Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1134619

Summary: [DOCS] Cannot run Business Central if Java security manager is enabled
Product: [Retired] JBoss BRMS Platform 6
Reporter: Vikram Goyal <vigoyal>
Component: Documentation
Assignee: Vikram Goyal <vigoyal>
Status: CLOSED CURRENTRELEASE
QA Contact: Lukáš Petrovický <lpetrovi>
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: brms-docs, etirelli, kverlaen, mbaluch, psiroky, rrajasek, thauser, tlivora, vigoyal
Target Milestone: CR2
Target Release: One-off release
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1133486
Environment:
Last Closed: 2014-12-17 03:38:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1133486
Bug Blocks:

Comment 1 Vikram Goyal 2014-08-29 00:07:57 UTC
Rajesh - not sure what you mean here by it needing to be documented for the deployable package. 

Do you mean the generic deployable package instructions for Tomcat [1]? Or the standalone package for EAP [2]? 

Further, if I understand this correctly, it just requires the addition of this -Djboss.modules.policy-permissions=true in the standalone.conf file, right?

BTW - does this only affect the BRMS package or both BRMS and BPMS?

[1] https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_BRMS/6.0/html-single/Installation_Guide/index.html#Installing_JBoss_BRMS_on_JBoss_EWS_2

[2] https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_BRMS/6.0/html-single/Installation_Guide/index.html#Installing_the_standalone_package1

Comment 3 Rajesh Rajasekaran 2014-08-29 19:02:47 UTC
(In reply to Vikram Goyal from comment #1)
> Rajesh - not sure what you mean here by it needing to be documented for the
> deployable package. 
> 
> Do you mean the generic deployable package instructions for Tomcat [1]? Or
> the standalone package for EAP [2]? 
> 
> Further, if I understand this correctly, it just requires the addition of
> this -Djboss.modules.policy-permissions=true in the standalone.conf file,
> right?
> 
> BTW - does this only affect the BRMS package or both BRMS and BPMS?
> 
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_BRMS/6.0/html-single/Installation_Guide/index.html#Installing_JBoss_BRMS_on_JBoss_EWS_2
> 
> [2] https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_BRMS/6.0/html-single/Installation_Guide/index.html#Installing_the_standalone_package1

I meant [2]. standalone.conf is part of the /bin folder of the deployable-eap-6.x.zip that we ship.

Comment 4 Vikram Goyal 2014-09-01 03:52:52 UTC
@Petr - thanks for the clarification about it being applicable to both BRMS and BPMS.

I am 50-50 about the need to include this in the release notes. On the one hand, it is important information that should be included, on the other, if we include information about everything that needs to change, the release notes will bloat.

Rajesh, your opinion on this?

Comment 5 Vikram Goyal 2014-09-02 02:40:29 UTC
I need confirmation of this fix from someone because there are a few variables here and I just don't have the bandwidth to test all of them.

Marek: Can you confirm that after the installation, we need to add the following at the end of the standalone configuration file for both BRMS and BPMS:

JAVA_OPTS="$JAVA_OPTS -Djboss.modules.policy-permissions=true -Djava.security.manager \"-Djava.security.policy=$DIRNAME/security.policy\" \"-Dkie.security.policy=$DIRNAME/kie.policy\""

Further - this note is only if being installed on EAP versions 6.1.2 or greater and NOT 6.1.1 - correct?

Comment 6 Vikram Goyal 2014-09-02 05:13:11 UTC
Looking at this comment [1] by Tomas on the original bug, I am not sure if there is anything that needs changing in the docs. 

If standalone-secure.conf needs the addition of the policy permissions, then the user would not need to do anything.

I am moving this bug to modified. Will close it if I get confirmation. 

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133486#c1

Comment 7 Tomas Livora 2014-09-02 08:14:46 UTC
Vikram, the original bug 1133486 requires only a small configuration change. The string which needs to be added to standalone.conf or domain.conf to activate Java security manager in version 6.0.2 looks like this:

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager \"-Djava.security.policy=$DIRNAME/security.policy\" \"-Dkie.security.policy=$DIRNAME/kie.policy\""

Since version 6.0.3 there needs to be added -Djboss.modules.policy-permissions=true because of changes introduced by EAP 6.1.2 so the final string should look like this:

JAVA_OPTS="$JAVA_OPTS -Djboss.modules.policy-permissions=true -Djava.security.manager \"-Djava.security.policy=$DIRNAME/security.policy\" \"-Dkie.security.policy=$DIRNAME/kie.policy\""

When the original bug is fixed, the customers will not notice any change if they start to use directly version 6.0.3. However, this version should have been a roll-up patch so a more common use case will be the update of their existing instance of BPMS/BRMS. In my opinion in this case it is very likely that they will just use their old configuration files and they will get stuck on the exceptions mentioned in the original bug. So I would recommend to add a note about this change to release notes as Petr suggested in comment 2 to avoid confusion and save their time.

And yes, this issue only occurs when using EAP 6.1.2. But this version is an internal release and only a patch for EAP 6.1.1 will be distributed with BPMS/BRMS 6.0.3. So I would suggest not to mention EAP at all or just mention the patch if you want to specify in the documentation why this change needs to be made.

Comment 9 Vikram Goyal 2014-09-02 23:15:38 UTC
Thanks Tomas and Rajesh.

We have a migration section for the 6.0.3 release notes [1] which currently just discusses issues with persistence.xml [2].

Is it sufficient to add the following note to this section to cover this issue:

Title: Activate Java Security Manager

When migrating from 6.0.2 to 6.0.3 version of the product, update your configuration files (standalone.conf or domain.conf) and activate the Java Security Manager by adding -Djboss.modules.policy-permissions=true to these files. The addition of this parameter to the Java environment, by way of editing the JAVA_OPTS variable, ensures that the deployment of the product can take place without any errors.

The JAVA_OPTS variable should look like this after the addition of this permission:

JAVA_OPTS="$JAVA_OPTS -Djboss.modules.policy-permissions=true -Djava.security.manager \"-Djava.security.policy=$DIRNAME/security.policy\" \"-Dkie.security.policy=$DIRNAME/kie.policy\""

[1] http://docbuilder.usersys.redhat.com/22915/#chap-Migration_from_6.0.2

[2] https://bugzilla.redhat.com/show_bug.cgi?id=1134748

Comment 10 Tomas Livora 2014-09-03 07:48:29 UTC
Vikram, note that customers might not have the Java Security Manager enabled. So I would suggest something like this:

Title: Java Security Manager

When migrating from 6.0.2 to 6.0.3 version of the product and applying the EAP patch, you might need to make a small change in your configuration. If you have the Java Security Manager enabled, update your configuration files (standalone.conf or domain.conf) and add -Djboss.modules.policy-permissions=true to JAVA_OPTS...
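
The condition described in comments 7 and 10, as an added example that is not part of the original thread or the product's own tooling: a shell check that reports whether a carried-over standalone.conf or domain.conf enables the Java Security Manager without -Djboss.modules.policy-permissions=true. The function name, the sample file names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread). Classifies an EAP standalone.conf
# or domain.conf for the 6.0.2 -> 6.0.3 migration discussed above.
# Prints one of: not-enabled | ok | missing-flag | unreadable

check_policy_permissions() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    # Ignore commented-out lines so disabled JAVA_OPTS examples do not count.
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)
    case $active in
        *-Djava.security.manager*) ;;
        *) echo "not-enabled"; return 0 ;;   # security manager off: no change needed
    esac
    case $active in
        *-Djboss.modules.policy-permissions=true*) echo "ok"; return 0 ;;
        *) echo "missing-flag"; return 1 ;;  # old 6.0.2-style options carried over
    esac
}

# Constructed sample files (hypothetical names), written into directory $1.
make_samples() {
    dir=$1
    cat > "$dir/old-6.0.2.conf" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -Djava.security.manager \"-Djava.security.policy=$DIRNAME/security.policy\" \"-Dkie.security.policy=$DIRNAME/kie.policy\""
EOF
    cat > "$dir/new-6.0.3.conf" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -Djboss.modules.policy-permissions=true -Djava.security.manager \"-Djava.security.policy=$DIRNAME/security.policy\" \"-Dkie.security.policy=$DIRNAME/kie.policy\""
EOF
    cat > "$dir/no-jsm.conf" <<'EOF'
# JAVA_OPTS="$JAVA_OPTS -Djava.security.manager"
JAVA_OPTS="$JAVA_OPTS -Xmx1g"
EOF
}

# Stand-alone run: classify each constructed sample.
sample_dir=$(mktemp -d)
make_samples "$sample_dir"
for f in "$sample_dir"/*.conf; do
    printf '%s: %s\n' "${f##*/}" "$(check_policy_permissions "$f" || true)"
done
```

The non-zero return for missing-flag lets the check gate an upgrade script before the server is restarted with the old options.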

Comment 11 Vikram Goyal 2014-09-03 11:01:15 UTC
Excellent. Thanks Tomas. Will be updating this and publishing the release notes early tomorrow Brisbane time.

Comment 12 Vikram Goyal 2014-09-09 00:57:54 UTC
This can now be verified here [1] (the same content is available in the BPMS Release Notes). Moving this to ON_QA.

[1] http://documentation-devel.engineering.redhat.com/site/documentation/en-US/Red_Hat_JBoss_BRMS/6.0/html-single/6.0.3_Release_Notes/index.html#chap-Migration_from_6.0.2