Common INCORRECT JAVA(TM) Security Errors
 Technote (FAQ)
 
Problem
IBM JAVA Cryptography Extension (IBMJCE) replaces IBMJCA. IBMJCE is shipped in PTF SR11 for JAVA 1.3 (APAR PQ52841/PTF UQ99325). The Cryptography Extension is used to integrate cryptography seamlessly into JAVA2.
 
 
Solution
Common problems:
  • Not specifying the correct name for the JCE provider in the java.security file. The provider name is com.ibm.crypto.hdwrCCA.provider.IBMJCE4758 and must come after the SUN(TM) provider in the list.
  • Having the wrong policy file set in the lib/ext directory.
  • Having the ibmjca4758.jar file in the lib/ext directory or in the classpath.
  • The sample file SampleX.509Verification.java fails to verify a signature in the DSA based certificate. This will be resolved in JAVA PTF SR12.
  • The keys used/created by JCE4758 are not CLEAR keys but hardware tokens, and therefore can NOT be used by other providers.
  • The keystores are hardware based and therefore cannot be moved from machine to machine.
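
One way to check an installation for the provider-name/order problem and the stray ibmjca4758.jar problem listed above. This is an added example, not part of the technote or of IBM's sample code. It assumes the SUN provider is registered under the class name sun.security.provider.Sun; the class and method names used here are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

public class Jce4758ConfigCheck {
    // Provider class name exactly as given in the technote.
    static final String HW = "com.ibm.crypto.hdwrCCA.provider.IBMJCE4758";
    // Class name of the SUN provider (assumption: the stock entry is used).
    static final String SUN = "sun.security.provider.Sun";

    /** Returns null when the provider list is acceptable, else the problem found. */
    static String checkOrder(Properties sec) {
        int sunPos = -1, hwPos = -1;
        // Entries are security.provider.1, .2, ...; this loop stops at the first gap.
        for (int n = 1; sec.getProperty("security.provider." + n) != null; n++) {
            String cls = sec.getProperty("security.provider." + n).trim();
            if (cls.equals(SUN) && sunPos < 0) sunPos = n;
            if (cls.equals(HW) && hwPos < 0) hwPos = n;
        }
        if (hwPos < 0) return "IBMJCE4758 is not listed under its full class name";
        if (sunPos < 0) return "SUN provider is not listed";
        if (hwPos < sunPos) return "IBMJCE4758 (#" + hwPos + ") precedes SUN (#" + sunPos + ")";
        return null;
    }

    /** True when the ibmjca4758.jar the technote warns about is on the class path or in lib/ext. */
    static boolean oldJarPresent(String classPath, File javaHome) {
        boolean onPath = classPath != null && classPath.indexOf("ibmjca4758.jar") >= 0;
        return onPath || new File(javaHome, "lib/ext/ibmjca4758.jar").exists();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample in which the hardware provider is listed first.
        String bad = "security.provider.1=" + HW + "\nsecurity.provider.2=" + SUN + "\n";
        InputStream in = args.length > 0 ? (InputStream) new FileInputStream(args[0])
                : new ByteArrayInputStream(bad.getBytes("ISO-8859-1"));
        Properties sec = new Properties();
        try { sec.load(in); } finally { in.close(); }
        String problem = checkOrder(sec);
        System.out.println(problem == null ? "provider order OK" : "PROBLEM: " + problem);
        if (oldJarPresent(System.getProperty("java.class.path"),
                          new File(System.getProperty("java.home"))))
            System.out.println("PROBLEM: ibmjca4758.jar is on the class path or in lib/ext");
    }
}
```

Run it with the path of a java.security file as the first argument to check that file instead of the constructed sample.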

Related information

Sample code can be found at:

http://www-1.ibm.com/servers/eserver/zseries/software/java/j2pcont.html

  • JSSE (Secure sockets function)
    Sample code: $JAVA_HOME/demo/jsse
  • JAAS (User authentication and security)
    Sample code: $JAVA_HOME/demo/jaas/samples390.jar
  • JCE (Cryptography function)
    Sample code: demo/jce/src

IBMJCE4758 extends JCE to seamlessly add the capability to use hardware cryptography via the IBM Common Cryptographic Architecture (CCA) interfaces.

Sample code: demo/jce/src

Software Prerequisites:

  • OS/390 V2R9 level or higher, with at least one CCF
  • IBM4758 PCI card
  • ICSF (Integrated Cryptographic Service Facility) must be up and running.
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS > Security
Operating system(s): z/OS
Software version: 4.0.1
Software edition:
Reference #: 1164921
IBM Group: Software Group
Modified date: Mar 31, 2004