Enable the IBM JCE Hybrid Provider for the Liberty profile

The IBM JCE Hybrid Provider, IBMJCEHYBRID, is for applications designed to use cryptographic hardware and processors when they are available and to continue without those cryptographic features when they are not. Using the IBMJCEHYBRID provider lets an application take advantage of JCE providers without complex error handling for the case where cryptographic features are unavailable.

Ensure that the IBM JDK running on z/OS is at Java 7 SR3 or later.

The IBMJCEHYBRID provider does not do any cryptographic operations, but routes requests to JCE providers registered with the Java Security Framework. The IBMJCEHYBRID provider must be the first JCE provider in the active JVM provider list, which is initialized from the java.security provider list. The IBMJCEHYBRID provider routes requests to, and provides failover for, JCE providers according to the security provider registrations done at JVM initialization. This function enables an application to take advantage of cryptographic features when they are available and to use a provider that does not depend on these features when they are not available.

  1. Add the IBMJCEHYBRID provider to the java.security file, together with the hardware cryptographic provider.
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID
    security.provider.3=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA 
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL

  2. Configure the keyring in the server.xml file: set the location to use safkeyringhybrid and the type to JCEHYBRIDRACFKS. The following example shows the definition of a minimal SSL configuration keystore.
    <keyStore id="defaultKeyStore" location="safkeyringhybrid:///mykeyring" type="JCEHYBRIDRACFKS"
    password="{xor}Lz4sLCgwTs=" fileBased="false" readOnly="true"/>
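
A check for the ordering in step 1, added here as an example (it is not IBM's code): it parses a java.security provider list and reports when IBMJCEHYBRID is absent or listed after the JCE providers it routes to. The rule that the list ends at the first numbering gap is an assumption about how the JVM reads it, and MISORDERED is constructed sample input.

```python
import re

# Class names as listed in step 1 of this page.
HYBRID = "com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID"
ROUTED = ("com.ibm.crypto.hdwrCCA.provider.IBMJCECCA",  # hardware
          "com.ibm.crypto.provider.IBMJCE")             # software fallback
ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")

def active_providers(text):
    """Return (ordered class names the JVM would load, indexes it would skip)."""
    found = {}
    for line in text.splitlines():
        m = ENTRY.match(line)          # commented-out lines do not match
        if m:
            found[int(m.group(1))] = m.group(2)
    # Assumption: the list is read from index 1 and ends at the first gap.
    n = 1
    while n in found:
        n += 1
    return [found[i] for i in range(1, n)], sorted(i for i in found if i > n)

def check_hybrid_order(text):
    """Return findings; an empty list means the order matches the page."""
    active, skipped = active_providers(text)
    findings = [f"security.provider.{i} follows a numbering gap" for i in skipped]
    if HYBRID not in active:
        return findings + ["IBMJCEHYBRID is not in the active provider list"]
    for name in ROUTED:
        if name not in active:
            findings.append(f"{name} is not in the active provider list")
        elif active.index(name) < active.index(HYBRID):
            findings.append(f"{name} is listed before IBMJCEHYBRID")
    return findings

PAGE_EXAMPLE = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID
security.provider.3=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.4=com.ibm.crypto.provider.IBMJCE
"""
# Constructed sample: hybrid after IBMJCE, and index 4 missing.
MISORDERED = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID
security.provider.5=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
"""

if __name__ == "__main__":
    for label, text in (("page example", PAGE_EXAMPLE), ("misordered", MISORDERED)):
        print(label, check_hybrid_order(text) or "ok")
```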

