Before using this information and the product it supports, read the information in Notices.
This edition of the user guide applies to the security components included with the IBM SDK for Java.
Note: Before using this information and the product it supports, read the general information under Notices.
This edition of the user guide applies to:
and to all subsequent releases and modifications until otherwise indicated in new editions.
© Copyright Sun Microsystems, Inc. 1997, 2007, 901 San Antonio Rd., Palo Alto, CA 94303 USA. All rights reserved.
The security components described in this user guide are shipped with the SDK and are not extensions. They provide a wide range of security services through standard Java™ APIs (except iKeyman). The security components contain the IBM® implementation of various security algorithms and mechanisms. IBM does not provide support for any of the IBM Java security components when used with a non-IBM JVM or with non-IBM security providers when used with the IBM JVM.
The IBM SDK also provides a FIPS 140-2 certified cryptographic module, IBMJCEFIPS, implemented as a JCE provider. Applications can comply with the FIPS 140-2 requirements by using the IBMJCEFIPS module.
The CertPath component provides PKIX-compliant certification path building and validation.
The JGSS component provides a generic API that can be plugged in by different security mechanisms. IBM JGSS uses Kerberos V5 as the default mechanism for authentication and secure communication.
The JAAS component provides a means for principal-based authentication and authorization.
The JCE framework has two providers: IBMJCE is the pre-registered default provider; IBMJCEFIPS is optional.
JSSE is the Java implementation of the SSL and TLS protocols. The JSSE pre-registered default provider is IBMJSSE2.
IBM Java Simple Authentication and Security Layer, or SASL, is an Internet standard (RFC 2222) that specifies a protocol for authentication and optional establishment of a security layer between client and server applications.
The Java security configuration file does not refer to the Sun provider. The IBM JCE provider has replaced the Sun provider. The JCE supplies all the signature handling message digest algorithms that were previously supplied by the Sun provider. It also supplies the IBM secure random number generator, IBMSecureRandom, which is a real Random Number Generator. SHA1PRNG is a Pseudo Random Number Generator and is supplied for code compatibility. SHA1PRNG is not guaranteed to produce the same output as the SUN SHA1PRNG.
In the IBM SDK v1.4.1, the following options were added to the java.security.debug property to help you debug Java Cryptography Architecture (JCA)-related problems:
An example of a valid option string is "provider, algorithm:stack".
In this guide, there is a 'What's new' section for each component. This information is provided to help you with migration.
Overview of the security providers tested with the IBM SDK.
The IBM SDK v5.0 has been tested with the following default security providers:
You can add other IBM security providers either statically or from within your Java application's code. To add a new provider statically, edit a Java security properties file (for example, java.security). To add a new provider from your application's code, use the methods of the java.security.Security class (for example, java.security.Security.addProvider()).
You can also add this IBM security provider, com.ibm.crypto.fips.provider.IBMJCEFIPS.
Note that code written for the IBMJSSE Provider might not compile or execute in exactly the same way for IBMJSSE2. For details, see IBMJSSE2 Provider.
The iKeyman utility is a tool for key databases containing digital certificates and keys.
With iKeyman, you can:
For more information, including information about the iKeyman GUI, see the iKeyman User Guide at: http://www.ibm.com/developerworks/java/jdk/security/index.html.
The Sun Microsystems Java platform provides a means to enforce access controls based on where code came from and who signed it. These access controls are needed because of the distributed nature of the Java platform where, for example, a remote applet can be downloaded over a public network and then run locally.
However, before SDK v1.4.0, the Java platform did not provide a way to enforce similar access controls based on who runs the code. To provide this type of access control, the Java security architecture requires the following:
The Java Authentication and Authorization Service (JAAS) framework provides these enhancements.
For a general overview of JAAS, see the Sun Web site: http://java.sun.com/products/jaas.
IBM implementations are contained in the com.ibm.* package instead of the com.sun.* package. IBM has also added Active Login to JAAS.
See JAAS Active Login for more information about Active Login.
For detailed information, including API documentation and samples, see the developerWorks® Web site at http://www.ibm.com/developerworks/java/jdk/security/index.html. This site contains the LoginModule Developer's Guide and sample code in "HelloWorld.tar".
A history of the changes to the Java Authentication and Authorization Service (JAAS) since it was added to the SDK.
The IBM version of JAAS for Windows® contains an additional function called Active Login. Because Windows has an extensive security infrastructure, it is important on servers to allow a Java program to log on as a particular Windows user and run with the underlying operating system knowing the security identity on a particular thread.
Without this extended support, JAAS would allow Java programs to know who the user is, strictly on a Java level. With this extended support, Java programs can log in as different users and have even non-Java programs (such as the Windows kernel) enforce security appropriately.
The following classes contain the additional support for Active Login:
These classes are described in the JAAS APIs that are included with the Java SDK.
To log on to Windows, an authorized program is required. The Runtime Environment contains a Windows service that can perform the login operation. This task will show you how to use the service.
The following error messages are associated with starting and removing JAASLogon:
jaaslogon Difficulty in starting JaasLogon, error code = 1063 Cause: Incorrect syntax. The correct syntax is jaaslogon -install
jaaslogon -install Difficulty in CreateService, error code = 1073 Cause: The service has already been started.
jaaslogon -remove In OpenService, error Code = 1060 Cause: The service cannot be removed since it was not started.
The Java Certification Path API provides interfaces and abstract classes for creating, building, and validating certification paths (also known as "certificate chains").
The IBM CertPath classes differ from the Sun version in the following ways:
For detailed information, including API documentation and samples, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.
A history of the changes to CertPath since it was added to the SDK.
public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey, byte[] nameConstraints); public final X500Principal getCA();
public X500Principal getIssuer(); public void setIssuer(X500Principal issuer); public X500Principal getSubject(); public void setSubject(X500Principal subject);
public void setIssuers(Collection issuers); public void addIssuer(X500Principal issuer); public Collection getIssuers();
The Java Cryptography Extension (JCE) provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. The software also supports secure streams and sealed objects. JCE supplements the Java platform, which already includes interfaces and implementations of message digests and digital signatures.
You can obtain unrestricted jurisdiction policy files from http://www.ibm.com/developerworks/java/jdk/security/index.html. |The policy files are replaced with restricted |policy files when you upgrade your SDK. Before upgrading your SDK, |make a backup of your policy files. After upgrading your SDK, install |your backup policy files if you need an unrestricted policy.
The v1.4.2 unrestricted (and restricted) jurisdiction policy files are suitable for use with v5.0 and later. The v1.4.1 files are not suitable.
The com.sun.* packages are reimplemented by IBM and renamed com.ibm.* packages.
The IBM version of JCE differs from the Sun version in the following ways:
Blowfish
DES
El Gamal
Mars
ARCFOUR
PBE with MD2 and DES
PBE with MD2 and Triple DES
PBE with MD2 and RC2
PBE with MD5 and DES
PBE with MD5 and Triple DES
PBE with MD5 and RC2
PBE with SHA1 and DES
PBE with SHA1 and TripleDES
PBE with SHA1 and RC2
PBE with SHA1 and 40-bit RC2
PBE with SHA1 and 128-bit RC2
PBE with SHA1 and 40-bit RC4
PBE with SHA1 and 128-bit RC4
PBE with SHA1 and 2-key Triple DES
PBE with SHA1 and 3-key Triple DES
RC2
RC4
RSA encryption/decryption
RSA encryption/decryption with OAEP Padding
Seal
Triple DES
SHA2 with RSA
SHA3 with RSA
SHA5 with RSA
MD5 with RSA
MD2 with RSA signature
SHA1 with DSA signature
SHA2
SHA3
SHA5
MD5
MD2
Hmac/MD5
Hmac/SHA2
Hmac/SHA3
Hmac/SHA5
IBM SHA1PRNG
JKS
PKCS12KS
For detailed information, including API documentation and samples, see the developerWorks Web site at http://www.ibm.com/developerworks/java/jdk/security/index.html.
A history of the changes to the Java Cryptography Extension (JCE) since it was added to the SDK.
Java Generic Security Service (JGSS) API provides secure exchange of messages between communicating applications.
JGSS is an API framework that uses Kerberos V5 as the underlying default security mechanism. The API is a standardized abstract interface under which you can plug different security mechanisms that are based on private-key, public-key, and other security technologies.
JGSS shields secure applications from the complexities and peculiarities of the different underlying security mechanisms. JGSS provides identity and message origin authentication, message integrity, and message confidentiality. JGSS also features an optional Java Authentication and Authorization Service (JAAS) Kerberos login interface, and authorization checks. JAAS augments the access control features of Java, which is based on CodeSource with access controls based on authenticated principal identities.
The IBM version of JGSS differs from the Sun version in the following ways:
For detailed information about JGSS, including API documentation and samples, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.
A history of the changes to the Java Generic Security Service (JGSS) since it was added to the SDK.
To use this feature, configure Krb5LoginModule to use the ticket cache and set the newly introduced renewTGT option to true. Here is an example of a JAAS login configuration file that requests TGT renewal:
server { com.ibm.security.auth.module.Krb5LoginModule required principal=principal@your_realm useDefaultCcache=TRUE renewTGT=true; };Note that if renewTGT is set to true, useDefaultCcache must also be set to true; otherwise, it results in a configuration error.
The Java Secure Socket Extension (JSSE) is a Java package that enables secure internet communications. It implements a Java version of SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols and includes functions for data encryption, server authentication, message integrity, and optional client authentication.
By abstracting the complex underlying security algorithms and "handshaking" mechanisms, JSSE minimizes the risk of creating subtle but dangerous security vulnerabilities. Also, it simplifies application development by serving as a building block that you can integrate directly into your applications. Using JSSE, you can provide for the secure passage of data between a client and a server running any application protocol (such as HTTP, Telnet, NNTP, and FTP) over TCP/IP.
The FIPS provider included with the SDK is undergoing certification with the US Government. The certification progress is available on the CSRC Web site: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf.
For detailed information, including API documentation and samples, see http://www.ibm.com/developerworks/java/jdk/security/index.html.
The IBMJSSE2 Provider, which was introduced in the v1.4.2 SDK, has replaced the IBMJSSE Provider. Although they are nearly equivalent, there are differences between the two providers.
The now-discontinued IBMJSSE Provider and the IBMJSSE2 Provider differ in the following ways:
Although they are nearly equivalent, there are differences between the IBMJSSE2 Provider and the Sun JSSE Provider.
The IBMJSSE2 Provider differs from the Sun JSSE in the following ways:
A history of the changes to the IBMJSSE2 Provider since it was added to the SDK.
The IBMJSSE2 Provider is new for Version 1.4.2.
The IBM Java JCE (Java Cryptographic Extension) FIPS Provider (IBMJCEFIPS) for multi-platforms is a scalable, multi-purpose cryptographic module that supports FIPS-approved cryptographic operations through Java APIs.
The IBMJCEFIPS includes the following Federal Information Processing Standards (FIPS) 140-2 [Level 1] compliant components:
To meet the requirements specified in the FIPS publication 140-2, the encryption algorithms used by the IBMJCEFIPS Provider are isolated into the IBMJCEFIPS Provider cryptographic module, which you can access using the product code from the Java JCE framework APIs. Because the IBMJCEFIPS Provider uses the cryptographic module in an approved manner, the product complies with the FIPS 140-2 requirements.
Type | Algorithm | Specification |
---|---|---|
Symmetric Cipher | AES (ECB, CBC, OFB, CFB and PCBC) | FIPS 197 |
Symmetric Cipher | Triple DES (ECB, CBC, OFB, CFB and PCBC) | FIPS 46-3 |
Message Digest |
SHA1 SHA-256 SHA-384 SHA-512 HMAC-SHA1 |
FIPS 180-2 FIPS 198a |
Random Number Generator | FIPS 186-2 Appendix 3.1 | FIPS 186-2 |
Digital Signature | DSA (512 - 1024) | FIPS 186-2 |
Digital Signature | RSA (512 - 2048) | FIPS 186-2 |
In addition, the IBMJCEFIPS supports the following unapproved algorithms:
Type | Algorithm | Specification |
---|---|---|
Asymmetric Cipher | RSA | PKCS#1 |
Key Agreement | Diffie-Hellman | PKCS #3 (Allowed in Approved mode) |
Digital Signature | DSAforSSL | Allowed for use within the TLS protocol |
Digital Signature | RSAforSSL | Allowed for use within the TLS protocol |
Message Digest | MD5 | FIPS 180-2 |
Random Number Generation | Universal Software Based Random Number Generator | Available upon request from IBM. Patented by IBM, EC Pat. No. EP1081591A2, U.S. pat. Pend. |
For more detailed information on the FIPS certified provider IBMJCEFIPS, see the IBM Java JCE FIPS 140-2 Cryptographic Module Security Policy. For usage information and details of the API, see the IBM Java JCE FIPS (IBMJCEFIPS) Cryptographic Module API document. These documents are available at http://www.ibm.com/developerworks/java/jdk/security/index.html.
Sun does not provide IBMJCEFIPS.
For detailed information, including API documentation and Security Policy, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.
Simple Authentication and Security Layer, or SASL, is an Internet standard (RFC 2222) that specifies a protocol for authentication and optional establishment of a security layer between client and server applications. SASL defines how authentication data is to be exchanged but does not itself specify the contents of that data. It is a framework into which specific authentication mechanisms that specify the contents and semantics of the authentication data can fit.
The Java SASL API defines classes and interfaces for applications that use SASL mechanisms. It is defined to be mechanism-neutral: the application that uses the API need not be hardwired into using any particular SASL mechanism. The API supports both client and server applications. It allows applications to select the mechanism to use based on desired security features, such as whether they are susceptible to passive dictionary attacks or whether they accept anonymous authentication. The Java SASL API also allows developers to use their own, custom SASL mechanisms. SASL mechanisms are installed by using the Java Cryptography Architecture (JCA).
The IBMSASL provider supports the following client and server mechanisms.
Only the package names, for example com.ibm.security.sasl, and the provider name are different from the Sun Implementation: com.ibm.security.sasl.IBMSASL.
Detailed information, including API documentation and samples, is on the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.
Uses of the Key Certificate Management utilities.
The Key Certificate Management utilities make up a set of packages used to:
The Key Certificate Management utilities can:
The Subject Key Identifier is specified in RFC 3820, Section 4.2.1.2, http://www.faqs.org/rfcs/rfc3820.html.
The Key Certificate Management How-to Guide and Javadoc are on the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.
Intel is a trademark of Intel Corporation in the United States, other countries, or both.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of others.