BUG-3553 Introduce custom java.security config file 66/22566/3
authorMaros Marsalek <mmarsale@cisco.com>
Wed, 10 Jun 2015 08:30:29 +0000 (10:30 +0200)
committerGerrit Code Review <gerrit@opendaylight.org>
Mon, 15 Jun 2015 14:38:53 +0000 (14:38 +0000)
Set the list of excluded ciphers available for use in ODL. The list was
developed in order to disable weak/vulnerable ciphers and also to prevent
the Logjam exploit.

The security file can be set using ODL_JAVA_SECURITY_PROPERTIES env variable.

Change-Id: I4867fe05986c020e09938c138d4d033299e0f9b7
Signed-off-by: Maros Marsalek <mmarsale@cisco.com>
(cherry picked from commit 482cb4a1845e2e8109b9176704f2421ff7f40277)

karaf/opendaylight-karaf-resources/src/main/resources/bin/instance
karaf/opendaylight-karaf-resources/src/main/resources/bin/instance.bat
karaf/opendaylight-karaf-resources/src/main/resources/bin/karaf
karaf/opendaylight-karaf-resources/src/main/resources/bin/karaf.bat
karaf/opendaylight-karaf-resources/src/main/resources/etc/odl.java.security [new file with mode: 0755]

index 27772fd..3519258 100644 (file)
@@ -275,6 +275,13 @@ setupDefaults() {
         fi
     fi
 
+    # Add default security file option
+    if [ "x$ODL_JAVA_SECURITY_PROPERTIES" != "x" ]; then
+        DEFAULT_JAVA_OPTS="-Djava.security.properties="${ODL_JAVA_SECURITY_PROPERTIES}" $DEFAULT_JAVA_OPTS"
+    else
+        DEFAULT_JAVA_OPTS="-Djava.security.properties="${KARAF_ETC}/odl.java.security" $DEFAULT_JAVA_OPTS"
+    fi
+
     # Add the jars in the lib dir
     for file in "$KARAF_HOME"/lib/*.jar
     do
index 2ac8db1..a9a5509 100644 (file)
@@ -95,6 +95,12 @@ if "%KARAF_ETC%" == "" (
 )\r
 \r
 set DEFAULT_JAVA_OPTS=\r
+if not "%ODL_JAVA_SECURITY_PROPERTIES%" == "" (\r
+    set DEFAULT_JAVA_OPTS=-Djava.security.properties="%ODL_JAVA_SECURITY_PROPERTIES%" %DEFAULT_JAVA_OPTS%\r
+) else (\r
+    set DEFAULT_JAVA_OPTS=-Djava.security.properties="%KARAF_ETC%\odl.java.security" %DEFAULT_JAVA_OPTS%\r
+)\r
+\r
 set DEFAULT_JAVA_DEBUG_OPTS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005\r
 \r
 rem Support for loading native libraries\r
index 23fbbec..232325e 100755 (executable)
@@ -299,6 +299,13 @@ setupDefaults() {
         fi
     fi
 
+    # Add default security file option
+    if [ "x$ODL_JAVA_SECURITY_PROPERTIES" != "x" ]; then
+        DEFAULT_JAVA_OPTS="-Djava.security.properties="${ODL_JAVA_SECURITY_PROPERTIES}" $DEFAULT_JAVA_OPTS"
+    else
+        DEFAULT_JAVA_OPTS="-Djava.security.properties="${KARAF_ETC}/odl.java.security" $DEFAULT_JAVA_OPTS"
+    fi
+
     # Add the jars in the lib dir
     for file in "$KARAF_HOME"/lib/karaf*.jar
     do
index 9c278c3..a5c254a 100644 (file)
@@ -219,8 +219,15 @@ if not exist "%JAVA_HOME%\bin\server\jvm.dll" (
         set JAVA_MODE=-client\r
     )\r
 )\r
+\r
 set DEFAULT_JAVA_OPTS=%JAVA_MODE% -Xms%JAVA_MIN_MEM% -Xmx%JAVA_MAX_MEM% -Dderby.system.home="%KARAF_DATA%\derby" -Dderby.storage.fileSyncTransactionLog=true -Dcom.sun.management.jmxremote  -XX:+UnlockDiagnosticVMOptions -XX:+UnsyncloadClass\r
 \r
+if not "%ODL_JAVA_SECURITY_PROPERTIES%" == "" (\r
+    set DEFAULT_JAVA_OPTS=-Djava.security.properties="%ODL_JAVA_SECURITY_PROPERTIES%" %DEFAULT_JAVA_OPTS%\r
+) else (\r
+    set DEFAULT_JAVA_OPTS=-Djava.security.properties="%KARAF_ETC%\odl.java.security" %DEFAULT_JAVA_OPTS%\r
+)\r
+\r
 rem Check some easily accessible MIN/MAX params for JVM mem usage\r
 if not "%JAVA_PERM_MEM%" == "" (\r
     set DEFAULT_JAVA_OPTS=%DEFAULT_JAVA_OPTS% -XX:PermSize=%JAVA_PERM_MEM%\r
diff --git a/karaf/opendaylight-karaf-resources/src/main/resources/etc/odl.java.security b/karaf/opendaylight-karaf-resources/src/main/resources/etc/odl.java.security
new file mode 100755 (executable)
index 0000000..715c847
--- /dev/null
@@ -0,0 +1,6 @@
+# Custom java.security config file for odl. This file augmnets the defult java.security config file provided by the JRE itself
+# Documentation: https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms
+# Additional information can also be found in the default java.security file: JAVA_HOME/jre/lib/security/java.security
+
+# Disable weak ciphers and ciphers vulnerable to the Logjam exploit, more information can be found here https://bugs.opendaylight.org/show_bug.cgi?id=3552
+jdk.tls.disabledAlgorithms=EXPORT, RC4, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, anon
\ No newline at end of file

©2013 OpenDaylight, A Linux Foundation Collaborative Project. All Rights Reserved.
OpenDaylight is a registered trademark of The OpenDaylight Project, Inc.
Linux Foundation and OpenDaylight are registered trademarks of the Linux Foundation.
Linux is a registered trademark of Linus Torvalds.