BUG-3553 Introduce custom java.security config file 66/22566/3
authorMaros Marsalek <mmarsale@cisco.com>
Wed, 10 Jun 2015 08:30:29 +0000 (10:30 +0200)
committerGerrit Code Review <gerrit@opendaylight.org>
Mon, 15 Jun 2015 14:38:53 +0000 (14:38 +0000)
Set the list of ciphers excluded from use in ODL. The list was
developed in order to disable weak/vulnerable ciphers and also to prevent
the Logjam exploit.

The security file can be set using ODL_JAVA_SECURITY_PROPERTIES env variable.

Change-Id: I4867fe05986c020e09938c138d4d033299e0f9b7
Signed-off-by: Maros Marsalek <mmarsale@cisco.com>
(cherry picked from commit 482cb4a1845e2e8109b9176704f2421ff7f40277)

karaf/opendaylight-karaf-resources/src/main/resources/bin/instance
karaf/opendaylight-karaf-resources/src/main/resources/bin/instance.bat
karaf/opendaylight-karaf-resources/src/main/resources/bin/karaf
karaf/opendaylight-karaf-resources/src/main/resources/bin/karaf.bat
karaf/opendaylight-karaf-resources/src/main/resources/etc/odl.java.security [new file with mode: 0755]

index 27772fd255e438088c93293bfaae2217d9c1dbc6..3519258be1e7ec765b82d734c6b6e08d7a4626dd 100644 (file)
@@ -275,6 +275,13 @@ setupDefaults() {
         fi
     fi
 
+    # Add default security file option
+    if [ "x$ODL_JAVA_SECURITY_PROPERTIES" != "x" ]; then
+        DEFAULT_JAVA_OPTS="-Djava.security.properties="${ODL_JAVA_SECURITY_PROPERTIES}" $DEFAULT_JAVA_OPTS"
+    else
+        DEFAULT_JAVA_OPTS="-Djava.security.properties="${KARAF_ETC}/odl.java.security" $DEFAULT_JAVA_OPTS"
+    fi
+
     # Add the jars in the lib dir
     for file in "$KARAF_HOME"/lib/*.jar
     do
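Review bot: The inner double quotes on the two `DEFAULT_JAVA_OPTS=` lines do not embed quotes in the value; in shell they close and reopen the outer string, so the path is stored bare and, when `$DEFAULT_JAVA_OPTS` is presumably expanded unquoted on the java command line later, a path containing a space is split exactly as if the quotes were absent. Drop them so the line reads what it does, `DEFAULT_JAVA_OPTS="-Djava.security.properties=${ODL_JAVA_SECURITY_PROPERTIES} $DEFAULT_JAVA_OPTS"`. Separately, as far as I recall the JVM silently ignores a `java.security.properties` file it cannot read (it only reports this under `-Djava.security.debug=properties`), so a missing or mistyped file leaves the cipher restrictions unapplied with no warning; a guard such as `[ -r "${ODL_JAVA_SECURITY_PROPERTIES:-${KARAF_ETC}/odl.java.security}" ] || echo "WARN: java.security properties file not readable" >&2` before this block would make that failure visible. Both points apply equally to the identical hunk in bin/karaf. setupDefaults() begins and ends outside the hunk.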
index 2ac8db1897198839e399c7490ca5d6683d070b2c..a9a5509836dba71266780759afd2cda5249f1183 100644 (file)
@@ -95,6 +95,12 @@ if "%KARAF_ETC%" == "" (
 )\r
 \r
 set DEFAULT_JAVA_OPTS=\r
+if not "%ODL_JAVA_SECURITY_PROPERTIES%" == "" (\r
+    set DEFAULT_JAVA_OPTS=-Djava.security.properties="%ODL_JAVA_SECURITY_PROPERTIES%" %DEFAULT_JAVA_OPTS%\r
+) else (\r
+    set DEFAULT_JAVA_OPTS=-Djava.security.properties="%KARAF_ETC%\odl.java.security" %DEFAULT_JAVA_OPTS%\r
+)\r
+\r
 set DEFAULT_JAVA_DEBUG_OPTS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005\r
 \r
 rem Support for loading native libraries\r
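Review bot: `if not "%ODL_JAVA_SECURITY_PROPERTIES%" == ""` on the first added line can break the cmd parser when the variable's value itself contains a double quote, which is a common way users set a path with spaces; `if defined ODL_JAVA_SECURITY_PROPERTIES (` tests the same condition (cmd deletes a variable set to the empty string) without expanding the value. The corresponding line in karaf.bat has the same issue. As on the shell side, a missing `%KARAF_ETC%\odl.java.security` is, to my knowledge, silently ignored by the JVM, so an `if not exist "%KARAF_ETC%\odl.java.security" echo WARN: odl.java.security not found` check would help operators notice that the hardening is not in effect.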
index 23fbbec452ccd912310cd197e36a942429388458..232325ea99f66884d145ef2ca97a9d3f95991085 100755 (executable)
@@ -299,6 +299,13 @@ setupDefaults() {
         fi
     fi
 
+    # Add default security file option
+    if [ "x$ODL_JAVA_SECURITY_PROPERTIES" != "x" ]; then
+        DEFAULT_JAVA_OPTS="-Djava.security.properties="${ODL_JAVA_SECURITY_PROPERTIES}" $DEFAULT_JAVA_OPTS"
+    else
+        DEFAULT_JAVA_OPTS="-Djava.security.properties="${KARAF_ETC}/odl.java.security" $DEFAULT_JAVA_OPTS"
+    fi
+
     # Add the jars in the lib dir
     for file in "$KARAF_HOME"/lib/karaf*.jar
     do
index 9c278c3b9ad366ecfe183d932ee153139b75c192..a5c254a0bf5bfef67a17ac0d48e1a24def1728b2 100644 (file)
@@ -219,8 +219,15 @@ if not exist "%JAVA_HOME%\bin\server\jvm.dll" (
         set JAVA_MODE=-client\r
     )\r
 )\r
+\r
 set DEFAULT_JAVA_OPTS=%JAVA_MODE% -Xms%JAVA_MIN_MEM% -Xmx%JAVA_MAX_MEM% -Dderby.system.home="%KARAF_DATA%\derby" -Dderby.storage.fileSyncTransactionLog=true -Dcom.sun.management.jmxremote  -XX:+UnlockDiagnosticVMOptions -XX:+UnsyncloadClass\r
 \r
+if not "%ODL_JAVA_SECURITY_PROPERTIES%" == "" (\r
+    set DEFAULT_JAVA_OPTS=-Djava.security.properties="%ODL_JAVA_SECURITY_PROPERTIES%" %DEFAULT_JAVA_OPTS%\r
+) else (\r
+    set DEFAULT_JAVA_OPTS=-Djava.security.properties="%KARAF_ETC%\odl.java.security" %DEFAULT_JAVA_OPTS%\r
+)\r
+\r
 rem Check some easily accessible MIN/MAX params for JVM mem usage\r
 if not "%JAVA_PERM_MEM%" == "" (\r
     set DEFAULT_JAVA_OPTS=%DEFAULT_JAVA_OPTS% -XX:PermSize=%JAVA_PERM_MEM%\r
diff --git a/karaf/opendaylight-karaf-resources/src/main/resources/etc/odl.java.security b/karaf/opendaylight-karaf-resources/src/main/resources/etc/odl.java.security
new file mode 100755 (executable)
index 0000000..715c847
--- /dev/null
@@ -0,0 +1,6 @@
+# Custom java.security config file for odl. This file augmnets the defult java.security config file provided by the JRE itself
+# Documentation: https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms
+# Additional information can also be found in the default java.security file: JAVA_HOME/jre/lib/security/java.security
+
+# Disable weak ciphers and ciphers vulnerable to the Logjam exploit, more information can be found here https://bugs.opendaylight.org/show_bug.cgi?id=3552
+jdk.tls.disabledAlgorithms=EXPORT, RC4, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, anon
\ No newline at end of file
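Review bot: `jdk.tls.disabledAlgorithms` on the last line replaces the JRE's own value for that key rather than extending it, because a `java.security.properties` override file merges at the level of whole keys; recent 7u/8u JREs ship `jdk.tls.disabledAlgorithms=SSLv3` by default (since 7u75/8u31, I believe), so loading this file would re-enable SSLv3 while disabling the export suites. Carry the JRE baseline into the list, `jdk.tls.disabledAlgorithms=SSLv3, EXPORT, RC4, ...`, and note in the comment that the line must be re-checked whenever the shipped JRE changes. Entries the running JRE does not recognize are, as far as I can tell, ignored rather than rejected, so the effective suite list should be confirmed against the target JRE version (e.g. with `-Djavax.net.debug=ssl`); `EXPORT` and `anon` in particular are keywords I would verify against the JSSE guide linked in the header. Minor: the header comment reads `augmnets the defult` for `augments the default`, the file lacks a trailing newline, and mode 0755 is unnecessary for a properties file.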