Skip to main content

Software  >  WebSphere  >  

Security considerations for the Java Attach API function

 Flash (Alert)
 
Abstract
The Java™ Attach API function must be configured to ensure that only privileged applications can use the capability. Check that the function is configured correctly on your system. On z/OS® you must use UNIX® user and group permissions to protect your applications.
 
Content
The Java Attach API allows your application to connect to another virtual machine. Your application can then load an agent application into that virtual machine to perform tasks. This capability can be used to enable a command line option or feature on a running server without disruption to the service. For example, the API could be used to attach a monitoring tool to help diagnose problems with your application.
The Java Attach API was introduced in Java 5.0 SR 10, and in Java 6 SR 6. The following table shows the default state for Java Attach API support.

Default state for Java Attach API support, according to Java version and platform
IBM Java versionAll platforms, except z/OSz/OS 31-bit and 64-bit
Java 5 SR 10UnsupportedEnabled by default on z/OS 31-bit
Disabled by default on z/OS 64-bit
Java 5 after SR 10Disabled by defaultDisabled by default
Java 6 SR 6Enabled by defaultDisabled by default
Java 6 after SR 6Enabled by defaultDisabled by default

Security considerations
On AIX®, Linux® and z/OS, security for the Java Attach API is handled by UNIX-style user and group file permissions. This applies to the z/OS platform as well; on z/OS you must use UNIX user and group permissions to protect your applications. It is not sufficient to rely on RACF or system level security to protect your applications, because these mechanisms do not have the necessary UNIX user and group permissions set up and configured for the Java Attach API to remain secure.

The Java Attach API creates files and directories in a common directory. On AIX, Linux and z/OS, the common directory, subdirectories and files in it, have UNIX file permissions. It is recommended that you change the ownership of the common directory to ROOT or another privileged user ID, to prevent 'spoofing' attacks.

The key security features of the Java Attach API are:
  • For Java 5 SR 10, a process using the Java Attach API must belong to the same UNIX group as the target process. This ensures that only users in the same UNIX group can attach to another user's target process.
  • For Java 6, and for Java 5 after SR 10, a process using the Java Attach API must be owned by the same UNIX userid as the target process. This ensures that only the target process owner can attach other applications to the target process.
  • For Java 6 after SR 6, and Java 5 after SR 10, access to the files or directories owned by a process is controlled by user permissions only; group access is disabled.
  • The common directory uses the sticky bit to prevent a user from deleting or replacing another user's subdirectory. To preserve the security of this mechanism, the ownership of the common directory should be set to ROOT.
  • The subdirectory for a process is accessible only by members of the same UNIX group as the owner of a process. For Java 6 after SR 6, and Java 5 after SR 10, access is restricted to the owner only.
  • Information about the target process can be written only by the owner and read only by the owner or a member of the owner's group. For Java 6 after SR 6, and Java 5 after SR 10, access is restricted to the owner only.

On Windows®, security of the common directory and its subdirectories and files is handled by Windows security mechanisms. This means that only the process owner can connect to their processes.

You must secure access to the Java Attach API function to ensure that only authorized users or processes can connect to another virtual machine. If you do not intend to use the capability, disable it using the Java system property:
-Dcom.ibm.tools.attach.enable=no.

The Java Attach API common directory
The Java Attach API common directory is called .com_ibm_tools_attach. On UNIX, the common directory is created in /tmp. On Windows, the common directory is created in the default system temporary directory, for example:
C:\Temp
or
C:\Documents and Settings\<user>\Local Settings\Temp\
Each Java process that uses the Java Attach API creates a subdirectory in .com_ibm_tools_attach, which is typically named using the process ID. When the application terminates, the subdirectory and contents are removed.

You can change the default location of the common directory using the following Java system property
-Dcom.ibm.tools.attach.directory=</directory_name>
where directory_name is the directory you want to use.

For example, on UNIX platforms, the Java system property
-Dcom.ibm.tools.attach.directory=/usr/sampledir
creates the common directory in the location
/usr/sampledir/.com_ibm_tools_attach

On Windows, the Java system property
-Dcom.ibm.tools.attach.directory=C:/example
creates the common directory in the location
C:\example\.com_ibm_tools_attach

If your Java application ends abnormally, for example, following a crash or a SIGKILL signal, the process subdirectory is not deleted. The Java VM detects and removes obsolete subdirectories where possible. The subdirectory can also be deleted by the owning userid using the rmdir command on UNIX, or Windows Explorer on Windows.
 
 
 

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Rate this page
Please take a moment to complete this form to help us better serve you.
This material provides me with the information I need.




This material is clear and easy to understand.




Did the information help you to achieve your goal?
What updates, improvements, or related information would you like to see in this document?
Your response will be used to improve our document content. Requests for assistance, if applicable, should be submitted through your normal support channel as we cannot respond from this site.
Input the verification number to submit feedback:
Document information
 Product categories:
 Software
 Application Servers
 Distributed Application Support
 Runtimes for Java Technology
 Java SDK
 Operating system(s):
  AIX, HP-UX, Linux, Solaris, Windows, z/OS
 Software version:
  5.0, 6.0, 6.1
 Software edition:
  J2EE
 Reference #:
  1407964
 IBM Group:
 Software Group
 Modified date:
 2009-11-10

Translate My Page
 
 

Rate this page

Help us improve this page. Your response will be used to improve our document content. Requests for assistance, if applicable, should be submitted through your normal support channel as we cannot respond from this site.