Securing the server directory

The first step towards securing the Geronimo server environment is to secure access to the server installation directory, which we refer to as <GERONIMO_HOME>. Some of the directories under <GERONIMO_HOME> that contain sensitive information are:

  • var/config: The config.xml file under this directory may contain passwords and similar sensitive values.

  • var/security: This directory contains users.properties and groups.properties files which contain the user credentials used by the default security realm, geronimo-admin.

  • var/security/keystores: This directory contains cryptographic keystore files used by the server.

  • var/derby: This directory contains the databases created when using the embedded Derby database server. This directory may also have a derby.properties file containing user IDs and passwords for accessing the databases.

  • var/repository: The configuration directories created during deployment may have deployment plans, packaged as part of the archives, which contain passwords in clear text. Also, the config.ser files created during deployment may contain passwords in serialized Java objects.

It is recommended to use the security mechanisms provided by the operating system to restrict user access to the <GERONIMO_HOME> directory on the filesystem.
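One way to apply this recommendation on a Unix-like system, shown as an added example that is not part of the original text: the script below audits the directories listed above for group or other access and then removes it. The function names are hypothetical, and it assumes the server runs under a dedicated account that owns <GERONIMO_HOME>, so no other account needs access to these paths.

```shell
#!/bin/sh
# Added example (not from the original text). Function names are hypothetical.
# Assumption: only the owning server account needs access to these paths.

# Sensitive paths from the list above, relative to <GERONIMO_HOME>.
# var/security/keystores is covered by the recursive check of var/security.
SENSITIVE_DIRS="var/config var/security var/derby var/repository"

# Print every file or directory under the sensitive paths that grants any
# permission bit to group or other. Returns 1 if anything was found, else 0.
audit_sensitive_dirs() {
    home=$1
    found=0
    for rel in $SENSITIVE_DIRS; do
        [ -d "$home/$rel" ] || continue
        # Symlinks are skipped: their own mode bits are not enforced.
        loose=$(find "$home/$rel" ! -type l \( -perm -040 -o -perm -020 \
            -o -perm -010 -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
        if [ -n "$loose" ]; then
            printf '%s\n' "$loose"
            found=1
        fi
    done
    return $found
}

# Remove all group and other permissions below each sensitive path.
restrict_sensitive_dirs() {
    home=$1
    for rel in $SENSITIVE_DIRS; do
        [ -d "$home/$rel" ] || continue
        chmod -R go-rwx "$home/$rel"
    done
}

# Stand-alone use: pass the installation directory as the first argument.
if [ "$#" -ge 1 ]; then
    audit_sensitive_dirs "$1" || echo "group/other access found under $1" >&2
fi
```

Run the audit as the account that owns the installation so that find can read every subdirectory, and repeat it after each deployment, since newly created files under var/repository take their permissions from the deploying user's umask.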
