Security Server UI Does Not Open in a Hardened Environment

Problem

In hardened, high-security environments, accessing the Security Server UI generates the error message shown below.

The xroad-jetty process writes temporary files to the /tmp directory. If /tmp is mounted with the 'noexec' flag, Jetty is not able to write its temporary files there, and accessing the Security Server UI therefore returns an error message.

Solution

In hardened, high-security environments it is typically required to mount the /tmp directory with the 'noexec' flag, so the problem cannot be solved by removing that flag. Instead, an alternative tmp directory with the required permissions is created for Jetty.

  1. Create a new tmp folder in the xroad user's home directory (/home/xroad) and give the xroad user read, write and execute permissions to it:

    cd /home/xroad/
    mkdir tmp
    chown xroad:xroad tmp
    chmod 700 tmp
  2. Go to the /etc/xroad/services directory and add the Jetty configuration parameters below to the local.conf file, including the property (-Djava.io.tmpdir) that points Jetty to the new directory for temporary files:

    JETTY_PARAMS=" $JETTY_PARAMS -Djava.io.tmpdir=/home/xroad/tmp/ " 
  3. Restart the Jetty process:

    # Ubuntu
    service xroad-jetty restart 
     
    # RHEL
    systemctl restart xroad-jetty 
  4. After Jetty has been restarted, the Security Server UI should be accessible again.
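The four steps above, collected into one script as an added example; this is not part of the X-Road project and not from the original article. It assumes the same paths the article uses (/home/xroad/tmp and /etc/xroad/services/local.conf) and that the findmnt and stat commands are available. Beyond the article's steps it also checks whether /tmp really is mounted noexec, refuses to proceed if the new directory lands on a noexec filesystem too, and only appends the JETTY_PARAMS line if it is not already present, so the script can be re-run safely.

```shell
#!/bin/sh
# Added example (not X-Road project code): automate the java.io.tmpdir workaround.
# Assumed paths: /home/xroad/tmp for the new directory, /etc/xroad/services/local.conf
# for the Jetty parameters. Requires findmnt (util-linux) and stat.

set -eu

# Print the mount options of the filesystem that holds $1 (empty if findmnt is absent).
mount_opts() {
    findmnt -n -o OPTIONS --target "$1" 2>/dev/null || true
}

# Succeed (exit 0) when the filesystem holding $1 is mounted with the noexec flag.
is_noexec() {
    case ",$(mount_opts "$1")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Step 1: create the private temp directory. $1 = directory, $2 = owner as user:group.
make_tmpdir() {
    mkdir -p "$1"
    chown "$2" "$1"
    chmod 700 "$1"
}

# Print the permission bits of $1 in octal (GNU stat first, BSD stat as fallback).
perm_bits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Step 2: append the JETTY_PARAMS line to local.conf, but only once.
# $1 = local.conf path, $2 = temp directory (no trailing slash).
configure_jetty_tmpdir() {
    line="JETTY_PARAMS=\" \$JETTY_PARAMS -Djava.io.tmpdir=$2/ \""
    if [ -f "$1" ] && grep -qF "Djava.io.tmpdir=$2/" "$1"; then
        return 0   # already configured, nothing to do
    fi
    printf '%s\n' "$line" >> "$1"
}

# Step 3: restart Jetty with whichever service manager the host has.
restart_jetty() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart xroad-jetty   # RHEL
    else
        service xroad-jetty restart     # Ubuntu
    fi
}

# Run the whole procedure (as root) with:  sh harden-jetty-tmp.sh apply
if [ "${1:-}" = "apply" ]; then
    NEW_TMP=/home/xroad/tmp
    CONF=/etc/xroad/services/local.conf
    if ! is_noexec /tmp; then
        echo "note: /tmp is not mounted noexec; the workaround is not needed" >&2
    fi
    make_tmpdir "$NEW_TMP" xroad:xroad
    if is_noexec "$NEW_TMP"; then
        echo "error: $NEW_TMP is also on a noexec filesystem; pick another location" >&2
        exit 1
    fi
    configure_jetty_tmpdir "$CONF" "$NEW_TMP"
    restart_jetty
fi
```

Without the `apply` argument the script only defines its functions, so individual steps can be sourced and exercised against a scratch directory before touching the real host. Pointing java.io.tmpdir at a directory that is itself on a noexec mount would reproduce the original failure, which is why the script checks the new location the same way it checks /tmp.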