Security considerations

Review the following information so that you are aware of the security issues and solutions that are available in the product. Some product features affect the security of the runtime environment itself, others affect the security of applications that you run in the environment:

Attach API
You can use the Java™ Attach API to connect an application to a different virtual machine. Security is handled by Windows security mechanisms on Windows, and by POSIX file permissions on other operating systems. Check and secure access to ensure that only authorized users or processes can connect to another virtual machine, or disable the Java Attach API capability by specifying a system property. For more information, see Java Attach API in the OpenJ9 user documentation.
Dump files
Be careful when handling dump files, because they can contain all the information from your application, some of which might be sensitive. For example, dump files can contain personal information or bank account details. For more information about dump files, see Diagnostic component in the J9 VM reference.
JConsole
JConsole is a graphical tool which you can use to monitor and manage the behavior of Java applications. You can specify options to disable password authentication and encryption, allowing any JMX agent to connect to your Java application. Use these non-secure options only in a development or testing environment. For more information, see Using JConsole in the J9 VM reference.
Securing XML processing
If your application takes untrusted XML, XSD or XSL files as input, you can enforce specific limits during Java API for XML (JAXP) processing to protect your application from malformed data. For more information, see Securing Java API for XML processing (JAXP) against malformed input.
Shared classes
You can share class data between virtual machines by storing it in a cache, which can reduce virtual storage consumption and startup time for virtual machines. Access to the shared class cache is limited by operating system permissions and Java security permissions. You can also restrict access to the cache by specifying the cache location, the permissions for that location, and by including user names in cache names. For more information, see Creating a shared classes cache in the OpenJ9 user documentation.

If you are using the SecurityManager class, there are situations where you must grant permission. For more information, see Support for custom class loaders in the OpenJ9 user documentation.

Java security
By default, Java security is not enabled, which allows applets or untrusted code to run without restrictions. For example, read or write to a file, read process memory, or start new processes. To secure Java the SecurityManager needs to be enabled, which can be achieved by specifying the -Djava.security.manager system property on the command line when you start your application.
Security settings for the Java Plug-in and Web Start, in the Java Control Panel
You use the Java Control Panel to control how Java applications that are embedded in a browser, or launched from a browser, run on your computer. Some of the settings in the Java Control Panel affect security, for example you can prevent all Java applications from running in, or from, a browser. For more information, see Java Control Panel, but note that there are some differences in the IBM® implementation of the control panel. For example, there is no Update tab.
Security components
The SDK provides security components that contain APIs and tools for securing your Java applications. These components cover areas such as cryptography, keys and certification, access control, secure communication, and authentication. For more information, see Security components and tools.
Upgrading
An SDK upgrade can overwrite configuration files and security policy files. Back up these files in case you need to restore them after the upgrade.
Other
The following topics might also contain information about security: The IBM SDK is based on Java Technology developed by Oracle Corporation, so also refer to the documentation available on the Oracle website. For example: