry informs that authentication for container 753, 
+        thread id 826541 has been requested by principal name “scott”. The second 
+        log records the execution of a method, and, although the principal name 
+        does not appear, it can be inferred by looking all logs with the same 
+        container and thread id.</para>
+
+
+        <example id="log_output_example"><title>Log output</title>
+        <screen>2008-07-17 16:04:33,753 826541 TRACE [org.jboss.ejb.plugins.SecurityInterceptor] (WorkerThread#0[127.0.0.1:33182]:) Authenticated  principal=scott
+2008-07-17 16:04:33,753 826541 TRACE [org.jboss.ejb.plugins.SecurityInterceptor] (WorkerThread#0[127.0.0.1:33182]:) method=public abstract org.jboss.test.jca.securedejb.CallerIdentity org.jboss.test.jca.securedejb.CallerIdentityHome.create() throws javax.ejb.CreateException,java.rmi.RemoteException, interface=HOME, requiredRoles=[CallerIdentityUser]</screen></example>
+
+
+	    <section id="additional_auditing_options">
+            <title>Enabling Additional Logging</title>
+            
+            <para>If you need additional logging for EJB application requests, 
+            uncomment the following category in <filename>conf/jboss-log4j.xml</filename>.</para>
+            
+            <figure><title>Enabling additional logging for EJBs</title>
+<programlisting language="xml">&lt;category name="org.jboss.ejb.plugins.SecurityInterceptor"&gt;
+  &lt;priority value="TRACE"/&gt;
+ &lt;/category&gt;</programlisting>
+            </figure>
+
+            <para>If you need additional logging for web-based requests, uncomment 
+            the <literal>AccessLogValve</literal> in 
+            <filename>deploy/jbossweb.deployer/server.xml</filename>.  The access 
+            log will be available in the <filename>log</filename> directory of the 
+            server configuration.</para> 
+
+            <figure><title>Enabling additional logging for web-based requests</title>
+<programlisting language="xml">&lt;Valve className="org.apache.catalina.valves.AccessLogValve"
+  prefix="localhost_access_log." suffix=".log"
+  pattern="common" directory="${jboss.server.home.dir}/log"
+  resolveHosts="false" /&gt;</programlisting></figure>
+
+            
+        </section>
+    </section>
+
+    <section id="sect-Common_Criteria_Guide-Overview_of_the_Security_Functions-Clustering">
+        <title>Clustering</title>
+        <para>A cluster is a group of linked systems (nodes) working closely together 
+        to increase efficiency. Clustering enables the execution of applications on 
+        several parallel servers. In a JBoss EAP cluster each node is a JBoss server 
+        instance. Several JBoss server instances are grouped together to form a 
+        cluster, also known as a "partition".</para>
+
+        <para>JBoss EAP implements two different cluster configurations: a failover 
+        cluster and a load-distribution cluster.</para>
+
+        <para>In a failover cluster scenario a single node services requests from 
+        clients. In the event that the node fails another node in the cluster 
+        continues to service requests.</para>
+
+        <para>In a load-distribution cluster scenario multiple nodes service requests 
+        from clients. In this way a single address is serviced with the power of 
+        multiple systems.</para>
+
+        <para>In both cases, the server state is distributed across different servers. 
+        If any of the servers fails the application is still accessible via other 
+        non-failed cluster nodes.</para>
+
+        <para>Communication between the different cluster nodes ensures the data 
+        consistency of the following information:</para>
+
+        <itemizedlist>
+            <listitem>
+                <para>Applications - an application deployed on one node is 
+                replicated to the other nodes of the cluster (farming deployment)</para>
+            </listitem>
+            <listitem>
+                <para>State of  HTTP sessions, EJB 3.0 session beans, EJB 3.0 entity 
+                beans, as well as Hibernate persistence objects (distributed state 
+                replication service using JBoss Cache)</para>
+            </listitem>
+            <listitem>
+                <para>State of HTTP sessions and EJB 2.x session beans (distributed 
+                state replication service using HASessionState MBean)</para>
+            </listitem>
+            <listitem>
+                <para>JNDI state (JBoss HA-JNDI)</para>
+            </listitem>
+            <listitem>
+                <para>JMS queues</para>
+            </listitem>
+        </itemizedlist>
+    </section>
+
+    <section id="sect-Common_Criteria_Guide-Overview_of_the_Security_Functions-Identification_and_Authentication">
+        <title>Identification and Authentication</title>
+        <para>Each user is assigned a unique user identifier. Access control 
+        decisions and auditing use this identifier. JBoss EAP authenticates 
+        the user's claimed identity before allowing the user to perform any 
+        actions. After successful authentication JBoss EAP associates the 
+        identifier with the thread spawned for the user.</para>
+
+        <para>JBoss EAP provides different identification and authentication 
+        mechanisms for various request types.</para>
+
+        <variablelist>
+            <varlistentry>
+                <term>HTTP and Web Services</term>
+                <listitem>
+                    <para>HTTP-basic authentication, HTTP-digest authentication, 
+                    form-based authentication, client certificate based 
+                    authentication.</para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>EJB</term>
+                <listitem>
+                    <para>username and password based authentication, client 
+                    certificate based authentication.</para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>JMS</term>
+                <listitem>
+                    <para>username and password based authentication.</para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>JNDI</term>
+                <listitem>
+                    <para>username and password based authentication.</para>
+                </listitem>
+            </varlistentry>
+        </variablelist>
+
+        <para>JBoss EAP uses JBoss SX framework to implement identification and 
+        authentication. The JBossSX framework utilizes the Java Authentication 
+        and Authorization Service (JAAS) provided by the Java Virtual Machine. 
+        The authentication capabilities of JAAS are used to implement the 
+        declarative role-based J2EE security model.</para>
+
+        <para>The following authentication back-ends are configurable with the 
+        JAAS modules.</para>
+
+        <itemizedlist>
+            <listitem>
+                <para>File-based storage</para>
+            </listitem>
+            <listitem>
+                <para>BaseCertLoginModule</para>
+            </listitem>
+            <listitem>
+                <para>LDAP</para>
+            </listitem>
+            <listitem>
+                <para>Databases accessible through JDBC</para>
+            </listitem>
+        </itemizedlist>
+
+        <para>Password quality can be enforced with configuration options for 
+        the JAAS modules provided by JBoss EAP.</para>
+        
+        <section id="Common_Criteria_Guide-authentication-User_Credentials_in_RMI">
+            <title>Developer Advice for User Credentials in Remote Method Invocation (RMI)</title>
+            <para>In Remote Method Invocation credentials are transmitted from 
+            client to server. These credentials populate the security context 
+            in the method invocation object. This is done through the 
+            <methodname>setPrincipal</methodname> and 
+            <methodname>setCredential</methodname> methods.</para>
+            
+            <example><title>Setting Principal and Credential</title>
+    <programlisting language="java">MethodInvocation mi = new MethodInvocation(); 
+    mi.setPrincipal(new SimplePrincipal("myusername")); 
+    mi.setCredential("mypassword");</programlisting></example>
+
+            <para>These additional payloads can be retrieved at the server side 
+            using similar methods on the invocation object.</para>
+            
+            <example><title>Retreiving Principal and Credential</title>
+            <programlisting language="java">Principal p = mi.getPrincipal(); 
+Object cred = mi.getCredential();
+// Now do authentication (and then authorization)</programlisting></example>
+
+        </section>
+        
+    </section>
+
+    <section id="sect-Common_Criteria_Guide-Overview_of_the_Security_Functions-Transaction_Rollback">
+        <title>Transaction Rollback</title>
+        <para>JBoss EAP supports the aggregation of operations into transactions, 
+        which can be applied and rolled back consistently.</para>
+
+        <para>A transaction is a unit of work containing one or more operations 
+        involving one or more shared resources having ACID properties. ACID is 
+        an acronym for atomicity, consistency, isolation and durability - the 
+        four important properties of transactions.</para>
+
+        <variablelist>
+            <varlistentry>
+                <term>Atomicity</term>
+                <listitem>
+                    <para>A transaction must be atomic.  This means that either all 
+                    the work done in the transaction must be performed, or none of 
+                    it must be performed. Doing only part of a transaction is not 
+                    allowed.</para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>Consistency</term>
+                <listitem>
+                    <para>When a transaction is completed, the system must be in a 
+                    stable and consistent condition.</para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>Isolation</term>
+                <listitem>
+                    <para>Different transactions must be isolated from each other. 
+                    This means that the partial work done in one transaction is not 
+                    visible to other transactions until the transaction is committed, 
+                    and that each process in a multi-user system can be programmed as 
+                    if it was the only process accessing the system.</para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>Durability</term>
+                <listitem>
+                    <para>The changes made during a transaction are made persistent 
+                    when it is committed. When a transaction is committed, its changes 
+                    will not be lost, even if the server crashes afterward.</para>
+                </listitem>
+            </varlistentry>
+        </variablelist>
+
+        <para>The default transaction manager for JBoss EAP is JBoss Transactions, 
+        a fast in-VM transaction manager implementation.</para>
+
+        <para>Traditionally ACID transaction systems have shared three 
+        characteristics:</para>
+
+        <orderedlist>
+            <listitem>
+                <para>Transactions are short lived</para>
+            </listitem>
+            <listitem>
+                <para>Resources (such as databases) are locked for the duration 
+                of the transaction</para>
+            </listitem>
+            <listitem>
+                <para>Participants have a high degree of trust with each other.</para>
+            </listitem>
+        </orderedlist>
+
+        <para>The advent of the Internet and Web services has given rise to 
+        distributed transactions between participants unknown to each other. 
+        JBoss Transactions adds native support for Web services transactions 
+        by providing the components necessary to build interoperable, 
+        reliable, multi-party, Web services-based applications with minimum 
+        effort. The programming interfaces are based on the Java API for XML 
+        Transactions (JAXTX) and include protocol support for the 
+        WS-AtomicTransaction and WS-BusinessActivity specifications. JBoss is 
+        designed to support multiple coordination protocols.</para>
+
+        <para>JBoss supports both local and distributed transactions. A transaction 
+        is considered to be distributed if it spans multiple process instances, 
+        i.e. virtual machines (VMs). Typically a distributed transaction will contain 
+        participant that are located within multiple VMs but the transaction is 
+        coordinated in a separate VM (or co-located with one of the participants). 
+        If the deployment requires distributed transactions then the Web Services 
+        transactions component can be utilized, which uses SOAP/HTTP.</para>
+    </section>
+
+    <section id="sect-Common_Criteria_Guide-Introduction-Limitations_in_the_Evaluated_Configuration">
+        <title>Limitations in the Evaluated Configuration</title>
+
+        <section id="sect-Common_Criteria_Guide-Limitations_in_the_Evaluated_Configuration-Services">
+            <title>Services</title>
+            <para>The following services provided by the product have been excluded 
+            from the evaluation scope and are not allowed in the evaluated configuration.</para>
+
+            <itemizedlist>
+                <listitem>
+                    <para>Simple Network Management Protocol (SNMP, through ports 1161 
+                    and 1162).</para>
+                </listitem>
+                <listitem>
+                    <para>Remote Method Invocation (RMI) through IIOP.</para>
+                </listitem>
+                <listitem>
+                    <para>Use of AJP in JBoss Web</para>
+                </listitem>
+            </itemizedlist>
+        </section>
+
+        <section id="sect-Common_Criteria_Guide-Limitations_in_the_Evaluated_Configuration-">
+            <title>JBoss SX</title>
+            <para>All security domains must be created in the context of java:/jaas/  
+            (e.g. java:/jaas/jmx-console).</para>
+
+            <para>Custom Login Modules are not permitted; the only login modules 
+            allowed are the following:</para>
+
+            <itemizedlist>
+                <listitem>
+                    <para>org.jboss.security.auth.spi.UsersRolesLoginModule</para>
+                </listitem>
+                <listitem>
+                    <para>org.jboss.security.auth.spi.LdapLoginModule</para>
+                </listitem>
+                <listitem>
+                    <para>org.jboss.security.auth.spi.DatabaseServerLoginModule</para>
+                </listitem>
+                <listitem>
+                    <para>org.jboss.security.auth.spi.BaseCertLoginModule</para>
+                </listitem>
+            </itemizedlist>
+
+            <para>This restriction on login modules is also applicable to the 
+            DynamicLoginConfig service.</para>
+
+            <para>Only the following security managers are allowed to be configured 
+            and used for authentication purposes: </para>
+
+            <itemizedlist>
+                <listitem>
+                    <para>org.jboss.security.plugins.JaasSecurityManager </para>
+                </listitem>
+                <listitem>
+                    <para>org.jboss.security.plugins.JaasSecurityDomain </para>
+                </listitem>
+            </itemizedlist>
+
+            <para>Other modules, such as SRP module are not allowed.</para>
+        </section>
+
+        <section id="sect-Common_Criteria_Guide-Limitations_in_the_Evaluated_Configuration-JBoss_Web">
+            <title>JBoss Web</title>
+            <para>The JAAS based authentication and authorization realm implementation   
+            (<parameter>org.jboss.web.tomcat.security.JBossSecurityMgrRealm</parameter>) 
+            cannot be replaced. The same is true for the authenticator classes defined 
+            for each authentication method (BASIC, CLIENT-CERT, DIGEST, FORM, NONE) in 
+            <filename>jboss-service.xml</filename>. </para>
+
+            <para>Additionally, AllRolesMode must be set to <literal>strict</literal>. 
+            This requires the authenticated user to be assigned to one of the 
+            web-app/security-role/role-name in order to be authorized.</para>
+        </section>
+    </section>
+</chapter>

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/System_Configuration.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/System_Configuration.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/System_Configuration.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,109 @@
+<?xml version='1.0'?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<chapter id="chap-Common_Criteria_Guide-System_Configuration">
+	<title>System Configuration</title>
+	<section id="sect-Common_Criteria_Guide-System_Configuration-General">
+		<title>General</title>
+		<para>
+			The following general configuration steps must be performed to configure the platform:
+		</para>
+		<itemizedlist>
+			<listitem>
+				<para>
+					Disable SNMP 
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					Disable RMI under IIOP.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					Disable AJP from JBoss Web
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					In order to avoid plain text passwords from being stored on the server side, you should 
+                    use password hashing. <!--as documented in [JBSCG] section 5.3.2 “Password Hashing”-->
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+					Disable the following ports:
+				</para>
+				<itemizedlist>
+					<listitem>
+						<para>
+							Clustering: port 1102
+						</para>
+					</listitem>
+					<listitem>
+						<para>
+							SNMP: ports 1161 and 1162
+						</para>
+					</listitem>
+					<listitem>
+						<para>
+							JBossWeb: port 8009
+						</para>
+					</listitem>
+				</itemizedlist>
+			</listitem>
+			<listitem>
+				<para>
+					Authenticator classes defined for each authentication method (BASIC, CLIENT-CERT, DIGEST, 
+                    FORM, NONE) cannot be modified.
+				</para>
+			</listitem>
+	
+			<listitem>
+				<para>
+					If you are using the Java Security Manager to protect the JBoss server from insecure 
+                    applications, you must use the provided security policy, modified to give permissions to 
+                    your applications. See <xref linkend="Common_Criteria_Guide-Security_Configuration"/> for 
+                    more details.
+				</para>
+			</listitem>
+
+			<listitem>
+			      <para>
+				  Configure audit logging to print authentication and authorization information for each thread 
+                  and EJB call. Edit the <filename>jboss-log4.xml</filename> file and make the following changes:
+			      </para>
+			      
+			      <itemizedlist>
+				    <listitem>
+					  <para>
+						Set the logging level of the <classname>SecurityInterceptor</classname> class to <literal>TRACE</literal>, 
+                        adding the following element to the root element: 
+					  </para>
+					
+					  <programlisting>&lt;category name="org.jboss.ejb.plugins.SecurityInterceptor"&gt; 
+	&lt;priority value="TRACE"/&gt;
+&lt;/category&gt;</programlisting>
+				    </listitem>
+
+				    <listitem>
+					  <para>
+					      Modify the logging pattern to show thread information, changing the <literal>ConversionPattern</literal> 
+                          parameter in the appender/layout element as follows:
+					  </para>
+					  
+					  <programlisting>&lt;param name="ConversionPattern" value="%d %-5r %-5p [%c] (%t:%x) %m%n"/&gt;</programlisting>
+					  
+					   <para>
+					      See <xref linkend="sect-Common_Criteria_Guide-Additional_Guidance_Documentation-Audit_Logging" /> for more information on Audit logging.
+					    </para>
+				    </listitem> 
+			      </itemizedlist> 
+			</listitem>
+		</itemizedlist>
+		
+	</section>
+
+</chapter>

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/System_Installation.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/System_Installation.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/System_Installation.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,136 @@
+<?xml version='1.0'?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<chapter id="chap-Common_Criteria_Guide-System_Installation">
+	<title>Downloading and Verifying the Packages</title>
+    <para>JBoss EAP is exclusively delivered on line through the Red Hat JBoss Customer Support Portal at 
+    <ulink url="https://support.redhat.com/jbossnetwork/restricted/main.html">https://support.redhat.com/jbossnetwork/restricted/main.html</ulink>. 
+    </para>
+    
+    <para>To ensure the authenticity of the downloaded software you need to verify 
+    the authenticity of the files and their source.</para>
+    
+   <section id="verify_authenticity_of_site">
+        <title>Verify the Authenticity of the Download Site.</title>
+
+        <para>The  Red Hat JBoss Customer Support Portal is a secure site.  This is 
+        indicated by the 'lock' icon in the browser address bar or status bar.</para>  
+
+        <important>
+            <para>The following images are taken from the Firefox2 web browser. While most 
+            popular web-browsers display this information in a very similar manner it may 
+            differ slightly to these images.</para>
+        </important>
+
+        <figure><title>Secure site 'lock' icon displayed in the Firefox address bar.</title>
+            <mediaobject>
+                <imageobject><imagedata fileref="images/ssl_addressbar.png" /></imageobject>
+            </mediaobject>
+        </figure>
+        
+        <figure><title>Secure site 'lock' icon displayed in the Firefox status bar.</title>
+            <mediaobject>
+                <imageobject><imagedata fileref="images/ssl_statusbar.png" /></imageobject>
+            </mediaobject>
+        </figure>
+        
+        <para>If these items are not visible this means that you are not at the correct site.  
+        If you are unable to reach the secure Red Hat JBoss Customer Support Portal site you 
+        should contact Red Hat Support &amp;report this problem.</para>
+
+        <para>When the 'lock' icon is clicked a dialog window will be displayed with the details 
+        of the site certificate.  If this dialog does not specify that the web sites identity is 
+        verified then you are not at the correct site.</para>
+
+        <figure><title>Firefox Security dialog displaying verification for support.redhat.com.</title>
+            <mediaobject>
+                <imageobject><imagedata fileref="images/certificate.png" /></imageobject>
+            </mediaobject>
+        </figure>
+
+    </section>
+    
+    <section id="verify_downloaded_files">
+        <title>Verifying the Downloaded Files</title>
+        <para>The JBoss EAP evaluated configuration is found for download on the 
+        Customer support site by browsing to <guimenuitem>JBoss Enterprise Middleware</guimenuitem>, 
+        <guimenuitem>Application Platform</guimenuitem>, <guimenuitem>Certified downloads</guimenuitem>.</para>
+        
+        <figure><title>Software downloads page showing available JBoss EAP files</title>
+            <mediaobject>
+                <imageobject><imagedata fileref="images/software_downloads.png" /></imageobject>
+            </mediaobject>
+        </figure>
+        
+        <para>The packages can be downloaded using either the download link on that page, 
+        or by using the download link on the software details page for that package.  The 
+        software details page is reached by clicking on the package name rather than the 
+        download link.</para>
+
+        <para>The software details page for each package also contains the MD5 and SHA-256 
+        checksum values for that package.  These values are used to verify the integrity 
+        of your downloaded files.</para>
+        
+        <figure><title>MD5 &amp; SHA-256 information displayed for a download at the Red Hat JBoss Customer Support Portal</title>
+            <mediaobject>
+                <imageobject><imagedata fileref="images/lookup_MD5_value.png" /></imageobject>
+            </mediaobject>
+        </figure>
+        
+        <para>You can use either the <command>md5sum</command> or <command>sha256sum</command> utilities as detailed below to calculate 
+        the checksum values of the files to compare to the supplied values on the website.</para>  
+        
+        <note>
+            <para>The command line examples given are accurate for most Linux and 
+            Unix operating systems.  Mac OS X includes the equivalent command 
+            <command>md5</command>.</para>  
+            
+            <para>If you are using Microsoft Windows you will have to download a 
+            third party utility to perform these steps as it does not include a 
+            MD5SUM or SHA256SUM tool.</para>
+        </note>
+
+        <para>The values that are generated by these tools should be the same as those 
+        on the Software Details page. If it is not then your download is either incomplete 
+        or corrupted. You will need to download it again. </para>
+
+        <warning>
+            <para>If after several attempts you are unable to download a copy of the file that 
+            produces a valid checksum values you should open a support case to report the 
+            problem. </para>
+        </warning>
+        
+        
+        <section id="verify_downloaded_files_MD5">
+            <title>Verifying the Downloaded Files</title>
+            <para>After you have downloaded the file, run the <command>md5sum</command> command-line utility and specify 
+            the file you downloaded as the first argument. </para>
+            
+            <example><title>Using the md5sum tool on Linux or Unix</title>
+            <screen>$ md5sum jboss-eap-4.3.0.GA_CP03.zip 
+b6fd40c285f0243133dd29789f6a08a0 jboss-eap-4.3.0.GA_CP03.zip </screen>
+            </example>
+            
+        </section>
+            
+        <section id="verify_downloaded_files_SHA256">
+            <title>Verifying the Downloaded Files</title>
+            <para>After you have downloaded the file, run the <command>sha256sum</command> command-line utility and specify 
+            the file you downloaded as the first argument. </para>
+            
+            <example><title>Using the sha256sum tool</title>
+            <screen>$ sha256sum jboss-eap-4.3.0.GA_CP03.zip 
+5528af48ce51f4fd5dcdda13a53e132d0807385b5e416da0f5d631d36e86aabf jboss-eap-4.3.0.GA_CP03.zip </screen>
+            </example>
+            
+        </section>
+
+        
+    
+    </section>
+        
+        
+
+</chapter>

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Tested_Security_Policy.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Tested_Security_Policy.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Tested_Security_Policy.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -0,0 +1,77 @@
+<?xml version='1.0'?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<appendix id="Common_Criteria_Guide-Tested_Security_Policy">
+
+    <title>Tested Security Policy</title>
+
+    <para>
+      Below is the security policy that was used during the certification evaluation and testing. It does (fill in here with a description of what it does).
+    </para>
+
+     <programlisting>// The Java2 security policy for the securitymgr tests
+// Install with -Djava.security.policy==server.policy
+// and -Djboss.home.dir=path_to_jboss_distribution
+
+// Trusted core Java code
+grant codeBase "file:${java.home}/lib/ext/-" {
+   permission java.security.AllPermission;
+};
+grant codeBase "file:${java.home}/lib/*" {
+   permission java.security.AllPermission;
+};
+// For java.home pointing to the JDK jre directory
+grant codeBase "file:${java.home}/../lib/*" {
+   permission java.security.AllPermission;
+};
+
+// Trusted core Jboss code
+grant codeBase "file:${jboss.home.dir}/bin/-" {
+   permission java.security.AllPermission;
+};
+grant codeBase "file:${jboss.home.dir}/lib/-" {
+   permission java.security.AllPermission;
+};
+grant codeBase "file:${jboss.server.home.dir}/lib/-" {
+   permission java.security.AllPermission;
+};
+grant codeBase "file:${jboss.server.home.dir}/deploy/-" {
+   permission java.security.AllPermission;
+};
+grant codeBase "file:${jboss.server.home.dir}/work/-" {
+   permission java.security.AllPermission;
+};
+
+// Permissions for the WarPermissionsUnitTestCase
+grant codeBase "file:${jboss.test.deploy.dir}/securitymgr/-" {
+   permission java.util.PropertyPermission "*", "read";
+   permission java.io.FilePermission "&lt;&lt;ALL FILES&gt;&gt;", "read,write,delete";
+};
+
+// Minimal permissions are allowed to everyone else
+grant {
+   permission java.util.PropertyPermission "*", "read";
+   permission java.lang.RuntimePermission "queuePrintJob";
+   permission java.net.SocketPermission "*", "connect";
+   permission java.security.SecurityPermission "getPolicy";
+   permission java.lang.RuntimePermission "accessClassInPackage.*";
+   permission java.lang.RuntimePermission "getProtectionDomain";
+   permission java.lang.RuntimePermission "getClassLoader";
+   permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getSubject";
+   permission javax.management.MBeanServerPermission "findMBeanServer";
+   permission javax.management.MBeanPermission "org.jboss.mx.modelmbean.XMBean#*[JMImplementation:type=MBeanRegistry]", "*";
+   permission javax.management.MBeanPermission "org.jboss.mx.modelmbean.XMBean#*[jboss*:*]", "*";
+   permission javax.security.auth.AuthPermission "createLoginContext.*";
+};
+
+// To handle tests run with JBoss installed from RPMs - http://jira.jboss.com/jira/browse/JBPAPP-60
+grant codeBase "file:/usr/share/java/-" {
+   permission java.security.AllPermission;
+};
+grant codeBase "file:/etc/jbossas/-" {
+   permission java.security.AllPermission;
+};
+</programlisting>
+
+</appendix>
\ No newline at end of file
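Review bot: The listing introduced as "the security policy that was used during the certification evaluation" is, by its own header comment (`// The Java2 security policy for the securitymgr tests`) and its `${jboss.test.deploy.dir}/securitymgr/-` grant of `<<ALL FILES>>` read,write,delete, the test-suite policy, and the paragraph above it still ships the authoring placeholder `(fill in here with a description of what it does)` — neither belongs in a Common Criteria configuration guide as published. What a reader of this appendix needs to know is what the policy actually enforces: every codebase under `${jboss.server.home.dir}/deploy/-`, `/usr/share/java/-` and `/etc/jbossas/-` receives `AllPermission`, so deployed applications run unsandboxed, and the catch-all `grant {}` still gives all other code `SocketPermission "*", "connect"` and `PropertyPermission "*", "read"`. I would replace the placeholder with something like `This policy grants AllPermission to the JDK, the JBoss bin and lib directories and everything in the deploy directory, so it does not sandbox deployed applications; the securitymgr grant is a test-harness artifact and the remaining grant block is the minimum applied to all other code.` The `-Djava.security.policy==server.policy` comment uses a double `=`, which in the JDK's policy-file handling replaces rather than augments the default policy — presumably intentional, and worth stating in the prose so an operator who types a single `=` does not silently merge in the JDK defaults.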

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/certificate.png
===================================================================
(Binary files differ)


Property changes on: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/certificate.png
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/lookup_MD5_value.png
===================================================================
(Binary files differ)


Property changes on: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/lookup_MD5_value.png
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/software_downloads.png
===================================================================
(Binary files differ)


Property changes on: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/software_downloads.png
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/ssl_addressbar.png
===================================================================
(Binary files differ)


Property changes on: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/ssl_addressbar.png
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/ssl_statusbar.png
===================================================================
(Binary files differ)


Property changes on: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/images/ssl_statusbar.png
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Modified: projects/docs/enterprise/4.3.3/JDK6_Compatibility_Notes/en-US/JDK6_readme.xml
===================================================================
--- projects/docs/enterprise/4.3.3/JDK6_Compatibility_Notes/en-US/JDK6_readme.xml	2008-10-21 23:59:24 UTC (rev 79911)
+++ projects/docs/enterprise/4.3.3/JDK6_Compatibility_Notes/en-US/JDK6_readme.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -23,6 +23,19 @@
 	<itemizedlist>
 		<listitem>
 			<para>
+				Java version: JRockit 1.6, Update 5 
+			</para>
+			<para>
+				Platforms: RHEL-4.5 x86, x86_64 and RHEL-5.2 x86, x86_64 
+			</para>
+		</listitem>
+	</itemizedlist>
+	<para>
+		We have successfully certified JBoss Enterprise Application Platform 4.3, Cumulative Patch release 03 and above to run on the following combinations: 
+	</para>
+	<itemizedlist>
+		<listitem>
+			<para>
 				Java version: Sun JDK 1.6, Update 7
 			</para>
 			<para>
@@ -31,18 +44,26 @@
 		</listitem>
 		<listitem>
 			<para>
-				Java version: JRockit 1.6, Update 5 
+				Java version: JRockit 1.6, Update 5
 			</para>
 			<para>
-				Platforms: RHEL-4.5 x86, x86_64 and RHEL-5.2 x86, x86_64 
+				Platforms: RHEL-4.5 x86, x86_64 and RHEL-5.2 x86, x86_64
 			</para>
 		</listitem>
 		<listitem>
 			<para>
+				Java version: IBM JDK 1.6, SR1
+			</para>
+			<para>
+				Platforms: RHEL-4.5 x86, x86_64 and RHEL-5.2 x86, x86_64
+			</para>
+		</listitem>
+		<listitem>
+			<para>
 				Java version: HP JDK 1.6 
 			</para>
 			<para>
-				Platform: HP UX RISC
+				Platform: HP-UX RISC, HP-UX IA64
 			</para>
 		</listitem>
 	</itemizedlist>
@@ -50,7 +71,7 @@
 		<title>Setup Required:</title>
 		<listitem>
 			<para>
-				JavaSE 6 includes includes support for JAX-WS, Version 2.1. Before starting your server, you
+				JavaSE 6 includes support for JAX-WS, Version 2.1. Before starting your server, you
 				need replace the APIs included in JDK 6 with the JBossWS jars by simply copying the following jars to ${JBOSS_HOME}/lib/endorsed from ${JBOSS_HOME}/server/production/lib:
 			</para>
 			<itemizedlist>
@@ -80,19 +101,19 @@
 	</itemizedlist>
 	<section id="JDK6_Compatibility_Notes-Running_JBoss_Enterprise_Application_Platform_4.3_with_JavaSE_6-Known_Issues">
 		<title>Known Issues</title>
-		<itemizedlist>
+	<!--	<itemizedlist>
 			<title>The issues listed below with hibernate are to be fixed in the third cumulative patch release of EAP 4.3</title>
-			<listitem>
+			<listitem> -->
 				<para>
 					<ulink url="http://jira.jboss.org/jira/browse/JBPAPP-916">JBPAPP-916</ulink>: Unimplemented methods in Hibernate for JDK 6 interfaces. NoSuchMethodError occurs when trying to use these methods with JDK 6.
 				</para>
-			</listitem>
-			<listitem>
+		<!--	</listitem> -->
+		<!--	<listitem> -->
 				<para>
 					<ulink url="http://jira.jboss.org/jira/browse/JBPAPP-906">JBPAPP-906</ulink>: Bad usage of ClassLoader.loadClass() for Java6 in SerializationHelper $CustomObjectInputStream - deserialization bottleneck for arrays.
 				</para>
-			</listitem>
-		</itemizedlist>
+		<!--	</listitem>
+		</itemizedlist> -->
 	</section>
 	
 	<section id="JDK6_Compatibility_Notes-Running_JBoss_Enterprise_Application_Platform_4.3_with_JavaSE_6-References">

Modified: projects/docs/enterprise/4.3.3/Server_Configuration_Guide/en-US/Author_Group.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Server_Configuration_Guide/en-US/Author_Group.xml	2008-10-21 23:59:24 UTC (rev 79911)
+++ projects/docs/enterprise/4.3.3/Server_Configuration_Guide/en-US/Author_Group.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -2,4 +2,9 @@
 <!DOCTYPE authorgroup PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 ]>
 
-<authorgroup><corpauthor> Red Hat Documentation Group </corpauthor></authorgroup>
+<authorgroup>
+<author>
+      <firstname>Red Hat Documentation Group</firstname>
+      <surname></surname>
+   </author>
+</authorgroup>

Modified: projects/docs/enterprise/4.3.3/Server_Configuration_Guide/en-US/Server_Configuration_Guide_CP03.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Server_Configuration_Guide/en-US/Server_Configuration_Guide_CP03.xml	2008-10-21 23:59:24 UTC (rev 79911)
+++ projects/docs/enterprise/4.3.3/Server_Configuration_Guide/en-US/Server_Configuration_Guide_CP03.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -36,6 +36,7 @@
 <xi:include href="Clustering_Guide_HTTP.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
 <xi:include href="Clustering_Guide_JMS.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
 		<xi:include href="Clustering_Guide_JBoss_Cache_JGroups.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+<xi:include href="Clustering_Guide_Clustered_Session_Notification_Policy.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
 	</part>
 	<part id="Legacy_EJB_Support" label="IV">
 		<title>Legacy EJB Support</title>

Modified: projects/docs/enterprise/4.3.3/readme/en-US/Release_Notes_CP03.xml
===================================================================
--- projects/docs/enterprise/4.3.3/readme/en-US/Release_Notes_CP03.xml	2008-10-21 23:59:24 UTC (rev 79911)
+++ projects/docs/enterprise/4.3.3/readme/en-US/Release_Notes_CP03.xml	2008-10-22 04:03:38 UTC (rev 79912)
@@ -791,6 +791,11 @@
 		<itemizedlist>
 			<listitem>
 				<para>
+					<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-1286">JBPAPP-1286</ulink>: Footnotes within documentation tables and lists do not appear within PDFs. This issue resides within FOP and currently no workaround exists. Where possible footnotes are not used in the circumstances mentioned, however in documents such as the Release Notes the web address of a JIRA is automaticly generated as a footnote and places a number beside that of the JIRA, referencing a footnote that does not appear.  
+				</para>
+			</listitem>
+			<listitem>
+				<para>
 					<ulink url="http://jira.jboss.com/jira/browse/JBPAPP-909">JBPAPP-909</ulink>: Within the Hibernate component of the EAP the HashMap and HashSet iteration order changed from past releases because of support for JDK 1.6. However this has meant that the order of columns in union clauses and union-subclasses has changed, generating a slight impact on the components performance. 
 				</para>
 			</listitem>



