Support for non-IBM JREs
IBM MQ classes for Java and IBM MQ classes for JMS support Advanced Message Security operation when running with non-IBM JREs.
Advanced Message Security (AMS) implements Cryptographic Message Syntax (CMS). The CMS syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content.
From Version 9.0, the Advanced Message Security support in IBM MQ classes for Java and IBM MQ classes for JMS uses the open source Bouncy Castle packages to support CMS. This means that these classes can support Advanced Message Security operation when running with non-IBM JREs.
Before Version 9.0, Advanced Message Security was not supported in non-IBM JREs in Java clients. Advanced Message Security support in the IBM MQ classes for Java and IBM MQ classes for JMS depended on CMS support specifically provided by the IBM implementation of the Java Cryptography Extensions (JCE). Because of this restriction, the functionality was only available when using a Java runtime environment (JRE) that included the Java JCE provider.
Location and version numbering for Bouncy Castle JAR files
The Bouncy Castle JAR files that are needed for support for non-IBM JREs are included as part of the IBM MQ classes for Java and IBM MQ classes for JMS installation package.
The Bouncy Castle JAR files used are the following files:
- The provider JAR file, which is fundamental to Bouncy Castle operations.
- This JAR file is called bcprov-jdk15on.jar.
- The "PKIX" JAR file, which is contains the support for CMS operations that are used by Advanced Message Security.
- This JAR file is called bcpkix-jdk15on.jar.
Dependencies
The Version 9.1 and later classes have been tested with IBM JREs and Oracle JREs. They are also likely to run successfully under any J2SE-compliant JRE. However, we should note the following dependencies:
- There are no changes to Advanced Message Security configuration.
- The Bouncy Castle classes are used only for CMS operations. All other security-related operations, for example keystore access, the actual encryption of data, and calculation of signature checksums use the functionality that is provided by the JRE. Important: For this reason, the JRE used must include a JCE provider implementation.
- To use some strong encryption algorithms, you might need to install the unrestricted policy files for the JRE's JCE implementation.
Refer to the JRE documentation for more details.
- If we have enabled Java security:
- Add java.security.SecurityPermissioninsertProvider.BC to the application so that the Bouncy Castle classes can be used as a security provider.
- Grant java.security.AllPermission to the Bouncy Castle JAR files, which are mq_install_dir/java/lib/bcpkix-jdk15on.jar and mq_install_dir/java/lib/bcprov-jdk15on.jar.
Related information