Note: Before using this information and the product it supports, read the general information under Notices.
This edition of the User Guide applies to:
and to all subsequent releases and modifications until otherwise indicated in new editions.
(c) Copyright Sun Microsystems, Inc. 1997, 2004, 901 San Antonio Rd., Palo Alto, CA 94303 USA. All rights reserved.
(c) Copyright International Business Machines Corporation, 1999, 2007. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
The security components described in this User Guide are shipped with the SDK and are not extensions. They provide a wide range of security services through standard Java(TM) APIs (except iKeyman). The security components contain the IBM(R) implementation of various security algorithms and mechanisms. IBM does not provide support for any of the IBM Java security components when used with a non-IBM JVM or with non-IBM security providers when used with the IBM JVM.
|The IBM SDK also provides a FIPS 140-2 certified cryptographic |module, IBMJCEFIPS, implemented as a JCE provider. Applications can comply |with the FIPS 140-2 requirements by using the IBMJCEFIPS module.
The CertPath component provides PKIX-compliant certification path building and validation.
The JGSS component provides a generic API that can be plugged in by different security mechanisms. IBM JGSS uses Kerberos V5 as the default mechanism for authentication and secure communication.
The JAAS component provides a means for principal-based authentication and authorization
The JCE framework has two providers: IBMJCE is the pre-registered default provider; IBMJCEFIPS is optional.
|JSSE is the Java implementation of the SSL and TLS protocols. |The JSSE pre-registered default provider is IBMJSSE2.
|IBM Java Simple Authentication and Security Layer, or |SASL, is an Internet standard (RFC 2222) that specifies a protocol for authentication |and optional establishment of a security layer between client and server applications.
The Java security configuration file does not refer to the Sun provider. The IBM JCE provider has replaced the Sun provider. The JCE supplies all the signature handling message digest algorithms that were previously supplied by the Sun provider. It also supplies the IBM secure random number generator, IBMSecureRandom, which is a real Random Number Generator. SHA1PRNG is a Pseudo Random Number Generator and is supplied for code compatibility. SHA1PRNG is not guaranteed to produce the same output as the SUN SHA1PRNG.
In the IBM SDK v1.4.1, the following options were added to the java.security.debug property to help you debug Java Cryptography Architecture (JCA)-related problems:
An example of a valid option string is "provider, algorithm:stack".
In this guide, you'll see a 'What's new' section for each component. This information is provided to help you with migration.
The IBM SDK v5.0 has been tested with the following default security providers:
You can add other IBM security providers either statically or from within your Java application's code. To add a new provider statically, edit a java security properties file (for example, java.security). To add a new provider from your application's code, use the methods of the java.security.Security class (for example, java.security.Security.addProvider()).
You can also add this IBM security provider, com.ibm.crypto.fips.provider.IBMJCEFIPS.
Note that code written for the IBMJSSE Provider might not compile or execute in exactly the same way for IBMJSSE2. For details, see IBMJSSE2 Provider.
The iKeyman utility is a tool for managing your digital certificates. With iKeyman, you can:
|There are no changes for v5.0 over v1.4.2.
There are no changes in v1.4.2 over v1.4.1.
The following change was added in v1.4.1:
The iKeyman User Guide is on the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.
The Sun Microsystems Java 2 platform provides a means to enforce access controls based on where code came from and who signed it. These access controls are needed because of the distributed nature of the Java platform where, for example, a remote applet can be downloaded over a public network and then run locally.
However, before SDK v1.4.0, the Java 2 platform did not provide a way to enforce similar access controls based on who runs the code. To provide this type of access control, the Java 2 security architecture requires the following:
The Java Authentication and Authorization Service (JAAS) framework provides these enhancements.
JAAS is supported on the following products:
The IBM version of JAAS differs from the Sun version in the following ways:
|There are no changes to JAAS in v5.0.
There are no changes in v1.4.2 over v1.4.1.
The original release of JAAS for Windows and the Java 2 Platform included the following login modules and principal classes:
The login modules called com.ibm.security.auth.module.NTLoginModule2000 and com.ibm.security.auth.module.NTActiveLoginModule2000 were added. These login modules have the same function as NTLoginModule and NTActiveLoginModule, but reference a different set of principals. Additional principal classes had been included to facilitate the writing of new login modules.
If you want to migrate applications to the different set of principals, most of the changes were in the JAAS policy and configuration files rather than in the applications. Refer to the following table for guidance.
| Original Class | Replaced by... |
|---|---|
| NTUserPrincipal | UsernamePrincipal |
| NTSidGroupPrincipal | GroupIDPrincipal |
| NTSidUserPrincipal | UserIDPrincipal |
| NTDomainPrincipal | DomainPrincipal |
| NTSidDomainPrincipal | DomainIDPrincipal |
| NTSidPrimaryGroupIDPrincipal | PrimaryGroupIDPrincipal |
| n/a | ServerPrincipal |
| n/a | WkstationPrincipal |
| NTLoginModule | NTLoginModule2000 |
| NTActiveLoginModule | NTActiveLoginModule2000 |
Principal classes are in the com.ibm.security.auth package. The login module is in the com.ibm.security.auth.module package. Check the JAAS API javadoc information for details of how to use the principal classes.
For example, this JAAS policy grant block:
grant Principal com.ibm.security.auth.NTUserPrincipal "bob",
Principal com.ibm.security.auth.NTSidUserPrincipal
"S-1-5-21-1202660629-764733703-839523458-1000",
Principal com.ibm.security.auth.NTSidGroupPrincipal
"S-1-1-0" {
permission java.util.PropertyPermission "java.home", "read";
};would be replaced by:
grant Principal com.ibm.security.auth.UsernamePrincipal "bob",
Principal com.ibm.security.auth.UserIDPrincipal
"S-1-5-21-1202660629-764733703-839523458-1000",
Principal com.ibm.security.auth.GroupIDPrincipal
"S-1-1-0" {
permission java.util.PropertyPermission "java.home", "read";
};
For detailed information, including API documentation and samples, see the developerWorks Web site at http://www.ibm.com/developerworks/java/jdk/security/index.html.
The IBM version of JAAS for Windows contains an additional function called Active Login. Because Windows has an extensive security infrastructure, it is important on servers to allow a Java program to log in as a particular Windows user and run with the underlying operating system knowing the security identity on a particular thread. Without this extended support, JAAS would allow Java programs to know who the user is, strictly on a Java level. With this extended support, Java programs can log in as different users and have even non-Java programs (such as the Windows kernel) enforce security appropriately.
The following classes contain the additional support:
This class is the gateway to changing identities on an operating system thread level.
This class is specified in the login configuration file. If you construct a LoginContext using a string name that calls this LoginModule, and you supply a CallbackHandler that can supply a userid and password suitable for this Windows computer, you can log in.
This class is an implementation class, largely hidden from users.
These classes are described in the JAAS APIs.
To log in on Windows, an authorized program is required. The bin subdirectory of the directory where the Runtime Environment is installed contains a Windows service that can log in. To install the service and start it:
To stop the service and remove it from the Service Manager autostart list:
|The following error messages are associated with starting and removing JAASLogon:
|jaaslogon |Difficulty in starting JaasLogon, error code = 1063 | |Cause: Incorrect syntax. The correct syntax is jaaslogon -install | |
|jaaslogon -install |Difficulty in CreateService, error code = 1073 | |Cause: The service has already been started. | |
|jaaslogon -remove |In OpenService, error Code = 1060 | |Cause: The service cannot be removed since it was not started.
The Java Certification Path API provides interfaces and abstract classes for creating, building, and validating certification paths (also known as "certificate chains").
The IBM CertPath classes differ from the Sun version in the following ways:
|The following changes have been added in v5.0:
The following changes were added in v1.4.2:
The following changes were added in v1.4.1:
There were no changes in v1.4.1 over v1.4.0.
The following changes were added in v1.4.0:
For detailed information, including API documentation and samples, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.
The Java Cryptography Extension (JCE) provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. The software also supports secure streams and sealed objects. JCE supplements the Java 2 platform, which already includes interfaces and implementations of message digests and digital signatures.
You can obtain unrestricted jurisdiction policy files from http://www.ibm.com/developerworks/java/jdk/security/index.html.
|The v1.4.2 unrestricted (and restricted) jurisdiction policy |files are suitable for use with v5.0. The v1.4.1 files are not suitable.
The com.sun.* packages are reimplemented by IBM and renamed com.ibm.* packages.
The IBM version of JCE differs from the Sun version in the following ways:
|The following changes are made in v5.0:
The following changes were made in v1.4.2:
There were no changes in v1.4.1 from v1.4.0.
The following changes were made in v1.4.0:
For detailed information, including API documentation and samples, see the developerWorks Web site at http://www.ibm.com/developerworks/java/jdk/security/index.html.
The Java Generic Security Service (JGSS) API provides secure exchange of messages between communicating applications.
The JGSS is an API framework that has Kerberos V5 as the underlying default security mechanism. The API is a standardized abstract interface under which you can plug different security mechanisms that are based on private-key, public-key, and other security technologies. JGSS shields secure applications from the complexities and peculiarities of the different underlying security mechanisms. JGSS provides identity and message origin authentication, message integrity, and message confidentiality. JGSS also features an optional Java Authentication and Authorization Service (JAAS) Kerberos login interface, and authorization checks. JAAS augments the access control features of Java 2, which is based on CodeSource with access controls based on authenticated principal identities.
The IBM version of JGSS differs from the Sun version in the following ways:
|The following change is added in v5.0 Service Refresh 1:
|The following changes are added in v5.0:
To use this feature, configure Krb5LoginModule |to use the ticket cache and set the newly introduced renewTGT option to true. Here is an example of a JAAS login configuration file |that requests TGT renewal:
|server {
| com.ibm.security.auth.module.Krb5LoginModule required
| principal=principal@your_realm
| useDefaultCcache=TRUE
| renewTGT=true;
|};
Note that if renewTGT is set to true, useDefaultCcache must also be set to true; otherwise, it results in a
|configuration error.
|The following changes were added in v1.4.2:
The following change was added in v1.4.1:
For detailed information about JGSS, including API documentation and samples, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.
|The Java Secure Socket Extension (JSSE) is a Java package that |enables secure internet communications. It implements a Java version of SSL |(Secure Sockets Layer) and TLS (Transport Layer Security) protocols and includes |functions for data encryption, server authentication, message integrity, and |optional client authentication.
|By abstracting the complex underlying security algorithms and |"handshaking" mechanisms, JSSE minimizes the risk of creating subtle but dangerous |security vulnerabilities. Also, it simplifies application development by serving |as a building block that you can integrate directly into your applications. |Using JSSE, you can provide for the secure passage of data between a client |and a server running any application protocol (such as HTTP, Telnet, NNTP, |and FTP) over TCP/IP.
|In v5.0, the IBMJSSE2 Provider, which was introduced in the |v1.4.2 JVM, has replaced the IBMJSSE Provider. Although they are nearly equivalent, |there are differences between the two providers. See the next section for |details.
| | |The now-discontinued IBMJSSE Provider and the IBMJSSE2 Provider differ |in the following ways:
|The IBMJSSE2 Provider differs from the Sun JSSE in the following ways:
|The following change takes effect from v5.0 Service Refresh |5:
|The following changes have been added in v5.0
The IBMJSSE2 Provider was new for v1.4.2.
For detailed information, including API documentation and samples, see http://www.ibm.com/developerworks/java/jdk/security/index.html.
The IBMPKCS11Impl Provider uses the Java Cryptography Extension (JCE) and Java Cryptography Architecture (JCA) frameworks to add the ability to use hardware cryptography through the Public Key Cryptographic Standards #11 (PKCS #11) standard. This provider takes advantage of hardware cryptography within the existing JCE architecture and gives Java programmers the significant security and performance advantages of hardware cryptography with minimal changes to existing Java applications. Because the complexities of hardware cryptography are handled within the normal JCE, advanced security and performance using hardware cryptographic devices is available readily.
PKCS#11 is a standard that provides a common application interface to cryptographic services on various platforms through several hardware cryptographic devices. See the IBMPKCS11Impl provider user guide for a list of supported devices.
|The most significant difference between the SunPKCS11 provider |and the IBM PKCS11Impl provider is in the area of keystore. Sun has a keystore |named PKCS11 and IBM has one called IBMPKCS11KS. Sun requires that all trusted |certificates have the attribute CKA_TRUSTED set to true. |The IBM keystore assumes that any certificates on the device are trusted. |So, this assumption should allow IBM's keystore to work with data that was |saved using the Sun PKCS11 provider keystore, but not the other way around.
|The following changes were made in v5.0.
|IBMPKCS11Impl has been updated to allow more algorithms and |to allow the Sun 5.0 methods of initialization of the provider. The new algorithms |are:
|In v5.0, the ability to pass in a configuration file to the |provider is added. This configuration file can contain a significant amount |of information about the device; for example, what it should or should not |do. After the provider is created, the application can log in to the card |in different ways. Some devices allow you to perform some cryptographic functions |without logging into the device. The v1.4.2 ways to initialize the device |still work. However, you can no longer have more than one of these providers |at a time. Instead, with this release, you can initialize more than one IBMPKCS11Impl |provider using the 5.0 configuration file and login methods.
|The classes DESPKCS11KeyParameterSpec and DESedePKCS11KeyParameterSpec |have been deprecated. Use the GeneralPKCS11KeyParameterSpec class for all |symmetric key types (for instance, DES, DESede, AES, RC4, Blowfish).
The IBMPKCS11Impl Provider was new for v1.4.2.
For detailed information, including API documentation, see the developerWorks Web site at http://www.ibm.com/developerworks/java/jdk/security/index.html.
The IBM Java JCE (Java Cryptographic Extension) FIPS Provider (IBMJCEFIPS) for multi-platforms is a scalable, multi-purpose cryptographic module that supports FIPS-approved cryptographic operations through Java APIs. The IBMJCEFIPS includes the following Federal Information Processing Standards (FIPS) 140-2 [Level 1] compliant components:
To meet the requirements specified in the FIPS publication 140-2, the encryption algorithms used by the IBMJCEFIPS Provider are isolated into the IBMJCEFIPS Provider cryptographic module, which you can access using the product code from the Java JCE framework APIs. Because the IBMJCEFIPS Provider uses the cryptographic module in an approved manner, the product complies with the FIPS 140-2 requirements.
| Type | Algorithm | Specification |
|---|---|---|
| Symmetric Cipher | AES (ECB, CBC, OFB, CFB and PCBC) | FIPS 197 |
| Symmetric Cipher |
Triple DES (ECB, CBC, OFB, CFB and PCBC) |
FIPS 46-3 |
| Message Digest |
|SHA1 |SHA-256 |SHA-384 |SHA-512 |HMAC-SHA1 |
|FIPS 180-2 | | | |FIPS 198a |
| Random Number Generator | FIPS 186-2 Appendix 3.1 | FIPS 186-2 |
| Digital Signature | DSA (512 - 1024) | FIPS 186-2 |
| Digital Signature | RSA (512 - 2048) | FIPS 186-2 |
In addition, the IBMJCEFIPS supports the following unapproved algorithms:
| Type | Algorithm | Specification |
|---|---|---|
| Asymmetric Cipher | RSA | PKCS#1 |
| Key Agreement | Diffie-Hellman | PKCS #3 (Allowed in Approved mode) |
| |Digital Signature | | DSAforSSL | |Allowed for use within the TLS protocol |
| |Digital Signature | | RSAforSSL | |Allowed for use within the TLS protocol |
| |Message Digest | | MD5 | |FIPS 180-2 |
| Random Number Generation | Universal Software Based Random Number Generator | Available upon request from IBM. Patented by IBM, EC Pat. No. EP1081591A2, U.S. pat. Pend. |
For more detailed information on the FIPS certified provider IBMJCEFIPS, see the IBM Java JCE FIPS 140-2 Cryptographic Module Security Policy. For usage information and details of the API, see the IBM Java JCE FIPS (IBMJCEFIPS) Cryptographic Module API document. These documents are available at http://www.ibm.com/developerworks/java/jdk/security/index.html.
Sun does not provide IBMJCEFIPS.
|No updates since v1.4.2.
For detailed information, including API documentation and Security Policy, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.
| | |Simple Authentication and Security Layer, or SASL, is an Internet standard |(RFC 2222) that specifies a protocol for authentication and optional establishment |of a security layer between client and server applications. SASL defines how |authentication data is to be exchanged but does not itself specify the contents |of that data. It is a framework into which specific authentication mechanisms |that specify the contents and semantics of the authentication data can fit.
|The Java SASL API defines classes and interfaces for applications that |use SASL mechanisms. It is defined to be mechanism-neutral: the application |that uses the API need not be hardwired into using any particular SASL mechanism. |The API supports both client and server applications. It allows applications |to select the mechanism to use based on desired security features, such as |whether they are susceptible to passive dictionary attacks or whether they |accept anonymous authentication. The Java SASL API also allows developers |to use their own, custom SASL mechanisms. SASL mechanisms are installed by |using the Java Cryptography Architecture (JCA).
|The IBMSASL provider supports the following client and server mechanisms.
|Only the package names, for example "com.ibm.security.sasl", and the provider |name are different from the Sun Implementation: com.ibm.security.sasl.IBMSASL
| |The IBM SASL Provider is new for v5.0
| |Detailed information, including API documentation and samples, is |on the developerWorks Web site, athttp://www.ibm.com/developerworks/java/jdk/security/index.html.
| | |The Key Certificate Management utilities make up a set of packages used |to:
|The Key Certificate Management utilities can:
|The Subject Key Identifier is specified in RFC 3820, Section 4.2.1.2, http://www.faqs.org/rfcs/rfc3820.html.
| |The Key Certificate Management utilities are new for Version 5.0, Service |Refresh 1.
| |The Key Certificate Management How-to Guide and |Javadoc are on the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM is a trademark of International Business Machines Corporation in the United States, or other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
This product is also based in part on the work of the FreeType Project. For more information about Freetype, see http://www.freetype.org.
This product includes software developed by the Apache Software Foundation http://www.apache.org/.