Support for non-IBM JREs
From Version 9.0, AMS is supported in non-IBM® JREs in Java clients.
Advanced Message Security implements Cryptographic Message Syntax (CMS). The CMS syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content.
In previous releases of the product, Advanced Message Security support in the IBM MQ classes for Java and IBM MQ classes for JMS has been dependent on CMS support specifically provided by the IBM implementation of the Java Cryptography Extensions (JCE). Because of this restriction, the functionality was only available when using a Java runtime environment (JRE) which included the Java JCE provider.
Importantly, support on platforms such as Solaris required a hybrid JRE. That is, the standard JRE for the platform with additional IBM-provided elements; in particular, the IBM JCE provider was required rather than that provided by the standard JRE for the platform.
From Version 9.0, the AMS support in IBM MQ classes for Java and IBM MQ classes for JMS has been modified, and now uses the open-source Bouncy Castle packages to support CMS. This means that these classes can now support AMS operation when running with non-IBM JREs.
The necessary Bouncy Castle jar files are included as part of the IBM MQ classes for Java and IBM MQ classes for JMS installation package.
For Version 9.0.x Continuous Delivery, and for Long Term Support for Version 9.0.0, Fix Pack 5 and earlier, the Bouncy Castle jar files used are the following files:
- The "provider" jar, which is fundamental to Bouncy Castle operations.
- This jar is called bcprov-jdk15on-VER.jar where "VER" is a 3-digit version number, that represents the Bouncy Castle version number with no embedded periods. For example, the provider jar for Bouncy Castle version 1.5.2 is bcprov-jdk15on-152.jar.
- The "PKIX" jar, which is contains the support for CMS operations used by AMS .
- This is called bcpkix-jdk15on-VER.jar where "VER" represents the same 3-digit version number as the provider jar.
The version of the Bouncy Castle jar files varies by IBM MQ release.
- In Version 9.0.3 and earlier releases, VER is 152.
- From Version 9.0.4, VER is 157.
For Long Term Support for Version 9.0.0, Fix Pack 6 and later, the Bouncy Castle jar files used are the
following files:
- The provider JAR file, which is fundamental to Bouncy Castle operations.
- This JAR file is called bcprov-jdk15on.jar.
- The "PKIX" JAR file, which is contains the support for CMS operations that are used by Advanced Message Security.
- This JAR file is called bcpkix-jdk15on.jar.
The modified classes have been tested with IBM JREs and Oracle JREs. They are also likely to run successfully under any J2SE-compliant JRE. However, you should note the following dependencies:
- There are no changes to AMS configuration
- The Bouncy Castle classes are used only for CMS operations. All other security-related operations, for example keystore access, the actual encryption of data, and calculation of signature checksums use the functionality provided by the JRE. Important: For this reason, the JRE used must include a JCE provider implementation.
- To use some strong encryption algorithms, you might need to install the
unrestricted policy files for the JRE's JCE implementation
Refer to the JRE documentation for more details.
- If we have enabled Java security:
- Add java.security.SecurityPermissioninsertProvider.BC to the application, so that the Bouncy Castle classes can be used as a security provider.
- Grant java.security.AllPermission to the Bouncy Castle jar files, which are mq_install_dir/java/lib/bcpkix-jdk15on-VER.jar and mq_install_dir/java/lib/bcprov-jdk15on-VER.jar For more information about the value of VER, see Bouncy Castle jar files.