N4.3 security: module-permissions.xml


#1

Is there a plan to make the CSV driver compliant with the new security restrictions introduced in N4.3?

Specifically, the driver needs to include the module-permissions.xml file with the additional permissions required for logging and URL connections.

As it stands right now, the URL importer does not work and fails with the following stacktrace:

SEVERE [11:43:27 13-Oct-17 PDT][sys.engine] Action failed: poll()
java.security.AccessControlException: access denied (“java.util.logging.LoggingPermission” “control”)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.util.logging.LogManager.checkPermission(LogManager.java:1586)
at java.util.logging.Logger.checkPermission(Logger.java:422)
at java.util.logging.Logger.setLevel(Logger.java:1689)
at javax.baja.log.Log.(Log.java:229)
at javax.baja.log.Log.getLog(Log.java:168)
at javax.baja.driver.BDeviceNetwork.getLog(BDeviceNetwork.java:799)
at com.csi3.csv.BCsvDevice.getLog(BCsvDevice.java:170)
at com.csi3.csv.BAbstractImportDevice.doPoll(BAbstractImportDevice.java:777)
at auto.com_csi3_csv_BCsvUrlImport.invoke(AutoGenerated)
at com.tridium.sys.schema.ComponentSlotMap.invoke(ComponentSlotMap.java:1871)
at com.tridium.sys.engine.EngineUtil.doInvoke(EngineUtil.java:62)
at javax.baja.sys.BComponent.doInvoke(BComponent.java:1257)
at javax.baja.util.Invocation.run(Invocation.java:47)
at javax.baja.util.ThreadPoolWorker$WorkerThread.run(ThreadPoolWorker.java:277)


#2

Version 4.2.36.34.3 addresses these issues. This version also adds support for ftps which was not allowed in previous versions due to heightened security in N4.

You can download this version here:
http://www.kodaro.com/products/driver-software.html


#3

Jonathan,

I just tested the URL import feature, with the latest CSV driver, from a JACE 8000 running N4.3.58.18, and I’m still getting a permission error:

SEVERE [12:38:39 25-Jan-18 PST][sys.engine] Action failed: poll()
java.security.AccessControlException: access denied (“java.util.logging.LoggingPermission” “control”)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.util.logging.LogManager.checkPermission(LogManager.java:1586)
at java.util.logging.Logger.checkPermission(Logger.java:422)
at java.util.logging.Logger.setLevel(Logger.java:1688)
at javax.baja.log.Log.(Log.java:229)
at javax.baja.log.Log.getLog(Log.java:168)
at javax.baja.driver.BDevice.getLog(BDevice.java:642)
at com.csi3.csv.BAbstractImportDevice.doPoll(BAbstractImportDevice.java:777)
at auto.com_csi3_csv_BCsvUrlImport.invoke(AutoGenerated)
at com.tridium.sys.schema.ComponentSlotMap.invoke(ComponentSlotMap.java:1871)
at com.tridium.sys.engine.EngineUtil.doInvoke(EngineUtil.java:62)
at javax.baja.sys.BComponent.doInvoke(BComponent.java:1257)
at javax.baja.util.Invocation.run(Invocation.java:47)
at javax.baja.util.ThreadPoolWorker$WorkerThread.run(ThreadPoolWorker.java:277)

The file import appears to work.


#4

This was due to Niagara 4 changing its logging methodology to be more in line with that of the traditional Java logger scheme and requiring extra permissions to use the legacy logging methods of AX starting in Niagara 4.3. Instead of adding additional permissions to the module, the logging methods were updated to the newly supported logging.

This issue has been fixed in release csi3csv-rt-4.2.36.34.4
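
A triage sketch for the traces posted in this thread, added here as an example; it is not part of any post and not the driver's code. It pulls the denied permission, the JDK call that demanded it, and the innermost non-platform frame out of a pasted trace; `triage`, the prefix lists and the sample text are constructed for illustration, and the split between platform and module packages is an assumption.

```python
import re

# Constructed sample: selected frames of the trace in post #1, keeping the
# curly quotes that forum software substitutes when a trace is pasted.
SAMPLE_TRACE = """\
SEVERE [11:43:27 13-Oct-17 PDT][sys.engine] Action failed: poll()
java.security.AccessControlException: access denied (“java.util.logging.LoggingPermission” “control”)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.util.logging.Logger.setLevel(Logger.java:1689)
at javax.baja.log.Log.getLog(Log.java:168)
at javax.baja.driver.BDeviceNetwork.getLog(BDeviceNetwork.java:799)
at com.csi3.csv.BCsvDevice.getLog(BCsvDevice.java:170)
"""

# Assumption: these prefixes are JDK or Niagara framework code; any other
# package is treated as third-party module code.
PLATFORM_PREFIXES = ("java.", "javax.", "sun.", "com.tridium.", "auto.")
# Frames that belong to the permission check itself, not to its caller.
CHECK_PREFIXES = ("java.security.", "java.lang.SecurityManager.")

Q = '["“”]'  # straight or curly double quote
DENIED = re.compile(
    r"AccessControlException: access denied \(\s*" + Q + r"([\w.$]+)" + Q
    + r"(?:\s+" + Q + r"(.*?)" + Q + r")?(?:\s+" + Q + r"(.*?)" + Q + r")?\s*\)")
FRAME = re.compile(r"^\s*at\s+([\w.$<>/]+)\(")

def triage(trace):
    """Return the denied permission, the call that demanded it and the
    innermost non-platform frame; None if the text holds no denial."""
    lines = trace.splitlines()
    for i, line in enumerate(lines):
        denied = DENIED.search(line)
        if not denied:
            continue
        frames = []
        for following in lines[i + 1:]:
            frame = FRAME.match(following)
            if not frame:
                break  # end of this exception's frames
            frames.append(frame.group(1))
        demanded_by = next((f for f in frames if not f.startswith(CHECK_PREFIXES)
                            and not f.endswith(".checkPermission")), None)
        # Heuristic: the check fails if any code source on the stack lacks the
        # permission, and the innermost module frame is the usual suspect.
        module = next((f for f in frames if not f.startswith(PLATFORM_PREFIXES)), None)
        return {"permission": denied.group(1), "name": denied.group(2),
                "actions": denied.group(3), "demanded_by": demanded_by,
                "module_frame": module}
    return None
```

On the sample, the result names `java.util.logging.Logger.setLevel` as the call that needs `LoggingPermission "control"` and `com.csi3.csv.BCsvDevice.getLog` as the module frame that reached it.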


#5

Where can I download csi3csv-rt-4.2.36.34.4?


#6

I sent you a direct link to download. This version will be made available on the website shortly.


#7

The updated CSV driver that addresses the N4 security patch is now available on the Kodaro website as v4.2.36.34.4 here: http://kodaro.com/products/driver-software.html and here: http://kodaro.com/products/niagara-csv-driver.html


#8

Hi Jonathan,

Even with the updated driver version, I am still running into the same N4.3 security issue and receiving a “cannot access” error. Any other suggestions to solve this?

Thank you,
Will


#9

Can you provide the following:

  1. Driver/module version
  2. Niagara version
  3. Full stack trace of the error
  4. Description of what is being attempted
  5. Screen shots of configuration for number 4.


#10

  1. Driver/module version: Module csi3csv-rt version CSI3 4.2.36.34.4; module csi3csv-wb Version CSI3 4.2.36.34.1
  2. Niagara version: 4.3.58.18
  3. Full stack trace of the error: I cannot upload a txt file here. How can I best provide this?
  4. Description of what is being attempted: write the CSV and then load to URL export
  5. Screen shots of configuration for number 4: see below

Error: access denied (“java.util.logging.LoggingPermission” “control”)

[Screenshot: CSV Capture 2]


#11

You should be able to just copy paste the contents of the stack trace for review.


#12

Not sure what exactly qualifies as the stack trace, is this it?

78> (a java.net.DatagramPacket)
- locked <0x0b32c098> (a java.net.MulticastSocket)
at com.tridium.fox.session.MulticastUtil.lambda$receive$0(MulticastUtil.java:195)
at com.tridium.fox.session.MulticastUtil$$Lambda$245/13675080.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.tridium.fox.session.MulticastUtil.receive(MulticastUtil.java:193)
at com.tridium.fox.session.MulticastServer.run(MulticastServer.java:233)

“Foxs:Server” #62 prio=5 os_prio=10 tid=0x1abfec08 nid=0x38 runnable [0x775ff000]
java.lang.Thread.State: RUNNABLE
at java.net.PlainSocketImpl.socketAccept(Native Method)
at java.net.AbstractPlainSocketImpl.accept(AbstractPlainSocketImpl.java:416)
at java.net.ServerSocket.implAccept(ServerSocket.java:545)
at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:348)
at com.tridium.crypto.core.io.CryptoCoreServerSocketFactory$NSSLServerSocket.accept(CryptoCoreServerSocketFactory.java:255)
at com.tridium.fox.session.FoxServer.run(FoxServer.java:206)
at com.tridium.fox.session.FoxServer.runFoxs(FoxServer.java:104)
at com.tridium.fox.session.FoxServer.access$100(FoxServer.java:25)
at com.tridium.fox.session.FoxServer$MainLoop.run(FoxServer.java:361)
at java.lang.Thread.run(Thread.java:745)

“Tuning:CsvNetwork” #60 prio=5 os_prio=10 tid=0x1abe9300 nid=0x36 waiting on condition [0x7767f000]
java.lang.Thread.State: TIMED_WAITING (sleeping)
at java.lang.Thread.sleep(Native Method)
at javax.baja.driver.point.BTuningPolicyMap$BackgroundThread.run(BTuningPolicyMap.java:238)

“Csv Worker” #59 daemon prio=5 os_prio=10 tid=0x1abea680 nid=0x35 in Object.wait() [0x776bf000]
java.lang.Thread.State: WAITING (on object monitor)
at java.lang.Object.wait(Native Method)
at javax.baja.util.Queue.dequeue(Queue.java:174)
- locked <0x0b32ca70> (a javax.baja.util.CoalesceQueue)
at javax.baja.util.Queue.todo(Queue.java:268)
at javax.baja.util.Worker$Processor.run(Worker.java:137)
at java.lang.Thread.run(Thread.java:745)


#13

That looks like a piece of the thread dump. The stack trace is the full error that may or may not show up in the application director when the error occurs. I have attempted to recreate the scenario locally based on the information provided but am not able to produce the same error. If there is a full error found in the app director, that would help me track this issue down.


#14

Hi Jonathan, it looks like there were some other issues going on on our network side that we weren’t aware of. I thought they had already been taken care of but IT just informed me they were ongoing and just resolved. This also seems to have fixed our CSV driver error. Sorry for the confusion and thank you so much for the help!


#15

Glad to hear it’s resolved.