Posted to users@tomcat.apache.org by Chris Brookes <ca...@hotmail.com> on 2009/05/04 02:53:14 UTC

Tomcat 6.0.18 on Win32 - Enabling Security Manager





Apologies for previous blank question, I am not sure what happened, actual question below.......
Chris
--------------------------------------------------------------------------------------------------------------------------------------
Hi,
I am writing a Tomcat 6 on Windows
hardening guide at the moment and I am looking at the process for enabling the
security manager. On the Tomcat 6 documentation website http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html it
says that on Windows all you need to do is run the following command:

%CATALINA_HOME%\bin\catalina start -security



However, when I install Tomcat there is no such program as "catalina"
in the bin directory so I can't run it like that. Within bin there is only
bootstrap.jar, tomcat6.exe, tomcat6w.exe and tomcat-juli.jar



Using the Tomcat monitor application there is a tab for startup and there is an
input box for arguments that by default contains 'start' but if I try to add '
-security' to this argument text box the service fails to start at all.



Can anyone help in advising me how you get tomcat 6.0.18 to start with a
security manager. Please note that tomcat was installed from the Tomcat Windows
Service installer and it is running Windows Server 2003 SP2 (32bit).



Any help is appreciated, I have searched the archives and googled the web and
this has revealed nothing, it is most likely my error however I am currently at
a loss.

 

Thanks

 

Chris


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager

Posted by Martin Gainty <mg...@hotmail.com>.
%CATALINA_HOME%\bin\catalina start -security
change to

Windows
%CATALINA_HOME%\bin\catalina.bat start -security

Unix
$CATALINA_HOME/bin/catalina.sh start -security

make sure you implement java.lang.RuntimePermission ability for each package

catalina.properties
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.

then in the catalina.policy file grant the necessary RuntimePermission

$CATALINA_BASE/conf/catalina.policy
// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        // <package> is a placeholder for a package listed in package.access
        permission java.lang.RuntimePermission "accessClassInPackage.<package>";
};

HTH
Martin

Re: Tomcat 6.0.18 on Win32 - Enabling Security Manager

Posted by Nikola Milutinovic <al...@yahoo.com>.
>> I must say that the nature of your questions leaves me with some concern about the content of your guide...
>
> Hmmm, I won't bite but I will provide a little more information on what I am doing.
>
> The guide is specifically being written for Tomcat on Windows, which in my searching of the web there are very few resources available, and even fewer that provide collated recommendations.
>
> As you may have guessed (and is alluded to in the response below) I am not an expert at Tomcat or Java however I need to put together a guide that can be delivered to infrastructure managers whose primary goal is to 'get it working' without considering security.
>
> So as part of the information security team I have to provide recommendations to those Infrastructure managers on how to secure the infrastructure (as well as every other application and piece of infrastructure that is being deployed). The majority of the guide is focused on management of the Tomcat server. Things like running tomcat as an unprivileged user (and getting the appropriate Windows permissions to allow that to work properly), Separation of tomcat directories from program files, segregation of duties for web-app content and Infrastructure admins, removing or limiting access to default or manager applications, limiting access to sensitive (or dangerous) Windows files and folders, etc, etc, etc.

Noble cause.

Note one thing, that has nothing to do with Windows, but Java Security. When you enable it, almost all activities directed outside JVM, and even some directed inside it, will require particular permissions. See the supplied security policy for some details, but I will add one that is always present and not covered in that file (for obvious reasons): connection to a DB.

If you wish to use any DB server, you will need a TCP/IP connection, via JDBC, to that DB. I am not counting in in-memory DBs, like HSQL. To make the connection, or rather to let JDBC driver make the connection, you must add an appropriate permission to your JDBC driver classes. Something like:


grant codeBase "file:${catalina.home}/psa-webapps/mydomain.com/myapplication/" {
    permission java.net.SocketPermission "localhost","resolve";
    permission java.net.SocketPermission "localhost:3306","connect,resolve";
};
I'm not sure this works, though, just picked it up on Google, but that is how it generally should look. Though, I'd use class name, not file location for targeting the JDBC driver.

This applies to all aspects of your application, like web services, RMI, disk access,...

So, turning secure mode on can require additional work. Not that I consider it a bad idea, but just have in mind that it is not just "adding a couple of switches". You should tailor security policy for your application's needs. And it can be a lot of work, plus, it will require testing to see if you've missed something.

Nix.
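
Added example (not part of the thread and not Tomcat project code): a small Python audit of catalina.policy-style grant blocks, for the per-application policy review described above. The trusted codeBase prefixes, the rule names and the sample policy are assumptions constructed for illustration; the second grant in the sample is the one quoted in the post above.

```python
import re

STR = r'"(?:[^"\\]|\\.)*"'
# Comments are stripped without touching "//" inside quoted URLs such as "file://...".
_COMMENT_OR_STR = re.compile(STR + r'|//[^\n]*|/\*.*?\*/', re.S)
# Header and body are matched string-aware because "${catalina.home}" contains braces.
_GRANT = re.compile(r'\bgrant\b((?:%s|[^{"])*)\{((?:%s|[^}"])*)\}\s*;' % (STR, STR))
_CODEBASE = re.compile(r'\bcodeBase\s+(%s)' % STR, re.I)
_PERM = re.compile(r'\bpermission\s+([\w.$]+)((?:%s|[^;"])*);' % STR)
_SIGNED = re.compile(r'\bsignedBy\s+' + STR, re.I)

# Assumption: only the JRE and Tomcat's own bin/ and lib/ code may hold AllPermission.
TRUSTED_PREFIXES = ("file:${java.home}/", "file:${catalina.home}/bin/",
                    "file:${catalina.home}/lib/")
ALL_PERM = "AllPermission outside trusted code"
WILD_SOCKET = "SocketPermission with wildcard host"
ALL_FILES = "FilePermission on <<ALL FILES>> with write/delete/execute"


def parse_policy(text):
    """Return [(codeBase or None, [(class, target, actions), ...]), ...]."""
    text = _COMMENT_OR_STR.sub(
        lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)
    grants = []
    for header, body in _GRANT.findall(text):
        cb = _CODEBASE.search(header)
        perms = []
        for cls, rest in _PERM.findall(body):
            args = [s[1:-1] for s in re.findall(STR, _SIGNED.sub("", rest))]
            args += [None] * (2 - len(args))
            perms.append((cls, args[0], args[1]))
        grants.append((cb.group(1)[1:-1] if cb else None, perms))
    return grants


def audit(text, trusted=TRUSTED_PREFIXES):
    """Return [(codeBase, rule), ...] for grants broader than a webapp should need."""
    findings = []
    for codebase, perms in parse_policy(text):
        who = codebase or "<all code>"
        for cls, target, actions in perms:
            acts = set((actions or "").replace(" ", "").lower().split(","))
            if cls == "java.security.AllPermission":
                if codebase is None or not codebase.startswith(trusted):
                    findings.append((who, ALL_PERM))
            elif cls == "java.net.SocketPermission":
                if (target or "").startswith("*") and acts & {"connect", "accept", "listen"}:
                    findings.append((who, WILD_SOCKET))
            elif cls == "java.io.FilePermission":
                if target == "<<ALL FILES>>" and acts & {"write", "delete", "execute"}:
                    findings.append((who, ALL_FILES))
    return findings


# Constructed sample policy; not taken from a real deployment.
SAMPLE_POLICY = r'''
// Startup code keeps full rights.
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
    permission java.security.AllPermission;
};
/* Grant quoted in the thread for a JDBC connection. */
grant codeBase "file:${catalina.home}/psa-webapps/mydomain.com/myapplication/" {
    permission java.net.SocketPermission "localhost","resolve";
    permission java.net.SocketPermission "localhost:3306","connect,resolve";
};
// Constructed over-broad grants the audit should report.
grant codeBase "file:${catalina.home}/webapps/legacy/-" {
    permission java.net.SocketPermission "*", "connect,resolve";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write";
};
grant {
    permission java.security.AllPermission;
};
'''

if __name__ == "__main__":
    for codebase, rule in audit(SAMPLE_POLICY):
        print(f"{codebase}: {rule}")
```

The narrowly scoped JDBC grant from the post passes; the wildcard socket, the all-files write grant and the AllPermission grant with no codeBase are reported.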



      

Re: Tomcat 6.0.18 on Win32 - Enabling Security Manager

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chris,

On 5/4/2009 7:31 PM, Chris Brookes wrote:
> Yeah the OWASP guide was pretty good, there was one there for Tomcat
> 5.5, that was part of the base for my guide along with a couple of
> other key resources. The DISA Tomcat checklist titled "Web Checklist
> Tomcat Version 6 Release 1.5" at
> http://iase.disa.mil/stigs/checklist/ was also pretty good.

I didn't read that DISA stuff in too much detail but it seemed worthless
to me. <shrug>

> As far as enabling security manager is concerned, my guide does say
> that the rules in catalina.policy need to be assessed against the
> business requirements of the application and that the default
> catalina.policy provides limited protection which needs to be
> assessed on an application by application basis.

Actually, the default /allowances/ are exceedingly limited. Try turning
on the security manager and see how much of your stuff breaks.
Basically, nothing works if you just enable the security manager right
out of the box. That's a good thing: you should be extremely limited
unless you specifically make allowances for certain things.

I think you have your logic wrong on this one.

-chris

RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager

Posted by Chris Brookes <ca...@hotmail.com>.
Yeah the OWASP guide was pretty good, there was one there for Tomcat 5.5, that was part of the base for my guide along with a couple of other key resources. The DISA Tomcat checklist titled "Web Checklist Tomcat Version 6 Release 1.5" at http://iase.disa.mil/stigs/checklist/ was also pretty good.

As far as enabling security manager is concerned, my guide does say that the rules in catalina.policy need to be assessed against the business requirements of the application and that the default catalina.policy provides limited protection which needs to be assessed on an application by application basis. Thanks for the tip on Database connections with security manager.
 
Chris


Re: Tomcat 6.0.18 on Win32 - Enabling Security Manager

Posted by Pid <p...@pidster.com>.
Chris Brookes wrote:
> Thanks for your assistance, I will give that a try.
> 
>> I must say that the nature of your questions leaves me with some concern about the content of your guide...
> 
> Hmmm, I won't bite but I will provide a little more information on what I am doing.

www.owasp.org

p




RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager

Posted by Chris Brookes <ca...@hotmail.com>.
Thanks for your assistance, I will give that a try.

> I must say that the nature of your questions leaves me with some concern about the content of your guide...

Hmmm, I won't bite but I will provide a little more information on what I am doing.

The guide is specifically being written for Tomcat on Windows, which in my searching of the web there are very few resources available, and even fewer that provide collated recommendations.

As you may have guessed (and is alluded to in the response below) I am not an expert at Tomcat or Java however I need to put together a guide that can be delivered to infrastructure managers whose primary goal is to 'get it working' without considering security.

So as part of the information security team I have to provide recommendations to those Infrastructure managers on how to secure the infrastructure (as well as every other application and piece of infrastructure that is being deployed). The majority of the guide is focused on management of the Tomcat server. Things like running tomcat as an unprivileged user (and getting the appropriate Windows permissions to allow that to work properly), Separation of tomcat directories from program files, segregation of duties for web-app content and Infrastructure admins, removing or limiting access to default or manager applications, limiting access to sensitive (or dangerous) Windows files and folders, etc, etc, etc.

I also give some configuration advice based on research from the internet such as: Setting up SSL to use an approved set of Ciphers, some configuration options in server.xml and web.xml

And most importantly for them, I am combining this into a single document that they can follow, rather than having to rely on them to find the information on the web.

Again thanks for your assistance, I will give it a try when I can

Chris



RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Chris Brookes [mailto:cabby80@hotmail.com]
> Subject: Tomcat 6.0.18 on Win32 - Enabling Security Manager

> However, when I install Tomcat there is no such program as "catalina"
> in the bin directory so I can't run it like that.

The .bat scripts are only part of the .zip download, not the .exe (for unexplained reasons).  One normally uses the startup.bat script to launch Tomcat, which does some necessary setup, then calls the catalina.bat script, which does the real work of getting Tomcat going.

> Using the Tomcat monitor application there is a tab for startup and
> there is an input box for arguments that by default contains 'start'
> but if I try to add '-security' to this argument text box the service
> fails to start at all.

As it should.  To use the Java tab in tomcat6w.exe, you must specify the appropriate JVM arguments, rather than the options for the scripts.  In other words, set the following:

-Djava.security.manager
-Djava.security.policy=<path_to_security_policy_file>

The standard Tomcat policy is located in Tomcat's conf/catalina.policy file, but you're free to specify whatever location you need.

> I am writing a Tomcat 6 on Windows hardening guide

I must say that the nature of your questions leaves me with some concern about the content of your guide...

 - Chuck

