Changes to IBM Developer Kit for Java Technology Edition Version 1.4.x

WebSphere Application Server, Version 5.1 includes the IBM Developer Kit, Java Technology Edition Version 1.4.x, which contains changes to the IBM Developer Kit, Java Technology Edition Version 1.3.x. This document is intended to assist application developers and system administrators in understanding the changes.

Security packaging changes in IBM Developer Kit, Java Technology Edition Version 1.4.x

In IBM Developer Kit, Java Technology Edition Version 1.4.x, many of the security technologies are included in the core of the Developer Kit. Because of these packaging changes, specific java.security configurations are supported for each platform. This document discusses the impact of these java.security configuration changes on each platform.

Security providers for the Windows, Linux, and AIX platforms

The Windows, Linux, and AIX platforms use all of the IBM security provider implementations, which is similar to how IBM Developer Kit, Java Technology Edition Version 1.3.x shipped. Because the security technologies in IBM Developer Kit, Java Technology Edition Version 1.3.x, were not part of the core, these technologies were shipped in the java/jre/lib/ext directory and provided more flexibility in implementing the technologies. Only those Java Secure Sockets Extension (JSSE) providers configured by WebSphere Application Server are supported.

The following list shows the providers, and the sequence in which they are supported, on the Windows, Linux, and AIX platforms. Add any additional providers at the end of this list. The IBMJSSE and IBMJSSE2 providers are the only Secure Sockets Layer (SSL) providers supported on these platforms. You must configure HTTP and Java Message Service (JMS) transports to use the IBMJSSE2 provider because they use the channel framework (asynchronous network I/O (NIO) application programming interfaces (APIs) from Java SDK 1.4.2). The NIO APIs only work with the IBMJSSE2 provider and the channel framework.

security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse.IBMJSSEProvider
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.crypto.pkcs11.provider.IBMPKCS11

Security providers for the Sun Solaris environment

In the Sun Solaris environment, the JSSE framework classes are used by default. These classes enable you to plug in the IBMJSSE and IBMJSSE2 providers. You must configure HTTP and JMS transports to use the IBMJSSE2 provider because they use the channel framework (asynchronous network I/O (NIO) application programming interfaces (APIs) from Java SDK 1.4.2). The NIO APIs only work with the IBMJSSE2 provider and the channel framework.

The following list shows the default provider list for the Sun Solaris environment. Add any additional providers to the end of this list.

security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=sun.security.provider.Sun
security.provider.4=com.ibm.jsse.IBMJSSEProvider
security.provider.5=com.ibm.security.cert.IBMCertPath

Note: You only need to uncomment the IBMPKCS11 provider when using iKeyman to access a cryptographic token device. The WebSphere Application Server runtime now uses the IBMPKCS11Impl provider for cryptographic token access, instead of the IBMPKCS11 provider. To get more information on this provider, see Security: Resources for learning.

Security providers for the HP-UX platform

In the HP-UX environment, the IBM JSSE framework classes are used by default. These classes enable you to plug in the IBMJSSE and IBMJSSE2 providers. You must configure HTTP and JMS transports to use the IBMJSSE2 provider because they use the channel framework (asynchronous network I/O (NIO) application programming interfaces (APIs) from Java SDK 1.4.2). The NIO APIs only work with the IBMJSSE2 provider and the channel framework.

security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=sun.security.provider.Sun
security.provider.4=com.ibm.jsse.IBMJSSEProvider
security.provider.5=com.ibm.security.cert.IBMCertPath

Note: You must uncomment the IBMPKCS11 provider when using iKeyman to access a cryptographic token device. The WebSphere Application Server runtime now uses the IBMPKCS11Impl provider for cryptographic token access, instead of the IBMPKCS11 provider. To obtain more information about this provider, see Security: Resources for learning.
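
The provider lists above for Windows, Linux, and AIX and for Solaris and HP-UX can be checked mechanically. The following Java program is an added example, not IBM code: it parses java.security text and reports providers that are out of the supported sequence or that sit behind a numbering gap. The sample input and the class name com.example.ExtraProvider are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.*;

public class ProviderOrderCheck {
    static final String PREFIX = "security.provider.";
    // Supported sequences, copied from the lists on this page.
    static final String[] WINDOWS_LINUX_AIX = {
        "com.ibm.crypto.provider.IBMJCE", "com.ibm.jsse.IBMJSSEProvider",
        "com.ibm.security.jgss.IBMJGSSProvider", "com.ibm.security.cert.IBMCertPath",
        "com.ibm.crypto.pkcs11.provider.IBMPKCS11" };
    static final String[] SOLARIS_HPUX = {
        "com.ibm.security.jgss.IBMJGSSProvider", "com.ibm.crypto.provider.IBMJCE",
        "sun.security.provider.Sun", "com.ibm.jsse.IBMJSSEProvider",
        "com.ibm.security.cert.IBMCertPath" };

    /** Returns the problems found; an empty list means the text matches. */
    static List<String> check(String javaSecurityText, String[] supported) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(javaSecurityText));
        List<String> problems = new ArrayList<>();
        int n = 1;
        // The JDK reads security.provider.1, .2, ... and stops at the first missing number.
        for (String cls; (cls = props.getProperty(PREFIX + n)) != null; n++) {
            if (n <= supported.length && !cls.trim().equals(supported[n - 1])) {
                problems.add("position " + n + ": found " + cls.trim() + ", expected " + supported[n - 1]);
            }
        }
        int loaded = n - 1;
        if (loaded < supported.length) {
            problems.add("only " + loaded + " of " + supported.length + " supported providers are listed");
        }
        for (String key : props.stringPropertyNames()) {
            String num = key.startsWith(PREFIX) ? key.substring(PREFIX.length()) : "";
            if (num.matches("\\d{1,4}") && Integer.parseInt(num) > loaded) {
                problems.add(key + " sits after a numbering gap and is never read");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: this page's Windows/Linux/AIX list plus a hypothetical extra provider numbered 7 (6 is missing).
        StringBuilder sample = new StringBuilder();
        for (int i = 0; i < WINDOWS_LINUX_AIX.length; i++) {
            sample.append(PREFIX).append(i + 1).append('=').append(WINDOWS_LINUX_AIX[i]).append('\n');
        }
        sample.append(PREFIX).append("7=com.example.ExtraProvider\n");
        check(sample.toString(), WINDOWS_LINUX_AIX).forEach(System.out::println);
    }
}
```

For a Solaris or HP-UX installation, pass SOLARIS_HPUX as the second argument and the contents of that installation's java.security file as the first.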

Changes to the CertPath API package name

In IBM Developer Kit, Java Technology Edition Version 1.3.x, the package for CertPath APIs was javax.security.cert.*. In IBM Developer Kit, Java Technology Edition Version 1.4.x, the package has changed to java.security.cert.*. Your applications might still work using javax.security.cert.* because of the oldcertpath.jar file packaged as ${WAS_INSTALL_ROOT}/java/jre/lib/ext/oldcertpath.jar, but change your applications to use the new package name for CertPath from this point forward. In this release, either package name should work, but it is recommended that you use the correct package, which is java.security.cert.*.

Known problems with IBM Developer Kit, Java Technology Edition Version 1.4.x

For a list of known problems with the various platforms related to the IBM Developer Kit, Java Technology Edition Version 1.4.x changes, review the release notes for WebSphere Application Server, Version 5.1.

There are some known issues with the IBMJSSE2 provider:
  • When configuring a cryptographic token device, you must use the IBMJSSE2 provider. There is a dependency on the new IBMPKCS11Impl provider for cryptographic token support. This provider can only be initialized once in a JVM, and the initialization is done programmatically by the WebSphere Application Server runtime when a cryptographic token device is configured. The use of the IBMPKCS11Impl provider in applications is not supported unless the cryptographic token device is not configured for use by WebSphere Application Server.
  • Any transport using the channel framework, including HTTP and JMS, must use the IBMJSSE2 provider.
  • To use AES_256 ciphers for IBMJSSE2, you must download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy.
  • The IBMJSSE2 provider's HTTPS protocol handler is "com.ibm.net.ssl.www2.protocol.Handler". The package to add to the package handler property is "com.ibm.net.ssl.www2.protocol".
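
The last two items can be verified from code before a transport is configured. The following Java class is an added example, not IBM code: it tests whether the installed JCE policy accepts a 256-bit AES key, and it merges the IBMJSSE2 handler package into the standard java.protocol.handler.pkgs system property without discarding existing entries. Placing the package first in the list is a choice made here, and com.example.handlers is a hypothetical package used as sample input.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class Ibmjsse2Preflight {
    static final String HANDLER_PROP = "java.protocol.handler.pkgs";
    static final String IBMJSSE2_PKG = "com.ibm.net.ssl.www2.protocol"; // from this page

    /** True if the installed JCE policy lets a 256-bit AES key be used. */
    static boolean aes256Permitted() throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES");
        try {
            // All-zero key: only the key length matters for the policy check.
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[32], "AES"));
            return true;
        } catch (InvalidKeyException restricted) {
            return false; // the limited-strength policy rejects the key size
        }
    }

    /** Puts the IBMJSSE2 handler package first in a '|'-separated list, without duplicates. */
    static String withIbmjsse2Handler(String existing) {
        StringBuilder merged = new StringBuilder(IBMJSSE2_PKG);
        if (existing != null) {
            for (String pkg : existing.split("\\|")) {
                pkg = pkg.trim();
                if (!pkg.isEmpty() && !pkg.equals(IBMJSSE2_PKG)) {
                    merged.append('|').append(pkg);
                }
            }
        }
        return merged.toString();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        System.out.println("AES-256 permitted: " + aes256Permitted());
        // Constructed starting value; com.example.handlers is a hypothetical package.
        String merged = withIbmjsse2Handler("com.example.handlers | com.ibm.net.ssl.www2.protocol");
        System.setProperty(HANDLER_PROP, merged);
        System.out.println(HANDLER_PROP + "=" + merged);
    }
}
```

The property has to be set before the JVM resolves its first https URL, because protocol handlers are cached once loaded.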



Related tasks
Configuring Secure Sockets Layer (SSL)
Related reference
Security: Resources for learning

Last updated: Sep 20, 2010 9:00:59 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-dist&topic=rsec_devkit14x
File name: rsec_devkit14x.html