IBM SDK for Linux platforms, Java Technology Edition

Security User Guide

Version 6

Copyright International Business Machines Corporation 2003, 2009.
US Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface
General information about IBM security providers
iKeyman tool
Java Authentication and Authorization Service (JAAS) V2.0
History of changes
Java Certification Path (CertPath)
History of changes
Java Cryptography Extension (JCE)
History of changes
Java Generic Security Service (JGSS)
History of changes
IBMJSSE2 Provider
Differences between the IBMJSSE Provider and the IBMJSSE2 Provider
Differences between the IBMJSSE2 Provider and Sun's version of JSSE
History of changes
IBMPKCS11Impl Provider
History of changes
IBMJCEFIPS Provider
IBM SASL Provider
Key Certificate Management utilities
Java XML Encryption and signatures
Notices
Trademarks

Preface

The security components described in this user guide are shipped with the SDK and are not extensions. They provide a wide range of security services through standard Java™ APIs (except iKeyman). The security components contain the IBM® implementation of various security algorithms and mechanisms. IBM does not provide support for any of the IBM Java security components when used with a non-IBM JVM or with non-IBM security providers when used with the IBM JVM.

The IBM SDK also provides a FIPS 140-2 certified cryptographic module, IBMJCEFIPS, implemented as a JCE provider. Applications can comply with the FIPS 140-2 requirements by using the IBMJCEFIPS module.

The CertPath component provides PKIX-compliant certification path building and validation.

The JGSS component provides a generic API that can be plugged in by different security mechanisms. IBM JGSS uses Kerberos V5 as the default mechanism for authentication and secure communication.

The JAAS component provides a means for principal-based authentication and authorization.

The JCE framework has two providers: IBMJCE is the pre-registered default provider; IBMJCEFIPS is optional.

JSSE is the Java implementation of the SSL and TLS protocols. The JSSE pre-registered default provider is IBMJSSE2.

IBM Java Simple Authentication and Security Layer, or SASL, is an Internet standard (RFC 2222) that specifies a protocol for authentication and optional establishment of a security layer between client and server applications.

The Java security configuration file does not refer to the Sun provider. The IBM JCE provider has replaced the Sun provider. The JCE supplies all the signature handling message digest algorithms that were previously supplied by the Sun provider. It also supplies the IBM secure random number generator, IBMSecureRandom, which is a real Random Number Generator. SHA1PRNG is a Pseudo Random Number Generator and is supplied for code compatibility. SHA1PRNG is not guaranteed to produce the same output as the SUN SHA1PRNG.

In the IBM SDK v1.4.1, the following options were added to the java.security.debug property to help you debug Java Cryptography Architecture (JCA)-related problems:

provider
Displays each provider request and load, provider add, and provider remove. It also displays the related exception when a provider load fails.
algorithm
Displays each algorithm request, which provider has supplied the algorithm, and the implementing class name.
:stack
You can append this option to either of algorithm - or provider. When you request an algorithm, a stack trace is displayed. Use this stack trace to determine the code that has requested the algorithm. This option also prints the stack trace for exceptions that are caught or converted.
:thread
Adds the thread id to all debug message lines. You can use this option together with all the other debug options.

An example of a valid option string is "provider, algorithm:stack".

In this guide, there is a 'What's new' section for each component. This information is provided to help you with migration.

General information about IBM security providers

Overview of the security providers tested with the IBM SDK.

The IBM SDK v6 has been tested with the following default security providers:

You can add other IBM security providers either statically or from inside your Java application's code. To add a new provider statically, edit a Java security properties file (for example, java.security). To add a new provider from your application's code, use the methods of the java.security.Security class (for example, java.security.Security.addProvider()).

You can also add this IBM security provider, com.ibm.crypto.fips.provider.IBMJCEFIPS.

iKeyman tool

The iKeyman utility is a tool for key databases containing digital certificates and keys.

With iKeyman, you can:

To load a Java cryptographic token on SLES10 using iKeyman, you must rename the cryptography library from /usr/lib/opencryptoki/libopencryptoki.so.0.0.0:0 to /usr/lib/opencryptoki/libopencryptoki.so. If /usr/lib/opencryptoki/libopencryptoki.so is already linked, you must delete it before the renaming.

History of changes

Version 6
Improved error messages and command help.

PKCS#11 access provided by IBMPKCS11Impl Provider rather than IBMPKCS11 Provider and a native library.

Support for symmetric key management (only supported by JCEKS and PKCS#11 key databases).

Use of the Java CMS Provider for CMS key databases rather than a native library.

Documentation

For more information, including information about the iKeyman GUI, see the iKeyman User Guide at: http://www.ibm.com/developerworks/java/jdk/security/index.html.

Java Authentication and Authorization Service (JAAS) V2.0

The Sun Microsystems Java platform provides a means to enforce access controls based on where code came from and who signed it. These access controls are needed because of the distributed nature of the Java platform where, for example, a remote applet can be downloaded over a public network and then run locally.

However, before SDK v1.4.0, the Java platform did not provide a way to enforce similar access controls based on who runs the code. To provide this type of access control, the Java security architecture requires the following:

The Java Authentication and Authorization Service (JAAS) framework provides these enhancements.

For a general overview of JAAS, see the Sun Web site: http://java.sun.com/products/jaas.

Differences between IBM and Sun versions of JAAS

IBM implementations are contained in the com.ibm.* package instead of the com.sun.* package.

Further reading

For detailed information, including API documentation and samples, see the developerWorks® Web site at http://www.ibm.com/developerworks/java/jdk/security/index.html. This site contains the LoginModule Developer's Guide and sample code in "HelloWorld.tar".

History of changes

A history of the changes to the Java Authentication and Authorization Service (JAAS) since it was added to the SDK.

Changes for Version 6

Added a new JAAS login module which enables users to perform authentication using credentials stored in an LDAP directory service. The new module provides LDAP support for existing JAAS-enabled applications.

Original release

New to the IBM 32-bit SDK for Linux® on Intel® architecture

The original release of JAAS for Linux and the Java Platform included the following login module and principal classes:

These original platform-dependent principal classes will be replaced by a set of platform-independent principal classes in future releases of JAAS for Linux. To ease migration, this version of JAAS contains the original set as well as the new set of principal classes. Also included is a new login module called com.ibm.security.auth.module.LinuxLoginModule2000, which has the same function as LinuxLoginModule but references the new set of principals. Additional principal classes have been included to facilitate the writing of new login modules.

You are encouraged to use the new set of principals when developing applications that use JAAS. Previously developed applications will be compatible with this version as well as future versions of JAAS released for the SDK v1.4.0.

If migrating applications to the new set of principals is desired, then most changes encountered will be in JAAS policy and configuration files rather than in the applications. Refer to the following table for guidance.

Table 1. New class names
Original class Replaced by
LinuxPrincipal UsernamePrincipal
LinuxNumericGroupPrincipal GroupIDPrincipal  PrimaryGroupIDPrincipal
LinuxNumericUserPrincipal UserIDPrincipal
n/a DomainPrincipal
n/a DomainIDPrincipal
n/a ServerPrincipal
n/a WkstationPrincipal
LinuxLoginModule LinuxLoginModule2000

Principal classes are found in the com.ibm.security.auth package while the login module is found in the com.ibm.security.auth.module package. Check the JAAS API documentation (Javadoc information) for more information on the new principal classes.

For example, this JAAS policy grant block:

grant Principal com.ibm.security.auth.LinuxPrincipal "bob",
      Principal com.ibm.security.auth.LinuxNumericUserPrincipal 
           "727",
      Principal com.ibm.security.auth.LinuxNumericGroupPrincipal 
           "12" {
   permission java.util.PropertyPermission "java.home", "read";
};

is replaced by:

grant Principal com.ibm.security.auth.UsernamePrincipal "bob",
      Principal com.ibm.security.auth.UserIDPrincipal "727",
      Principal com.ibm.security.auth.GroupIDPrincipal "12" {
   permission java.util.PropertyPermission "java.home", "read";
};

Java Certification Path (CertPath)

The Java Certification Path API provides interfaces and abstract classes for creating, building, and validating certification paths (also known as "certificate chains").

Differences between IBM and Sun versions of CertPath

The IBM CertPath classes differ from the Sun version in the following ways:

Documentation

For detailed information, including API documentation and samples, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.

History of changes

A history of the changes to CertPath since it was added to the SDK.

Changes for Version 6

Changes for Version 5.0

Changes for Version 1.4.2

Changes for Version 1.4.1, Service Refresh 1

Changes for Version 1.4.0

Java Cryptography Extension (JCE)

The Java Cryptography Extension (JCE) provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. The software also supports secure streams and sealed objects. JCE supplements the Java platform, which already includes interfaces and implementations of message digests and digital signatures.

You can obtain unrestricted jurisdiction policy files from http://www.ibm.com/developerworks/java/jdk/security/index.html. The policy files are replaced with restricted policy files when you upgrade your SDK. Before upgrading your SDK, make a backup of your policy files. After upgrading your SDK, install your backup policy files if you need an unrestricted policy.

The v1.4.2 unrestricted (and restricted) jurisdiction policy files are suitable for use with v5.0 and later. The v1.4.1 files are not suitable.

Differences between IBM and Sun versions of JCE

The com.sun.* packages are reimplemented by IBM and renamed com.ibm.* packages.

The IBM version of JCE differs from the Sun version in the following ways:

Documentation

For detailed information, including API documentation and samples, see the developerWorks Web site at http://www.ibm.com/developerworks/java/jdk/security/index.html.

History of changes

A history of the changes to the Java Cryptography Extension (JCE) since it was added to the SDK.

Changes for Version 6

Changes for Version 5.0, Service Refresh 4

Changes for Version 5.0

Changes for Version 1.4.2

Changes for Version 1.4.0

Java Generic Security Service (JGSS)

Java Generic Security Service (JGSS) API provides secure exchange of messages between communicating applications.

JGSS is an API framework that uses Kerberos V5 as the underlying default security mechanism. The API is a standardized abstract interface under which you can plug different security mechanisms that are based on private-key, public-key, and other security technologies.

JGSS shields secure applications from the complexities and peculiarities of the different underlying security mechanisms. JGSS provides identity and message origin authentication, message integrity, and message confidentiality. JGSS also features an optional Java Authentication and Authorization Service (JAAS) Kerberos login interface, and authorization checks. JAAS augments the access control features of Java, which is based on CodeSource with access controls based on authenticated principal identities.

Differences between IBM and Sun versions of JGSS

The IBM version of JGSS differs from the Sun version in the following ways:

Documentation

For detailed information about JGSS, including API documentation and samples, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.

History of changes

A history of the changes to the Java Generic Security Service (JGSS) since it was added to the SDK.

Change for Version 6

Added CipherTextStealing mode.

Changes for Version 5.0, Service Refresh 1

Added AES as a supported algorithm type
These additional algorthims can be set in the krb5.conf file under [libdefault] as follows:
default_tkt_enctypes = aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96

default_checksum = hmac-sha1-96-aes128
default_checksum = hmac-sha1-96-aes256

Changes for Version 5.0

TCP or UDP Preference Configuration
Added JSE support for the udp_preference_limit property in the Kerberos configuration file (krb5.ini). When sending a message to the KDC, the JSE Kerberos library will use TCP if the size of the message is above udp_preference_list. If the message is smaller than udp_preference_list, UDP will be tried up to three times. If the KDC indicates that the request is too big, the JSE Kerberos library will use TCP.
IPv6 support in Kerberos
Added JSE support for IPv6 addresses in Kerberos tickets. Before v5.0, only IPv4 addresses were supported in tickets.
TGT Renewals
Added support for Ticket Granting Ticket (TGT) renewal to the Java Authentication and Authorization Server (JAAS) Kerberos login module, Krb5LoginModule. This support allows long-running services to renew their TGTs automatically without user interaction or requiring the services to restart. With this feature, if Krb5LoginModule obtains an expired ticket from the ticket cache, the TGT will be automatically renewed and be added to the Subject of the caller who requested the ticket. If the ticket cannot be renewed for any reason, Krb5LoginModule will use its configured callback handler to retrieve a username and password to acquire a new TGT.

To use this feature, configure Krb5LoginModule to use the ticket cache and set the newly introduced renewTGT option to true. Here is an example of a JAAS login configuration file that requests TGT renewal:

server {
  com.ibm.security.auth.module.Krb5LoginModule required
        principal=principal@your_realm
		useDefaultCcache=TRUE
		 renewTGT=true;
};
Note that if renewTGT is set to true, useDefaultCcache must also be set to true; otherwise, it results in a configuration error.

Changes for Version 1.4.2

Configurable Kerberos Settings
You can provide the name and realm settings for the Kerberos Key Distribution Center (KDC) either from the Kerberos configuration file or by using the system properties files java.security.krb5.kdc and java.security.krb5.realm. You can also specify the boolean option refreshKrb5Config in the entry for Krb5LoginModule in the JAAS configuration file. If you set this option to true, the configuration values will be refreshed before the login method of the Krb5LoginModule is called.
Added support for Slave Kerberos Key Distribution Center
Kerberos uses slave KDCs so that, if the master KDC is unavailable, the slave KDCs will respond to your requests. In previous releases, Kerberos tried the master KDC only and gave up if there was no response in the default KDC timeout period.
Added support for TCP for Kerberos Key Distribution Center Transport
Kerberos uses UDP transport for ticket requests. In cases where Kerberos tickets exceed the UDP packet size limit, Kerberos supports automatic fallback to TCP. If a Kerberos ticket request using UDP fails and the KDC returns the error code KRB_ERR_RESPONSE_TOO_BIG, TCP becomes the transport protocol.
Kerberos Service Ticket in the Subject's Private Credentials
The Kerberos service ticket is stored in the Subject's private credentials. This gives you access to the service ticket so that you can use it outside the JGSS (for example, in native applications or for proprietary uses). In addition, you can reuse the service ticket if the application tries to establish a security context to the same service again. The service ticket should be valid for it to be reusable.

Changes for Version 1.4.1

IBMJSSE2 Provider

The Java Secure Socket Extension (JSSE) is a Java package that enables secure internet communications. It implements a Java version of SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols and includes functions for data encryption, server authentication, message integrity, and optional client authentication.

By abstracting the complex underlying security algorithms and "handshaking" mechanisms, JSSE minimizes the risk of creating subtle but dangerous security vulnerabilities. Also, it simplifies application development by serving as a building block that you can integrate directly into your applications. Using JSSE, you can provide for the secure passage of data between a client and a server running any application protocol (such as HTTP, Telnet, NNTP, and FTP) over TCP/IP.

The FIPS provider included with the SDK is undergoing certification with the US Government. The certification progress is available on the CSRC Web site: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf.

Documentation

For detailed information, including API documentation and samples, see http://www.ibm.com/developerworks/java/jdk/security/index.html.

Differences between the IBMJSSE Provider and the IBMJSSE2 Provider

The IBMJSSE2 Provider, which was introduced in the v1.4.2 SDK, has replaced the IBMJSSE Provider. Although they are nearly equivalent, there are differences between the two providers.

The now-discontinued IBMJSSE Provider and the IBMJSSE2 Provider differ in the following ways:

Differences between the IBMJSSE2 Provider and Sun's version of JSSE

Although they are nearly equivalent, there are differences between the IBMJSSE2 Provider and the Sun JSSE Provider.

The IBMJSSE2 Provider differs from the Sun JSSE in the following ways:

History of changes

A history of the changes to the IBMJSSE2 Provider since it was added to the SDK.

Changes for Version 6

Changes for Version 5.0, Service Refresh 5

Changes for Version 5.0

Changes for Version 1.4.2.

The IBMJSSE2 Provider is new for Version 1.4.2.

IBMPKCS11Impl Provider

The IBMPKCS11Impl Provider uses the Java Cryptography Extension (JCE) and Java Cryptography Architecture (JCA) frameworks to add the ability to use hardware cryptography through the Public Key Cryptographic Standards #11 (PKCS #11) standard.

This provider takes advantage of hardware cryptography in the existing JCE architecture and gives Java programmers the significant security and performance advantages of hardware cryptography with minimal changes to existing Java applications. Because the complexities of hardware cryptography are handled in the normal JCE, advanced security and performance using hardware cryptographic devices is available readily.

PKCS#11 is a standard that provides a common application interface to cryptographic services on various platforms through several hardware cryptographic devices. See the IBMPKCS11Impl provider user guide for a list of supported devices.

Remember: Use the correct PKCS11 configurations files for Version 6 of the SDK. You can download sample configuration files from http://www.ibm.com/developerworks/java/jdk/security/60/.

Differences between IBM and Sun versions of IBMPKCS11Impl

Documentation

For detailed information, including API documentation, see the developerWorks Web site at http://www.ibm.com/developerworks/java/jdk/security/index.html.

History of changes

A history of the changes to the IBMPKCS11Impl Provider since it was added to the SDK.

Changes for Version 6

Changes for Version 5.0

Updated IBMPKCS11Impl to allow more algorithms and to allow the Sun 5.0 methods of initialization of the provider. The new algorithms are:

Added the ability to pass in a configuration file to the provider. This configuration file can contain a significant amount of information about the device; for example, what it should or should not do. After the provider is created, the application can log in to the card in different ways. Some devices allow you to perform some cryptographic functions without logging into the device. The v1.4.2 ways to initialize the device still work. However, you can no longer have more than one of these providers at a time. Instead, with this release, you can initialize more than one IBMPKCS11Impl provider using the 5.0 configuration file and login methods.

Deprecated the classes DESPKCS11KeyParameterSpec and DESedePKCS11KeyParameterSpec. Use the GeneralPKCS11KeyParameterSpec class for all symmetric key types (for instance, DES, DESede, AES, RC4, Blowfish).

Changes for Version 1.4.2

The IBMPKCS11Impl Provider was new for v1.4.2.

IBMJCEFIPS Provider

The IBM Java JCE (Java Cryptographic Extension) FIPS Provider (IBMJCEFIPS) for multi-platforms is a scalable, multi-purpose cryptographic module that supports FIPS-approved cryptographic operations through Java APIs.

The IBMJCEFIPS includes the following Federal Information Processing Standards (FIPS) 140-2 [Level 1] compliant components:

To meet the requirements specified in the FIPS publication 140-2, the encryption algorithms used by the IBMJCEFIPS Provider are isolated into the IBMJCEFIPS Provider cryptographic module, which you can access using the product code from the Java JCE framework APIs. Because the IBMJCEFIPS Provider uses the cryptographic module in an approved manner, the product complies with the FIPS 140-2 requirements.

Type Algorithm Specification
Symmetric Cipher AES (ECB, CBC, OFB, CFB and PCBC) FIPS 197
Symmetric Cipher Triple DES (ECB, CBC, OFB, CFB and PCBC) FIPS 46-3
Message Digest
SHA1
SHA-256
SHA-384
SHA-512
HMAC-SHA1
FIPS 180-2



FIPS 198a
Random Number Generator FIPS 186-2 Appendix 3.1 FIPS 186-2
Digital Signature DSA (512 - 1024) FIPS 186-2
Digital Signature RSA (512 - 2048) FIPS 186-2

In addition, the IBMJCEFIPS supports the following unapproved algorithms:

Type Algorithm Specification
Asymmetric Cipher RSA PKCS#1
Key Agreement Diffie-Hellman PKCS #3 (Allowed in Approved mode)
Digital Signature DSAforSSL Allowed for use inside the TLS protocol
Digital Signature RSAforSSL Allowed for use inside the TLS protocol
Message Digest MD5 FIPS 180-2
Random Number Generation Universal Software Based Random Number Generator Available upon request from IBM. Patented by IBM, EC Pat. No. EP1081591A2, U.S. pat. Pend.
Important: The com.ibm.crypto.fips.provider.IBMJCEFIPS class does not include a keystore (such as JKS or JCEKS) because of FIPS requirements and algorithms. Therefore, if you are using com.ibm.crypto.fips.provider.IBMJCEFIPS and require JKS, you must specify the com.ibm.crypto.provider.IBMJCE in the provider list.

For more detailed information on the FIPS certified provider IBMJCEFIPS, see the IBM Java JCE FIPS 140-2 Cryptographic Module Security Policy. For usage information and details of the API, see the IBM Java JCE FIPS (IBMJCEFIPS) Cryptographic Module API document. These documents are available at http://www.ibm.com/developerworks/java/jdk/security/index.html.

Differences between IBM and Sun versions of IBMJCEFIPS

Sun does not provide IBMJCEFIPS.

History of changes

Version 1.4.2
IBMJCEFIPS is new for Version 1.4.2.

Documentation

For detailed information, including API documentation and Security Policy, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.

IBM SASL Provider

Simple Authentication and Security Layer, or SASL, is an Internet standard (RFC 2222) that specifies a protocol for authentication and optional establishment of a security layer between client and server applications. SASL defines how authentication data is to be exchanged but does not itself specify the contents of that data. It is a framework into which specific authentication mechanisms that specify the contents and semantics of the authentication data can fit.

The Java SASL API defines classes and interfaces for applications that use SASL mechanisms. It is defined to be mechanism-neutral: the application that uses the API need not be hardwired into using any particular SASL mechanism. The API supports both client and server applications. It allows applications to select the mechanism to use based on desired security features, such as whether they are susceptible to passive dictionary attacks or whether they accept anonymous authentication. The Java SASL API also allows developers to use their own, custom SASL mechanisms. SASL mechanisms are installed by using the Java Cryptography Architecture (JCA).

The IBMSASL provider supports the following client and server mechanisms.

Client mechanisms
Server mechanisms

Differences between Sun and IBM SASL Provider

Only the package names, for example com.ibm.security.sasl, and the provider name are different from the Sun Implementation: com.ibm.security.sasl.IBMSASL.

History of changes

Version 5.0
The IBM SASL Provider is new for v5.0.

Documentation

Detailed information, including API documentation and samples, is on the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.

Key Certificate Management utilities

Uses of the Key Certificate Management utilities.

The Key Certificate Management utilities make up a set of packages used to:

The Key Certificate Management utilities can:

The Subject Key Identifier is specified in RFC 3820, Section 4.2.1.2, http://www.faqs.org/rfcs/rfc3820.html.

History of changes

Version 5.0, Service Refresh 1
The Key Certificate Management utilities is new for Version 5.0, Service Refresh 1.

Documentation

The Key Certificate Management How-to Guide and Javadoc information are on the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.

Java XML Encryption and signatures

Java XML Encryption provides a standard set of APIs for XML digital encryption services and digital signature services.

You can use XML Encryption to perform fine-grained, element-based encryption of fragments in an XML Document. You can encrypt arbitrary binary data and include it in an XML document. The result of encrypting data is an XML Encryption element that contains or references the cipher data.

The IBM provider implementation of Java XML Encryption supports these algorithms:

You can use XML Digital Signature to perform detached, enveloped, and enveloping signatures and to sign arbitrary binary data and include this in an XML document. The result of encrypting data is an XML Signature element that contains or references the signature data.

The IBM provider implementation of Java XML Digital Signature supports these algorithms:

History of changes

Version 6
The Java XML Encryption and Java XML Digital Signature is new for Version 6.

Documentation

The user guide and Javadoc information are on the developerWorks Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area.

Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Intel is a trademark of Intel Corporation in the United States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product and service names may be trademarks or service marks of others.