Enable the IBM JCE Hybrid Provider for Liberty

The IBM JCE Hybrid Provider (IBMJCEHYBRID) is for applications that use cryptographic hardware and processors when they are available, but must continue to work when those cryptographic features are not available. Using the IBMJCEHYBRID provider enables an application that runs on z/OS to take advantage of the hardware-backed JCE providers without including complex error handling for the case where cryptographic features are not available.

Ensure that the IBM JDK running on z/OS is at Java 7 SR3 or later.

The IBMJCEHYBRID provider does not perform any cryptographic operations itself. It routes each request to a JCE provider that is registered with the Java Security Framework, and provides failover between those providers, according to the security provider registrations made at JVM initialization. This enables an application to use cryptographic hardware features when they are available and to fall back to a provider that does not depend on those features when they are not.

Avoid trouble: The IBMJCEHYBRID provider must be the first JCE provider in the active JVM provider list, which is initialized from the security.provider.N entries in the java.security file. In particular it must precede both IBMJCECCA and IBMJCE, the providers it routes to; a JSSE provider such as IBMJSSEProvider2 is not a JCE provider and can be listed ahead of it, as in the example in step 1.

  1. Add the IBMJCEHYBRID provider to the java.security file, ahead of the hardware cryptographic provider (IBMJCECCA) and the software provider (IBMJCE).

      security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.2=com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID
      security.provider.3=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
      security.provider.4=com.ibm.crypto.provider.IBMJCE
      security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
      security.provider.6=com.ibm.security.cert.IBMCertPath
      security.provider.7=com.ibm.security.sasl.IBMSASL

  2. Configure the keystore in the server.xml file so that its location uses the safkeyringhybrid URL scheme and its type is JCEHYBRIDRACFKS. The following example shows the definition of a minimal SSL configuration keystore. Note that the {xor} password form is reversible obfuscation, not encryption, so the server.xml file must still be protected from unauthorized read access.

      <keyStore id="defaultKeyStore" location="safkeyringhybrid:///mykeyring" type="JCEHYBRIDRACFKS"
                password="{xor}Lz4sLCgwTs=" fileBased="false" readOnly="true"/>
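Because a mis-ordered or gapped provider list fails silently at run time (requests simply bypass IBMJCEHYBRID, or providers after a numbering gap are never registered), it is worth checking the java.security file before restarting the server. The following script is an added example, not an IBM-supplied tool: it parses the security.provider.N entries, reproduces the loader's behavior of reading indexes 1, 2, 3, ... and stopping at the first missing one, and verifies that IBMJCEHYBRID precedes both IBMJCECCA and IBMJCE. The three inline provider lists are constructed inputs: the correct ordering from step 1, a mis-ordered list, and a list with a numbering gap.

```python
"""Check the security.provider.N ordering that IBMJCEHYBRID requires.

Added example with constructed input; not part of the IBM documentation
or of the Liberty product.
"""
import re
from typing import Dict, List, Tuple

HYBRID = "com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID"
HDWR_CCA = "com.ibm.crypto.hdwrCCA.provider.IBMJCECCA"
SOFT_JCE = "com.ibm.crypto.provider.IBMJCE"

# Providers the hybrid provider routes to; each must be registered after it.
ROUTED = (HDWR_CCA, SOFT_JCE)

_ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")


def _entries(text: str) -> Dict[int, str]:
    """Map index -> provider class for every security.provider.N line (comments stripped)."""
    found: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = _ENTRY.match(line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found


def loaded_providers(text: str) -> List[str]:
    """Providers in load order. Like the JDK loader, read 1, 2, 3, ... and stop
    at the first missing index, so entries after a numbering gap are never loaded."""
    found = _entries(text)
    ordered: List[str] = []
    i = 1
    while i in found:
        ordered.append(found[i])
        i += 1
    return ordered


def check_hybrid_order(text: str) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for a java.security fragment."""
    found = _entries(text)
    loaded = loaded_providers(text)
    problems: List[str] = []

    if found and len(loaded) < len(found):
        problems.append(
            f"numbering gap at security.provider.{len(loaded) + 1}: "
            f"{len(found) - len(loaded)} entries will never be loaded")
    if HYBRID not in loaded:
        problems.append("IBMJCEHYBRID is not in the loaded provider list")
        return False, problems

    hybrid_pos = loaded.index(HYBRID)
    for cls in ROUTED:
        if cls not in loaded:
            problems.append(f"{cls} is not loaded; IBMJCEHYBRID cannot route to it")
        elif loaded.index(cls) < hybrid_pos:
            problems.append(f"{cls} precedes IBMJCEHYBRID; requests would bypass the hybrid provider")
    return not problems, problems


# Constructed inputs. GOOD is the ordering from step 1 of the procedure.
GOOD = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID
security.provider.3=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.4=com.ibm.crypto.provider.IBMJCE
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
"""

# Hardware provider listed ahead of the hybrid provider: requests never reach IBMJCEHYBRID.
BAD_ORDER = GOOD.replace(
    "security.provider.2=" + HYBRID + "\nsecurity.provider.3=" + HDWR_CCA,
    "security.provider.2=" + HDWR_CCA + "\nsecurity.provider.3=" + HYBRID)

# security.provider.3 deleted without renumbering: everything from 4 onward is dropped.
GAP = "\n".join(l for l in GOOD.splitlines() if not l.startswith("security.provider.3=")) + "\n"

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad order", BAD_ORDER), ("gap", GAP)):
        ok, problems = check_hybrid_order(text)
        print(f"{name}: {'OK' if ok else 'FAIL'}")
        for p in problems:
            print("   ", p)
```

To check a real file, read its contents and pass them to check_hybrid_order; the check only looks at security.provider.N lines, so the rest of java.security is ignored. The gap check matters on its own: deleting a provider line without renumbering the ones after it removes those providers from the JVM without any error message.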