Agents › DevTest Java Agent › Java Agent Security

Java Agent Security

The DevTest Java Agent provides a security mechanism for extensions and remote code invocation.

The agent installs its own security manager. All custom agent code runs under special permissions that the security manager enforces. If the application already uses its own security manager, then the agent security manager wraps the existing security manager and delegates to it for regular application code.

Extensions

Agent extensions for CA Continuous Application Insight and CA Service Virtualization run with the following restrictions:

• File access is limited to the agent directory and the temp directory.
• Process creation is disabled.
• Process exit is disabled.

As a result, the system under test is sandboxed from the rest of the computer.

Some applications can explicitly check for the security manager being null and take a different code path depending on the result. In this situation, the agent security manager can cause insurmountable issues. You can disable the agent security manager by using either of the following approaches:

• Specify –Dsecurity.manager.disabled=true on the command line.
• Ensure that the Disable security manager property is enabled.

You can configure this property from the Agents window of the DevTest Portal. The property appears in the Settings tab.

Note: Disabling the security manager disables authorization checks. However, you can still enable token authentication.

Remote Code Invocation

All agent APIs work through remote code invocation, because the agent is located in a remote system.

Security for remote code invocation is handled with tokens.

You use the token option to define one or two tokens for an agent. The first token represents an admin role. The second token represents a user role. If you specify two tokens, use a colon to separate them.

Examples:

• token=asdf1 specifies an admin token with a value of asdf1.
• token=asdf1:asdf2 specifies an admin token with a value of asdf1, and a user token with a value of asdf2.

The admin or user token can include any character except for commas, equal signs, and space characters. The maximum length of a token is 16 characters.

The token concept can be used with consoles. You can specify it with the command-line syntax -Dlisa.token=xxxx or -Dlisa.token=xxxx:xxxx. For consoles, there is no custom security manager, so both tokens have all permissions. Security is achieved by the fact that not supplying the console token prevents you from doing anything.