To enable a Java security manager for a JVM and specify additional policy files that you want the security manager to use, you need to customize the JVM properties file for the JVM. The JVM properties file specifies the system properties for a JVM, including the security manager and policy files. It is associated with the JVM profile for a JVM. How CICS creates JVMs explains what JVM profiles and JVM properties files are, and how CICS uses them when it starts up a JVM. Setting up JVM profiles and JVM properties files contains full information on how to choose and customize JVM profiles and JVM properties files for a JVM.
To summarize the essential information from those topics, a JVM profile is a text file stored on HFS, which contains options that determine the characteristics of a JVM. When an application wants to run a Java program in a JVM, it requests a JVM with a particular profile by specifying that JVM profile in the JVMPROFILE attribute of the PROGRAM definition that relates to the Java program. For enterprise beans and IIOP applications, this is the PROGRAM definition for the initial program used by the request processor transaction definition (which is by default CIRP). This program definition is usually DFJIIRP, and the JVMPROFILE that it specifies is usually the CICS-supplied sample JVM profile DFHJVMCD. When you install CICS, the sample JVM profiles are placed in the HFS directory /usr/lpp/cicsts/cicsts31/JVMProfiles, where cicsts31 is your chosen value for the CICS_DIRECTORY symbol.
The JVM profile references a JVM properties file, which is another text file stored on HFS, containing the system properties for the JVM. The JVMPROPS option on the JVM profile names the JVM properties file that CICS uses when setting up a JVM with that profile. The CICS-supplied sample JVM properties file associated with DFHJVMCD is called dfjjvmcd.props. When you install CICS, the sample JVM properties files are placed in the HFS directory /usr/lpp/cicsts/cicsts31/props.
java.security.manager=default
or java.security.manager=""
or java.security.manager=
All these statements have the effect of enabling the default security manager. If you do not include the java.security.manager system property in your JVM properties file, then the JVM runs without Java 2 security enabled. If you need to disable Java 2 security for a JVM, comment out this system property.
java.security.policy=/usr/lpp/cicsts/cicsts31/lib/security/dfjejbpl.policy
where cicsts31 is your chosen value for the USSDIR installation parameter that you defined when you installed CICS TS. The CICS-supplied enterprise beans policy file, dfjejbpl.policy has more information about dfjejbpl.policy.
If you need to give any of your applications further permissions, you can modify the CICS-supplied enterprise beans policy file, or create and specify your own additional policy file. Policy files are stored in text format, so you can display or modify them using any standard text editing tool. In particular, if you want to use JDBC or SQLJ from enterprise beans, you need to modify the enterprise beans policy file that you have specified, to grant permissions to the JDBC driver. The CICS® DB2® Guide tells you how to do this.
It is recommended that policy files are made secure, with update authority restricted to system administrators.
When you specify a policy file in the JVM properties file, the policy file is used for JVMs that are built using JVM profiles which reference that JVM properties file. As an alternative, you can specify a policy file to be used for all the JVMs in your system for which you have enabled a Java security manager, whatever JVM properties file they have. For example, you could specify the CICS-supplied enterprise beans policy file, dfjejbpl.policy, to be used for all your JVMs. To do this, instead of including the java.security.policy system property in the JVM properties file, use the alternative method described in Specifying policy files to apply to all JVMs. If you specify a policy file to be used for all JVMs, remember that to activate Java 2 security for your JVMs, you still need to add the java.security.manager system property to your JVM properties files to enable a Java security manager.
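The following audit script is an added example, not CICS-supplied code. It reads a JVM properties file and reports the conditions described above: no security manager enabled, a policy file named while the security manager is commented out, and a policy file that users other than its owner can update. The function names, finding codes and sample text are constructed for illustration, and it assumes comment lines begin with # and that properties use the key=value form.

```python
import os
import stat

# The three forms of java.security.manager that enable the default manager.
DEFAULT_FORMS = {"default", '""', ""}

def parse_props(text):
    """Return the uncommented key=value pairs of a JVM properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(props_text):
    """Return a list of finding codes for one JVM properties file."""
    props = parse_props(props_text)
    manager = props.get("java.security.manager")
    policy = props.get("java.security.policy")
    findings = []
    if manager is None:
        # Property absent or commented out: JVM runs without Java 2 security.
        findings.append("NO_SECURITY_MANAGER")
        if policy is not None:
            findings.append("POLICY_WITHOUT_MANAGER")
    elif manager not in DEFAULT_FORMS:
        findings.append("UNRECOGNISED_MANAGER_VALUE")
    if policy and os.path.exists(policy):
        mode = os.stat(policy).st_mode
        # Update authority should be restricted: flag group/other write bits.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("POLICY_WRITABLE_BY_NON_OWNER")
    elif policy:
        findings.append("POLICY_FILE_MISSING")
    return findings

if __name__ == "__main__":
    # Constructed sample: manager commented out, policy still specified.
    sample = (
        "#java.security.manager=default\n"
        "java.security.policy=/usr/lpp/cicsts/cicsts31/lib/security/dfjejbpl.policy\n"
    )
    for finding in audit(sample):
        print(finding)
```

An empty result means the file enables the default security manager and any policy file it names exists and is writable only by its owner.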