DOCSLIB.ORG

Java Security and Z/OS

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Java Security and Z/OS Front cover Java Security on z/OS - The Complete View Comprehensively describes z/OS security services for Java applications Provides use cases illustrated with Java program examples Discusses industry-class Java applications Patrick Kappeler Jonathan Barney Pierre Béda Michael Buzzetti Saheem Granados Ebbe Mølgaard Pedersen Kin Ng Michael Onghena Eysha Powers Martina Schmidt Richard Schultz ibm.com/redbooks International Technical Support Organization Java Security on z/OS - The Complete View December 2008 SG24-7610-00 Note: Before using this information and the product it supports, read the information in “Notices” on page ix. First Edition (December 2008) This edition applies to Version 1, Release 10 of z/OS (Program Number 5694-A01). © Copyright International Business Machines Corporation 2008. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . ix Trademarks . .x Preface . xi The team that wrote this book . xi Become a published author . xiii Comments welcome. xiii Part 1. Java and Security . 1 Chapter 1. Overview of Java on z/OS . 3 1.1 Why to choose Java . 4 1.1.1 Introduction to the Java programming language. 4 1.1.2 Java package . 4 1.2 Java Native Interface . 5 1.2.1 Basic elements of the Java Native Interface. 6 1.2.2 JNI and Security . 9 1.3 Accessing z/OS MVS datasets from Java. 9 1.3.1 Using the Java Record I/O API . 10 1.3.2 Using the JZOS toolkit API . 10 1.3.3 Running a Java program as a batch job . 11 1.3.4 Job management using the BPXBATCH and BPXBATSL utility programs . 11 1.4 Introduction to Java security . 13 1.4.1 The Java Virtual Machine Security framework components . 14 1.4.2 The byte code verifier . 14 1.4.3 SecurityManager and AccessController . 15 1.4.4 JAR file security . 16 1.5 Java and z/OS security . 17 1.5.1 Authorized programs. 18 1.5.2 Program Control . 20 1.5.3 APF, Program Control, and the z/OS JVM . 21 1.6 Exploiting System z hardware. 22 1.6.1 IBM System z Application Assist Processor . 22 1.6.2 Cryptographic hardware devices. 23 Chapter 2. Java 2 authentication and authorization services. 25 2.1 Introduction to Java Authentication and Authorization Service . 26 2.1.1 Differences between IBM JAAS on z/OS and Sun JAAS . 27 2.2 Authentication . 28 2.2.1 JAAS LoginModule Configuration . 29 2.2.2 JAAS sample application . 30 2.3 Authorization . 34 2.4 Performance issues . 42 Part 2. Platform-level security with z/OS Java . 45 Chapter 3. Introduction to z/OS Resource Access Control Facility . 47 3.1 What is RACF . 48 3.2 RACF infrastructure for identification, authentication, and authorization . 48 © Copyright IBM Corp. 2008. All rights reserved. iii 3.2.1 The System Authorization Facility interface . 50 3.2.2 RACF user, group, and resource profiles . 50 3.2.3 RACF commands . 52 3.3 Accessing RACF using the LDAP protocol . 53 3.3.1 Administering RACF users and groups through LDAP . 54 Chapter 4. System Authorization Facility interfaces in z/OS Java . 55 4.1 System Authorization Facility interfaces in Java - overview . 56 4.2 Installation of SAF classes . 56 4.3 The classes in detail . 56 4.3.1 PlatformAccessLevel . 57 4.3.2 PlatformReturned . 57 4.3.3 PlatformSecurityServer . 57 4.3.4 PlatformAccessControl . 58 4.3.5 PlatformThread . 59 4.3.6 PlatformUser . 59 Chapter 5. Java Security Administration . 61 5.1 Overview of Java Security Administration. 62 5.2 Installation . 63 5.3 Java classes used. 63 5.4 Interface definitions . 63 5.4.1 User . 64 5.4.2 UserGroup . 64 5.4.3 SecAdmin . 64 5.4.4 SecAdminException . 65 5.5 RACF implementing classes . 65 5.5.1 RACF_User. 65 5.5.2 RACF_Group . 66 5.5.3 RACF_SecAdmin . 67 5.5.4 RACF_remote . ..
Load more

Recommended publications
  • Security on the Mainframe Stay Connected to IBM Redbooks
    Front cover Security on the IBM Mainframe Operating system and application security IBM Security Blueprint and Framework IBM mainframe security concepts Karan Singh Lennie Dymoke-Bradshaw Thomas Castiglion Pekka Hanninen Vincente Ranieri Junior Patrick Kappeler ibm.com/redbooks International Technical Support Organization Security on the IBM Mainframe April 2010 SG24-7803-00 Note: Before using this information and the product it supports, read the information in “Notices” on page ix. First Edition (April 2010) This edition applies to the IBM System z10 Enterprise Class server, the IBM System z10 Business Class server, and Version 1, Release 11, Modification 0 of z/OS (product number 5694-A01). © Copyright International Business Machines Corporation 2010. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . ix Trademarks . .x Preface . xi The team who wrote this book . xi Now you can become a published author, too! . xii Comments welcome. xii Stay connected to IBM Redbooks . xiii Part 1. Introduction . 1 Chapter 1. Introduction. 3 1.1 IBM Security Framework. 4 1.1.1 People and identity . 5 1.1.2 Data and information. 5 1.1.3 Application and process . 5 1.1.4 Network, server, and endpoint . 5 1.1.5 Physical Infrastructure . 6 1.2 Framework and Blueprint . 7 1.3 IBM Security Blueprint. 7 Chapter 2. Security of the IBM Mainframe: yesterday and today . 13 2.1 Operating systems . 14 2.1.1 z/OS operating system family . 14 2.1.2 z/VM Hypervisor family .
    [Show full text]
  • A Java Security Scanner for Eclipse
    Colby College Digital Commons @ Colby Honors Theses Student Research 2005 JeSS – a Java Security Scanner for Eclipse Russell Spitler Colby College Follow this and additional works at: https://digitalcommons.colby.edu/honorstheses Part of the Databases and Information Systems Commons, Other Computer Engineering Commons, Programming Languages and Compilers Commons, and the Systems Architecture Commons Colby College theses are protected by copyright. They may be viewed or downloaded from this site for the purposes of research and scholarship. Reproduction or distribution for commercial purposes is prohibited without written permission of the author. Recommended Citation Spitler, Russell, "JeSS – a Java Security Scanner for Eclipse" (2005). Honors Theses. Paper 567. https://digitalcommons.colby.edu/honorstheses/567 This Honors Thesis (Open Access) is brought to you for free and open access by the Student Research at Digital Commons @ Colby. It has been accepted for inclusion in Honors Theses by an authorized administrator of Digital Commons @ Colby. JeSS – a Java Security Scanner for Eclipse Russell Spitler Senior Honors Thesis Spring 2005 Colby College Department of Computer Science Advisor: Dale Skrien Contents Chapter 1 Introduction 1 Chapter 2 Secure Coding and Java Security 2.1 – Secure Coding 3 2.2 – Java Security 7 Chapter 3 Java Security Holes 3.1 – Don’t depend on initialization 13 3.2 – Make everything final 14 3.3 – Make your code unserializable and undeserializable 16 3.4 – Make your class non-Cloneable 19 3.5 – Don’t rely on
    [Show full text]
  • Eu-19-Zhang-New-Exploit-Technique
    New Exploit Technique In Java Deserialization Attack • Yang Zhang • Yongtao Wang Keyi Li “在此键⼊引⽂。• ” • Kunzhe Chai –Johnny Appleseed New Exploit Technique In Java Deserialization Attack Back2Zero Team BCM Social Corp. BCM Social Group Who are we? Yang Zhang(Lucas) • Founder of Back2Zero Team & Leader of Security Research Department in BCM Social Corp. • Focus on Application Security, Cloud Security, Penetration Testing. • Spoke at various security conferences such as CanSecWest, POC, ZeroNights. Keyi Li(Kevin) • Master degree majoring in Cyber Security at Syracuse University. • Co-founder of Back2Zero team and core member of n0tr00t security team. • Internationally renowned security conference speaker. –Johnny Appleseed Who are we? Yongtao Wang • Co-founder of PegasusTeam and Leader of Red Team in BCM Social Corp. • Specializes in penetration testing and wireless security. • Blackhat, Codeblue, POC, Kcon, etc. Conference speaker. Kunzhe Chai(Anthony) • Founder of PegasusTeam and Chief Information Security Officer in BCM Social Corp. • Author of the well-known security tool MDK4. • Maker of China's first Wireless Security Defense Product Standard and he also is the world's first inventor of Fake Base Stations defense technology–Johnny Appleseed Agenda • Introduction to Java Deserialization • Well-Known Defense Solutions • Critical vulnerabilities in Java • URLConnection • JDBC • New exploit for Java Deserialization • Takeaways 2015: Chris Frohoff and Gabriel Lawrence presented their research into Java object deserialization vulnerabilities ultimately resulting in what can be readily described as the biggest wave of RCE bugs in Java history. Introduction to Java Deserialization Java Deserialization Serialization • The process of converting a Java object into stream of bytes. Databases Deserialization Serialization • A reverse process of creating a Java object from stream of bytes.
    [Show full text]
  • Apache Harmony Project Tim Ellison Geir Magnusson Jr
    The Apache Harmony Project Tim Ellison Geir Magnusson Jr. Apache Harmony Project http://harmony.apache.org TS-7820 2007 JavaOneSM Conference | Session TS-7820 | Goal of This Talk In the next 45 minutes you will... Learn about the motivations, current status, and future plans of the Apache Harmony project 2007 JavaOneSM Conference | Session TS-7820 | 2 Agenda Project History Development Model Modularity VM Interface How Are We Doing? Relevance in the Age of OpenJDK Summary 2007 JavaOneSM Conference | Session TS-7820 | 3 Agenda Project History Development Model Modularity VM Interface How Are We Doing? Relevance in the Age of OpenJDK Summary 2007 JavaOneSM Conference | Session TS-7820 | 4 Apache Harmony In the Beginning May 2005—founded in the Apache Incubator Primary Goals 1. Compatible, independent implementation of Java™ Platform, Standard Edition (Java SE platform) under the Apache License 2. Community-developed, modular architecture allowing sharing and independent innovation 3. Protect IP rights of ecosystem 2007 JavaOneSM Conference | Session TS-7820 | 5 Apache Harmony Early history: 2005 Broad community discussion • Technical issues • Legal and IP issues • Project governance issues Goal: Consolidation and Consensus 2007 JavaOneSM Conference | Session TS-7820 | 6 Early History Early history: 2005/2006 Initial Code Contributions • Three Virtual machines ● JCHEVM, BootVM, DRLVM • Class Libraries ● Core classes, VM interface, test cases ● Security, beans, regex, Swing, AWT ● RMI and math 2007 JavaOneSM Conference | Session TS-7820 |
    [Show full text]
  • Java Security, 2Nd Edition
    Table of Contents Preface..................................................................................................................................................................1 Who Should Read This Book?.................................................................................................................1 Versions Used in This Book....................................................................................................................2 Conventions Used in This Book..............................................................................................................2 Organization of This Book.......................................................................................................................3 What's New in This Edition.....................................................................................................................5 How to Contact Us...................................................................................................................................5 Acknowledgments....................................................................................................................................6 Feedback for the Author..........................................................................................................................6 Chapter 1. Java Application Security...............................................................................................................7 1.1 What Is Security?...............................................................................................................................7
    [Show full text]
  • Java(8$ Andrew$Binstock,$Editor$In$Chief,$Dr.Dobbs$
    Java$Update$and$Roadmap$ November(2014( Tomas$Nilsson$ Senior$Principal$Product$Manager$ Java$SE$ Copyright$©$2014,$Oracle$and/or$its$affiliates.$All$rights$reserved.$$|$ Safe$Harbor$Statement$ The$following$is$intended$to$outline$our$general$product$direcNon.$It$is$intended$for$ informaNon$purposes$only,$and$may$not$be$incorporated$into$any$contract.$It$is$not$a$ commitment$to$deliver$any$material,$code,$or$funcNonality,$and$should$not$be$relied$upon$ in$making$purchasing$decisions.$The$development,$release,$and$Nming$of$any$features$or$ funcNonality$described$for$Oracle’s$products$remains$at$the$sole$discreNon$of$Oracle.$ Copyright$©$2014,$Oracle$and/or$its$affiliates.$All$rights$reserved.$$|$ Agenda$ 1( Oracle$and$Java$ 2( Java$SE$8$Overview$ 3( Java$SE$9$and$Beyond$ Copyright$©$2014,$Oracle$and/or$its$affiliates.$All$rights$reserved.$$|$ 1( Oracle$and$Java$ 2( Java$SE$8$Overview$ 3( Roadmap$ Copyright$©$2014,$Oracle$and/or$its$affiliates.$All$rights$reserved.$$|$ Oracle$and$Java$ • Oracle$has$used$Java$since$the$beginning$of$Nme$(eg$1990s)$ • Acquired$JAVA$(Sun$Microsystems)$in$2010,$including$Java$IP,$trademarks$ • Embraced$OpenJDK,$open$community,$open$JCP$ – Welcomed$IBM,$Apple,$SAP,$ARM,$AMD,$Intel,$Twi\er,$Goldman$Sachs,$Microso^$and$many$others$ – Made$OpenJDK$official$Java$SE$reference$implementaNon$ – Ongoing$move$towards$open$development,$governance,$transparency$ • JDK$development:$Oracle$and$community$ – Oracle$focus$on$modernizaNon,$security,$big$Ncket$R&D$and$commercial$value$to$Oracle$ – Community$contributes$based$on$interest$and$ability,$examples:$
    [Show full text]
  • Artisynth Installation Guide for Macos
    ArtiSynth Installation Guide for MacOS John Lloyd, Sebastian Kazenbroot-Guppy, and Antonio Sánchez Last updated: March, 2018 ArtiSynth Installation Guide for MacOS 2 Contents 1 Introduction 4 2 Prerequisites 4 3 Downloading a Prepacked Release 5 3.1 Downloadingandunpackingthezipfile . ................... 5 4 Cloning from Github 5 4.0.1 Cloningusingthecommandline . ............... 5 4.0.2 CloningusingEclipse . ............. 5 4.1 Downloadingthelibraries. .................. 5 5 Building ArtiSynth 6 5.1 BuildingwithEclipse. .... .... .... ... .... .... .... ................ 6 5.2 Buildingfromthecommandline . ................. 6 6 Running ArtiSynth 6 6.1 Runningfromthecommandline . ................ 6 6.2 Runningfromthefilebrowser . ................ 6 6.3 Commandlinearguments. ............... 7 6.4 RunningusingEclipse .... .... .... ... .... .... .... .. ............... 7 6.5 LoadingandRunningModels . ............... 7 7 Installing External Models and Packages 7 7.1 Downloading ..................................... ............ 8 7.2 Building........................................ ............ 8 7.2.1 BuildingwithEclipse. .............. 8 7.2.2 Buildingfromthecommandline. ............... 8 7.3 Running......................................... ........... 8 7.3.1 Adding external classes using the Eclipse Classpath . ........................ 8 7.3.2 AddingexternalclassesusingEXTCLASSPATH . .................. 8 7.3.3 AddingexternalclassesusingCLASSPATH . .................. 8 8 Updating ArtiSynth 9 8.1 Libraryupdates .................................
    [Show full text]
  • Chapter 9: Java
    ,ch09.6595 Page 159 Friday, March 25, 2005 2:47 PM Chapter 9 CHAPTER 9 Java Many Java developers like Integrated Development Environments (IDEs) such as Eclipse. Given such well-known alternatives as Java IDEs and Ant, readers could well ask why they should even think of using make on Java projects. This chapter explores the value of make in these situations; in particular, it presents a generalized makefile that can be dropped into just about any Java project with minimal modification and carry out all the standard rebuilding tasks. Using make with Java raises several issues and introduces some opportunities. This is primarily due to three factors: the Java compiler, javac, is extremely fast; the stan- dard Java compiler supports the @filename syntax for reading “command-line param- eters” from a file; and if a Java package is specified, the Java language specifies a path to the .class file. Standard Java compilers are very fast. This is primarily due to the way the import directive works. Similar to a #include in C, this directive is used to allow access to externally defined symbols. However, rather than rereading source code, which then needs to be reparsed and analyzed, Java reads the class files directly. Because the symbols in a class file cannot change during the compilation process, the class files are cached by the compiler. In even medium-sized projects, this means the Java com- piler can avoid rereading, parsing, and analyzing literally millions of lines of code compared with C. A more modest performance improvement is due to the bare mini- mum of optimization performed by most Java compilers.
    [Show full text]
  • Evaluating the Flexibility of the Java Sandbox
    Evaluating the Flexibility of the Java Sandbox Zack Coker, Michael Maass, Tianyuan Ding, Claire Le Goues, and Joshua Sunshine Carnegie Mellon University {zfc,mmaass}@cs.cmu.edu, [email protected], {clegoues,sunshine}@cs.cmu.edu ABSTRACT should protect both the host application and machine from The ubiquitously-installed Java Runtime Environment (JRE) malicious behavior. In practice, these security mechanisms provides a complex, flexible set of mechanisms that support are problematically buggy such that Java malware is often the execution of untrusted code inside a secure sandbox. able to alter the sandbox's settings [4] to override security However, many recent exploits have successfully escaped the mechanisms. Such exploits take advantage of defects in either sandbox, allowing attackers to infect numerous Java hosts. the JRE itself or the application's sandbox configuration to We hypothesize that the Java security model affords devel- disable the security manager, the component of the sandbox opers more flexibility than they need or use in practice, and responsible for enforcing the security policy [5, 6, 7, 8]. thus its complexity compromises security without improving In this paper, we investigate this disconnect between theory practical functionality. We describe an empirical study of the and practice. We hypothesize that it results primarily from ways benign open-source Java applications use and interact unnecessary complexity and flexibility in the design and with the Java security manager. We found that developers engineering of Java's security mechanisms. For example, regularly misunderstand or misuse Java security mechanisms, applications are allowed to change the security manager at that benign programs do not use all of the vast flexibility runtime, whereas static-only configuration of the manager afforded by the Java security model, and that there are clear would be more secure.
    [Show full text]
  • Migration-Guide.Pdf
    Java Platform, Standard Edition Oracle JDK Migration Guide Release 15 F30923-01 September 2020 Getting Started The purpose of this guide is to help you identify potential issues and give you suggestions on how to proceed as you migrate your existing Java application to JDK 15. The guide also highlights the significant changes and enhancements done in JDK 15. This guide contains the following sections: • Significant Changes in the JDK • Preparing For Migration • Migrating From JDK 8 to Later JDK Releases • Next Steps Note: • Check the Oracle JDK Certified System Configurations for the latest supported platforms and operating system versions. • See Removed APIs, Tools, and Components before you start the migration process. Significant Changes in the JDK Before migrating your application to the latest JDK release, you must understand what the updates and changes are between it and the previous JDK release. If you are migrating from JDK 8, you should also be familiar with the differences between JDK 8 and later releases that are described in Migrating From JDK 8 to Later JDK Releases. See the following sections to learn about some of the significant changes in latest JDK releases. 1 Significant Changes in JDK 15 Release See JDK 15 Release Notes for the complete list of new features and enhancements in JDK 15. The following are some of the updates in Java SE 15 and JDK 15: • Text Blocks, first previewed in Java SE 13, is a permanent feature in this release and can be used without enabling preview features. Text blocks are multiline string literals that avoid the need for most escape sequences, automatically format the string in a predictable way, and give the developer control over the format when desired.
    [Show full text]
  • Java Programming Course Name: Mca – 5Th Semester Course Code: Mca18501cr
    University of Kashmir Department of Computer Science JAVA PROGRAMMING COURSE NAME: MCA – 5TH SEMESTER COURSE CODE: MCA18501CR Teacher Incharge: Dr. Shifaa Basharat Contact: [email protected] 1 University of Kashmir Department of Computer Science PACKAGES: Package in Java is a mechanism to encapsulate a group of classes, sub packages and interfaces. Packages are used for: Re-usability: The classes contained in the packages of another program can be easily reused Name Conflicts: Packages help us to uniquely identify a class, for example, we can have two classes with the name Employee in two different packages, company.sales.Employee and company.marketing.Employee. Controlled Access: Offers access protection such as protected classes, default classes and private class. Protected and default have package level access control. A protected member is accessible by classes in the same package and its subclasses. A default member (without any access specifier) is accessible by classes in the same package only. Data Encapsulation: They provide a way to hide classes, preventing other programs from accessing classes that are meant for internal use only Maintenance: With packages, you can organize your project better and easily locate related classes Thus, package is a container of a group of related classes where some of the classes are accessible and are exposed and others are kept for internal purpose. We can reuse existing classes from the packages as many time as we need it in our program. Package names and directory structure are closely related. For example if a package name is college.staff.csc, then there are three directories, college, staff and csc such that csc is present in staff and staff is present college.
    [Show full text]
  • CA ACF2 for Z/OS Quick Reference Guide
    CA ACF2™ for z/OS Quick Reference Guide r12 Third Edition This documentation and any related computer software help programs (hereinafter referred to as the "Documentation") are for your informational purposes only and are subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be used or disclosed by you except as may be permitted in a separate confidentiality agreement between you and CA. Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy. The right to print copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
    [Show full text]