
Security information

The following pages contain documentation, example code, and ancillary files relating to IBM's SDKs. The documentation covers IBM-specific features of IBM's offerings. A platform-specific Security User Guide is included in each download. For information about the SDK for z/OS product and security components specific to that platform, see this Web site.

Before you can download code, you will need an IBM Registration ID. You can read about IBM Registration here.


IBM Java PKCS 11 Supported Devices



Introduction

The IBMPKCS11Impl provider uses the Java Cryptography Extension (JCE) and Java Cryptography Architecture (JCA) frameworks to seamlessly add the capability to use hardware cryptography through the Public Key Cryptographic Standards #11 (PKCS#11) standard. This new provider takes advantage of hardware cryptography within the existing JCE architecture and gives Java 2 programmers the significant security and performance advantages of hardware cryptography with minimal changes to existing Java applications. Because the complexities of hardware cryptography are handled within the normal JCE, advanced security and performance using hardware cryptographic devices is made easily available.

PKCS#11 is a standard that provides a common application interface to cryptographic services on various platforms using various hardware cryptographic devices.

The IBMPKCS11Impl provider provides message digests using the MD2, MD5, SHA-1, SHA-256, SHA-384, and SHA-512 algorithms. It also provides the symmetric algorithms AES, DES, triple DES (also known as DESede), RC4 and Blowfish, and the asymmetric algorithm RSA, for encryption and decryption. It further provides digital signature and verification using the RSA and DSA algorithms. Hash-based Message Authentication Codes (HMAC) are supported for MD5, SHA-1, SHA-256, SHA-384, and SHA-512. This implementation also includes random number generation, key generation using key factories, key and certificate generation, and key and certificate management using the ikeyman application. (See the IBM Java PKCS 11 Implementation Provider documentation for more information.)

Note: On the z/OS platform, the IBMJCECCA provider provides similar function using the IBM CCA interface to the hardware devices. (See the documentation for IBMJCECCA for more information.)

Supported Platforms

The IBMPKCS11Impl provider supports a subset of the platforms that the JVM supports at the 5.0 level (see the IBM JVM for 5.0 specific documentation for the supported operating systems and any other JVM-specific requirements). The list of supported platforms for Java 5.0 is:

  • Win 32
  • AIX 5.2/5.3 (32/64 bit)
  • Linux (PPC 32/64 bit)
  • Linux (Intel 32)
  • Solaris (32/64 bit) Sparc only
  • Linux on System z (32/64 bit)

Supported Hardware Cryptographic Cards for Java 5.0

Support for these cards through the IBMPKCS11Impl provider begins after the card, its driver and any manufacturer's support software has been installed and is functioning properly. Any issues regarding installation and configuration of these cards and software should be referred to the manufacturer.

  • The following cards are supported on Windows (32 bit), AIX, Solaris 9 (32/64 bit; Sparc only), and Linux:
    • nCipher nForce 4000 PCI (OB4033P-4K0)
    • nCipher nForce 1600 PCI (nC3033P-1k6)
    • nCipher nForce 150 PCI (nc3033P-150)
    • nCipher nShield 2000 PCI (nC4033P-2k0)
    • nCipher nShield 500 PCI (nC4033P-500)
    • nCipher nShield 800 PCI (nC4033P-800)
    • nCipher nShield 150 SCSI (nc4032W-150)
    • nCipher nShield 150 SCSI (nF300KM-1c)
    • nCipher netHSM 1600 (nH1956)
    • Eracom Orange (CSA8000) Note: Eracom Technologies was acquired by SafeNet.
    • SafeNet Luna SA
  • The following cards are supported on AIX and Linux on System z:
    • IBM 4758 PCI Cryptographic Coprocessor (4758-002/023)
    • IBM e-business Cryptographic Accelerator (4960, PCICA)
    • IBM PCI-X Cryptographic Coprocessor (4764, PCIXCC)
    • On z/OS the above cards are supported through the IBMJCECCA provider. See the documentation for this provider for more information.
  • The following cards are supported on Windows (32 bit), AIX, Solaris 9 (32/64 bit; Sparc only), and Linux. These specific models have not been tested by IBM, but support is assumed because other cards in the same family have been tested successfully:
    • nCipher nForce 300 PCI
    • nCipher nForce 400 PCI
    • nCipher nForce 400 SCSI
    • nCipher nShield 4000 PCI (nC4033P-4000)
    • nCipher nShield 400 SCSI
    • nCipher nShield 150 PCI
    • nCipher nShield 300 PCI
    • nCipher netHSM 300
    • nCipher netHSM 800
    • nCipher netHSM 500 (nC4333N-500)
    • nCipher netHSM 2000 (nC4333N-2k0)

Supported Key Management for Java 5.0

Support for these key management products through the IBMPKCS11Impl provider begins after their drivers and any manufacturer's support software have been installed and are functioning properly. Any issues regarding installation and configuration of these key management products and software should be referred to the manufacturer.

The following nCipher key management End-Points are supported:
  • KAS-EPL (Solaris) software end-point
  • KAH-EP-HSM1 (Linux, AIX) hardware end-point based on nShield 500 hardware
  • KAH-EP-HSM2 (Linux, AIX) hardware end-point based on nShield 2000 hardware
    (The end-points are supported on a wider range of operating systems, including Windows, Solaris, Linux, AIX and HP-UX, but not all permutations have been tested; for example, the nShield 4000 should also work.)

The above end-points are supported with both:

  • nCipher keyAuthority Starter System 1.x (KAH-SS), and,
  • nCipher keyAuthority Distributed System 1.x (KAH-MS, KAH-PS, KAH-MC)

Card Observations

The following cards have observations that a user may be interested in:

  • IBM e-business Cryptographic Accelerator (4960, PCICA)
  • IBM 4758 PCI Cryptographic Coprocessor (4758-002/023)
  • Eracom Orange
  • SafeNet Luna
  • nCipher nForce and nShield

The following sections describe the observations for each card.

IBM e-business Cryptographic Accelerator (4960, PCICA)

This card can translate only CRT RSA keys and cannot translate plain RSA keys. RSA keys can wrap DES and DESede keys, but DES and DESede keys cannot wrap an RSA key. Signature encoding issues on this card are fixed by an update:

  • on AIX 5.2 it is IY53096, which puts bos.pkcs11 at 5.2.0.30;
  • on AIX 5.1 it is IY54784, which puts bos.pkcs11 at 5.1.0.28; and
  • on Linux on System z it is the OpenCryptoki 2.1.5 update.

IBM 4758 PCI Cryptographic Coprocessor (4758-002/023)

The RSA signature encoding issue on this card was fixed by Version 2.42 of the microcode; on Linux on System z, OpenCryptoki 2.1.5 fixes this issue. RSA keys can wrap DES and DESede keys, but DES and DESede keys cannot wrap an RSA key. Also, plain RSA keys cannot be translated, but RSA CRT keys can be. The card does not create a ShortBufferException for buffers that are too small.

IBM PCI-X Cryptographic Coprocessor (4764, PCIXCC)

PTFs U810490 and U890491 are the prerequisites; they upgrade the library from 3.27 to 3.27.1. This card does not create a ShortBufferException for buffers that are too small.

Eracom Orange

No issues observed.

SafeNet Luna SA

Software keys cannot be translated using this card. Key wrapping does not work with the default configuration of the device. Setting a seed for the random number generator is not allowed. This device also does not create a ShortBufferException for buffers that are too small.

nCipher nForce and nShield

An RSA key can wrap a DES or DESede key, but a DES or DESede key cannot wrap an RSA key. Also, public keys cannot be wrapped. Translation of plain RSA keys is not supported, but it is supported for RSA CRT keys. This device does not allow seeding of the random number generator. Also, it does not create a ShortBufferException for buffers that are too small.

In addition, you must set the environment variable CKNFAST_OVERRIDE_SECURITY_ASSURANCES to tokenkeys if the card you are running is a Generation 2 card.
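Several of the cards above share two traits an application must plan for: they do not throw ShortBufferException when a caller-supplied output buffer is too small, and key wrapping only works with an RSA key wrapping a DES or DESede key, never the reverse. The following is an added example, not IBM's code and not part of this page, showing a defensive pattern for both: it sizes every output buffer from Cipher.getOutputSize() and enforces the size check in software before the provider is called, and it wraps a DESede key under an RSA public key. The provider name is an assumption passed on the command line (for instance "IBMPKCS11Impl" once the token is configured); with no argument the example uses the default JCE provider order, so it runs without a PKCS#11 device.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.IvParameterSpec;

public class HardwareCipherGuard {
    // Provider to request Cipher objects from, e.g. "IBMPKCS11Impl" (assumption);
    // null means "use whatever the JCE provider order supplies".
    private final String providerName;

    public HardwareCipherGuard(String providerName) {
        this.providerName = providerName;
    }

    private Cipher cipher(String transformation) throws GeneralSecurityException {
        return providerName == null
                ? Cipher.getInstance(transformation)
                : Cipher.getInstance(transformation, providerName);
    }

    // Performs the buffer check in software, so a device that never raises
    // ShortBufferException cannot hand back a silently truncated result.
    public int doFinalChecked(Cipher c, byte[] in, byte[] out) throws GeneralSecurityException {
        int needed = c.getOutputSize(in.length);
        if (out.length < needed) {
            throw new ShortBufferException("output buffer holds " + out.length
                    + " bytes but the provider needs " + needed);
        }
        return c.doFinal(in, 0, in.length, out, 0);
    }

    public byte[] encryptDesede(SecretKey key, byte[] iv, byte[] plaintext)
            throws GeneralSecurityException {
        Cipher c = cipher("DESede/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] out = new byte[c.getOutputSize(plaintext.length)];
        int n = doFinalChecked(c, plaintext, out);
        return Arrays.copyOf(out, n);
    }

    public byte[] decryptDesede(SecretKey key, byte[] iv, byte[] ciphertext)
            throws GeneralSecurityException {
        Cipher c = cipher("DESede/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        // getOutputSize() is an upper bound for decryption; trim to the real length.
        byte[] out = new byte[c.getOutputSize(ciphertext.length)];
        int n = doFinalChecked(c, ciphertext, out);
        return Arrays.copyOf(out, n);
    }

    // RSA public key wrapping a DESede key: the direction the listed cards support.
    public byte[] wrapUnderRsa(KeyPair rsa, SecretKey desede) throws GeneralSecurityException {
        Cipher c = cipher("RSA/ECB/PKCS1Padding");
        c.init(Cipher.WRAP_MODE, rsa.getPublic());
        return c.wrap(desede);
    }

    public SecretKey unwrapWithRsa(KeyPair rsa, byte[] wrapped) throws GeneralSecurityException {
        Cipher c = cipher("RSA/ECB/PKCS1Padding");
        c.init(Cipher.UNWRAP_MODE, rsa.getPrivate());
        return (SecretKey) c.unwrap(wrapped, "DESede", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        HardwareCipherGuard guard = new HardwareCipherGuard(args.length > 0 ? args[0] : null);

        SecretKey desede = KeyGenerator.getInstance("DESede").generateKey();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair rsa = kpg.generateKeyPair();
        byte[] iv = new byte[8]; // constructed sample IV; derive from SecureRandom in real code
        byte[] message = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        byte[] ct = guard.encryptDesede(desede, iv, message);
        byte[] pt = guard.decryptDesede(desede, iv, ct);
        System.out.println("round trip ok: " + Arrays.equals(message, pt));

        // A buffer one byte too small is rejected before the device is ever asked.
        Cipher c = guard.cipher("DESede/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, desede, new IvParameterSpec(iv));
        try {
            guard.doFinalChecked(c, message, new byte[c.getOutputSize(message.length) - 1]);
            System.out.println("short buffer accepted (unexpected)");
        } catch (ShortBufferException e) {
            System.out.println("short buffer rejected: " + e.getMessage());
        }

        byte[] wrapped = guard.wrapUnderRsa(rsa, desede);
        SecretKey back = guard.unwrapWithRsa(rsa, wrapped);
        System.out.println("unwrap ok: " + Arrays.equals(desede.getEncoded(), back.getEncoded()));
    }
}
```

When a real token is named, keys generated on the device may be non-extractable, in which case getEncoded() returns null and the final comparison must instead be done by encrypting a known block with both keys; the buffer and wrapping-direction checks are unaffected.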


Copyright © 1998, 2005 IBM Corporation, Inc. All Rights Reserved.





