OSGi as an App Platform - An Excursion through the Security Layer
1.
www.neat-it.de
OSGi as an App Platform
An Excursion through the Security Layer
Michael Grammling, M.Sc. Dipl.-Inform (FH)
2.
System Boundaries
© Grammling und Müller GbR – neat-IT
3.
Packaging Apps
• Use a simple container format which can store 1..N bundles (e.g. a JAR or ZIP)
• There are open standards available for container formats
• However, they are often much more complex than needed
• Consider using an ApplicationManifest file (e.g. XML-based) for meta-information
• Consider signing the content of the container
4.
Certify Apps
• Usually Apps are certified by a certification department
• If specific permissions which the App acquires are critical, reject the App
• Do runtime checks
• An automatic certification suite can help (can be complex)
• If the App is accepted, deploy it in a clean software repository
5.
Sell and Deploy Apps
• The customer buys an App in the shop
• The App is deployed (e.g. automatically) on the App Platform through a provisioning service (can be part of the App Repository)
6.
Protect Access
• Usually there are direct connections to the App Platform (e.g. by Telnet, SSH, Web-Client or Rich-Client user interfaces)
• Use a proxy service on the App Platform to manage access rights
7.
Requirements
8.
The OSGi-Specification
9.
The Security Layer
10.
OSGi Security-Mechanisms
► OSGi Bundle-Authentication
    ► Bundle-Location
    ► Bundle-Signatures
► Conditional Permission Admin
► Visibility rules on level of Java packages
► User Admin (part of the OSGi Compendium)
11.
OSGi Bundle-Signatures – Overview
► Bundle-Location
    ► Ties a Bundle to its installation location, which is persisted
    ► Could be a location in the local file system or an internet address
    ► Can easily be tampered with, e.g. via "mount points"
► Bundle-Signatures
    ► Authenticates the originator
    ► Shows modifications of the data itself
    ► Requires a PKI (Public Key Infrastructure)
► Bundle-Locations as well as Bundle-Signatures can be used in the definition of permissions
► Bundle-Signatures are an optional feature in OSGi
12.
Java Key Store
► Is a repository for certificates
► Consists of one file (e.g. with the file extension *.jks)
► Can be managed using the tool "keytool" from the JDK

    Schlüssel- und Zertifikatsverwaltungstool

    Befehle:

     -certreq            Generiert eine Zertifikatanforderung
     -changealias        Ändert den Alias eines Eintrags
     -delete             Löscht einen Eintrag
     -exportcert         Exportiert ein Zertifikat
     -genkeypair         Generiert ein Schlüsselpaar
     -genseckey          Generiert einen Secret Key
     -gencert            Generiert ein Zertifikat aus einer Zertifikatanforderung
     -importcert         Importiert ein Zertifikat oder eine Zertifikatkette
     -importkeystore     Importiert einen oder alle Einträge aus einem anderen Keystore
     -keypasswd          Ändert das Schlüsselkennwort eines Eintrags
     -list               Listet die Einträge in einem Keystore auf
     -printcert          Druckt den Content eines Zertifikats
     -printcertreq       Druckt den Content einer Zertifikatanforderung
     -printcrl           Druckt den Content einer CRL-Datei
     -storepasswd        Ändert das Speicherkennwort eines Keystores

    "keytool -command_name -help" für Verwendung von command_name verwenden
13.
Structure of a Certificate
► Check the public key by querying the Public Authority (Trust Center)
► Check the signature: decrypt(public_key, signature) = digest
14.
OSGi Bundle-Signature Files
► Resources within the META-INF directory are not signed
► A Bundle can be signed by more than one originator
15.
Signing Bundles – jarsigner
► Bundles can be signed using the tool "jarsigner" from the JDK

    jarsigner -keystore my-keystore.jks -storepass my-store-password myjar.jar my-alias

    Warning:
    The signer certificate will expire within six months.
    The signer's certificate chain is not validated.
16.
Signing Bundles – Maven
► Bundles can be signed using a Maven-Plugin

    …
    <build>
      …
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-jarsigner-plugin</artifactId>
          <version>1.2</version>
          <executions>
            <execution>
              <id>sign</id>
              <goals>
                <goal>sign</goal>
              </goals>
            </execution>
          </executions>
          <configuration>
            <keystore>C:/my-keystore.jks</keystore>
            <alias>my-alias</alias>
            <storepass>my-store-password</storepass>
            <keypass>my-keypassword</keypass>
          </configuration>
        </plugin>
        …
      </plugins>
    </build>
    …
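A check to run on a bundle after signing, as an added example that is not part of the original slides: it re-reads the JAR with verification enabled and reports the signers, the unsigned META-INF resources (slide 14) and any payload entry that is unsigned or fails its digest. The class name `BundleSignatureReport` is hypothetical; the check covers integrity and signer identity only, not whether the signer chains to a trusted keystore.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: reports which entries of a bundle JAR are covered by a signature. */
public class BundleSignatureReport {

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java BundleSignatureReport <bundle.jar>");
            System.exit(2);
        }
        Set<String> signers = new TreeSet<>();      // subject DNs of all signer certificates
        List<String> metaInf = new ArrayList<>();   // unsigned, but expected (slide 14)
        List<String> findings = new ArrayList<>();  // unsigned or modified payload entries

        // verify=true makes JarFile check each entry's digest against the signature files.
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory()) {
                    continue;
                }
                try {
                    drain(jar, entry); // signers are only known once the entry is fully read
                } catch (SecurityException e) {
                    findings.add(entry.getName() + " (verification failed: " + e.getMessage() + ")");
                    continue;
                }
                CodeSigner[] codeSigners = entry.getCodeSigners();
                if (codeSigners == null) {
                    if (entry.getName().regionMatches(true, 0, "META-INF/", 0, 9)) {
                        metaInf.add(entry.getName());
                    } else {
                        findings.add(entry.getName() + " (not signed)");
                    }
                    continue;
                }
                for (CodeSigner signer : codeSigners) { // one element per originator
                    X509Certificate leaf = (X509Certificate)
                            signer.getSignerCertPath().getCertificates().get(0);
                    signers.add(leaf.getSubjectX500Principal().getName());
                }
            }
        }

        System.out.println("Signers:                  " + signers);
        System.out.println("Unsigned META-INF files:  " + metaInf);
        System.out.println("Findings:                 " + findings);
        // Fail if nothing is signed at all or if any payload entry is not covered.
        System.exit(!signers.isEmpty() && findings.isEmpty() ? 0 : 1);
    }

    /** Reads the entry to the end; a modified entry raises SecurityException here. */
    private static void drain(JarFile jar, JarEntry entry) throws IOException {
        byte[] buffer = new byte[8192];
        try (InputStream in = jar.getInputStream(entry)) {
            while (in.read(buffer) != -1) {
                // content is discarded, only the digest check matters
            }
        }
    }
}
```

The subject DNs it prints are the values a BundleSignerCondition in the global permission table is matched against.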
17.
Activate the Security-Layer
► System Variables of the JVM

| Property-Key | Value | Description |
|---|---|---|
| java.security.policy | <File> | Policy file, which the OSGi Service Platform should use itself. |
| org.osgi.framework.security | osgi | Activates the Security-Layer of OSGi. A specific OSGi Security-Manager is used now. Using this parameter also enables the (Conditional) Permission Admin. |
| org.osgi.framework.trust.repositories | <Files> | List of Java-Keystores. |
18.
The Policy File for OSGi
► The file "all.policy"
► Usually the OSGi-Framework requires full access
► -Djava.security.policy=all.policy
► Take care to restrict the rights of the JVM itself

    grant {
        permission java.security.AllPermission;
    };
19.
Conditional Permission Admin
► Offers authorization during runtime
► Review – Bundle-Signatures: Checks only integrity
► Defining permissions during runtime
► Simplification compared to Java 2 Security
    • ALLOW, DENY and reverse rules can be defined
► OSGi-specific extensions compared to Java 2 Security
    • E.g. setting the permission to register a service
20.
Local Permissions of a Bundle
► The developer defines specific permissions for the Bundle
► E.g. access to the file system or using a service
► Local permissions are defined in the ASCII file "permissions.perm" in the directory "OSGI-INF" of the Bundle
► The OSGi Platform ensures that the Bundle gets only the permissions the developer has specified in the "permissions.perm" file

    …
    # Accept exporting and re-importing package of service interface
    (org.osgi.framework.PackagePermission "de.telekom.connectedhome.services.clock.*" "exportonly,import")
    # Accept registering a concrete service
    (org.osgi.framework.ServicePermission "de.telekom.connectedhome.services.clock.TimeService" "register")
    …
21.
Global Permissions in the System
► Sandboxes can be defined for the OSGi platform for all or a set of Bundles using:
    ► Bundle signatures
    ► Bundle location
► Global permissions must be set by using the Conditional Permission Admin service
► The OSGi specification also defines a textual format and a parser for it:

    …
    ALLOW {
      [org.osgi.service.condpermadmin.BundleLocationCondition "file:foo.jar"]
      (org.osgi.framework.PackagePermission "*" "import")
    } "allow-all-packages"

    ALLOW {
      [org.osgi.service.condpermadmin.BundleSignerCondition "CN=cn, OU=ou, O=o, ST=st, C=c"]
      (java.security.AllPermission "*" "*")
    } "allow-all-signed-bundles"
    …
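How rows in this textual format reach the Conditional Permission Admin service, as an added example that is not part of the original slides: a bundle activator parses each row and commits the table atomically. The class name `PolicyInstaller` is hypothetical, and the example assumes the OSGi Core API (4.3 or later) on the classpath and a framework started with org.osgi.framework.security=osgi.

```java
import java.util.List;

import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.condpermadmin.ConditionalPermissionAdmin;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.osgi.service.condpermadmin.ConditionalPermissionUpdate;

/** Added example: installs the global permission table from its textual form. */
public class PolicyInstaller implements BundleActivator {

    // The two rows from the slide; location and signer DN are the slide's sample values.
    // Rows are evaluated top to bottom. Once the table is non-empty, a bundle that
    // matches no ALLOW row gets nothing, so the bundle running this code must itself
    // match a row (here: be signed by the DN of the second row).
    private static final String[] POLICY = {
        "ALLOW { "
            + "[org.osgi.service.condpermadmin.BundleLocationCondition \"file:foo.jar\"] "
            + "(org.osgi.framework.PackagePermission \"*\" \"import\") "
            + "} \"allow-all-packages\"",
        "ALLOW { "
            + "[org.osgi.service.condpermadmin.BundleSignerCondition "
            + "\"CN=cn, OU=ou, O=o, ST=st, C=c\"] "
            + "(java.security.AllPermission \"*\" \"*\") "
            + "} \"allow-all-signed-bundles\""
    };

    @Override
    public void start(BundleContext context) {
        ServiceReference<ConditionalPermissionAdmin> ref =
                context.getServiceReference(ConditionalPermissionAdmin.class);
        if (ref == null) {
            // The service is only registered when the Security-Layer is active.
            throw new IllegalStateException("Conditional Permission Admin not available");
        }
        ConditionalPermissionAdmin admin = context.getService(ref);
        try {
            // An update is a private copy of the table; nothing changes until commit().
            ConditionalPermissionUpdate update = admin.newConditionalPermissionUpdate();
            List<ConditionalPermissionInfo> table = update.getConditionalPermissionInfos();
            table.clear();
            for (String row : POLICY) {
                // Parses one row of the textual format; throws IllegalArgumentException
                // if the row is malformed, before anything has been applied.
                table.add(admin.newConditionalPermissionInfo(row));
            }
            // commit() returns false if someone else changed the table in the meantime.
            if (!update.commit()) {
                throw new IllegalStateException("permission table was modified concurrently");
            }
        } finally {
            context.ungetService(ref);
        }
    }

    @Override
    public void stop(BundleContext context) {
        // The table is persisted by the framework; nothing to undo on stop.
    }
}
```

Because a Bundle-Location can be tampered with, as slide 11 notes, rows that grant broad permissions are better keyed on the BundleSignerCondition than on the location.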
22.
Bundle Protection Domains
23.
Permissions in OSGi
► PackagePermission
    ► Restrict the import and export of Java packages
► BundlePermission
    ► Restrict access to Bundles (e.g. Require-Bundle)
► AdminPermission
    ► Restrict management access (e.g. lifecycle)
► ServicePermission
    ► Restrict registering and using services
24.
Grammling und Müller GbR
Luise-Riegger-Str. 21 ● 76137 Karlsruhe
www.neat-it.de