Security

The product contains components and tools that you can use to increase the security of your Java™ applications. Some features affect the security of the runtime environment itself; others affect the security of the applications that you run in it.

If a security vulnerability is found in the IBM® or Oracle code, it is documented on the Java SDK security vulnerabilities page in IBM Support and a fix is provided on the Java SDK fixes page. If you want to receive security bulletins and fix notifications, subscribe to the My Notifications service, selecting the appropriate document types. You can also choose to receive notifications about other document types, such as news and flash alerts. Security bulletins for all IBM products are published on the IBM Product Security Incident Response blog site.

The following sections describe the components of the SDK that have security aspects that you should be aware of.

Security providers and tools

The SDK provides security components that contain APIs and tools for securing your Java applications. These components cover areas such as cryptography, keys and certification, access control, secure communication, and authentication.

This release contains the default OpenJDK Java SE security implementation, with additional components.

The OpenJDK security components that are available with the SDK include the following providers:
  • Oracle SUN provider
  • Oracle SunEC provider
  • Oracle SunJCE provider
  • Oracle SunRsaSign provider
  • Oracle SunJSSE provider
  • XMLDSig provider
  • Oracle SunJGSS provider
  • Oracle SunSASL provider
  • Oracle JAAS providers
  • Oracle Certification Path provider
The following additional security providers are included:
  • OpenJCEPlus provider
  • IBMJCECCA provider
  • IBMJCEHYBRID provider
  • IBMZSecurity provider
  • ZERTJSSE provider
  • z/OS SunPKCS11 provider
  • JAAS z/OS extensions
  • System Authentication Facility (SAF) interface

The list of providers and their preference order is defined by the numbered security.provider.<n> entries in the java.security properties file (conf/security/java.security in the SDK). When a caller requests an algorithm without naming a provider, the runtime walks this list in order and uses the first provider that supports it, so the order determines which implementation services your application. You can override individual properties for a single run with -Djava.security.properties=<file>.

For more information about these security components, see the Security guide.
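The following program is an added example, not code from the IBM or OpenJDK documentation. It lists the installed providers in the order the runtime consults them and shows which provider actually services a few commonly used algorithms, which is what you need to know before deciding whether to pin an algorithm to a specific provider. The provider name passed on the command line is illustrative; any provider that appears in your java.security file can be used.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

/**
 * Added example: audit the provider chain of the running SDK.
 * Run once with the SDK's default java.security, then again with
 * -Djava.security.properties=<file> to see the effect of a local override.
 */
public class ProviderAudit {

    /** Provider names and versions in the order the runtime consults them. */
    public static List<String> preferenceOrder() {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            names.add(p.getName() + " " + p.getVersionStr());
        }
        return names;
    }

    /** Provider that services a Cipher transformation, or null if none does. */
    public static String cipherProvider(String transformation) {
        try {
            return Cipher.getInstance(transformation).getProvider().getName();
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            return null;
        }
    }

    /** Provider that services a MessageDigest algorithm, or null if none does. */
    public static String digestProvider(String algorithm) {
        try {
            return MessageDigest.getInstance(algorithm).getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("Provider preference order (from java.security):");
        int i = 1;
        for (String name : preferenceOrder()) {
            System.out.printf("  %2d. %s%n", i++, name);
        }
        // The same order is visible as numbered security properties.
        System.out.println("security.provider.1 = " + Security.getProperty("security.provider.1"));

        for (String t : new String[] { "AES/GCM/NoPadding", "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" }) {
            System.out.println(t + " -> " + cipherProvider(t));
        }
        for (String d : new String[] { "SHA-256", "SHA3-256" }) {
            System.out.println(d + " -> " + digestProvider(d));
        }

        // Pinning: when policy requires a particular provider (for example a
        // hardware-backed one), request it by name rather than relying on
        // preference order. The default name here is illustrative only.
        String required = args.length > 0 ? args[0] : "SunJCE";
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding", required);
            System.out.println("Pinned AES/GCM to " + c.getProvider().getName());
        } catch (NoSuchProviderException | NoSuchAlgorithmException | NoSuchPaddingException e) {
            System.out.println("Provider " + required + " cannot service AES/GCM: " + e);
        }
    }
}
```

Compile and run it with the SDK's java launcher; the "Pinned" line fails cleanly with NoSuchProviderException when the named provider is not in the chain, which is the behaviour you want from a pinned configuration rather than a silent fallback to whichever provider happens to be first.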

Attach API

You can use the Java Attach API to connect an application to a different virtual machine, for example to load an agent into it or to read its system properties. On OpenJ9 the API works through files in a common attach directory, and access control is handled entirely by POSIX file permissions on that directory and its contents: a process that can read and write those files can attach to the target virtual machine. Check and secure access to that directory so that only authorized users or processes can connect to another virtual machine, or disable the Java Attach API for a virtual machine that does not need it by starting it with -Dcom.ibm.tools.attach.enable=no. For more information, see Java Attach API in the OpenJ9 user documentation.
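The following program is an added example, not code from the OpenJ9 documentation. It enumerates the virtual machines that the Attach API currently exposes to the running user and reads one system property from a chosen target, which is a quick way to confirm that a virtual machine started with -Dcom.ibm.tools.attach.enable=no is not attachable (it does not appear in the list at all) and that virtual machines owned by other users are not visible unless the file permissions allow it. It requires the jdk.attach module; attaching to the current virtual machine additionally needs -Djdk.attach.allowAttachSelf=true.

```java
import java.io.IOException;
import java.util.List;
import java.util.Properties;
import com.sun.tools.attach.AttachNotSupportedException;
import com.sun.tools.attach.VirtualMachine;
import com.sun.tools.attach.VirtualMachineDescriptor;

/** Added example: probe which virtual machines this user can attach to. */
public class AttachProbe {

    /** Descriptors of every virtual machine the Attach API exposes to us. */
    public static List<VirtualMachineDescriptor> visibleVms() {
        return VirtualMachine.list();
    }

    /**
     * Attach to the given pid, read one system property, and detach.
     * Returns null when the target is not attachable or refuses the request,
     * which is the expected result for a VM with the Attach API disabled.
     */
    public static String readProperty(String pid, String key) {
        VirtualMachine vm = null;
        try {
            vm = VirtualMachine.attach(pid);
            Properties props = vm.getSystemProperties();
            return props.getProperty(key);
        } catch (AttachNotSupportedException | IOException e) {
            return null;
        } finally {
            if (vm != null) {
                try {
                    vm.detach();
                } catch (IOException ignored) {
                    // nothing more to do; the connection is gone either way
                }
            }
        }
    }

    public static void main(String[] args) {
        System.out.println("Attachable virtual machines:");
        for (VirtualMachineDescriptor d : visibleVms()) {
            System.out.println("  " + d.id() + "  " + d.displayName());
        }
        // Target pid from the command line, or this VM (needs allowAttachSelf).
        String pid = args.length > 0 ? args[0] : String.valueOf(ProcessHandle.current().pid());
        String home = readProperty(pid, "java.home");
        System.out.println(home == null
                ? "attach to " + pid + " refused or not supported"
                : pid + " runs " + home);
    }
}
```

Run it as the same user as the target and then as a different user: the second run should show neither the target in the list nor a successful property read. If it does, the attach directory permissions are too permissive.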

Dump files

Be careful when handling dump files, because they can contain the state of your application at the moment the dump was taken, some of which might be sensitive. A heap dump contains the contents of every live object, so any secret held in memory, such as passwords, session tokens, cryptographic keys, personal information, or bank account details, is written to the file in clear; a system dump also contains native memory. Treat dump files with the same care as the data they may hold: write them to a location that only the owning user can read, restrict who can trigger them, and delete them when the diagnosis is complete. The location and the events that produce dumps are controlled by the -Xdump option. For more information about dump files, see Diagnostic component in the J9 VM reference.
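The following program is an added example, not code from the J9 VM reference. It requests a heap dump programmatically into a directory that only the current user can enter, then tightens the permissions on the written file. It assumes the OpenJ9 com.ibm.jvm.Dump API (the heapDumpToFile method returning the path written, and the com.ibm.jvm.InvalidDumpOptionException it declares) and a POSIX file system; the method names are as I recall them from the J9 API documentation, so check them against the reference for your release. The file-name tokens (%pid, %Y and so on) are the ones OpenJ9 expands in dump file names.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/** Added example: take a heap dump into an owner-only directory. */
public class LockedDownHeapDump {

    private static final Set<PosixFilePermission> DIR_OWNER_ONLY =
            PosixFilePermissions.fromString("rwx------");
    private static final Set<PosixFilePermission> FILE_OWNER_ONLY =
            PosixFilePermissions.fromString("rw-------");

    /** Create (or re-lock) the dump directory so only the owner can enter it. */
    public static Path dumpDir(Path dir) throws IOException {
        if (!Files.exists(dir)) {
            Files.createDirectories(dir, PosixFilePermissions.asFileAttribute(DIR_OWNER_ONLY));
        }
        // Re-apply on every call: a pre-existing directory may be too open,
        // and the umask can widen permissions at creation time.
        Files.setPosixFilePermissions(dir, DIR_OWNER_ONLY);
        return dir;
    }

    /**
     * Request a heap dump into dir and return the path the VM wrote.
     * Assumes com.ibm.jvm.Dump.heapDumpToFile(String) from OpenJ9.
     */
    public static Path takeHeapDump(Path dir)
            throws IOException, com.ibm.jvm.InvalidDumpOptionException {
        Path target = dumpDir(dir).resolve("heapdump.%Y%m%d.%H%M%S.%pid.phd");
        String written = com.ibm.jvm.Dump.heapDumpToFile(target.toString());
        Path out = Paths.get(written);
        // The VM creates the file with the process umask; close it down to 0600.
        Files.setPosixFilePermissions(out, FILE_OWNER_ONLY);
        return out;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Paths.get(args.length > 0 ? args[0] : System.getProperty("user.home"), "jvm-dumps");
        Path out = takeHeapDump(dir);
        System.out.println("heap dump written to " + out + " with mode 0600");
    }
}
```

The same effect for dumps that the VM produces on its own (for example on an out-of-memory event) comes from pointing the file= sub-option of -Xdump at a directory prepared the same way; the program above only shows the permissions you want to end up with.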

JConsole

JConsole is a graphical tool, run under the X Window System, that you can use to monitor and manage the behavior of Java applications over JMX. Local connections go through the Attach API and are limited to processes of the same user. Remote connections are enabled on the target application with com.sun.management.jmxremote.port, and you can turn off password authentication (com.sun.management.jmxremote.authenticate=false) and TLS (com.sun.management.jmxremote.ssl=false), which allows anyone who can reach the port to connect as a JMX client and invoke management operations on your application. Use these non-secure options only in a development or testing environment; in production, keep authentication and TLS on and bind the port to an interface that untrusted hosts cannot reach. For more information, see Using JConsole in the J9 VM reference.

Shared classes

You can share class data between virtual machines by storing it in a cache, which can reduce virtual storage consumption and startup time for virtual machines. Because a virtual machine loads classes from the cache, anyone who can write to the cache can influence the code that other virtual machines run, so treat the cache with the same care as the class files themselves. Access to the shared class cache is limited by operating system permissions and Java security permissions. You can also restrict access to the cache by specifying the cache location and its permissions with the -Xshareclasses cacheDir sub-option, and by including user names in cache names (the name sub-option expands the %u token to the current user name) so that each user gets a separate cache. For more information, see Creating a shared classes cache in the OpenJ9 user documentation.


Security Manager

The Security Manager, which was available in Java 11, is deprecated for removal in Java 17 (JEP 411) and subject to removal in a future release. In Java 17, starting with -Djava.security.manager or calling System.setSecurityManager prints a warning; the Security Manager still works when -Djava.security.manager=allow is set. There is no drop-in replacement: applications that relied on it to sandbox untrusted code need a different boundary, such as running that code in a separate process with operating-system controls. See JEP 411 for discussion and alternatives.

Upgrading

An SDK upgrade can overwrite configuration files and security policy files, such as conf/security/java.security, conf/security/java.policy, and the lib/security/cacerts trust store, discarding any provider ordering, disabled-algorithm settings, or trusted certificates you added. Back up these files before upgrading, and compare them with the new versions afterwards so that you restore only your own changes and keep any hardened defaults the upgrade introduces.

Other

The following topics might also contain information relating to security. The IBM SDK is based on Java technology developed by Oracle Corporation, so also refer to the documentation available on the Oracle website. For example: