Skip to content

Enhancements to OpenJDK security

Eclipse OpenJ9™ includes the following enhancements to the OpenJDK security components.

Start of content that applies to Java 11 (LTS) and later Support for PKCS#11 token labels

(z/OS® and Linux on IBM Z® only)

On z/OS and Linux on IBM Z, OpenJ9 supports the use of an extra attribute, tokenlabel, in the SunPKCS11 configuration file. Use this attribute to assign a label to a PKCS#11 token.

The number of slots and their order depend on the number of tokens in the ICSF token database, their values, and the SAF CRYPTOZ class protection profiles that are currently defined. The ICSF PKCS#11 support ensures that a token resides in its current slot only for the duration of a PKCS#11 session (if the token is not deleted). If you restart an application, or tokens are created or removed, the token might move to a different slot. An application that uses the slot or slotListIndex attributes might fail if it doesn’t first check which slot the token is in. You can avoid this issue by using the tokenlabel attribute instead.

You can specify only one of the attributes - slot, slotListIndex, or tokenlabel. If you do not specify any of these attributes, the default behavior is that the slotListIndex attribute is set to 0.

For more information about the SunPKCS11 configuration file, see PKCS#11 Reference Guide.