Java Security on z/OS - The Complete View
An IBM Redbooks publication
Note: This publication is now archived. For reference only.
Published on December 23, 2008, updated January 05, 2009
IBM Form #: SG24-7610-00
Authors: Patrick Kappeler, Jonathan Barney, Pierre Beda, Michael Buzzetti, Saheem Granados, Ebbe Molgaard Pedersen, Kin Ng, Michael Onghena, Eysha Powers, Martina Schmidt and Richard Schultz
This IBM Redbooks publication describes and explains which z/OS security services can be exploited by Java stand-alone applications executing on z/OS. It is intended for experienced z/OS users with a moderate knowledge of Java, and experienced Java users with some knowledge of z/OS. For experimentation and customization it provides use cases that were composed and tested on a z/OS platform at z/OS V1R10 and SDK 6 SR1.
The book describes the role of the major infrastructure components such as Security Manager, Access Controller, Class Loader and Byte Code Verifier. It addresses specific z/OS-provided facilities including the JZOS Toolkit and Java record I/O (JRIO), and explains how they fit within both security models. Java Authentication and Authorization Services (JAAS) is covered and practical examples illustrating its use in z/OS, including the LoginModules that interact with the SAF interface, are given. The relationship of these services to z/OS built-in security functions such as APF, Program Control, and so on is explained. The specific security-relevant services provided to Java applications executing on the z/OS platform are covered, along with practical examples of their setup and use.
Java SAF classes, the JSec API, exploitation of RACF PassTickets, and the use of the z/OS Enterprise Identity Mapping (EIM) infrastructure are explained. Exploitation of z/OS integrated hardware cryptography by Java applications is detailed, along with numerous practical examples of the use of these services. z/OS cryptographic key management features are also discussed. Finally, the book addresses two industry-class IBM Java products that exploit z/OS hardware cryptography, IBM Encryption Key Manager and IBM Encryption Facility for z/OS OpenPGP Support, and highlights the exploited functionalities and performance optimization.
Part 1. Java and Security
Ch. 1 Overview of Java on z/OS
Ch. 2 Java 2 authentication and authorization services
Part 2. Platform-level security with z/OS Java
Ch. 3 Introduction to z/OS Resource Access Control Facility
Ch. 4 System Authorization Facility interfaces in z/OS Java
Ch. 5 Java Security Administration
Ch. 6 RACF PassTickets generation and authorization by z/OS Java applications
Ch. 7 z/OS Enterprise Identity Mapping for Java applications
Part 3. z/OS Java cryptography
Ch. 8 Introduction to z/OS cryptography and Java
Ch. 9 Introduction to Java Cryptographic Extension Framework and API
Ch. 10 Simple examples of Java cryptography
Ch. 11 Java and key management on z/OS
Ch. 12 Usage examples - using Java keystores on z/OS
Part 4. Appendixes
App. A. z/OS integrated hardware cryptography setup details
App. B. SAF sample code
App. C. JSec sample code
App. D. JSec attributes
App. E. EIM example setup program
App. F. Basics of cryptography
App. G. Case study: IBM Encryption Key Manager
App. H. Performance case study: IBM Encryption Facility for z/OS OpenPGP support