Apache Derby Database JVM Security Policy

Abstract

I have already posted a number of blogs about Derby:

• Derby Database Backup
• Multiple Derby Network Servers on the same Host
• Apache Derby Database Users and Permissions
• Integration Testing with Maven and an In-Memory Derby Database

This wasn’t intended to be a series. But over the years I’ve been using Derby more and more. I started using Derby as my database of choice for my Microservice architecture. These are personal-use applications, so Derby is more than sufficient. Even though these are personal-use applications, I require multiple servers with limited user permissions, and of course database backup and restoration. The final requirement is security. I run my Derby databases on an Ubuntu Linux VM with the derby usr account. Although the derby usr account has limited permissions on the VM, any extra layer of security is good. So the purpose of this blog is to demonstrate how to run Derby with a Java security policy to limit the JVM’s permissions and enhance runtime security.

Disclaimer

This post is solely informative. Critically think before using any information presented. Learn from it but ultimately make your own decisions at your own risk.

Requirements

I did all of the work for this post using the following major technologies. You may be able to do the same thing with different technologies or versions, but no guarantees.

• Apache Derby 10.14.2.0
• Java zulu11.39.15-ca-jdk11.0.7-linux_x64

I am not going to go through the process of downloading and installing these technologies. I’ll leave that as an exercise for you.

NOTE Starting with version 10.15, the Derby project has been updated to use the Java 9 module system. As a result, the JAR files have changed quite a bit. It’s unlikely the security.policy below will work with version 10.15+. As of this blog’s publication date, I’ve yet to try it.

Linux bash scripts

In order to manage Derby to run with a Java security policy, you need 3 scripts. The 1st script will setup the setup environment variables to configure Derby. The 2nd script will start the Derby network server, passing the correct command line parameters. The 3rd will stop the Derby network server.

Listing 1.1 shows you the first of these scripts. It exports a number of system environment variables with configuration values specific to run Derby in your environment.

Listing 1.1 – setenv.sh

DERBY_HOME is self explanatory. It’s where Derby is unzipped (installed). Add Derby’s bin directory to the PATH.

JAVA_HOME is self explanatory. It’s where Java is unzipped (installed). Add Java’s bin directory to the PATH.

NS_HOME is “Network Server Home”. This is the directory the Derby network server will use to store its configuration and databases. Whenever a new database is created on this Derby network server, a new sub-directory will be created under NS_HOME for the new database. This allows multiple Derby network servers running on the same host to keep their data separate.

NS_PORT is “Network Server Port”. It’s the port the Derby network server uses to listen for connections. This allows multiple Derby network servers to run on the same host.

NS_HOST is “Network Server Host”. It sets the network interface used by the Derby network server when listening for connections. By default, the Derby network server only listens for connections on the loopback address of 127.0.0.1. This default means clients must run on the same host as the network server – not very useful. By setting the host to 0.0.0.0, the Derby network server will listen for connections on any network interface on the host. If your VM has multiple network interfaces, NS_HOST should be set to the IP of one of those interfaces. Setting this value allows clients to be remote.

DERBY_OPTS is the system property used to get all of the configuration options to Derby. Its value is created by concatenating together the appropriate Derby system properties with their associated values. The first 3 properties are needed to start Derby with or without a security policy.

1. derby.drda.host
2. derby.drda.portNumber
3. derby.system.home

The final 5 properties are needed for configuring Derby to run with a security policy.

1. derby.stream.error.logSeverityLevel
2. derby.security.port
3. derby.install.url
4. java.security.manager
5. java.security.policy

One of the most important properties is java.security.policy=$NS_HOME/security.policy". The value of this property points to a security.policy file which will configure the Java SecurityManager. You will read about creating the security.policy file in just a little bit. Next, you will look at the script for starting the server.

Listing 1.2 shows you the second of these scripts. It starts the Derby networks server, passing the correct command line parameters so Derby runs with a security policy.

Listing 1.2 – start.sh

SD is Script Directory. The evaluation determines the fully-qualified file system location of the start.sh script and assigns it to SD. This is useful when referencing other scripts.

source is self explanatory. It sources in the system environment variables to configure the Derby network server. See listing 1.1 for details.

Symlink configuration is for the security.policy file and the derby.properties file. The purpose of the symlinks is to get these 2 files into the $NS_HOME directory. Derby looks for the derby.properties file in the $NS_HOME directory, so it needs to be there. For consistency (not a necessity), you want to put the security.policy file there as well. In listing 1.1 the java.security.policy=$NS_HOME/security.policy" property configures this location. For my environment, I have separated the $NS_HOME directory from the directory where I keep the management scripts and other Derby configuration files. The reason I do this is because of disaster recovery. I consider the $NS_HOME directory to be volitile, meaning if for some reason it goes missing (deleted, disk drive error, corrupted, new VM built, etc) I must be able to restore the database data, management scripts (setenv.sh, start.sh, stop.sh) and configuration files (security.policy, derby.properties) from my cloud backups. The real configuration files are kept outside of the $NS_HOME directory and start.sh symlinks them in the proper location.

startNetworkServer is a script provided by Derby ($DERBY_HOME/bin) to start the network server. The DERBY_OPTS variable – set in setenv.sh – is used to configure the network server. By default, Derby runs with a limited security policy. However, since you configured the security policy, Derby will use your configuration instead of the default.

You now have the Derby server environment configuration and start script. What you don’t have yet is the ability to stop the Derby network server. Stopping the server is easy. You will look at the script for stopping the server next.

NOTE The security.policy file is also needed still. You will read about it in just a few moments, I promise!

Listing 1.3 shows you the third of these scripts. It stops the Derby networks server. Not too exciting, but it’s important to have a managed shutdown of the server to prevent data corruption.

Listing 1.3 – stop.sh

All of this is self explanatory. No further comments are needed for this script.

The security.policy file

Derby comes with a demo security policy file. It is located in DERBY_HOME/demo/templates/security.policy. Using this file as the starting point, I was able to produce a final version that met my requirements for:

• Network (remote) access
• Localhost access
• Startup
• Shutdown
• Backup

Listing 2.1 – security.policy

Policy files are a lot to take in. After 20 years using Java, I’ve only come across them just a handful of times. I don’t pretend to know everything that goes into a policy file. All I know is this file is working for all my requirements. Each Derby update requires testing and maybe some tweeking. The derby-users@db.apache.org mailing list is your best source of information.

A big shout out to Rick Hillegas from the derby-users@db.apache.org mailing list for helping me get to this version of the policy file. He provided most of it and I added the following to meet my requirements.

Line 50 permission java.io.FilePermission "/tmp${/}-", "read,write,delete";. My database backup process uses CALL SYSCS_UTIL.SYSCS_BACKUP_DATABASE (‘/tmp/resiste-backup/1527’). So the derby.jar file needs read,write,delete permissions to the /tmp directory on the file system so it can write the backup into that directory.

Line 92 permission java.sql.SQLPermission "deregisterDriver";. When administering my Derby database with the the ij tool, found an exception in the derby.log file about deregisterDriver. So I added this permission to the derby.jar file as well.

Line 160 permission java.net.SocketPermission "${derby.drda.host}:${derby.security.port}", "connect,resolve";. Properties derby.drda.host and derby.security.port are set in the setenv.sh script (listing 1.1). I had to add this permission because my Derby network server is accessed by remote (non-localhost) clients. In setenv.sh, I use -Dderby.drda.host=0.0.0.0 to override the default localhost-only interface listening. I also found I needed this in the policy file while testing the stop.sh script (listing 1.3).

Summary

That’s it. I hope you enjoyed learning how to run a Derby network server with a security policy.

Do you want to know how to develop your skillset to become a Java Rockstar?

Subscribe to our newsletter to start Rocking right now!

To get you started we give you our best selling eBooks for FREE!

1. JPA Mini Book

2. JVM Troubleshooting Guide

3. JUnit Tutorial for Unit Testing

4. Java Annotations Tutorial

5. Java Interview Questions

6. Spring Interview Questions

7. Android UI Design

and many more ....

I agree to the Terms and Privacy Policy

Sign up

Thank you!

We will contact you soon.