Changes to IBM Developer Kit for Java Technology Edition V1.4.x

WebSphere Application Server, V5.1 includes the IBM Developer Kit, Java Technology Edition V1.4.x, which contains changes to the IBM Developer Kit, Java Technology Edition V1.3.x. This document is intended to assist application developers and system administrators in understanding the changes.

 

Security packaging changes in IBM Developer Kit, Java Technology Edition V1.4.x

In IBM Developer Kit, Java Technology Edition V1.4.x, many of the security technologies are included in the core of the Developer Kit. Because of these packaging changes, specific java.security configurations are supported for each platform. This document discusses the impact that these java.security configuration changes have on each platform.

 

Security providers for the Windows, Linux, and AIX platforms

The Windows, Linux, and AIX platforms use all of the IBM security provider implementations, which is similar to how IBM Developer Kit, Java Technology Edition Version 1.3.x shipped. Because the security technologies in IBM Developer Kit, Java Technology Edition V1.3.x, were not part of the core, these technologies were shipped in the java/jre/lib/ext directory and provided more flexibility in implementing the technologies. Only those JSSE providers configured by WAS are supported.

The following list shows the providers and sequence of how these providers are supported on the Windows, Linux, and AIX platforms. Add any additional providers at the end of this list of providers. The IBMJSSE and IBMJSSE2 providers are the only SSL providers supported on these platforms. You must configure HTTP and JMS transports to use the IBMJSSE2 providers because they use the channel framework (asynchronous network I/O (NIO) APIs from Java SDK 1.4.2). The NIO APIs only work with the IBMJSSE2 provider and the channel framework.

security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse.IBMJSSEProvider
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.crypto.pkcs11.provider.IBMPKCS11

 

Security providers for the Sun Solaris environment

In the Sun Solaris environment, the IBM JSSE framework classes are used by default. These classes enable you to plug in the IBMJSSE and IBMJSSE2 providers. You must configure HTTP and JMS transports to use the IBMJSSE2 providers because they use the channel framework (asynchronous network I/O (NIO) APIs from Java SDK 1.4.2). The NIO APIs only work with the IBMJSSE2 provider and the channel framework.

The following list shows the default provider list for the Sun Solaris environment. Add any additional providers to the end of this list.

security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.jsse.IBMJSSEProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
# security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11

Note: You only need to uncomment the IBMPKCS11 provider when using IKeyMan to access a cryptographic token device. The WAS run time now uses the IBMPKCS11Impl provider for cryptographic token access, instead of the IBMPKCS11 provider. To get more information on this provider, see Security: Resources for learning.

 

Security providers for the HP-UX platform

In the HP-UX environment, by default, IBM JSSE framework classes are used. These classes enable you to plug in the IBMJSSE and IBMJSSE2 providers. You must configure HTTP and JMS transports to use the IBMJSSE2 providers because they use the channel framework (asynchronous network I/O (NIO) APIs from Java SDK 1.4.2). The NIO APIs only work with the IBMJSSE2 provider and the channel framework.

security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.jsse.IBMJSSEProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
# security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11

Note: You must uncomment the IBMPKCS11 provider when using IKeyMan to access a cryptographic token device. The WAS run time now uses the IBMPKCS11Impl provider for cryptographic token access, instead of the IBMPKCS11 provider. To obtain more information about this provider, see Security: Resources for learning.
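The provider lists above can be checked mechanically before a java.security file is deployed. The following is an added example, not IBM code: it compares a file against the Solaris/HP-UX order shown on this page and flags entries that are out of order or unreachable. It assumes the standard JDK behaviour that provider loading stops at the first missing number; org.example.ExtraProvider and the sample file are constructed for illustration.

```python
import re

# Supported provider order from this page (Solaris and HP-UX default list).
BASELINE = [
    "com.ibm.security.jgss.IBMJGSSProvider",
    "sun.security.provider.Sun",
    "com.ibm.crypto.provider.IBMJCE",
    "com.ibm.jsse.IBMJSSEProvider",
    "com.ibm.security.cert.IBMCertPath",
]
ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")

def active_providers(text):
    """Return (loaded, ignored) provider classes for a java.security text."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)  # commented-out lines start with '#' and do not match
        if m:
            entries[int(m.group(1))] = m.group(2)
    loaded, n = [], 1
    while n in entries:  # assumption: loading stops at the first missing number
        loaded.append(entries[n])
        n += 1
    ignored = [entries[k] for k in sorted(entries) if k >= n]
    return loaded, ignored

def audit(text, baseline=BASELINE):
    """Compare a java.security provider list against the documented order."""
    loaded, ignored = active_providers(text)
    findings = []
    if loaded[:len(baseline)] != baseline:
        findings.append("documented providers are not first, in the documented order")
    for cls in ignored:
        findings.append("ignored after a numbering gap: " + cls)
    return findings

# Constructed sample: a hypothetical extra provider inserted at position 2,
# and position 6 left commented out so the last entry sits after a gap.
SAMPLE = """\
security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
security.provider.2=org.example.ExtraProvider
security.provider.3=sun.security.provider.Sun
security.provider.4=com.ibm.crypto.provider.IBMJCE
security.provider.5=com.ibm.jsse.IBMJSSEProvider
# security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11
security.provider.7=com.ibm.security.cert.IBMCertPath
"""
```

Calling audit(SAMPLE) reports both problems; a file that keeps the documented five entries first and appends extra providers at the end returns an empty list.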

 

Changes to the CertPath API package name

In IBM Developer Kit, Java Technology Edition V1.3.x, the package for CertPath APIs was javax.security.cert.*. However, in IBM Developer Kit, Java Technology Edition V1.4.x, the package has changed to java.security.cert.*. While your applications might still work using javax.security.cert.* because of the oldcertpath.jar file packaged at ${WAS_INSTALL_ROOT}/java/jre/lib/ext/oldcertpath.jar, change your applications to use the new package name for CertPath from this point forward. In this release, either package name should work, but it is recommended that you use the correct package, which is java.security.cert.*.

 

Known problems with IBM Developer Kit, Java Technology Edition V1.4.x

For a list of known problems with the various platforms related to the IBM Developer Kit, Java Technology Edition V1.4.x changes, please review the release notes for WebSphere Application Server, Version 5.1.

There are some known issues with the IBMJSSE2 provider:

  • When configuring a cryptographic token device, use the IBMJSSE2 provider. There is a dependency on the new IBMPKCS11Impl provider for cryptographic token support. This provider can be initialized only once in a JVM, and the WAS runtime initializes it programmatically when a cryptographic token device is configured. The use of the IBMPKCS11Impl provider in applications is not supported unless the cryptographic token device is not configured for use by WebSphere Application Server.

  • Any transport using the channel framework, including HTTP and JMS, must use the IBMJSSE2 provider.

  • To use AES_256 ciphers for IBMJSSE2, download the JCE Unlimited Strength Jurisdiction Policy.

  • IBMJSSE2 provider's HTTPS protocol handler is "com.ibm.net.ssl.www2.protocol.Handler". The package to add to the package handler property is "com.ibm.net.ssl.www2.protocol".


 

See Also


Security: Resources for learning