Specifying policy files to apply to all JVMs

As an alternative to using the java.security.policy system property in a JVM properties file to specify additional policy files, you can name the additional policy files in the JVM default security properties file, which applies to all JVMs. This file is where the default Java 2 security manager looks for the name of the default policy file, which it always uses to determine the security policy for a JVM.

The default security properties file is called java.security. It is provided by CICS in:
/usr/lpp/java142/J1.4/lib/security/java.security
where the java142/J1.4 subdirectory names are the default values when you install the IBM® Software Developer Kit for z/OS®, Java™ 2 Technology Edition, Version 1.4.2.

The default security properties file already includes the name of the default policy file, /usr/lpp/java142/J1.4/lib/security/java.policy. You can add the names of additional policy files, and the security manager will then use these files, as well as the default policy file, to determine the security policy for all JVMs. The security manager will also refer to any policy files that you have specified in the JVM properties file for a particular type of JVM.

In the default security properties file java.security, policy files are specified in the form:
policy.url.n=URL 
where n represents the precedence number for the order in which the policies should be loaded. The location of a policy file is specified as a URL, so policy files do not need to be stored in the local file system.

Note that the precedence numbers must be serial and continuous. For example, if policy.url.1 and policy.url.3 are present, but policy.url.2 is missing, then policy.url.3 is ignored and only policy.url.1 is considered.

The default security properties file java.security contains these two entries:
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
To specify the CICS-supplied enterprise beans policy file, dfjejbpl.policy, as an additional policy file to be used for all JVMs, add the entry:
policy.url.3=file:/usr/lpp/cicsts/cicsts31/lib/security/dfjejbpl.policy
where cicsts31 is your chosen value for the USSDIR installation parameter that you defined when you installed CICS TS. It is specified as policy.url.3 because two other policy files are already specified. You can substitute the path to your own policy file in place of dfjejbpl.policy, or add further entries to specify additional policy files.

It is possible to bypass the default security properties file java.security for a JVM. You can do this by specifying your own policy file on the java.security.policy system property in the JVM properties file for the JVM, and inserting a double equals sign (==). For example, if you include the system property:
java.security.policy==/usr/lpp/cicsts/cicsts31/lib/security/dfjejbpl.policy
then the security manager ignores any policy files that are specified in the java.security file, and uses only dfjejbpl.policy to determine the security policy for the JVM. However, bear in mind that if you bypass the default security properties file, the security manager does not grant any permissions from the policy files that are specified in that file; it grants only the permissions that are specified in your own policy file.
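
The following audit helper is an added example, not part of the CICS or IBM SDK documentation. It applies the two rules described above (policy.url.n numbering must be serial and continuous, and the == form of java.security.policy bypasses the java.security list) to report which policy files are used and which are ignored. The function names and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample: a java.security fragment with a gap at policy.url.3.
SAMPLE_JAVA_SECURITY = """\
# default policy files
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
policy.url.4=file:/usr/lpp/cicsts/cicsts31/lib/security/dfjejbpl.policy
"""

_ENTRY = re.compile(r"^\s*policy\.url\.(\d+)\s*[=:]\s*(\S.*?)\s*$")


def parse_policy_urls(text):
    """Return {n: url} for every policy.url.n line that is not a comment."""
    entries = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue
        match = _ENTRY.match(line)
        if match:
            entries[int(match.group(1))] = match.group(2)
    return entries


def effective_policies(security_text, jvm_property_line=None):
    """Report used and ignored policy files.

    jvm_property_line is an optional 'java.security.policy=...' line taken
    from the JVM properties file; '==' means "use only this policy file".
    """
    entries = parse_policy_urls(security_text)
    used_keys, n = [], 1
    while n in entries:  # stop at the first missing precedence number
        used_keys.append(n)
        n += 1
    extra, override = None, False
    if jvm_property_line:
        _, _, value = jvm_property_line.partition("=")
        override = value.startswith("=")
        extra = value.lstrip("=").strip()
    if override:  # the java.security list is bypassed entirely
        used_keys = []
    return {
        "from_java_security": [entries[k] for k in used_keys],
        "from_jvm_property": extra,
        "ignored": [entries[k] for k in sorted(entries) if k not in used_keys],
    }
```

Running effective_policies over the real java.security file and each JVM properties file shows at a glance when a numbering gap silently drops a policy file, or when a == override leaves a JVM with only the permissions in a single file.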