Suche senden
Hochladen
OSGi als App-Plattform - Ein Ausflug durch den Security-Layer
•
2 gefällt mir
•
1,439 views
OSGiUsers
Folgen
Technologie
Melden
Teilen
Melden
Teilen
1 von 24
Jetzt herunterladen
Downloaden Sie, um offline zu lesen
Empfohlen
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Michael Man
Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Ch...
Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Ch...
Security Bootcamp
Devicemgmt
Devicemgmt
xyxz
Blockchain Introduction
Blockchain Introduction
Nur Aini Rakhmawati Gunawan
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
The Linux Foundation
Architecture & Functionality for Learning Spaces Website
Architecture & Functionality for Learning Spaces Website
Pragati Kunwer
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat Security Conference
Cryptography In Silverlight
Cryptography In Silverlight
Barry Dorrans
Empfohlen
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja...
Michael Man
Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Ch...
Security Bootcamp 2013 - Mitigate DDoS attack with effective cost - Nguyễn Ch...
Security Bootcamp
Devicemgmt
Devicemgmt
xyxz
Blockchain Introduction
Blockchain Introduction
Nur Aini Rakhmawati Gunawan
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
The Linux Foundation
Architecture & Functionality for Learning Spaces Website
Architecture & Functionality for Learning Spaces Website
Pragati Kunwer
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat Security Conference
Cryptography In Silverlight
Cryptography In Silverlight
Barry Dorrans
Common Security Services. Consolidation patterns for legacy components - Stef...
Common Security Services. Consolidation patterns for legacy components - Stef...
mfrancis
Security in OSGi applications: Robust OSGi Platforms, secure Bundles
Security in OSGi applications: Robust OSGi Platforms, secure Bundles
Kai Hackbarth
Security Policy Enforcement for the OSGi Framework using Aspect-Oriented Pr...
Security Policy Enforcement for the OSGi Framework using Aspect-Oriented Pr...
Phú Phùng
Enabling Java 2 Runtime Security with Eclipse Plug-ins - Ted Habeck, Advisory...
Enabling Java 2 Runtime Security with Eclipse Plug-ins - Ted Habeck, Advisory...
mfrancis
The Role of the OSGi Gateway in GST Security Objectives and Architecture - An...
The Role of the OSGi Gateway in GST Security Objectives and Architecture - An...
mfrancis
Hilf mir, OBR - Du bist meine letzte Hoffnung!
Hilf mir, OBR - Du bist meine letzte Hoffnung!
OSGiUsers
OSGi Community Update
OSGi Community Update
OSGiUsers
OSGi in the Residential Market
OSGi in the Residential Market
OSGiUsers
Update OSGi Residential Expert Group
Update OSGi Residential Expert Group
OSGiUsers
OSGi Alliance Residential Expert Group
OSGi Alliance Residential Expert Group
OSGiUsers
OSGi for In-Vehicle Systems
OSGi for In-Vehicle Systems
OSGiUsers
PojoSR or OSGi (µ)Services For the Rest of Us
PojoSR or OSGi (µ)Services For the Rest of Us
OSGiUsers
Building Secure OSGi Applications
Building Secure OSGi Applications
Marcel Offermans
Open Services Gateway Initiative (OSGI)
Open Services Gateway Initiative (OSGI)
Peter R. Egli
Sia door supervisor training 5
Sia door supervisor training 5
hilario859
OSGi Web Development in Action
OSGi Web Development in Action
OSGiUsers
OSGi IoT Demo & Contest 2015
OSGi IoT Demo & Contest 2015
mfrancis
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Frank Dawson
Raising information security awareness
Raising information security awareness
Terranovatraining
Gfk Smart Home Studie
Gfk Smart Home Studie
myDLS
Practical security In a modular world
Practical security In a modular world
Martin Toshev
Essentials of PCI Assessment
Essentials of PCI Assessment
Gazzang
Weitere ähnliche Inhalte
Andere mochten auch
Common Security Services. Consolidation patterns for legacy components - Stef...
Common Security Services. Consolidation patterns for legacy components - Stef...
mfrancis
Security in OSGi applications: Robust OSGi Platforms, secure Bundles
Security in OSGi applications: Robust OSGi Platforms, secure Bundles
Kai Hackbarth
Security Policy Enforcement for the OSGi Framework using Aspect-Oriented Pr...
Security Policy Enforcement for the OSGi Framework using Aspect-Oriented Pr...
Phú Phùng
Enabling Java 2 Runtime Security with Eclipse Plug-ins - Ted Habeck, Advisory...
Enabling Java 2 Runtime Security with Eclipse Plug-ins - Ted Habeck, Advisory...
mfrancis
The Role of the OSGi Gateway in GST Security Objectives and Architecture - An...
The Role of the OSGi Gateway in GST Security Objectives and Architecture - An...
mfrancis
Hilf mir, OBR - Du bist meine letzte Hoffnung!
Hilf mir, OBR - Du bist meine letzte Hoffnung!
OSGiUsers
OSGi Community Update
OSGi Community Update
OSGiUsers
OSGi in the Residential Market
OSGi in the Residential Market
OSGiUsers
Update OSGi Residential Expert Group
Update OSGi Residential Expert Group
OSGiUsers
OSGi Alliance Residential Expert Group
OSGi Alliance Residential Expert Group
OSGiUsers
OSGi for In-Vehicle Systems
OSGi for In-Vehicle Systems
OSGiUsers
PojoSR or OSGi (µ)Services For the Rest of Us
PojoSR or OSGi (µ)Services For the Rest of Us
OSGiUsers
Building Secure OSGi Applications
Building Secure OSGi Applications
Marcel Offermans
Open Services Gateway Initiative (OSGI)
Open Services Gateway Initiative (OSGI)
Peter R. Egli
Sia door supervisor training 5
Sia door supervisor training 5
hilario859
OSGi Web Development in Action
OSGi Web Development in Action
OSGiUsers
OSGi IoT Demo & Contest 2015
OSGi IoT Demo & Contest 2015
mfrancis
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Frank Dawson
Raising information security awareness
Raising information security awareness
Terranovatraining
Gfk Smart Home Studie
Gfk Smart Home Studie
myDLS
Andere mochten auch
(20)
Common Security Services. Consolidation patterns for legacy components - Stef...
Common Security Services. Consolidation patterns for legacy components - Stef...
Security in OSGi applications: Robust OSGi Platforms, secure Bundles
Security in OSGi applications: Robust OSGi Platforms, secure Bundles
Security Policy Enforcement for the OSGi Framework using Aspect-Oriented Pr...
Security Policy Enforcement for the OSGi Framework using Aspect-Oriented Pr...
Enabling Java 2 Runtime Security with Eclipse Plug-ins - Ted Habeck, Advisory...
Enabling Java 2 Runtime Security with Eclipse Plug-ins - Ted Habeck, Advisory...
The Role of the OSGi Gateway in GST Security Objectives and Architecture - An...
The Role of the OSGi Gateway in GST Security Objectives and Architecture - An...
Hilf mir, OBR - Du bist meine letzte Hoffnung!
Hilf mir, OBR - Du bist meine letzte Hoffnung!
OSGi Community Update
OSGi Community Update
OSGi in the Residential Market
OSGi in the Residential Market
Update OSGi Residential Expert Group
Update OSGi Residential Expert Group
OSGi Alliance Residential Expert Group
OSGi Alliance Residential Expert Group
OSGi for In-Vehicle Systems
OSGi for In-Vehicle Systems
PojoSR or OSGi (µ)Services For the Rest of Us
PojoSR or OSGi (µ)Services For the Rest of Us
Building Secure OSGi Applications
Building Secure OSGi Applications
Open Services Gateway Initiative (OSGI)
Open Services Gateway Initiative (OSGI)
Sia door supervisor training 5
Sia door supervisor training 5
OSGi Web Development in Action
OSGi Web Development in Action
OSGi IoT Demo & Contest 2015
OSGi IoT Demo & Contest 2015
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Raising information security awareness
Raising information security awareness
Gfk Smart Home Studie
Gfk Smart Home Studie
Ähnlich wie OSGi als App-Plattform - Ein Ausflug durch den Security-Layer
Practical security In a modular world
Practical security In a modular world
Martin Toshev
Essentials of PCI Assessment
Essentials of PCI Assessment
Gazzang
Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...
Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...
mfrancis
Resilient IoT Security: The end of flat security models
Resilient IoT Security: The end of flat security models
Milosch Meriac
Oracle Solaris 11 - Best for Enterprise Applications
Oracle Solaris 11 - Best for Enterprise Applications
glynnfoster
#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...
#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...
Agile Testing Alliance
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
Velocidex Enterprises
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
David Sweigert
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
All Things Open
Android 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation report
hidenorly
Placing backdoors-through-firewalls
Placing backdoors-through-firewalls
Akapo Damilola
Autopilot : Securing Cloud Native Storage
Autopilot : Securing Cloud Native Storage
SF Bay Cloud Native Open Infra Meetup
Security best practices for hyperledger fabric
Security best practices for hyperledger fabric
ManishKumarGiri2
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT Framework
Priyanka Aash
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
sparkfabrik
OSGi made simple - Fuse Application Bundles
OSGi made simple - Fuse Application Bundles
Rob Davies
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
The Linux Foundation
Why ClouDoc to protect CAD files?
Why ClouDoc to protect CAD files?
Sang Yoo
Guidelines to Improve the Robustness of the OSGi Framework and Its Services A...
Guidelines to Improve the Robustness of the OSGi Framework and Its Services A...
mfrancis
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...
RSIS International
Ähnlich wie OSGi als App-Plattform - Ein Ausflug durch den Security-Layer
(20)
Practical security In a modular world
Practical security In a modular world
Essentials of PCI Assessment
Essentials of PCI Assessment
Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...
Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...
Resilient IoT Security: The end of flat security models
Resilient IoT Security: The end of flat security models
Oracle Solaris 11 - Best for Enterprise Applications
Oracle Solaris 11 - Best for Enterprise Applications
#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...
#Interactive Session by Kirti Ranjan Satapathy and Nandini K, "Elements of Qu...
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
Android 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation report
Placing backdoors-through-firewalls
Placing backdoors-through-firewalls
Autopilot : Securing Cloud Native Storage
Autopilot : Securing Cloud Native Storage
Security best practices for hyperledger fabric
Security best practices for hyperledger fabric
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT Framework
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
OSGi made simple - Fuse Application Bundles
OSGi made simple - Fuse Application Bundles
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
Why ClouDoc to protect CAD files?
Why ClouDoc to protect CAD files?
Guidelines to Improve the Robustness of the OSGi Framework and Its Services A...
Guidelines to Improve the Robustness of the OSGi Framework and Its Services A...
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...
Kürzlich hochgeladen
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Product Anonymous
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Martijn de Jong
presentation ICT roal in 21st century education
presentation ICT roal in 21st century education
jfdjdjcjdnsjd
Evaluating the top large language models.pdf
Evaluating the top large language models.pdf
ChristopherTHyatt
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
naman860154
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
Remote DBA Services
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
RTylerCroy
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
lior mazor
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
Radu Cotescu
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
The Digital Insurer
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
The Digital Insurer
Kürzlich hochgeladen
(20)
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
presentation ICT roal in 21st century education
presentation ICT roal in 21st century education
Evaluating the top large language models.pdf
Evaluating the top large language models.pdf
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
OSGi als App-Plattform - Ein Ausflug durch den Security-Layer
1.
www.neat-it.de OSGi as an
App Platform An Excursion through the Security Layer Michael Grammling, M.Sc. Dipl.-Inform (FH)
2.
System Boundaries © Grammling
und Müller GbR – neat-IT 2
3.
Packaging Apps • Use
a simple container format which can store 1..N bundles (e.g. a JAR or ZIP) • There are open standards available for container formats • However they are often much more complex than needed • Think on using an ApplicationManifest file (e.g. XML based) for meta-information • Think on signing the content of the container © Grammling und Müller GbR – neat-IT 3
4.
Certify Apps • Usually
Apps are certified by a certification department • If specific permissions, which the App acquires, are critical, reject the App • Do runtime checks • An automatic certification suite can help (can be complex) • If the App is accepted, deploy it in a clean software repository © Grammling und Müller GbR – neat-IT 4
5.
Sell and Deploy
Apps • The customer buys an App in the shop • The app is deployed (e.g. automatically) on the App Platform through a provisioning service (can be part of the App Repository) © Grammling und Müller GbR – neat-IT 5
6.
Protect Access • Usually
there are direct connections to the App Platform (e.g. by Telnet, SSH, Web-Client or Rich-Client user interfaces) • Use a proxy service on the App Platform to manage access rights © Grammling und Müller GbR – neat-IT 6
7.
Requirements © Grammling und
Müller GbR – neat-IT 7
8.
The OSGi-Specification © Grammling
und Müller GbR – neat-IT 8
9.
The Security Layer ©
Grammling und Müller GbR – neat-IT 9
10.
OSGi Security-Mechanisms ► OSGi
Bundle-Authentication ► Bundle-Location ► Bundle-Signatures ► Conditional Permission Admin ► Visibility rules on level of Java packages ► User Admin (part of the OSGi Compendium) © Grammling und Müller GbR – neat-IT 10
11.
OSGi Bundle-Signatures –
Overall ► Bundle-Location ► Wires a Bundle with the installation location, which is persisted ► Could be a location in the local file system or an internet address ► Can be simply tampered e.g. by „mount points“ ► Bundle-Signatures ► Authenticates the originator ► Shows modifications on the data itself ► Requires a PKI (Public Key Infrastructure) ► Bundle-Locations as well as Bundle-Signatures can be used for definitions of permissions ► Bundle-Signatures are an optional feature in OSGi © Grammling und Müller GbR – neat-IT 11
12.
Java Key Store ►
Is a repository for certificates ► Consists of one file (e.g. with the file extension *.jks) ► Can be managed using the tool „keytool“ from the JDK Schlüssel- und Zertifikatsverwaltungstool Befehle: -certreq -changealias -delete -exportcert -genkeypair -genseckey -gencert -importcert -importkeystore -keypasswd -list -printcert -printcertreq -printcrl -storepasswd Generiert eine Zertifikatanforderung Ändert den Alias eines Eintrags Löscht einen Eintrag Exportiert ein Zertifikat Generiert ein Schlüsselpaar Generiert einen Secret Key Generiert ein Zertifikat aus einer Zertifikatanforderung Importiert ein Zertifikat oder eine Zertifikatkette Importiert einen oder alle Einträge aus einem anderen Keystore Ändert das Schlüsselkennwort eines Eintrags Listet die Einträge in einem Keystore auf Druckt den Content eines Zertifikats Druckt den Content einer Zertifikatanforderung Druckt den Content einer CRL-Datei Ändert das Speicherkennwort eines Keystores "keytool -command_name -help" für Verwendung von command_name verwenden © Grammling und Müller GbR – neat-IT 12
13.
Structure of a
Certificate ► Check public key by requesting the Public Authority (Trust Center) ► Check signature: decrypt(public_key, signature) = digest © Grammling und Müller GbR – neat-IT 13
14.
OSGi Bundle-Signature Files ►
Resources within the META-INF directory are not signed ► A Bundle can be signed from more than one originator © Grammling und Müller GbR – neat-IT 14
15.
Signing Bundles –
jarsigner ► Bundles can be signed using the tool „jarsigner“ from the JDK jarsigner -keystore my-keystore.jks -storepass my-store-password myjar.jar my-alias Warning: The signer certificate will expire within six months. The signer's certificate chain is not validated. © Grammling und Müller GbR – neat-IT 15
16.
Signing Bundles –
Maven ► Bundles can be signed using a Maven-Plugin … <build> … <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-jarsigner-plugin</artifactId> <version>1.2</version> <executions> <execution> <id>sign</id> <goals> <goal>sign</goal> </goals> </execution> </executions> <configuration> <keystore>C:/my-keystore.jks</keystore> <alias>my-alias</alias> <storepass>my-store-password</storepass> <keypass>my-keypassword</keypass> </configuration> </plugin> … </plugins> </build> … © Grammling und Müller GbR – neat-IT 16
17.
Activate the Security-Layer ►
System Variables of the JVM Property-Key Value Description java.security.policy <File> Policy file, which the OSGi Service Platform should use itself. org.osgi.framework.security osgi Activates the Security-Layer of OSGi. A specific OSGi Security-Manager is used now. Using this parameter enables also the (Conditional) Permission Admin. org.osgi.framework.trust.repositories <Files> List of Java-Keystores. © Grammling und Müller GbR – neat-IT 17
18.
The Policy File
for OSGi ► The file „all.policy“ ► Usually the OSGi-Framework requires full access ► -Djava.security.policy=all.policy ► Take care to restrict the rights of the JVM itself grant { permission java.security.AllPermission; }; © Grammling und Müller GbR – neat-IT 18
19.
Conditional Permission Admin ►
Offers authorization during runtime ► Review – Bundle-Signatures: Checks only integrity ► Defining permissions during runtime ► Simplification comparing to Java 2 Security • ALLOW, DENY and reverse rules can be defined ► OSGi specific extensions comparing to Java 2 Security • E.g. setting the permission to register a service © Grammling und Müller GbR – neat-IT 19
20.
Local Permissions of
a Bundle ► The developer defines specific permissions for the Bundle ► E.g. Access to the file system or using a service ► Local permissions are defined in the ASCII file „permissions.perm“ in the directory of the Bundle „OSGI-INF“ ► The OSGi Platform ensures that the Bundle gets only these permissions the developer has specified in the „permissions.perm“ file … # Accept exporting and re-importing package of service interface (org.osgi.framework.PackagePermission "de.telekom.connectedhome.services.clock.*" "exportonly,import") # Accept registering a concrete service (org.osgi.framework.ServicePermission "de.telekom.connectedhome.services.clock.TimeService" "register") … © Grammling und Müller GbR – neat-IT 20
21.
Globale Permissions in
the System ► Sandboxes can be defined for the OSGi platform for all or a set of Bundles using: ► Bundle signatures ► Bundle location ► Global permissions must be set by using the Conditional Permission Admin service ► The OSGi specification defines also a textual format and a parser for it: … ALLOW { [org.osgi.service.condpermadmin.BundleLocation "file:foo.jar"] (org.osgi.framework.PackagPermission "*" "import") } "allow-all-packages" ALLOW { [org.osgi.service.condpermadmin.BundleSignerCondition "CN=cn, OU=ou, O=o, ST=st, C=c"] (java.security.AllPermission "*" "*") } "allow-all-signed-bundles" … © Grammling und Müller GbR – neat-IT 21
22.
Bundle Protection Domains ©
Grammling und Müller GbR – neat-IT 22
23.
Permissions in OSGi ►
PackagePermission ► Restrict the import- and export of Java packages ► BundlePermission ► Restrict access to Bundles (e.g. Require-Bundle) ► AdminPermission ► Restrict management access (e.g. lifecycle) ► ServicePermission ► Restrict registering and using services © Grammling und Müller GbR – neat-IT 23
24.
Luise-Riegger-Str. 21 ●
76137 Karlsruhe Grammling und Müller GbR www.neat-it.de
Jetzt herunterladen