Security information

The following pages contain documentation, example code, and ancillary files relating to IBM's SDKs. The documentation covers IBM-specific features of IBM's offerings. A platform-specific Security User Guide is included in each download. For information about the SDK for z/OS product and security components specific to that platform, see this Web site.

Before you can download code, you will need an IBM Registration ID. You can read about IBM Registration here.

IBM 64-bit SDK for Windows platforms, Java Technology Edition

Security User Guide

Preface

The IBM SDK also provides a FIPS 140-2 certified cryptographic module, IBMJCEFIPS, implemented as a JCE provider. Applications can comply with the FIPS 140-2 requirements by using the IBMJCEFIPS module.

The CertPath component provides PKIX-compliant certification path building and validation.

The JGSS component provides a generic API that can be plugged in by different security mechanisms. IBM JGSS uses Kerberos V5 as the default mechanism for authentication and secure communication.

The JAAS component provides a means for principal-based authentication and authorization.

The JCE framework has two providers: IBMJCE is the pre-registered default provider; IBMJCEFIPS is optional.

JSSE is the Java implementation of the SSL and TLS protocols. The JSSE pre-registered default provider is IBMJSSE2.

IBM Java Simple Authentication and Security Layer, or SASL, is an Internet standard (RFC 2222) that specifies a protocol for authentication and optional establishment of a security layer between client and server applications.

The Java security configuration file does not refer to the Sun provider. The IBM JCE provider has replaced the Sun provider. The JCE supplies all the signature handling message digest algorithms that were previously supplied by the Sun provider. It also supplies the IBM secure random number generator, IBMSecureRandom, which is a real Random Number Generator. SHA1PRNG is a Pseudo Random Number Generator and is supplied for code compatibility. SHA1PRNG is not guaranteed to produce the same output as the SUN SHA1PRNG.

In the IBM SDK v1.4.1, the following options were added to the java.security.debug property to help you debug Java Cryptography Architecture (JCA)-related problems:

provider

Displays each provider request and load, provider add, and provider remove. It also displays the related exception when a provider load fails.

algorithm

Displays each algorithm request, which provider has supplied the algorithm, and the implementing class name.

:stack

You can append this option to either of algorithm - or provider. When you request an algorithm, a stack trace is displayed. Use this stack trace to determine the code that has requested the algorithm. This option also prints the stack trace for exceptions that are caught or converted.

:thread

Adds the thread id to all debug message lines. You can use this option together with all the other debug options.

An example of a valid option string is "provider, algorithm:stack".

In this guide, there is a 'What's new' section for each component. This information is provided to help you with migration.

General information about IBM security providers

The IBM SDK v5.0 has been tested with the following default security providers:

• security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
• security.provider.2=com.ibm.crypto.provider.IBMJCE
• security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
• security.provider.4=com.ibm.security.cert.IBMCertPath
• security.provider.5=com.ibm.security.sasl.IBMSASL

You can add other IBM security providers either statically or from within your Java application's code. To add a new provider statically, edit a Java security properties file (for example, java.security). To add a new provider from your application's code, use the methods of the java.security.Security class (for example, java.security.Security.addProvider()).

You can also add this IBM security provider, com.ibm.crypto.fips.provider.IBMJCEFIPS.

Note that code written for the IBMJSSE Provider might not compile or execute in exactly the same way for IBMJSSE2. For details, see IBMJSSE2 Provider.

iKeyman tool

With iKeyman, you can:

• Create a new key database or a test digital certificate
• Add CA roots to your database
• Copy certificates from one database to another
• Request and receive a digital certificate from a CA
• Set default keys, and change passwords

History of changes

Version 1.4.1

Added an iKeyman wrapper that invokes the correct tool class.

Documentation

For more information, including information about the iKeyman GUI, see the iKeyman User Guide at: http://www.ibm.com/developerworks/java/jdk/security/index.html.

Java Authentication and Authorization Service (JAAS) V2.0

However, before SDK v1.4.0, the Java platform did not provide a way to enforce similar access controls based on who runs the code. To provide this type of access control, the Java security architecture requires the following:

• Additional support for authentication (determining who is actually running the code)
• Extensions to the existing authorization components to enforce new access controls based on who was authenticated

The Java Authentication and Authorization Service (JAAS) framework provides these enhancements.

For a general overview of JAAS, see the Sun Web site: http://java.sun.com/products/jaas.

Differences between IBM and Sun versions of JAAS

IBM implementations are contained in the com.ibm.* package instead of the com.sun.* package. IBM has also added Active Login to JAAS.

See JAAS Active Login for more information about Active Login.

Further reading

For detailed information, including API documentation and samples, see the developerWorks^(R) Web site at http://www.ibm.com/developerworks/java/jdk/security/index.html. This site contains the LoginModule Developer's Guide and sample code in "HelloWorld.tar".

History of changes

JAAS Active Login

Without this extended support, JAAS would allow Java programs to know who the user is, strictly on a Java level. With this extended support, Java programs can log in as different users and have even non-Java programs (such as the Windows kernel) enforce security appropriately.

The following classes contain the additional support for Active Login:

com.ibm.security.auth.NTThreadSubject

This is the gateway to changing identities on an operating system thread level.

com.ibm.security.auth.module.Win64ActiveLoginModule

This is specified in the login configuration file. If you construct a LoginContext using a string name that calls this LoginModule, and you supply a CallbackHandler that can supply a valid user ID and password, you can log on.

com.ibm.security.auth.module.Win64ActiveSystem

This is an implementation class, largely hidden from users.

These classes are described in the JAAS APIs that are included with the Java SDK.

Using JAAS Active Login

1. Log on as an administrator.
2. Open a command prompt window. Select Start -> Programs -> Accessories -> Command Prompt. On Windows Vista, right-click on Command Prompt and select "Run as administrator".
3. Change to the bin directory of the Runtime Environment. Type cd C:\Program Files\IBM\Java50\jre\bin. Your Runtime Environment may be installed in a different directory.
4. Install or remove the service using the provided program.
   • Type jaaslogon -install to install the service.
   • Type jaaslogon -remove to remove the service.

The following error messages are associated with starting and removing JAASLogon:

 jaaslogon Difficulty in starting JaasLogon, error code = 1063  Cause:  Incorrect syntax.  The correct syntax is jaaslogon -install

jaaslogon -install Difficulty in CreateService, error code = 1073  Cause:  The service has already been started.  

jaaslogon -remove In OpenService, error Code = 1060  Cause:  The service cannot be removed since it was not started.

Java Certification Path (CertPath)

Differences between IBM and Sun versions of CertPath

The IBM CertPath classes differ from the Sun version in the following ways:

• The IBM CertPath provider is in the package com.ibm.security.cert.
• The IBM CertPath provider is called "IBMCertPath". Sun does not have a separate provider for CertPath; CertPath is already supported by the "SUN" provider.
• To enable CRL Distribution Points extension checking, use the system property com.ibm.security.enableCRLDP. The system property used by the Sun version is com.sun.security.enableCRLDP.
• When checking the certificate's CRL Distribution Points extension, Sun's version retrieves the CRL only if the CRL location is specified as an HTTP URL value inside the extension. The IBM provider recognizes both HTTP and LDAP URLs.

Documentation

For detailed information, including API documentation and samples, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.

History of changes

Changes for Version 5.0

• Added support for checking a certificate's revocation status based on On-Line Certificate Status Protocol (OCSP).
• Added a new constructor and a public API in the TrustAnchor class:

  public TrustAnchor(X500Principal caPrincipal, PublicKey pubKey, byte[] nameConstraints);
  public final X500Principal getCA();

• Added new public APIs in X509CertSelector:

  public X500Principal getIssuer();
  public void setIssuer(X500Principal issuer);
  public X500Principal getSubject();
  public void setSubject(X500Principal subject);

• Added new public APIs in X509CRLSelector:

  public void setIssuers(Collection issuers);
  public void addIssuer(X500Principal issuer);
  public Collection getIssuers();

• Changed the PolicyQualifier class to non-final. The public APIs have changed to be final.

Changes for Version 1.4.2

• Improved the performance of the IBM CertPath provider.
• Added limited support for the CRL Distribution Points extension.
• Added caching to cache lookups in the IBM LDAP CertStore.

Changes for Version 1.4.1, Service Refresh 1

• The trusted certificate that acts as TrustAnchor can be an X.509 v1 certificate.
• When you specify the certificate's subject or issuer name as a String in X509CertSelector, the search for a matched certificate mechanism checks only the name value and ignores the tag type.

Changes for Version 1.4.0

• Certificates from CertificatePair entry can be retrieved from LDAP type certstore.
• Changed the framework package name from javax.security.cert to java.security.cert. The old framework package is still supported.

Java Cryptography Extension (JCE)

You can obtain unrestricted jurisdiction policy files from http://www.ibm.com/developerworks/java/jdk/security/index.html.

The v1.4.2 unrestricted (and restricted) jurisdiction policy files are suitable for use with v5.0 and later. The v1.4.1 files are not suitable.

Differences between IBM and Sun versions of JCE

The com.sun.* packages are reimplemented by IBM and renamed com.ibm.* packages.

The IBM version of JCE differs from the Sun version in the following ways:

• The com.sun.crypto.* packages are reimplemented by IBM and renamed com.ibm.crypto.* packages.
• The IBM JCE provider replaces the Sun providers sun.security.provider.Sun, com.sun.rsajca.Provider, and com.sun.crypto.provider.SunJCE.
• IBM provides more algorithms than Sun does:

  Cipher algorithms

  AES

  Blowfish

  DES

  El Gamal

  Mars

  ARCFOUR

  PBE with MD2 and DES

  PBE with MD2 and Triple DES

  PBE with MD2 and RC2

  PBE with MD5 and DES

  PBE with MD5 and Triple DES

  PBE with MD5 and RC2

  PBE with SHA1 and DES

  PBE with SHA1 and TripleDES

  PBE with SHA1 and RC2

  PBE with SHA1 and 40-bit RC2

  PBE with SHA1 and 128-bit RC2

  PBE with SHA1 and 40-bit RC4

  PBE with SHA1 and 128-bit RC4

  PBE with SHA1 and 2-key Triple DES

  PBE with SHA1 and 3-key Triple DES

  RC2

  RC4

  RSA encryption/decryption

  RSA encryption/decryption with OAEP Padding

  Seal

  Triple DES

  Signature algorithms

  SHA1 with RSA

  SHA2 with RSA

  SHA3 with RSA

  SHA5 with RSA

  MD5 with RSA

  MD2 with RSA signature

  SHA1 with DSA signature

  Message digest algorithms

  SHA1

  SHA2

  SHA3

  SHA5

  MD5

  MD2

  Message authentication code (MAC)

  Hmac/SHA1

  Hmac/MD5

  Hmac/SHA2

  Hmac/SHA3

  Hmac/SHA5

  Key agreement algorithm

  DiffieHellman

  Random number generation algorithms

  IBMSecureRandom

  IBM SHA1PRNG

  Key Store

  JCEKS

  JKS

  PKCS12KS

Documentation

For detailed information, including API documentation and samples, see the developerWorks Web site at http://www.ibm.com/developerworks/java/jdk/security/index.html.

History of changes

Changes for Version 5.0, Service Refresh 4

• Added the EL Gamal Cipher and supporting classes.

Changes for Version 5.0

• Added RSA with OAEP Padding.
• Added the SHA2withRSA, SHA3withRSA and SHA5withRSA signature algorithms.
• Added the HmacSHA2, HmacSHA3, HmacSH5 MAC algorithms.
• Added the ARCFOUR encryption algorithm.

Changes for Version 1.4.2

• Added the SHA2, SHA3 and SHA5 hashing algorithms.
• Added the SHA1PRNG algorithm for generating pseudo random numbers.

Changes for Version 1.4.0

• Added the AES cipher algorithm.
• Changed to strong cryptography by default. Unlimited cryptography is available.
• Provider authentication of the JCE framework no longer required.
• JCE is now shipped with the Java SDK v1.4 on all platforms.

Java Generic Security Service (JGSS)

JGSS is an API framework that uses Kerberos V5 as the underlying default security mechanism. The API is a standardized abstract interface under which you can plug different security mechanisms that are based on private-key, public-key, and other security technologies.

JGSS shields secure applications from the complexities and peculiarities of the different underlying security mechanisms. JGSS provides identity and message origin authentication, message integrity, and message confidentiality. JGSS also features an optional Java Authentication and Authorization Service (JAAS) Kerberos login interface, and authorization checks. JAAS augments the access control features of Java, which is based on CodeSource with access controls based on authenticated principal identities.

Differences between IBM and Sun versions of JGSS

The IBM version of JGSS differs from the Sun version in the following ways:

• The com.sun.* packages are reimplemented by IBM and renamed com.ibm.* packages.
• The format of the parameters passed to the Java tools kinit, ktab, and klist is different from Sun's equivalent tools.

Documentation

For detailed information about JGSS, including API documentation and samples, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.

History of changes

Changes for Version 5.0, Service Refresh 1

Added AES as a supported algorithm type

These additional algorthims can be set in the krb5.conf file under [libdefault] as follows:

default_tkt_enctypes = aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96

default_checksum = hmac-sha1-96-aes128
default_checksum = hmac-sha1-96-aes256

Changes for Version 5.0

TCP or UDP Preference Configuration

Added JSE support for the udp_preference_limit property in the Kerberos configuration file (krb5.ini). When sending a message to the KDC, the JSE Kerberos library will use TCP if the size of the message is above udp_preference_list. If the message is smaller than udp_preference_list, UDP will be tried up to three times. If the KDC indicates that the request is too big, the JSE Kerberos library will use TCP.

IPv6 support in Kerberos

Added JSE support for IPv6 addresses in Kerberos tickets. Before v5.0, only IPv4 addresses were supported in tickets.

TGT Renewals

Added support for Ticket Granting Ticket (TGT) renewal to the Java Authentication and Authorization Server (JAAS) Kerberos login module, Krb5LoginModule. This support allows long-running services to renew their TGTs automatically without user interaction or requiring the services to restart. With this feature, if Krb5LoginModule obtains an expired ticket from the ticket cache, the TGT will be automatically renewed and be added to the Subject of the caller who requested the ticket. If the ticket cannot be renewed for any reason, Krb5LoginModule will use its configured callback handler to retrieve a username and password to acquire a new TGT.

To use this feature, configure Krb5LoginModule to use the ticket cache and set the newly introduced renewTGT option to true. Here is an example of a JAAS login configuration file that requests TGT renewal:

server {
  com.ibm.security.auth.module.Krb5LoginModule required
        principal=principal@your_realm
		useDefaultCcache=TRUE
		 renewTGT=true;
};

Note that if renewTGT is set to true, useDefaultCcache must also be set to true; otherwise, it results in a configuration error.

Changes for Version 1.4.2

Configurable Kerberos Settings

You can provide the name and realm settings for the Kerberos Key Distribution Center (KDC) either from the Kerberos configuration file or by using the system properties files java.security.krb5.kdc and java.security.krb5.realm. You can also specify the boolean option refreshKrb5Config in the entry for Krb5LoginModule in the JAAS configuration file. If you set this option to true, the configuration values will be refreshed before the login method of the Krb5LoginModule is called.

Added support for Slave Kerberos Key Distribution Center

Kerberos uses slave KDCs so that, if the master KDC is unavailable, the slave KDCs will respond to your requests. In previous releases, Kerberos tried the master KDC only and would give up if there was no response within the default KDC timeout.

Added support for TCP for Kerberos Key Distribution Center Transport

Kerberos uses UDP transport for ticket requests. In cases where Kerberos tickets exceed the UDP packet size limit, Kerberos supports automatic fallback to TCP. If a Kerberos ticket request using UDP fails and the KDC returns the error code KRB_ERR_RESPONSE_TOO_BIG, TCP becomes the transport protocol.

Kerberos Service Ticket in the Subject's Private Credentials

The Kerberos service ticket is stored in the Subject's private credentials. This gives you access to the service ticket so that you can use it outside the JGSS (for example, in native applications or for proprietary uses). In addition, you can reuse the service ticket if the application tries to establish a security context to the same service again. The service ticket should be valid for it to be reusable.

Changes for Version 1.4.1

• Added wrappers for the klist, kinit, and ktab Java tools. These wrappers invoke the relevant tool classes so that you do not have to remember the full package name.

IBMJSSE2 Provider

By abstracting the complex underlying security algorithms and "handshaking" mechanisms, JSSE minimizes the risk of creating subtle but dangerous security vulnerabilities. Also, it simplifies application development by serving as a building block that you can integrate directly into your applications. Using JSSE, you can provide for the secure passage of data between a client and a server running any application protocol (such as HTTP, Telnet, NNTP, and FTP) over TCP/IP.

Documentation

For detailed information, including API documentation and samples, see http://www.ibm.com/developerworks/java/jdk/security/index.html.

Differences between the IBMJSSE Provider and the IBMJSSE2 Provider

The now-discontinued IBMJSSE Provider and the IBMJSSE2 Provider differ in the following ways:

• The IBMJSSE2 Provider is called com.ibm.jsse2.IBMJSSEProvider2.
• The HTTPS protocol handler for the IBMJSSE2 Provider is called com.ibm.net.ssl.www2.protocol.Handler. The com.ibm.net.ssl.internal.www.protocol.Handler and the com.ibm.net.ssl.www.protocol.Handler protocol handlers have been removed.
• The IBMJSSE2 Provider does not support the com.ibm.net.ssl framework. Use the javax.net.ssl framework instead.
• The IBMJSSE2 Provider does not support the SSL version 2 protocol. However, the server side of a JSSE2 connection does accept the SSLv2Hello protocol.
• The AES_256 ciphers require the installation of the JCE Unlimited Strength Jurisdiction Policy. The old IBMJSSE Provider did not use JCE for its cryptographic support and therefore did not require these files.
• The IBMJSSE2 Provider requires a JCE Provider for its cryptography.
• The IBMJSSE2 Provider does not build the server's private key certificate chain from the trusted keystore. The trusted certificates must be added to the server's private key to complete the chain. This is an incompatible change.
• The IBMJSSE2 Provider considers a certificate trusted if you have the private key.
• The HTTPS protocol handler for the IBMJSSE2 Provider performs hostname verification and rejects requests where the host to connect to and the server name from the certificate do not match. A HostnameVerification implementation called com.ibm.jsse2.HostnameVerifierIgnore is provided. com.ibm.jsse2.HostnameVerifierIgnore always accepts the connection even when a mismatch occurs.
• Tracing no longer requires a separate debug jar.
• The class com.ibm.jsse.SSLContext, which in IBMJSSE is used to access secure tokens, has been removed. Use the hardware crypto support in IBMJSSE2 instead. See the documentation on the developerWorks Web site http://www.ibm.com/developerworks/java/jdk/security/index.html for details.
• The IBMJSSEFIPS Provider has been removed. JSSE FIPS support is supported within the IBMJSSE2 Provider and no separate jar is required. See the documentation on the developerWorks Web site http://www.ibm.com/developerworks/java/jdk/security/index.html for instructions how to set up JSSE to run in FIPS mode.

Differences between the IBMJSSE2 Provider and Sun's version of JSSE

The IBMJSSE2 Provider differs from the Sun JSSE in the following ways:

• The IBM JSSE Provider is called com.ibm.jsse2.IBMJSSEProvider2.
• The IBM KeyManagerFactory is called IbmX509.
• The IBM TrustManagerFactory is called IbmX509 or IbmPKIX.
• The IBM HTTPS protocol handler is called com.ibm.net.ssl.www2.protocol.Handler.
• IBMJSSE2 does not support the com.sun.net.ssl framework; use the javax.net.ssl framework instead.
• You can use PKIK revocation checking by setting the system property com.ibm.jsse2.checkRevocation to "true".
• The IBM implementation supports the following protocols for the engine class SSLContext, for the api setEnabledProtocols in the SSLSocket, and for SSLServerSocket classes:
  • SSL
  • SSLv3
  • TLS
  • TLSv1
  • SSL_TLS
  The IBM implementation does not support the "SSLv2Hello" protocol. The IBM implementation supports the SSL v2 protocol. You can use the IBM SSLContext getInstance() factory method to control which protocols are enabled for an SSL connection. Using SSLContext's getInstance() or the setEnabledProtocols() methods provides the same result. With Sun's JSSE, the protocol is controlled through setEnabledProtocols().
• IBM and Sun support different cipher suites.
• The IBM JSSE TrustManager does not allow anonymous ciphers. To handshake with an anonymous cipher, a custom TrustManager that allows anonymous ciphers must be provided.
• When a null KeyManager is passed to SSLContext, the IBM JSSE KeyManagerFactory implemention will check system properties, then jssecacerts, if it exists, and finally uses the cacerts file to find the key material. Sun's JSSE creates an empty KeyManager.
• The IBM JSSE X509TrustManager and X509KeyManager throws an exception if the TrustStore or KeyStore specified by the system properties does not exist, if the password is incorrect, or if the keystore type is inappropriate for the actual keystore. Sun's X509TrustManager creates a default TrustManager or KeyManager with an empty keystore.
• The IBM JSSE implementation verifies the entire server or client certificate chain, including trusted certificates. For example, if a trusted certificate has expired, the handshake fails, even though the expired certificate is trusted. Sun's JSSE verifies the certificate chain up to the trusted certificate. Verification stops when it reaches a trusted certificate and the trusted certificate and beyond are not verified.
• The IBM JSSE implementation returns the same set of supported ciphers for the methods getDefaultCiphersSuites() and getSupportedCipherSuites(). Sun's JSSE getDefaultCipherSuites() returns the list of cipher suites that provide confidentiality protection and server authentication (that is, no anonymous cipher suites). Sun's getEnabledCipherSuites() returns the entire list of cipher suites that Sun supports.
• For Sun's implementation, DSA server certificates can use only *_DH*_* cipher suites. For the IBM implementation, if the server has a DSA certificate only and only RSA* ciphers are enabled, the connection succeeds with an RSA cipher. DSA will be used for authentication and ephemeral RSA will be used for the key exchange.
• The IBM SDK supports the NTLM authentication scheme. To switch off NTLM authentication, specify the system property com.ibm.NONTLM.
• To use a hardware keystore or truststore with IBM's hardware crypto provider by means of system properties, set the javax.net.ssl.keyStoreType and javax.net.ssl.trustStoreType system properties to "PKCS11IMPLKS". For the Sun implementation, the system property is set to "PKCS11".
• The IBM JSSE Provider can be enabled to run in FIPS mode. The Sun JSSE cannot.

History of changes

Changes for Version 5.0, Service Refresh 5

• When IBMJSSE2 is used as a server, if the SSLv3 protocol is to be used for the handshake, it will no longer agree to use any of the AES cipher suites. Previously, the selection of the cipher suite was independent of the protocol selected so you could do an old-style SSLv3 handshake with a more modern AES cipher suite. The TLS protocol is not affected by this change. This change was required to support Microsoft^(R) Vista clients.

Changes for Version 5.0

• Removed the IBMJSSE Provider. Use the IBMJSSE2 Provider instead.
• The IBMJSSE2 implementation supports only IBM hardware crypto providers. Applications that ran in v1.4.2 using the IBMPKCS11Impl provider will now be required to use a configuration file in order to run successfully.
• SSLEngine (non-blocking I/O) allows SSL/TLS applications to choose their own I/O and compute models.
• Enhanced TrustManager support for HTTP/HTTPS.
• New and updated Methods and Classes.
• Kerberos cipher suites are available, if supported by the operating system.

Changes for Version 1.4.2.

The IBMJSSE2 Provider is new for Version 1.4.2.

IBMJCEFIPS Provider

The IBMJCEFIPS includes the following Federal Information Processing Standards (FIPS) 140-2 [Level 1] compliant components:

• IBMJCEFIPS for Solaris,
• IBMJCEFIPS for HP
• IBMJCEFIPS for Windows
• IBMJCEFIPS for z/OS^(R)
• IBMJCEFIPS for AS/400^(R)
• IBMJCEFIPS for Linux^(R) (Red Hat and SUSE)

To meet the requirements specified in the FIPS publication 140-2, the encryption algorithms used by the IBMJCEFIPS Provider are isolated into the IBMJCEFIPS Provider cryptographic module, which you can access using the product code from the Java JCE framework APIs. Because the IBMJCEFIPS Provider uses the cryptographic module in an approved manner, the product complies with the FIPS 140-2 requirements.

In addition, the IBMJCEFIPS supports the following unapproved algorithms:

For more detailed information on the FIPS certified provider IBMJCEFIPS, see the IBM Java JCE FIPS 140-2 Cryptographic Module Security Policy. For usage information and details of the API, see the IBM Java JCE FIPS (IBMJCEFIPS) Cryptographic Module API document. These documents are available at http://www.ibm.com/developerworks/java/jdk/security/index.html.

Differences between IBM and Sun versions of IBMJCEFIPS

Sun does not provide IBMJCEFIPS.

History of changes

Version 1.4.2

IBMJCEFIPS is new for Version 1.4.2.

Documentation

For detailed information, including API documentation and Security Policy, see the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.

IBM SASL Provider

The Java SASL API defines classes and interfaces for applications that use SASL mechanisms. It is defined to be mechanism-neutral: the application that uses the API need not be hardwired into using any particular SASL mechanism. The API supports both client and server applications. It allows applications to select the mechanism to use based on desired security features, such as whether they are susceptible to passive dictionary attacks or whether they accept anonymous authentication. The Java SASL API also allows developers to use their own, custom SASL mechanisms. SASL mechanisms are installed by using the Java Cryptography Architecture (JCA).

The IBMSASL provider supports the following client and server mechanisms.

Client mechanisms

• PLAIN (RFC 2595). This mechanism supports cleartext username/password authentication.
• CRAM-MD5 (RFC 2195). This mechanism supports a hashed username/password authentication scheme.
• DIGEST-MD5 (RFC 2831). This mechanism defines how HTTP Digest Authentication can be used as a SASL mechanism.
• GSSAPI (RFC 2222). This mechanism uses the GSSAPI for obtaining authentication information. It supports Kerberos v5 authentication.
• EXTERNAL (RFC 2222). This mechanism obtains authentication information from an external channel (such as TLS or IPsec).

Server mechanisms

• CRAM-MD5
• DIGEST-MD5
• GSSAPI (Kerberos v5)

Differences between Sun and IBM SASL Provider

Only the package names, for example com.ibm.security.sasl, and the provider name are different from the Sun Implementation: com.ibm.security.sasl.IBMSASL.

History of changes

Version 5.0

The IBM SASL Provider is new for v5.0.

Documentation

Detailed information, including API documentation and samples, is on the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.

Key Certificate Management utilities

The Key Certificate Management utilities make up a set of packages used to:

• Access keys and certificates stored in any format
• Extract information from a KeyStore, given a Subject Key Identifier (SKI) and a set of certificate generation APIs, to create a self-signed certificate
• Generate a CertificateRequest
• Obtain a certificate signed by a CA

The Key Certificate Management utilities can:

• Generate a CertificateRequest, and submit the request to a CA using the Java Public Key Infrastructure (PKI) to sign a certificate and then receive the signed certificate
• Generate a PKCS10 request
• Generate a Self-Signed Certificate
• Revoke a signed certificate from a CA using the Java PKI
• Import certificates from the input stream to the KeyStore or export certificates from the KeyStore to the output stream
• Copy a keystore from one keystore format to another keystore format
• Extract information from a KeyStore given a Subject Key Identifier

The Subject Key Identifier is specified in RFC 3820, Section 4.2.1.2, http://www.faqs.org/rfcs/rfc3820.html.

History of changes

Version 5.0, Service Refresh 1

The Key Certificate Management utilities is new for Version 5.0, Service Refresh 1.

Documentation

The Key Certificate Management How-to Guide and Javadoc are on the developerWorks Web site, at http://www.ibm.com/developerworks/java/jdk/security/index.html.

Notices

Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

• IBM Director of Licensing
• IBM Corporation
• North Castle Drive, Armonk
• NY 10504-1758 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

• IBM World Trade Asia Corporation Licensing
• 2-31 Roppongi 3-chome, Minato-ku
• Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

• JIMMAIL@uk.ibm.com
• [Hursley Java Technology Center (JTC) contact]

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Trademarks

IBM is a trademark of International Business Machines Corporation in the United States, or other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.