OSGi als App-Plattform - Ein Ausflug durch den Security-Layer

978 views

Published on

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
978
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
9
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

OSGi als App-Plattform - Ein Ausflug durch den Security-Layer

  1. 1. www.neat-it.de OSGi as an App Platform An Excursion through the Security Layer Michael Grammling, M.Sc. Dipl.-Inform (FH)
  2. 2. System Boundaries © Grammling und Müller GbR – neat-IT 2
  3. 3. Packaging Apps • Use a simple container format which can store 1..N bundles (e.g. a JAR or ZIP) • There are open standards available for container formats • However they are often much more complex than needed • Think on using an ApplicationManifest file (e.g. XML based) for meta-information • Think on signing the content of the container © Grammling und Müller GbR – neat-IT 3
  4. 4. Certify Apps • Usually Apps are certified by a certification department • If specific permissions, which the App acquires, are critical, reject the App • Do runtime checks • An automatic certification suite can help (can be complex) • If the App is accepted, deploy it in a clean software repository © Grammling und Müller GbR – neat-IT 4
  5. 5. Sell and Deploy Apps • The customer buys an App in the shop • The app is deployed (e.g. automatically) on the App Platform through a provisioning service (can be part of the App Repository) © Grammling und Müller GbR – neat-IT 5
  6. 6. Protect Access • Usually there are direct connections to the App Platform (e.g. by Telnet, SSH, Web-Client or Rich-Client user interfaces) • Use a proxy service on the App Platform to manage access rights © Grammling und Müller GbR – neat-IT 6
  7. 7. Requirements © Grammling und Müller GbR – neat-IT 7
  8. 8. The OSGi-Specification © Grammling und Müller GbR – neat-IT 8
  9. 9. The Security Layer © Grammling und Müller GbR – neat-IT 9
  10. 10. OSGi Security-Mechanisms ► OSGi Bundle-Authentication ► Bundle-Location ► Bundle-Signatures ► Conditional Permission Admin ► Visibility rules on level of Java packages ► User Admin (part of the OSGi Compendium) © Grammling und Müller GbR – neat-IT 10
  11. 11. OSGi Bundle-Signatures – Overall ► Bundle-Location ► Wires a Bundle with the installation location, which is persisted ► Could be a location in the local file system or an internet address ► Can be simply tampered e.g. by „mount points“ ► Bundle-Signatures ► Authenticates the originator ► Shows modifications on the data itself ► Requires a PKI (Public Key Infrastructure) ► Bundle-Locations as well as Bundle-Signatures can be used for definitions of permissions ► Bundle-Signatures are an optional feature in OSGi © Grammling und Müller GbR – neat-IT 11
  12. 12. Java Key Store ► Is a repository for certificates ► Consists of one file (e.g. with the file extension *.jks) ► Can be managed using the tool „keytool“ from the JDK Schlüssel- und Zertifikatsverwaltungstool Befehle: -certreq -changealias -delete -exportcert -genkeypair -genseckey -gencert -importcert -importkeystore -keypasswd -list -printcert -printcertreq -printcrl -storepasswd Generiert eine Zertifikatanforderung Ändert den Alias eines Eintrags Löscht einen Eintrag Exportiert ein Zertifikat Generiert ein Schlüsselpaar Generiert einen Secret Key Generiert ein Zertifikat aus einer Zertifikatanforderung Importiert ein Zertifikat oder eine Zertifikatkette Importiert einen oder alle Einträge aus einem anderen Keystore Ändert das Schlüsselkennwort eines Eintrags Listet die Einträge in einem Keystore auf Druckt den Content eines Zertifikats Druckt den Content einer Zertifikatanforderung Druckt den Content einer CRL-Datei Ändert das Speicherkennwort eines Keystores "keytool -command_name -help" für Verwendung von command_name verwenden © Grammling und Müller GbR – neat-IT 12
  13. 13. Structure of a Certificate ► Check public key by requesting the Public Authority (Trust Center) ► Check signature: decrypt(public_key, signature) = digest © Grammling und Müller GbR – neat-IT 13
  14. 14. OSGi Bundle-Signature Files ► Resources within the META-INF directory are not signed ► A Bundle can be signed from more than one originator © Grammling und Müller GbR – neat-IT 14
  15. 15. Signing Bundles – jarsigner ► Bundles can be signed using the tool „jarsigner“ from the JDK jarsigner -keystore my-keystore.jks -storepass my-store-password myjar.jar my-alias Warning: The signer certificate will expire within six months. The signer's certificate chain is not validated. © Grammling und Müller GbR – neat-IT 15
  16. 16. Signing Bundles – Maven ► Bundles can be signed using a Maven-Plugin … <build> … <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-jarsigner-plugin</artifactId> <version>1.2</version> <executions> <execution> <id>sign</id> <goals> <goal>sign</goal> </goals> </execution> </executions> <configuration> <keystore>C:/my-keystore.jks</keystore> <alias>my-alias</alias> <storepass>my-store-password</storepass> <keypass>my-keypassword</keypass> </configuration> </plugin> … </plugins> </build> … © Grammling und Müller GbR – neat-IT 16
  17. 17. Activate the Security-Layer ► System Variables of the JVM Property-Key Value Description java.security.policy <File> Policy file, which the OSGi Service Platform should use itself. org.osgi.framework.security osgi Activates the Security-Layer of OSGi. A specific OSGi Security-Manager is used now. Using this parameter enables also the (Conditional) Permission Admin. org.osgi.framework.trust.repositories <Files> List of Java-Keystores. © Grammling und Müller GbR – neat-IT 17
  18. 18. The Policy File for OSGi ► The file „all.policy“ ► Usually the OSGi-Framework requires full access ► -Djava.security.policy=all.policy ► Take care to restrict the rights of the JVM itself grant { permission java.security.AllPermission; }; © Grammling und Müller GbR – neat-IT 18
  19. 19. Conditional Permission Admin ► Offers authorization during runtime ► Review – Bundle-Signatures: Checks only integrity ► Defining permissions during runtime ► Simplification comparing to Java 2 Security • ALLOW, DENY and reverse rules can be defined ► OSGi specific extensions comparing to Java 2 Security • E.g. setting the permission to register a service © Grammling und Müller GbR – neat-IT 19
  20. 20. Local Permissions of a Bundle ► The developer defines specific permissions for the Bundle ► E.g. Access to the file system or using a service ► Local permissions are defined in the ASCII file „permissions.perm“ in the directory of the Bundle „OSGI-INF“ ► The OSGi Platform ensures that the Bundle gets only these permissions the developer has specified in the „permissions.perm“ file … # Accept exporting and re-importing package of service interface (org.osgi.framework.PackagePermission "de.telekom.connectedhome.services.clock.*" "exportonly,import") # Accept registering a concrete service (org.osgi.framework.ServicePermission "de.telekom.connectedhome.services.clock.TimeService" "register") … © Grammling und Müller GbR – neat-IT 20
  21. 21. Globale Permissions in the System ► Sandboxes can be defined for the OSGi platform for all or a set of Bundles using: ► Bundle signatures ► Bundle location ► Global permissions must be set by using the Conditional Permission Admin service ► The OSGi specification defines also a textual format and a parser for it: … ALLOW { [org.osgi.service.condpermadmin.BundleLocation "file:foo.jar"] (org.osgi.framework.PackagPermission "*" "import") } "allow-all-packages" ALLOW { [org.osgi.service.condpermadmin.BundleSignerCondition "CN=cn, OU=ou, O=o, ST=st, C=c"] (java.security.AllPermission "*" "*") } "allow-all-signed-bundles" … © Grammling und Müller GbR – neat-IT 21
  22. 22. Bundle Protection Domains © Grammling und Müller GbR – neat-IT 22
  23. 23. Permissions in OSGi ► PackagePermission ► Restrict the import- and export of Java packages ► BundlePermission ► Restrict access to Bundles (e.g. Require-Bundle) ► AdminPermission ► Restrict management access (e.g. lifecycle) ► ServicePermission ► Restrict registering and using services © Grammling und Müller GbR – neat-IT 23
  24. 24. Luise-Riegger-Str. 21 ● 76137 Karlsruhe Grammling und Müller GbR www.neat-it.de

×