Enhancements to OpenJDK security
Eclipse OpenJ9™ includes the following enhancements to the OpenJDK security components.
Support for PKCS#11 token labels
(z/OS® and Linux on IBM Z® only)
On z/OS and Linux on IBM Z, OpenJ9 supports the use of an extra attribute,
tokenlabel, in the SunPKCS11 configuration file. Use this attribute to assign a label to a PKCS#11 token.
The number of slots and their order depend on the number of tokens in the ICSF token database, their values, and the SAF CRYPTOZ class protection profiles that are currently defined. The ICSF PKCS#11 support ensures that a token resides in its current slot only for the duration of a PKCS#11 session (if the token is not deleted). If you restart an application, or tokens are created or removed, the token might move to a different slot. An application that uses the
slotListIndex attributes might fail if it doesn’t first check which slot the token is in. You can avoid this issue by using the
tokenlabel attribute instead.
You can specify only one of the attributes -
tokenlabel. If you do not specify any of these attributes, the default behavior is that the
slotListIndex attribute is set to 0.
For more information about the SunPKCS11 configuration file, see PKCS#11 Reference Guide.