[Updated in August 2013]
This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.

Enabling the IBM JCE Hybrid Provider for Liberty

The IBM JCE Hybrid Provider, IBMJCEHYBRID, is for use by an application that is designed to use cryptographic hardware and processors when they are available, but that continues without those cryptographic features when they are not available. Using the IBMJCEHYBRID provider enables an application to take advantage of JCE providers without having to include complex error handling for when cryptographic features are not available.

Before you begin

Ensure that the IBM JDK running on z/OS is at Java 7 SR3 or later.

About this task

The IBMJCEHYBRID provider does not do any cryptographic operations, but routes requests to JCE providers registered with the Java Security Framework. The IBMJCEHYBRID provider must be the first JCE provider in the active JVM provider list, which is initialized from the java.security provider list. The IBMJCEHYBRID provider routes requests to, and provides failover for, JCE providers according to the security provider registrations done at JVM initialization. This function enables an application to take advantage of cryptographic features when they are available and to use a provider that does not depend on these features when they are not available.

Procedure

  1. Add the provider to the java.security file with the hardware cryptographic provider.
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID
    security.provider.3=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
    security.provider.4=com.ibm.crypto.provider.IBMJCE
    security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.6=com.ibm.security.cert.IBMCertPath
    security.provider.7=com.ibm.security.sasl.IBMSASL
  2. Configure the keyring in file server.xml to set the location to use safkeyringhybrid, and the type to JCEHYBRIDRACFKS. The following example shows the definition of a minimal SSL configuration keystore.
    <keyStore id="defaultKeyStore" location="safkeyringhybrid:///mykeyring" type="JCEHYBRIDRACFKS"
    password="{xor}Lz4sLCgwTs=" fileBased="false" readOnly="true"/>
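
A check for step 1, added here as an example (it is not IBM's code): it parses java.security text and confirms that IBMJCEHYBRID is in the active list ahead of the IBMJCECCA and IBMJCE providers named in the listing above. It assumes the JVM reads security.provider.N entries consecutively from 1 and stops at the first gap; the function names and the sample fragment are constructed for illustration.

```python
import re

HYBRID = "com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID"
# Providers from the page's listing that IBMJCEHYBRID routes requests to.
ROUTED = ("com.ibm.crypto.hdwrCCA.provider.IBMJCECCA",
          "com.ibm.crypto.provider.IBMJCE")
ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")

def parse_providers(text):
    """Map position -> class name for each security.provider.N line."""
    found = {}
    for line in text.splitlines():
        m = ENTRY.match(line)  # comment lines starting with # never match
        if m:
            found[int(m.group(1))] = m.group(2)
    return found

def check_hybrid_order(text):
    """Return findings; an empty list means the order matches the page."""
    found = parse_providers(text)
    active, n = {}, 1
    # Assumption: the JVM reads entries from 1 upward and stops at a gap.
    while n in found:
        active.setdefault(found[n], n)
        n += 1
    findings = []
    skipped = sorted(p for p in found if p > n)
    if skipped:
        findings.append(f"gap at position {n}: entries {skipped} are ignored")
    if HYBRID not in active:
        return findings + ["IBMJCEHYBRID is not in the active provider list"]
    for name in ROUTED:
        if name not in active:
            findings.append(f"{name} is not in the active provider list")
        elif active[name] < active[HYBRID]:
            findings.append(f"{name} precedes IBMJCEHYBRID")
    return findings

# Constructed sample: hardware provider listed ahead of the hybrid provider.
MISORDERED = """\
# constructed java.security fragment
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.3=com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID
security.provider.4=com.ibm.crypto.provider.IBMJCE
"""

if __name__ == "__main__":
    for finding in check_hybrid_order(MISORDERED):
        print("FINDING:", finding)
```

The parser handles only plain `key=value` lines, which is the form the listing in step 1 uses.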




Last updated: Tuesday, 12 December 2017
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-libcore-mp&topic=twlp_hybrid_saf
File name: twlp_hybrid_saf.html
