Enabling a Java security manager

By default, Java™ applications have no security restrictions placed on activities requested of the Java API. To use Java security to protect a Java application from performing potentially unsafe actions, you can enable a security manager for the JVM in which the application runs.

About this task

The security manager enforces a security policy, which is a set of permissions (system access privileges) that are assigned to code sources. A default policy file is supplied with the Java platform. However, to enable Java applications to run successfully in CICS® when Java security is active, you must specify an additional policy file that gives CICS the permissions it requires to run the application.

You must specify this additional policy file for each kind of JVM that has a security manager enabled. CICS provides some examples that you can use to create your own policies.

Notes: Enabling a Java security manager is not supported in a Liberty JVM server.
  • The OSGi security agent example creates an OSGi middleware bundle called com.ibm.cics.server.examples.security in your project that contains a security profile. This profile applies to all OSGi bundles in the framework in which it is installed.
  • The example.permissions file contains permissions that are specific to running applications in a JVM server, including a check to ensure that applications do not use the System.exit() method.
  • CICS must have read and execute access to the directory in zFS where you deploy the OSGi bundle.

For applications that run in the OSGi framework of a JVM server:


  1. Create a plug-in project in the CICS Explorer® SDK and select the supplied OSGi security agent example.
  2. In the project, select the example.permissions file to edit the permissions for your security policy.
    1. Validate that the CICS zFS and DB2® installation directories are correctly specified.
    2. Add other permissions as necessary.
  3. Deploy the OSGi bundle to a suitable directory in zFS such as /u/bundles.
  4. Edit the JVM profile for the JVM server to add the OSGi bundle to the OSGI_BUNDLES option before any other bundles:
    • OSGI_BUNDLES=/u/bundles/com.ibm.cics.server.examples.security_1.0.0.jar
  5. Start of changeAdd the following Java property to the JVM profile to enable security.
    • -Djava.security.policy=all.policy
    End of change
  6. Add the following Java environment variable to the JVM profile to enable security in the OSGi framework:
    • org.osgi.framework.security=osgi
  7. Start of changeTo allow the OSGi framework to start with Java 2 security, add the following policy:
    • grant { permission java.security.AllPermission; };
    End of change
  8. Save your changes and enable the JVMSERVER resource to install the middleware bundle in the JVM server.
  9. Optional: Activate Java 2 security.
    1. To activate a Java 2 security policy mechanism, add it to the appropriate JVM profile. You must also edit your Java 2 security policy to grant appropriate permissions.
    2. To use JDBC or SQLJ from a Java application with a Java 2 security policy mechanism active, use the IBM® Data Server Driver for JDBC and SQLJ.
    3. To activate a Java 2 security policy mechanism, edit the JVM profile. Enabling a Java security manager describes how to set up a Java 2 security policy.
    4. Edit the Java 2 security policy to grant permissions to the JDBC driver, by adding the lines that are shown in Example 1. In place of db2xxx, specify a directory below which all your DB2 libraries are located. The permissions are applied to all the directories and files below this level. This enables you to use JDBC and SQLJ.
    5. Edit the Java 2 security policy to grant read permissions, by adding the lines that are shown in Example 2. If you do not add read permission, running a Java program produces AccessControlExceptions and unpredictable results. You can use JDBC and SQLJ with a Java 2 security policy.
    Example 1:
    grant codeBase "file:/usr/lpp/db2xxx/-" {
      permission java.security.AllPermission;
    Example 2:
    grant {
    // allows anyone to read properties
    permission java.util.PropertyPermission "*", "read";


When the Java application is called, the JVM determines the code source for the class and consults the security policy before granting the class the appropriate permissions.