Posted to users@tomcat.apache.org by "Chavez Ortiz, Oscar (Externo)" <Os...@vwfs.com> on 2022/05/09 12:20:49 UTC

Tomcat with Security Manager for SAP Business Objects issues

Hello group.
I have a SAP Business Object 4.2 server which uses Tomcat 9.0.58 as web container.
For Security reasons this server needs to implement Security Manager for Tomcat on it, thus, I've configured starting configuration in java options with "- Security Manager" option.
Also I've configured catalina.policy file by adding needed permissions every time log file gets the AccessControlException message, today, there aren't any AccessControlException errors in log file.
Now, the problem is when opening SAP BO Launch Pad tool in web browser I'm getting the HTTP 500 error.
I've asked to SAP BO Support for help and they answered me that Tomcat configuration is not covered by SAP Support, they recommend me to ask for help in Tomcat support.
Please, I would like to know why I can't get Tomcat with Security Manager and how to solve to get it working.
Any help will be appreciated.
Thank you in advance.
Best regards.
Oscar.





Re: Tomcat with Security Manager for SAP Business Objects issues

Posted by Mark Thomas <ma...@apache.org>.
On 09/05/2022 16:23, Chavez Ortiz, Oscar (Externo) wrote:
> Hello Mark, thank you for your answer.
> - With Security reasons I mean from headquarters the server must be certified by accomplishing a set of security hardening rules. One of those is Security Manager.

It would be worth making sure they are aware that the security manager 
is going away eventually.

> - In this case our system uses Tomcat 9.0.58, at this moment newer versions of Tomcat are not recommended by SAP.

There haven't been any recent changes I can think of related to the 
security manager so I don't think that running a slightly older version 
than the latest is going to be a factor in this instance.

> - Actually the Windows Server 2016 (which hosts the SAP BO System) is a VM but as I've said it must be certified on Hardening Security.

The security manager probably isn't gaining you that much then. Run 
Tomcat under an appropriately locked down OS user and you'll get most of 
the benefits.

> - I have just launched Tomcat with the -Djava.security.debug=access,failure option and, after checking the log file, there aren't any AccessControlException errors in it.

That wasn't what I was expecting.

A few things to try.

The 500 error should trigger an entry in a log somewhere. What does that 
log entry say?

You could try "-Djava.security.debug=all" but that is likely to be very 
verbose.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Tomcat with Security Manager for SAP Business Objects issues

Posted by "Chavez Ortiz, Oscar (Externo)" <Os...@vwfs.com>.
Hello Mark, thank you for your answer.
- With Security reasons I mean from headquarters the server must be certified by accomplishing a set of security hardening rules. One of those is Security Manager.
- In this case our system uses Tomcat 9.0.58, at this moment newer versions of Tomcat are not recommended by SAP.
- Actually the Windows Server 2016 (which hosts the SAP BO System) is a VM but as I've said it must be certified on Hardening Security.
- I have just launched Tomcat with the -Djava.security.debug=access,failure option and, after checking the log file, there aren't any AccessControlException errors in it.
Thank you.
Best regards.
Oscar.



Re: Tomcat with Security Manager for SAP Business Objects issues

Posted by Mark Thomas <ma...@apache.org>.
On 09/05/2022 13:20, Chavez Ortiz, Oscar (Externo) wrote:
> Hello group.
> 
> I have a SAP Business Object 4.2 server which uses Tomcat 9.0.58 as web 
> container.
> 
> For Security reasons this server needs to implement Security Manager for 
> Tomcat on it, thus, I’ve configured starting configuration in java 
> options with “– Security Manager” option.

Could you expand on what you mean by "security reasons"?

Newer versions of Java have deprecated the security manager and it is 
likely that Jakarta EE 11 onwards (and hence Tomcat 11 onwards) will not 
support the use of a security manager.

Generally, you should be able to achieve similar results by running 
Tomcat on a dedicated server / VM / container / etc.

> Also I’ve configured catalina.policy file by adding needed permissions 
> every time log file gets the *AccessControlException* message, today, 
> there aren’t any AccessControlException errors in log file.
> 
> Now, the problem is when opening SAP BO Launch Pad tool in web browser 
> I’m getting the HTTP 500 error:
> 
> I’ve asked to SAP BO Support for help and they answered me that Tomcat 
> configuration is not covered by SAP Support, they recommend me to ask for 
> help in Tomcat support.
>
> Please, I would like to know why I can’t get Tomcat with Security 
> Manager and how to solve to get it working.

I suspect that an exception or two is being swallowed rather than reported.

Adding "-Djava.security.debug=access,failure" to CATALINA_OPTS should 
highlight any additional permissions that are required.

Mark
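
The triage step suggested in the reply above, as an added example that is not part of the original thread or of Tomcat: a Python sketch that collects the denials printed by -Djava.security.debug=access,failure and renders them as catalina.policy grant candidates for review. The log lines are constructed, their shape is assumed from the JDK's debug output, and the paths and jar name are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (not from the thread). Line shapes are assumed from the
# JDK's java.security.debug=access,failure output; paths are hypothetical.
SAMPLE_LOG = r'''
access: access allowed ("java.util.PropertyPermission" "catalina.base" "read")
access: access denied ("java.io.FilePermission" "C:\example\BOE\WEB-INF\app.properties" "read")
access: domain that failed ProtectionDomain  (file:/C:/example/BOE/WEB-INF/lib/example.jar <no signer certificates>)
access: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
access: domain that failed ProtectionDomain  (file:/C:/example/BOE/WEB-INF/lib/example.jar <no signer certificates>)
access: access denied ("java.io.FilePermission" "C:\example\BOE\WEB-INF\app.properties" "read")
access: domain that failed ProtectionDomain  (file:/C:/example/BOE/WEB-INF/lib/example.jar <no signer certificates>)
'''

DENIED = re.compile(r'access: access denied \("([^"]+)" "([^"]*)"(?: "([^"]*)")?\)')
DOMAIN = re.compile(r'access: domain that failed ProtectionDomain\s+\((\S+)')

def denied_permissions(log_text):
    """Count each denied permission, keyed by (codebase, class, name, actions)."""
    hits, pending = Counter(), None
    for line in log_text.splitlines():
        denied, domain = DENIED.search(line), DOMAIN.search(line)
        if denied:
            if pending:                      # previous denial had no domain line
                hits[("UNKNOWN",) + pending] += 1
            pending = (denied.group(1), denied.group(2), denied.group(3) or "")
        elif domain and pending:             # stack-trace lines in between are skipped
            hits[(domain.group(1),) + pending] += 1
            pending = None
    if pending:
        hits[("UNKNOWN",) + pending] += 1
    return hits

def policy_candidates(hits):
    """Render catalina.policy grant blocks for review, one per code source."""
    by_codebase = defaultdict(list)
    for (codebase, cls, name, actions), count in sorted(hits.items()):
        name = name.replace("\\", "\\\\")    # policy syntax needs doubled backslashes
        target = f'"{name}", "{actions}"' if actions else f'"{name}"'
        by_codebase[codebase].append(f"    permission {cls} {target};  // denied {count}x")
    blocks = []
    for codebase, perms in by_codebase.items():
        blocks.append(f'grant codeBase "{codebase}" {{\n' + "\n".join(perms) + "\n};")
    return "\n\n".join(blocks)

if __name__ == "__main__":
    print(policy_candidates(denied_permissions(SAMPLE_LOG)))
```

Each candidate is scoped to the code source that failed the check rather than granted globally, and an "UNKNOWN" code source marks a denial whose domain line was not found in the log.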
