By default, Java™ applications
have no security restrictions placed on activities requested of the Java API. To use Java security to protect a Java application from performing potentially
unsafe actions, you can enable a security manager for the JVM in which
the application runs.
About this task
The security manager enforces a security policy, which
is a set of permissions (system access privileges) that are assigned
to code sources. A default policy file is supplied with the Java platform. However, to enable Java applications to run successfully
in CICS® when Java security is active, you must specify an
additional policy file that gives CICS the
permissions it requires to run the application.
You must specify
this additional policy file for each kind of JVM that has a security
manager enabled. CICS provides
some examples that you can use to create your own policies.
Notes: Enabling a Java security manager is not supported in a
Liberty JVM server.
- The OSGi security agent example creates an OSGi middleware bundle
called com.ibm.cics.server.examples.security in
your project that contains a security profile. This profile applies
to all OSGi bundles in the framework in which it is installed.
- The example.permissions file contains permissions
that are specific to running applications in a JVM server, including
a check to ensure that applications do not use the System.exit() method.
- CICS must have read and
execute access to the directory in zFS where you deploy the OSGi bundle.
For applications that run in the OSGi framework of
a JVM server:
Procedure
- Create a plug-in project in the CICS Explorer® SDK and
select the supplied OSGi security agent example.
- In the project, select the example.permissions file
to edit the permissions for your security policy.
- Validate that the CICS zFS
and DB2® installation directories
are correctly specified.
- Add other permissions as necessary.
- Deploy the OSGi bundle to a suitable directory in zFS such
as
/u/bundles
.
- Edit the JVM profile for the JVM server to add the OSGi
bundle to the OSGI_BUNDLES option before any other
bundles:
OSGI_BUNDLES=/u/bundles/com.ibm.cics.server.examples.security_1.0.0.jar
- Add the following Java property
to the JVM profile to enable security.
-Djava.security.policy=all.policy
- Add the following Java environment
variable to the JVM profile to enable security in the OSGi framework:
org.osgi.framework.security=osgi
- To allow the OSGi framework to start with Java 2 security, add the following
policy:
grant { permission java.security.AllPermission; };
- Save your changes and enable the JVMSERVER resource to
install the middleware bundle in the JVM server.
- Optional: Activate Java 2 security.
- To activate a Java 2
security policy mechanism, add it to the appropriate JVM profile.
You must also edit your Java 2
security policy to grant appropriate permissions.
- To use JDBC or SQLJ from a Java application
with a Java 2 security
policy mechanism active, use the IBM® Data
Server Driver for JDBC and SQLJ.
- To activate a Java 2
security policy mechanism, edit the JVM profile. Enabling a Java security manager describes how to set up a Java 2 security policy.
- Edit the Java 2
security policy to grant permissions to the JDBC driver, by
adding the lines that are shown in Example 1. In place of
db2xxx, specify a directory
below which all your DB2 libraries
are located. The permissions are applied to all the directories
and files below this level. This enables you to use JDBC and
SQLJ.
- Edit the Java 2
security policy to grant read permissions, by adding the lines
that are shown in Example 2. If you do not add read permission,
running a Java program produces
AccessControlExceptions and unpredictable results. You can
use JDBC and SQLJ with a Java 2
security policy.
Example 1:grant codeBase "file:/usr/lpp/db2xxx/-" {
permission java.security.AllPermission;
};
Example 2:grant {
// allows anyone to read properties
permission java.util.PropertyPermission "*", "read";
};
Results
When the Java application
is called, the JVM determines the code source for the class and consults
the security policy before granting the class the appropriate permissions.