Enhancements to OpenJDK security
Eclipse OpenJ9™ includes the following enhancements to the OpenJDK security components.
Support for PKCS#11 token labels
(z/OS® and Linux on IBM Z® only)
On z/OS and Linux on IBM Z, OpenJ9 supports the use of an extra attribute, tokenlabel, in the SunPKCS11 configuration file. Use this attribute to assign a label to a PKCS#11 token.
The number of slots and their order depend on the number of tokens in the ICSF token database, their values, and the SAF CRYPTOZ class protection profiles that are currently defined. The ICSF PKCS#11 support ensures that a token resides in its current slot only for the duration of a PKCS#11 session (if the token is not deleted). If you restart an application, or tokens are created or removed, the token might move to a different slot. An application that uses the slot or slotListIndex attributes might fail if it doesn’t first check which slot the token is in. You can avoid this issue by using the tokenlabel attribute instead.
You can specify only one of the attributes: slot, slotListIndex, or tokenlabel. If you do not specify any of these attributes, the default behavior is that the slotListIndex attribute is set to 0.
Note: To configure an ICSF token, add the ICSF token to openCryptoki by using the pkcsicsf utility. The openCryptoki library loads the tokens that provide hardware or software specific support for cryptographic functions. An openCryptoki token uses an RSA key pair of public and private keys to encrypt and decrypt data. You must have openCryptoki version 3.22 or later to generate RSA private keys with the ICA, CCA and EP11 tokens that openCryptoki supports.
For more information about the SunPKCS11 configuration file, see PKCS#11 Reference Guide.
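The following is an added example, not taken from the OpenJ9 documentation: it writes a SunPKCS11 configuration that selects the token by tokenlabel rather than by slot or slotListIndex, loads it at run time, and lists the key aliases on the token. The class name, the provider name LabelledToken, and the library path and token label passed on the command line are assumptions, and the code uses Java 11 or later APIs.

```java
import java.io.Console;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

public class TokenLabelProvider {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: TokenLabelProvider <pkcs11-library-path> <token-label>");
            System.exit(2);
        }
        // Assumption: both values come from the operator; neither is an OpenJ9 default.
        // "name" is an arbitrary suffix for the provider instance (hypothetical value).
        String config = String.join("\n",
            "name = LabelledToken",
            "library = " + args[0],
            // Exactly one of slot, slotListIndex or tokenlabel may appear.
            // tokenlabel keeps working if the token moves to another slot
            // after a restart or after tokens are created or removed.
            "tokenlabel = " + args[1],
            "");
        Path cfg = Files.createTempFile("pkcs11-", ".cfg");
        try {
            Files.writeString(cfg, config);
            Provider base = Security.getProvider("SunPKCS11");
            if (base == null) {
                throw new IllegalStateException("SunPKCS11 provider is not available");
            }
            // configure() returns a new provider instance bound to this configuration.
            Provider p = base.configure(cfg.toString());
            Security.addProvider(p);
            System.out.println("Loaded provider: " + p.getName());

            // Prompt for the token PIN; never hard-code it or pass it as an argument.
            Console console = System.console();
            char[] pin = (console != null) ? console.readPassword("Token PIN: ") : null;
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin);
            for (String alias : Collections.list(ks.aliases())) {
                System.out.println("alias: " + alias);
            }
        } finally {
            Files.deleteIfExists(cfg);
        }
    }
}
```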