(OO) Support Tip: Increasing the security of the OO installation
In OO version 10.50 or newer, it is possible to prevent flows from accessing the file system, the network or a resource.
In order to enable additional security in RAS the following option needs to be added to ras-wrapper.conf:
Additionally, the rules need to be configured in <OO_DIR>/java/lib/security/java.policy.
The best way is to start with the config highlighted in the Security and Hardening guide, Section "Preventing Flows from Accessing the Central/RAS Local File System" and add any rules that are needed based on the error messages from the RAS logs in order to enable all the operations/flows to work.
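One way to turn denials from the logs into candidate java.policy entries, as an added example that is not part of the original post or of OO. It assumes the RAS log records the JVM's standard `access denied ("class" "target" "actions")` text; the sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumption: the RAS log contains the JVM's
# standard AccessControlException text; the real log layout may differ).
SAMPLE_LOG = r'''
10:00:01 ERROR java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\temp\out.txt" "write")
10:00:02 ERROR java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\temp\out.txt" "read")
10:00:03 ERROR java.security.AccessControlException: access denied ("java.net.SocketPermission" "10.0.0.5:443" "connect,resolve")
10:00:04 ERROR java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.PATH")
10:00:05 INFO flow finished
'''

# Permission class, target name, and optional action list.
DENIED = re.compile(r'access denied \("([\w.$]+)" "([^"]*)"(?: "([^"]*)")?\)')

def collect_denials(log_text):
    """Map (permission class, target) -> set of denied actions."""
    denials = defaultdict(set)
    for cls, target, actions in DENIED.findall(log_text):
        denials[(cls, target)].update(a.strip() for a in actions.split(",") if a.strip())
    return denials

def needs_review(cls, target):
    """Flag targets that grant far more than the single denied operation."""
    return (cls == "java.security.AllPermission"
            or target in ("<<ALL FILES>>", "*")
            or target.endswith(("-", "*")))

def candidate_rules(log_text):
    """Return de-duplicated java.policy permission lines for human review."""
    rules = []
    for (cls, target), actions in sorted(collect_denials(log_text).items()):
        escaped = target.replace("\\", "\\\\")  # policy files treat \ as an escape
        line = 'permission {} "{}"'.format(cls, escaped)
        if actions:
            line += ', "{}"'.format(",".join(sorted(actions)))
        line += ";"
        if needs_review(cls, target):
            line += "  // REVIEW: broad target"
        rules.append(line)
    return rules

if __name__ == "__main__":
    print("grant {")
    for rule in candidate_rules(SAMPLE_LOG):
        print("    " + rule)
    print("};")
```

The output is a list of candidates to check against what each flow is supposed to do, not a block to paste into java.policy unreviewed.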
I'm surprised you posted this with so little real information for HP customers given our recent experience with this feature.
I would like to see HP post more useful info when giving tips on documented features. E.g., as you are aware of the new defects raised against the Security and Hardening document, why not in this post also inform customers and provide links to existing defects against this specific section of the document? Why make customers waste time trying the current example only to find it doesn't work, and have to raise a case themselves, or troll the knowledge base?
Also inform customers, OO has not been actually developed with this model in mind. HP does not currently know or understand the full implications across all the supplied Content Packs on enabling this setting. Customers WILL need to log cases and get support involved if they enable this setting. And that currently, the Reverse RAS feature does not work with this setting enabled, due to a bug in a third party library used by OO.
Personally, I think the entire section should be pulled from the Security guide, until HP has actually deployed and run OO in all its possible deployment configurations, and attempted to use the HP supplied content packs with this feature enabled, rather than use customers as its testing platform.
The purpose of the support tips is to provide a couple of sentences about the issue, but I agree with you that more information about this should be provided.
As a result I will include here the link to a new KM created related to this issue: https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02523386
Also the link to the open documentation bug:
Thank you for the feedback