These docs are for v5.1.0. The latest docs are for v7.4.0.

Framework Execution Modalities

Since ESF 3.2, the framework supports two execution modalities:

  • development mode - enables some specific features that simplify the development process and provide remote debugging. This is the factory default.

  • production mode - strengthens the security checks; remote debugging and profiling are not allowed.

🚧

Warning!

Eurotech recommends using ESF development mode only in the early stages of software development, and suggests switching to production mode for deployed solutions.

The execution modality may be determined through the ESF Gateway Administration Console. In development mode, the lower part of the console displays a warning message as shown in the screen capture below.


In production mode, no warning messages are displayed.


Switch to Production Mode

This section describes the suggested steps for moving ESF from development to production mode.

🚧

If the steps are not executed in the proper order, the switch to production mode can fail and might require ESF reinstallation.

  1. Shut down ESF
# Note: on Linux distributions based on System V init scripts, the ESF process
# is monitored by Monit, which will restart ESF if it is stopped.

/etc/init.d/monit stop
/etc/init.d/kura stop
  2. Replace the default /opt/eurotech/esf/kura/security.policy with one suitable for production mode (see above). At a minimum, the value of the permit-debug property must be set to false:
<?xml version="1.0" encoding="UTF-8"?>
<esf:security xmlns:esf="http://eurotech.com/esf/2.0" version="1">
  <esf:properties>
    <esf:property>
      <esf:name>permit-debug</esf:name>
      <esf:value>false</esf:value>
    </esf:property>
  </esf:properties>
  <esf:policies>
    <esf:policy>
      <esf:access>ALLOW</esf:access>
      <esf:conditions>
        <esf:condition>
          <esf:name>
            BundleSignerCondition
          </esf:name>
          <esf:value>
            "CN=\"Eclipse.org Foundation\, Inc.\", OU=IT, O=\"Eclipse.org Foundation\, Inc.\", L=Ottawa, ST=Ontario, C=CA; CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US;-"
          </esf:value>
        </esf:condition>
      </esf:conditions>

      <esf:permissions>
        <esf:permission>
          <esf:name>java.security.AllPermission</esf:name>
          <esf:values>
            <esf:value>
              *
            </esf:value>
            <esf:value>
              *
            </esf:value>
          </esf:values>
        </esf:permission>
      </esf:permissions>
      <esf:name>
        All permissions to Eclipse
      </esf:name>
    </esf:policy>

    <esf:policy>
      <esf:access>ALLOW</esf:access>
      <esf:conditions>
        <esf:condition>
          <esf:name>
            BundleSignerCondition
          </esf:name>
          <esf:value>
            "*;CN=EUROTECH S.p.A. Root Software ESF CA,OU=www.eurotech.com,O=EUROTECH S.p.A.,L=Amaro,ST=Udine,C=IT;-"
          </esf:value>
        </esf:condition>
      </esf:conditions>
      <esf:permissions>
        <esf:permission>
          <esf:name>java.security.AllPermission</esf:name>
          <esf:values>
            <esf:value>
              *
            </esf:value>
            <esf:value>
              *
            </esf:value>
          </esf:values>
        </esf:permission>
      </esf:permissions>
      <esf:name>
        All permissions to ESF signed bundles
      </esf:name>
    </esf:policy>
  </esf:policies>
</esf:security>
  3. Restart ESF
# Monit will restart ESF

/etc/init.d/monit start

Upon starting in production mode, ESF automatically fingerprints the new security policy file and the command line of its process.
The method also works straight after ESF installation, in which case step 1 is omitted.
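A pre-flight check that could be run on the replacement policy between steps 2 and 3, since a failed switch may require reinstalling ESF. This is an added example, not Eurotech code: the function names and the constructed sample policies are assumptions, and the signer-condition check goes beyond the page's stated permit-debug minimum.

```python
import xml.etree.ElementTree as ET

NS = {"esf": "http://eurotech.com/esf/2.0"}  # namespace used by the policy shown on this page

def text(elem, path):
    """Return the stripped text of a direct child element, or '' if it is absent."""
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""

def audit_policy(xml_data):
    """Return a list of findings (hypothetical helper); an empty list means the check passed."""
    try:
        root = ET.fromstring(xml_data)  # accepts str, or bytes read from the policy file
    except ET.ParseError as exc:
        return [f"policy is not well-formed XML: {exc}"]
    findings = []
    props = {text(p, "esf:name"): text(p, "esf:value")
             for p in root.findall("esf:properties/esf:property", NS)}
    if props.get("permit-debug", "").lower() != "false":
        findings.append(f"permit-debug is {props.get('permit-debug')!r}, expected 'false'")
    # Extra check (assumption, not a documented ESF rule): AllPermission should be tied to a signer.
    for pol in root.findall("esf:policies/esf:policy", NS):
        perms = [text(p, "esf:name") for p in pol.findall("esf:permissions/esf:permission", NS)]
        conds = [text(c, "esf:name") for c in pol.findall("esf:conditions/esf:condition", NS)]
        if (text(pol, "esf:access") == "ALLOW" and "java.security.AllPermission" in perms
                and "BundleSignerCondition" not in conds):
            findings.append(f"policy {text(pol, 'esf:name')!r} grants AllPermission without a signer condition")
    return findings

def sample(debug, signed):
    """Build a constructed policy document for the demonstration (not a real ESF policy)."""
    cond = ("<esf:conditions><esf:condition><esf:name>BundleSignerCondition</esf:name>"
            '<esf:value>"*;CN=Example CA;-"</esf:value></esf:condition></esf:conditions>')
    return ('<esf:security xmlns:esf="http://eurotech.com/esf/2.0" version="1">'
            "<esf:properties><esf:property><esf:name>permit-debug</esf:name>"
            f"<esf:value>{debug}</esf:value></esf:property></esf:properties>"
            f"<esf:policies><esf:policy><esf:access>ALLOW</esf:access>{cond if signed else ''}"
            "<esf:permissions><esf:permission><esf:name>java.security.AllPermission</esf:name>"
            "</esf:permission></esf:permissions><esf:name>demo</esf:name></esf:policy>"
            "</esf:policies></esf:security>")

if __name__ == "__main__":
    for label, doc in (("production-ready", sample("false", True)),
                       ("development-style", sample("true", False))):
        print(label, "->", audit_policy(doc) or "OK")
```

To check a real file, pass its bytes to `audit_policy`, for example the contents of the security.policy path from step 2.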