Tuning Web services security for Version 6.1 applications

The Java Cryptography Extension (JCE) is integrated into the software development kit (SDK) Version 1.4.x and is no longer an optional package. However, the default JCE jurisdiction policy file shipped with the SDK enables you to use strong, but limited, cryptography only.

About this task

Due to export and import regulations, the default JCE jurisdiction policy file shipped with the SDK enables you to use strong, but limited, cryptography only. To enforce this default policy, WebSphere Application Server uses a JCE jurisdiction policy file that might have a performance impact on the cryptographic functions that are supported by Web services security. If you have Web services applications that use transport level security for XML encryption or digital signatures, you might encounter performance degradation over previous releases of WebSphere Application Server.

However, IBM and Sun Microsystems provide versions of these jurisdiction policy files that do not have restrictions on cryptographic strengths. If your governmental import and export regulations permit it, download one of these jurisdiction policy files. After downloading one of these files, the performance of JCE and Web services security might improve.

Attention: Fix packs that include updates to the Software Development Kit (SDK) might overwrite unrestricted policy files. Back up unrestricted policy files before you apply a fix pack and reapply these files after the fix pack is applied.

Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, you must check the laws of your country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.

For WebSphere Application Server platforms using IBM Developer Kit, Java Technology Edition Version 5, you can obtain unlimited jurisdiction policy files by completing the following steps:

  1. Go to the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html
  2. Click J2SE 5.0
  3. Scroll down and click IBM SDK Policy files.

    The Unrestricted JCE Policy files for the SDK Web site is displayed.

  4. Click Sign in and provide your IBM intranet ID and password or register with IBM to download the files.
  5. Select the appropriate Unrestricted JCE Policy files and then click Continue.
  6. View the license agreement and then click I Agree.
  7. Click Download Now.

[iSeries] For i5/OS operating system (both V5R3 and V5R4) and IBM Software Development Kit Version 1.5, the restricted JCE jurisdiction policy files are configured by default. You can download the unrestricted JCE jurisdiction policy files from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/50

[iSeries] Note: If Java 2 Standard Edition (J2SE) 32-bit for i5/OS is the enabled Java virtual machine (JVM) for your profile, substitute /QOpenSys/QIBM/ProdData/JavaVM/jdk50/32bit/jre for /QIBM/ProdData/Java400/jdk15 as the path name in the following steps.

[iSeries] To configure the unrestricted jurisdiction policy files for the i5/OS operating system and the IBM Software Development Kit Version 1.5, complete the following steps:

Procedure [iSeries]

  1. Make backup copies of these files:
    /QIBM/ProdData/Java400/jdk15/lib/security/local_policy.jar
    /QIBM/ProdData/Java400/jdk15/lib/security/US_export_policy.jar
    
  2. Download the unrestricted policy files from http://www.ibm.com/developerworks/java/jdk/security/index.html to the /QIBM/ProdData/Java400/jdk15/lib/security directory.
  3. Go to the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html
    1. Click J2SE 5.0
    2. Scroll down and click IBM SDK Policy files. The Unrestricted JCE Policy files for the SDK Web site is displayed.
    3. Click Sign in and provide your IBM intranet ID and password.
    4. Select the appropriate Unrestricted JCE Policy files and then click Continue.
    5. View the license agreement and then click I Agree.
    6. Click Download Now.
  4. Use the DSPAUT command to ensure that *PUBLIC is granted *RX data authority, but no object authority, to both the local_policy.jar and US_export_policy.jar files, which are located in the /QIBM/ProdData/Java400/jdk15/lib/security directory. For example:
    DSPAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar')
  5. Use the CHGAUT command to change authorization, if needed. For example:
    CHGAUT OBJ('/qibm/proddata/java400/jdk15/lib/security/local_policy.jar') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE)

Results [AIX HP-UX Linux Solaris Windows]

After following these steps, two Java Archive (JAR) files are placed in the JVM jre/lib/security/ directory.
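
To confirm which policy the JVM actually enforces after you install the files, or after a fix pack that might have overwritten them, you can query the JCE directly. The following is an added example, not IBM code: the class name JcePolicyCheck is hypothetical, and it assumes only the standard javax.crypto API available since Java 5.

```java
import java.io.File;
import java.security.InvalidKeyException;
import java.util.Date;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class): reports the JCE jurisdiction policy in effect.
public class JcePolicyCheck {

    // The restricted policy caps AES at 128 bits; unrestricted reports Integer.MAX_VALUE.
    static boolean isRestricted() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") < 256;
    }

    // Confirms the policy answer by initializing a cipher with a 256-bit all-zero test key.
    static boolean canInitAes256() throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[32], "AES"));
            return true;
        } catch (InvalidKeyException e) {
            return false; // "Illegal key size" under the restricted policy
        }
    }

    public static void main(String[] args) throws Exception {
        // The two JAR files that the procedure replaces. A modification time that
        // matches a fix pack installation suggests that they were overwritten.
        File dir = new File(System.getProperty("java.home"), "lib/security");
        String[] jars = { "local_policy.jar", "US_export_policy.jar" };
        for (int i = 0; i < jars.length; i++) {
            File f = new File(dir, jars[i]);
            System.out.println(f + (f.exists()
                ? "  modified " + new Date(f.lastModified()) : "  (not found)"));
        }
        String[] algs = { "AES", "DESede", "RSA" };
        for (int i = 0; i < algs.length; i++) {
            int max = Cipher.getMaxAllowedKeyLength(algs[i]);
            System.out.println(algs[i] + " max key bits: "
                + (max == Integer.MAX_VALUE ? "unlimited" : String.valueOf(max)));
        }
        boolean restricted = isRestricted() || !canInitAes256();
        System.out.println(restricted
            ? "RESTRICTED policy in effect: reapply the unrestricted files"
            : "Unrestricted policy in effect");
        System.exit(restricted ? 1 : 0);
    }
}
```

Compile and run the class with the same JVM that WebSphere Application Server uses; an exit status of 1 means that the restricted policy is in effect.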

What to do next

In IBM WebSphere Application Server Version 6.1 and later, Web services security supports the use of cryptographic hardware devices. There are two ways in which to use hardware cryptographic devices with Web services security. See Hardware cryptographic device support for Web Services Security for more information.





Last updated: Aug 31, 2013 4:28:44 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-mp&topic=twbs_tunev6wss
File name: twbs_tunev6wss.html