IBM 32-bit SDK for Windows, Java 2 Technology Edition, Version 1.4.1; Security Guide


Copyright information

Note: Before using this information and the product it supports, be sure to read the general information under Notices.

This edition of the User Guide applies to iKeyman, Java Authentication and Authorization Service (JAAS) v2.0, Java Certification Path (CertPath) v1.0, Java Cryptography Extension (JCE), Java Generic Security Service (JGSS) v1.0, and Java Secure Socket Extension (JSSE) v1.0.3, and to all subsequent releases and modifications until otherwise indicated in new editions.

(c) Copyright Sun Microsystems, Inc. 1997, 2003, 901 San Antonio Rd., Palo Alto, CA 94303 USA. All rights reserved.

(c) Copyright International Business Machines Corporation, 1999, 2003. All rights reserved.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Preface

The Java security configuration file does not refer to the Sun provider. The IBM(R) JCE provider has replaced the Sun provider. The JCE supplies all the signature handling message digest algorithms that were previously supplied by the Sun provider, excluding the secure random number generator, SHA1PRNG, which has been replaced by IBM's secure random number generator, IBMSecureRandom.

In the IBM 32-bit SDK for Windows, v1.4.1, new options have been added to the java.security.debug property to help you debug Java Cryptography Architecture (JCA)-related problems. The new options are:

An example of a valid option string is "provider, algorithm:stack".

In this release, the security components described in this document are shipped with the SDK instead of as optional extensions.


Contents

Copyright information

Preface

iKeyman tool

  • What's new?
  • Documentation
  • Java Authentication and Authorization Service (JAAS) V2.0 for Windows

  • Differences between IBM and Sun versions of JAAS
  • What's new?
  • Documentation
  • What has been added on Windows?
  • Using JAAS Active Login
  • Java Certification Path (CertPath)

  • Differences between IBM and Sun versions of CertPath
  • What's new?
  • Documentation
  • Java Cryptography Extension (JCE)

  • Differences between IBM and Sun versions of JCE
  • What's new?
  • Documentation
  • Java Generic Security Service (JGSS)

  • Differences between IBM and Sun versions of JGSS
  • What's new?
  • Documentation
  • Java Secure Socket Extension (JSSE)

  • Differences between IBM and Sun versions of JSSE
  • What's new?
  • Documentation
  • Anonymous ciphers
  • Notices

  • Trademarks

  • iKeyman tool

    The iKeyman utility is a tool for managing your digital certificates. With iKeyman, you can:

    The iKeyman utility allows you to store and retrieve keys and certificates to an installed cryptographic adapter . To access the adapter:

    1. Start iKeyman.
    2. Open a database.
      1. Select fileOpen -> Cryptographic Token.
      2. Specify the location and name of the dll.
      3. Specify the slot number.
      4. Enter the password.

    What's new?

    An iKeyman wrapper that invokes the correct tool class.


    Documentation

    Go to http://www.ibm.com/developerworks/java/jdk/security/index.html to download the file iKeymanDocs.zip that contains the iKeyman documentation.

    Table 1. Contents of iKeymanDocs.zip
    File Contains
    ikmuserguide.pdf iKeyman User Guide

    Java Authentication and Authorization Service (JAAS) V2.0 for Windows

    The Sun Microsystems Java 2 platform provides a means to enforce access controls based on where code came from and who signed it. These access controls are needed because of the distributed nature of the Java platform where, for example, a remote applet can be downloaded over a public network and then run locally.

    However, before JDK 1.4.0, the Java 2 platform did not provide a way to enforce similar access controls based on who runs the code. To provide this type of access control, the Java 2 security architecture requires the following:

    The Java Authentication and Authorization Service (JAAS) framework provides these enhancements.

    JAAS is supported on the following products:

    For a general overview of JAAS, see the Sun Web site: http://java.sun.com/products/jaas.


    Differences between IBM and Sun versions of JAAS

    The IBM(R) version of JAAS differs from the Sun version in the following ways:


    What's new?

    The original release of JAAS for Windows and the Java 2 Platform included the following login modules and principal classes:

    The original platform-dependent principal classes will be replaced by a set of platform-independent principal classes in future releases of JAAS for Windows. To ease migration, this version of JAAS contains both the original set and the new set of principal classes. Also included are new login modules called com.ibm.security.auth.module.NTLoginModule2000 and com.ibm.security.auth.module.NTActiveLoginModule2000. These new login modules have the same function as NTLoginModule and NTActiveLoginModule, but reference the new set of principals. Additional principal classes have been included to facilitate the writing of new login modules.

    You are encouraged to use the new set of principals when developing applications that use JAAS. Previously developed applications will be compatible with this version as well as future versions of JAAS released for the Developer Kit Version 1.4.1.

    If you want to migrate applications to the new set of principals, most of the changes you will encounter will be in JAAS policy and configuration files rather than in the applications. Refer to the following table for guidance.

    Table 2. New Principal class names.
    Original Class Replaced by...
    NTUserPrincipal UsernamePrincipal
    NTSidGroupPrincipal GroupIDPrincipal
    NTSidUserPrincipal UserIDPrincipal
    NTDomainPrincipal DomainPrincipal
    NTSidDomainPrincipal DomainIDPrincipal
    NTSidPrimaryGroupIDPrincipal PrimaryGroupIDPrincipal
    n/a ServerPrincipal
    n/a WkstationPrincipal
    NTLoginModule NTLoginModule2000
    NTActiveLoginModule NTActiveLoginModule2000

    Principal classes are found in the com.ibm.security.auth package. The login module is found in the com.ibm.security.auth.module package. Check the JAAS API information generated by javadoc for more information on the new principal classes.

    For example, this JAAS policy grant block:

    grant Principal com.ibm.security.auth.NTUserPrincipal "bob",
          Principal com.ibm.security.auth.NTSidUserPrincipal 
              "S-1-5-21-1202660629-764733703-839523458-1000",
          Principal com.ibm.security.auth.NTSidGroupPrincipal 
              "S-1-1-0" {
       permission java.util.PropertyPermission "java.home", "read";
    };
    

    would be replaced by:

    grant Principal com.ibm.security.auth.UsernamePrincipal "bob",
          Principal com.ibm.security.auth.UserIDPrincipal  
               "S-1-5-21-1202660629-764733703-839523458-1000",
          Principal com.ibm.security.auth.GroupIDPrincipal 
               "S-1-1-0" {
       permission java.util.PropertyPermission "java.home", "read";
    };
    

    Documentation

    To use the JAAS APIs, download the JaasDocs.jar file from the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html, and expand the file. The files that are extracted contain the following information:

    Table 3. Contents of the compressed files.
    File Contains
    api.html JAAS API reference guide
    login.html Authentication module reference guide
    HelloWorld.tar Sample code
    apidocs/index.html JAAS API information generated by javadoc

    What has been added on Windows?

    The IBM version of JAAS for Windows contains an additional function called Active Login. Because Windows has an extensive security infrastructure, it is important on servers to allow a Java program to log in as a particular Windows user and run with the underlying operating system knowing the security identity on a particular thread. Without this extended support, JAAS would allow Java programs to know who the user is, strictly on a Java level. With this extended support, Java programs can log in as different users and have even non-Java programs (such as the Windows kernel) enforce security appropriately.

    The following classes contain the additional support:

    These classes are described in the JAAS APIs.


    Using JAAS Active Login

    To log in on Windows, an authorized program is required. The bin subdirectory of the directory where the Runtime Environment is installed contains a Windows service that can log in. To install the service and start it:

    1. Log in as an Administrator on the computer where you want to install and start the service.
    2. Change directories to the bin directory.
    3. Type either of the following commands at a command prompt:

    The _g version of the service is for debugging, and writes extensive output to the Application Event Log. To capture the most recent information, set this log to wrap, rather than fill up and stop.

    To stop the service and remove it from the Service Manager autostart list:

    1. Change directories to the bin directory.
    2. Type either of the following commands at a command prompt:


    Java Certification Path (CertPath)

    The Java Certification Path API provides interfaces and abstract classes for creating, building, and validating certification paths (also known as "certificate chains").


    Differences between IBM and Sun versions of CertPath

    The IBM CertPath classes differ from the Sun version in the following ways:


    What's new?

    There is nothing new in 1.4.1 over 1.4.0. However, the following changes were added in 1.4.0:


    Documentation

    For detailed information, including API documentation and samples, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html. Download and expand the file certpathDocs.zip.

    Table 4. Contents of certpathDocs.zip
    File Contains
    samples/ Sample source code
    API_users_guide.html API user guide

    Java Cryptography Extension (JCE)

    The Java Cryptography Extension (JCE) provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. The software also supports secure streams and sealed objects. JCE supplements the Java 2 platform, which already includes interfaces and implementations of message digests and digital signatures.

    You can obtain unrestricted jurisdiction policy files from http://www.ibm.com/developerworks/java/jdk/security/index.html


    Differences between IBM and Sun versions of JCE

    The com.sun.* packages are reimplemented by IBM and renamed com.ibm.* packages.

    The IBM version of JCE differs from the Sun version in the following ways:


    What's new?

    There are no changes in v1.4.1 from v1.4.0.

    The following items were new in v1.4.0:


    Documentation

    For detailed information, including API documentation and samples, see the developerWorks Web site at http://www.ibm.com/developerworks/java/jdk/security/index.html. Download and expand the file jceDocs.zip.

    Table 5. Contents of jceDocs.zip
    File Contains
    api/ JCE API reference guide
    samples/ JCE sample source code
    api_users_guide.html JCE reference guide
    CryptoSpec.html JCA reference guide
    HowToImplAProvider.html Guide to implementing a JCE provider
    JCEAlgorithms.java Utility program to list all supported JCE algorithms and aliases
    MyProvider.java Example provider source file

    Java Generic Security Service (JGSS)

    The Java Generic Security Service (JGSS) API provides secure exchange of messages between communicating applications.

    The JGSS is an API framework that has Kerberos V5 as the underlying default security mechanism. The API is a standardized abstract interface under which you can plug different security mechanisms that are based on private-key, public-key, and other security technologies. JGSS shields secure applications from the complexities and peculiarities of the different underlying security mechanisms. JGSS provides identity and message origin authentication, message integrity, and message confidentiality. JGSS also features an optional Java Authentication and Authorization Service (JAAS) Kerberos login interface, and authorization checks. JAAS augments the access control features of Java 2, which is based on CodeSource with access controls based on authenticated principal identities.


    Differences between IBM and Sun versions of JGSS

    The IBM version of JGSS differs from the Sun version in the following ways:


    What's new?

    Wrappers have been added for the klist, kinit, and ktab Java tools. These wrappers invoke the relevant tool classes so that you do not have to remember the full package name.


    Documentation

    For detailed information about JGSS, including API documentation and samples, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html. Download and expand the file jgssDocs.zip.

    Table 6. Contents of jgssDocs.zip
    File Contains
    api/ JGSS API reference guide
    samples/ JGSS Sample source code
    developers_guide.jgss.ibm.html JGSS Developers reference guide
    users_guide.jgss.ibm.html JGSS User guide

    Java Secure Socket Extension (JSSE)

    The Java Secure Socket Extension (JSSE) is a Java package that enables secure Internet communications. It implements a Java version of SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols and includes functions for data encryption, server authentication, message integrity, and optional client authentication.

    By abstracting the complex underlying security algorithms and "handshaking" mechanisms, JSSE minimizes the risk of creating subtle but dangerous security vulnerabilities. Also, it simplifies application development by serving as a building block that you can integrate directly into your applications. Using JSSE, you can provide for the secure passage of data between a client and a server running any application protocol (such as HTTP, Telnet, NNTP, and FTP) over TCP/IP.


    Differences between IBM and Sun versions of JSSE

    The IBM version of JSSE differs from the Sun version in the following ways:


    What's new?

    There are no changes in v1.4.1 from v1.4.0.

    The following changes were added in v1.4.0:


    Documentation

    For detailed information, including API documentation and samples, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html. Download and expand the file JSSEDocs.jar.

    Table 7. Contents of the JSSEDocs.jar.
    File Contains
    api/ JSSE API reference guide
    samples/ JSSE Sample source code
    JSSERefGuide.html JSSE Reference guide

    Anonymous ciphers

    The IBM JSSE Provider default implementation does not allow anonymous ciphers. However, someone can override the default implementation, by writing a special TrustManager that allows anonymous ciphers.


    Notices

    This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

    IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

    For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

    INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

    This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice.

    Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

    IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

    Licensees of this program who wish to have information about it for the purpose of enabling (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

    Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

    The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

    Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

    Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.


    Trademarks

    IBM is a trademark of International Business Machines Corporation in the United States, or other countries, or both.

    Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

    Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

    Other company, product, or service names may be trademarks or service marks of others.