By default, Java™ applications have no security
restrictions placed on activities requested of the Java API.
To use Java security to protect a Java application from performing potentially unsafe actions, you can enable a
security manager for the JVM in which the application runs.
About this task
The security manager enforces a security policy, which is a set of permissions (system access
privileges) that are assigned to code sources. A default policy file is supplied with the Java platform. However, to enable Java applications to run successfully in CICS® when Java security is active, you must specify an additional policy
file that gives CICS the permissions it requires to run the
application.
You must specify this additional policy file for each kind of JVM that has a security manager
enabled. CICS provides some examples that you can use to
create your own policies.
Notes: Enabling a Java security
manager is not supported in a Liberty JVM server.
- The OSGi security agent example creates an OSGi middleware bundle called
com.ibm.cics.server.examples.security in your project that contains a security
profile. This profile applies to all OSGi bundles in the framework in which it is installed.
- The example.permissions file contains permissions that are specific to
running applications in a JVM server, including a check to ensure that applications do not use the
System.exit() method.
- CICS must have read and execute access to the directory
in zFS where you deploy the OSGi bundle.
For applications that run in the OSGi framework of a JVM server:
Procedure
-
Create a plug-in project in the IBM® CICS SDK for Java and select the supplied OSGi
security agent example.
-
In the project, select the example.permissions file to edit the
permissions for your security policy.
-
Validate that the CICS zFS and Db2® installation directories are correctly specified.
-
Add other permissions as necessary.
-
Deploy the OSGi bundle to a suitable directory in zFS such as
/u/bundles.
-
Edit the JVM profile for the JVM server to add the OSGi bundle to the
OSGI_BUNDLES option before any other bundles:
OSGI_BUNDLES=/u/bundles/com.ibm.cics.server.examples.security_1.0.0.jar
-
Add the following Java property to the JVM profile to
enable security.
-Djava.security.policy=all.policy
-
Add the following Java environment variable to the JVM
profile to enable security in the OSGi framework:
org.osgi.framework.security=osgi
-
To allow the OSGi framework to start with Java 2
security, add the following policy:
grant { permission java.security.AllPermission; };
-
Save your changes and enable the JVMSERVER resource to install the middleware bundle in the JVM
server.
- Optional:
Activate Java 2 security.
-
To activate a Java 2 security policy mechanism, add it to
the appropriate JVM profile. You must also edit your Java 2
security policy to grant appropriate permissions.
-
To use JDBC or SQLJ from a Java application with a Java 2 security policy mechanism active, use the IBM Data Server Driver for JDBC and SQLJ.
-
To activate a Java 2 security policy mechanism, edit the
JVM profile.
-
Edit the Java 2 security policy to grant permissions to
the JDBC driver, by adding the lines that are shown in Example 1. In place of
db2xxx, specify a directory below which all your Db2 libraries are located. The permissions are applied to all the
directories and files below this level. This enables you to use JDBC and SQLJ.
-
Edit the Java 2 security policy to grant read
permissions, by adding the lines that are shown in Example 2. If you do not add read permission,
running a Java program produces AccessControlExceptions and
unpredictable results. You can use JDBC and SQLJ with a Java 2
security policy.
Example
1:grant codeBase "file:/usr/lpp/db2xxx/-" {
permission java.security.AllPermission;
};
Example
2:grant {
// allows anyone to read properties
permission java.util.PropertyPermission "*", "read";
};
Results
When the Java application is called, the JVM
determines the code source for the class and consults the security policy before granting the class
the appropriate permissions.