From 7dee83bb7c2645ec9062b9ccd8b9b58261770136 Mon Sep 17 00:00:00 2001
From: Maros Marsalek
Date: Wed, 10 Jun 2015 10:30:29 +0200
Subject: [PATCH] BUG-3553 Introduce custom java.security config file

Set the list of excluded ciphers available for use in ODL. The list was developed in order to disable weak/vulnerable ciphers and also to prevent the Logjam exploit. The security file can be set using ODL_JAVA_SECURITY_PROPERTIES env variable.

Change-Id: I4867fe05986c020e09938c138d4d033299e0f9b7
Signed-off-by: Maros Marsalek
(cherry picked from commit 482cb4a1845e2e8109b9176704f2421ff7f40277)
---
 .../src/main/resources/bin/instance | 7 +++++++
 .../src/main/resources/bin/instance.bat | 6 ++++++
 .../src/main/resources/bin/karaf | 7 +++++++
 .../src/main/resources/bin/karaf.bat | 7 +++++++
 .../src/main/resources/etc/odl.java.security | 6 ++++++
 5 files changed, 33 insertions(+)
 create mode 100755 karaf/opendaylight-karaf-resources/src/main/resources/etc/odl.java.security

diff --git a/karaf/opendaylight-karaf-resources/src/main/resources/bin/instance b/karaf/opendaylight-karaf-resources/src/main/resources/bin/instance
index 27772fd255..3519258be1 100644
--- a/karaf/opendaylight-karaf-resources/src/main/resources/bin/instance
+++ b/karaf/opendaylight-karaf-resources/src/main/resources/bin/instance
@@ -275,6 +275,13 @@ setupDefaults() {
 fi
 fi
+ # Add default security file option
+ if [ "x$ODL_JAVA_SECURITY_PROPERTIES" != "x" ]; then
+ DEFAULT_JAVA_OPTS="-Djava.security.properties="${ODL_JAVA_SECURITY_PROPERTIES}" $DEFAULT_JAVA_OPTS"
+ else
+ DEFAULT_JAVA_OPTS="-Djava.security.properties="${KARAF_ETC}/odl.java.security" $DEFAULT_JAVA_OPTS"
+ fi
+
 # Add the jars in the lib dir
 for file in "$KARAF_HOME"/lib/*.jar
 do
diff --git a/karaf/opendaylight-karaf-resources/src/main/resources/bin/instance.bat b/karaf/opendaylight-karaf-resources/src/main/resources/bin/instance.bat
index 2ac8db1897..a9a5509836 100644
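Review bot: The inner quote pairs in the two new DEFAULT_JAVA_OPTS assignments do not survive into the value — in `DEFAULT_JAVA_OPTS="-Djava.security.properties="${KARAF_ETC}/odl.java.security" $DEFAULT_JAVA_OPTS"` the `"` before `${KARAF_ETC}` closes the outer string and the one after it reopens it, so the stored option carries no quotes and a KARAF_ETC containing a space is split into separate arguments wherever DEFAULT_JAVA_OPTS is later expanded unquoted (outside this hunk); the karaf hunk has the same two lines. There is also no check that the file named by ODL_JAVA_SECURITY_PROPERTIES exists and is readable, and as far as I know the JVM ignores an unreadable override file without any message, so a mistyped path quietly leaves the cipher restrictions unapplied; a line such as `[ -z "$ODL_JAVA_SECURITY_PROPERTIES" ] || [ -r "$ODL_JAVA_SECURITY_PROPERTIES" ] || echo "WARNING: ODL_JAVA_SECURITY_PROPERTIES=$ODL_JAVA_SECURITY_PROPERTIES is not readable; java.security overrides will not apply" >&2` before the branch makes that visible, and the instance.bat and karaf.bat hunks need the equivalent `if not exist` test. The override file is only consulted while the JRE's own java.security keeps `security.overridePropertiesFile=true` (the JDK default), which deserves a comment next to the new block, since a JRE with that setting disabled likewise ignores the file silently. setupDefaults() begins and ends outside the hunk.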
--- a/karaf/opendaylight-karaf-resources/src/main/resources/bin/instance.bat
+++ b/karaf/opendaylight-karaf-resources/src/main/resources/bin/instance.bat
@@ -95,6 +95,12 @@ if "%KARAF_ETC%" == "" (
 )
 set DEFAULT_JAVA_OPTS=
+if not "%ODL_JAVA_SECURITY_PROPERTIES%" == "" (
+ set DEFAULT_JAVA_OPTS=-Djava.security.properties="%ODL_JAVA_SECURITY_PROPERTIES%" %DEFAULT_JAVA_OPTS%
+) else (
+ set DEFAULT_JAVA_OPTS=-Djava.security.properties="%KARAF_ETC%\odl.java.security" %DEFAULT_JAVA_OPTS%
+)
+
 set DEFAULT_JAVA_DEBUG_OPTS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005
 rem Support for loading native libraries
diff --git a/karaf/opendaylight-karaf-resources/src/main/resources/bin/karaf b/karaf/opendaylight-karaf-resources/src/main/resources/bin/karaf
index 23fbbec452..232325ea99 100755
--- a/karaf/opendaylight-karaf-resources/src/main/resources/bin/karaf
+++ b/karaf/opendaylight-karaf-resources/src/main/resources/bin/karaf
@@ -299,6 +299,13 @@ setupDefaults() {
 fi
 fi
+ # Add default security file option
+ if [ "x$ODL_JAVA_SECURITY_PROPERTIES" != "x" ]; then
+ DEFAULT_JAVA_OPTS="-Djava.security.properties="${ODL_JAVA_SECURITY_PROPERTIES}" $DEFAULT_JAVA_OPTS"
+ else
+ DEFAULT_JAVA_OPTS="-Djava.security.properties="${KARAF_ETC}/odl.java.security" $DEFAULT_JAVA_OPTS"
+ fi
+
 # Add the jars in the lib dir
 for file in "$KARAF_HOME"/lib/karaf*.jar
 do
diff --git a/karaf/opendaylight-karaf-resources/src/main/resources/bin/karaf.bat b/karaf/opendaylight-karaf-resources/src/main/resources/bin/karaf.bat
index 9c278c3b9a..a5c254a0bf 100644
--- a/karaf/opendaylight-karaf-resources/src/main/resources/bin/karaf.bat
+++ b/karaf/opendaylight-karaf-resources/src/main/resources/bin/karaf.bat
@@ -219,8 +219,15 @@ if not exist "%JAVA_HOME%\bin\server\jvm.dll" (
 set JAVA_MODE=-client
 )
 )
+ set DEFAULT_JAVA_OPTS=%JAVA_MODE% -Xms%JAVA_MIN_MEM% -Xmx%JAVA_MAX_MEM% -Dderby.system.home="%KARAF_DATA%\derby" -Dderby.storage.fileSyncTransactionLog=true -Dcom.sun.management.jmxremote -XX:+UnlockDiagnosticVMOptions -XX:+UnsyncloadClass
+if not "%ODL_JAVA_SECURITY_PROPERTIES%" == "" (
+ set DEFAULT_JAVA_OPTS=-Djava.security.properties="%ODL_JAVA_SECURITY_PROPERTIES%" %DEFAULT_JAVA_OPTS%
+) else (
+ set DEFAULT_JAVA_OPTS=-Djava.security.properties="%KARAF_ETC%\odl.java.security" %DEFAULT_JAVA_OPTS%
+)
+
 rem Check some easily accessible MIN/MAX params for JVM mem usage
 if not "%JAVA_PERM_MEM%" == "" (
 set DEFAULT_JAVA_OPTS=%DEFAULT_JAVA_OPTS% -XX:PermSize=%JAVA_PERM_MEM%
diff --git a/karaf/opendaylight-karaf-resources/src/main/resources/etc/odl.java.security b/karaf/opendaylight-karaf-resources/src/main/resources/etc/odl.java.security
new file mode 100755
index 0000000000..715c847610
--- /dev/null
+++ b/karaf/opendaylight-karaf-resources/src/main/resources/etc/odl.java.security
@@ -0,0 +1,6 @@
+# Custom java.security config file for odl. This file augmnets the defult java.security config file provided by the JRE itself
+# Documentation: https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms
+# Additional information can also be found in the default java.security file: JAVA_HOME/jre/lib/security/java.security
+
+# Disable weak ciphers and ciphers vulnerable to the Logjam exploit, more information can be found here https://bugs.opendaylight.org/show_bug.cgi?id=3552
+jdk.tls.disabledAlgorithms=EXPORT, RC4, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, anon
\ No newline at end of file
--
2.36.6
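Review bot: The `jdk.tls.disabledAlgorithms=` line replaces the JRE's own value for that key rather than adding to it, because an override file loaded through java.security.properties overwrites same-named properties from the base file — so whatever the bundled java.security already disables (recent JRE updates list `SSLv3`, for example) is re-enabled by this file unless it is restated here, and the first comment's statement that the file "augments" the defaults holds for the file but not for this key. The list also does not limit DH key sizes, which is the accepted Logjam mitigation; on JRE updates that accept the constraint syntax, `jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 1024, EXPORT, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, ...` (keeping the remaining suite names) would cover it, and since I am not certain `EXPORT` and `anon` are recognized tokens on every JRE this targets, the effective enabled-suite list is worth verifying at startup rather than assumed. Minor: "augmnets" and "defult" in the first comment line, the file has no trailing newline, and mode 100755 is unusual for a properties file.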