The security of the enterprise beans container environment is protected by the Java™ 2 security policy mechanism and is independent of CICS® security. The security policy mechanism is one of the components that make up the Java 2 security model. The security policy mechanism is used to enforce the restrictions in the EJB specification concerning Java functions that may not be issued by enterprise beans.
By default, Java applications have no security restrictions placed on activities requested of the Java API; the Java API will do whatever it is asked. If you want to use Java 2 security to protect a Java application or enterprise bean from performing potentially unsafe actions, you need to enable a security manager for the Java virtual machine (JVM) in which the application or enterprise bean executes. If no security manager is enabled, the JVM runs without Java 2 security. A default security manager is supplied with the Java 2 platform. To prevent unauthorized access to system resources by enterprise beans, it is recommended that you enable the default security manager.
The security manager enforces a security policy, which is a set of permissions (system access privileges) that are assigned to code sources. Every time the JVM executes code within a class, the JVM determines the code source for the class and consults the security policy before granting the class the appropriate permissions. Thus, if a piece of code requests access to a particular system resource while a security manager is active, the JVM grants the code access to that resource only if that access is a privilege associated with that class.
When a JVM starts up, its security manager determines the security policy for the JVM by looking at one or more policy files that you have specified. The policy files contain details of the permissions that are granted to particular code sources. A default policy file is supplied with the Java 2 platform. If you enable the default security manager for a JVM, but do not specify any policy files, the security manager determines a security policy using the permissions given in the default policy file. You can specify one or more additional policy files containing permissions that you want to grant, and the security manager adds these permissions to the security policy. So although only one security policy is in effect for the JVM at any given time, this security policy can be the result of processing one or more policy files.
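An added illustration (not IBM or CICS code): a small Python model of how grant entries from a default policy file and an additional policy file combine into the single policy in effect for a given code source. The policy contents and the `file:/opt/...` locations are constructed for the example, and the model lists granted entries rather than evaluating Java's `implies` logic.

```python
import re

# Constructed sample policy files: NOT the JDK default policy or dfjejbpl.policy.
# The code source locations (file:/opt/...) are hypothetical.
DEFAULT_POLICY = '''
grant {
    permission java.util.PropertyPermission "java.version", "read";
};
'''
ADDITIONAL_POLICY = '''
// container code is fully trusted, application code is restricted
grant codeBase "file:/opt/container/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:/opt/apps/-" {
    permission java.util.PropertyPermission "*", "read";
    permission java.net.SocketPermission "*", "connect";
};
'''

GRANT = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

def parse_policy(text):
    """Return [(codeBase or '', {(class, target, actions), ...}), ...]."""
    text = re.sub(r'^\s*//.*$', '', text, flags=re.M)  # drop whole-line comments
    return [(cb, set(PERM.findall(body))) for cb, body in GRANT.findall(text)]

def codebase_matches(pattern, location):
    """Rules modelled: no codeBase = all code, '/-' = recursive, '/*' = one directory, else exact."""
    if not pattern:
        return True
    if pattern.endswith("/-"):
        return location.startswith(pattern[:-1])
    if pattern.endswith("/*"):
        rest = location[len(pattern) - 1:]
        return location.startswith(pattern[:-1]) and "/" not in rest
    return location == pattern

def effective_permissions(policy_texts, location):
    """Union of every matching grant across all policy files: one policy in effect."""
    granted = set()
    for text in policy_texts:
        for codebase, perms in parse_policy(text):
            if codebase_matches(codebase, location):
                granted |= perms
    return granted
```

Calling `effective_permissions([DEFAULT_POLICY, ADDITIONAL_POLICY], "file:/opt/apps/bean.jar")` shows that a code source receives the grants from every policy file that matches it, which is why a broad grant in any one file widens the policy for the whole JVM.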
To enable Java applications and enterprise beans to run successfully in CICS when Java 2 security is active, you need to specify, as a minimum, an additional policy file that gives CICS the permissions it needs to run the enterprise beans container, and gives applications the permissions outlined in the Enterprise JavaBeans specification, Version 1. The CICS-supplied enterprise beans policy file, dfjejbpl.policy, contains the permissions that you need for this purpose. You need to specify this additional policy file for each kind of JVM that has a security manager enabled.
You enable the security manager for a JVM, and specify additional policy files, using the JVM properties file for the JVM. The topic "Enabling a Java security manager and specifying policy files for a JVM" tells you how to do this.
If you need more information about Java 2 security than is provided here, refer to the Java 2 documentation.
To use JDBC or SQLJ from enterprise beans that execute in a JVM with the Java 2 security policy mechanism active, you must use the JDBC 2.0 driver provided by DB2® Version 7 or later. The JDBC 1.2 driver provided by DB2 does not support Java 2 security, and will fail with a security exception unless you disable the mechanism (by deactivating the security manager for the JVM). You will also need to modify your additional policy file to grant permissions to the JDBC driver. The topic "Enabling a Java security manager and specifying policy files for a JVM" tells you more about this.