Front cover Java Security on z/OS - The Complete View Comprehensively describes z/OS security services for Java applications Provides use cases illustrated with Java program examples Discusses industry-class Java applications Patrick Kappeler Jonathan Barney Pierre Béda Michael Buzzetti Saheem Granados Ebbe Mølgaard Pedersen Kin Ng Michael Onghena Eysha Powers Martina Schmidt Richard Schultz ibm.com/redbooks International Technical Support Organization Java Security on z/OS - The Complete View December 2008 SG24-7610-00 Note: Before using this information and the product it supports, read the information in “Notices” on page ix. First Edition (December 2008) This edition applies to Version 1, Release 10 of z/OS (Program Number 5694-A01). © Copyright International Business Machines Corporation 2008. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . ix Trademarks . .x Preface . xi The team that wrote this book . xi Become a published author . xiii Comments welcome. xiii Part 1. Java and Security . 1 Chapter 1. Overview of Java on z/OS . 3 1.1 Why to choose Java . 4 1.1.1 Introduction to the Java programming language. 4 1.1.2 Java package . 4 1.2 Java Native Interface . 5 1.2.1 Basic elements of the Java Native Interface. 6 1.2.2 JNI and Security . 9 1.3 Accessing z/OS MVS datasets from Java. 9 1.3.1 Using the Java Record I/O API . 10 1.3.2 Using the JZOS toolkit API . 10 1.3.3 Running a Java program as a batch job . 11 1.3.4 Job management using the BPXBATCH and BPXBATSL utility programs . 11 1.4 Introduction to Java security . 13 1.4.1 The Java Virtual Machine Security framework components . 14 1.4.2 The byte code verifier . 14 1.4.3 SecurityManager and AccessController . 15 1.4.4 JAR file security . 16 1.5 Java and z/OS security . 17 1.5.1 Authorized programs. 18 1.5.2 Program Control . 20 1.5.3 APF, Program Control, and the z/OS JVM . 21 1.6 Exploiting System z hardware. 22 1.6.1 IBM System z Application Assist Processor . 22 1.6.2 Cryptographic hardware devices. 23 Chapter 2. Java 2 authentication and authorization services. 25 2.1 Introduction to Java Authentication and Authorization Service . 26 2.1.1 Differences between IBM JAAS on z/OS and Sun JAAS . 27 2.2 Authentication . 28 2.2.1 JAAS LoginModule Configuration . 29 2.2.2 JAAS sample application . 30 2.3 Authorization . 34 2.4 Performance issues . 42 Part 2. Platform-level security with z/OS Java . 45 Chapter 3. Introduction to z/OS Resource Access Control Facility . 47 3.1 What is RACF . 48 3.2 RACF infrastructure for identification, authentication, and authorization . 48 © Copyright IBM Corp. 2008. All rights reserved. iii 3.2.1 The System Authorization Facility interface . 50 3.2.2 RACF user, group, and resource profiles . 50 3.2.3 RACF commands . 52 3.3 Accessing RACF using the LDAP protocol . 53 3.3.1 Administering RACF users and groups through LDAP . 54 Chapter 4. System Authorization Facility interfaces in z/OS Java . 55 4.1 System Authorization Facility interfaces in Java - overview . 56 4.2 Installation of SAF classes . 56 4.3 The classes in detail . 56 4.3.1 PlatformAccessLevel . 57 4.3.2 PlatformReturned . 57 4.3.3 PlatformSecurityServer . 57 4.3.4 PlatformAccessControl . 58 4.3.5 PlatformThread . 59 4.3.6 PlatformUser . 59 Chapter 5. Java Security Administration . 61 5.1 Overview of Java Security Administration. 62 5.2 Installation . 63 5.3 Java classes used. 63 5.4 Interface definitions . 63 5.4.1 User . 64 5.4.2 UserGroup . 64 5.4.3 SecAdmin . 64 5.4.4 SecAdminException . 65 5.5 RACF implementing classes . 65 5.5.1 RACF_User. 65 5.5.2 RACF_Group . 66 5.5.3 RACF_SecAdmin . 67 5.5.4 RACF_remote . ..