
Security information

The following pages contain documentation, example code, and ancillary files relating to IBM's SDKs. The documentation covers IBM-specific features of IBM's offerings. A platform-specific Security User Guide is included in each download. For information about the SDK for z/OS product and security components specific to that platform, see this Web site.

Before you can download code, you will need an IBM Registration ID. You can read about IBM Registration here.

IBM(R) Java(TM) PKCS 11 Supported Devices

Introduction

The IBMPKCS11Impl provider uses the Java Cryptography Extension (JCE) and Java Cryptography Architecture (JCA) frameworks to add the capability to use hardware cryptography through the Public Key Cryptographic Standards #11 (PKCS#11) standard. This provider takes advantage of hardware cryptography within the existing JCE architecture and gives Java 2 programmers the security and performance advantages of hardware cryptography with minimal changes to existing Java applications. Because the complexities of hardware cryptography are handled within the normal JCE, the security and performance of hardware cryptographic devices are made easily available.

PKCS#11 is a standard that provides a common application interface to cryptographic services on various platforms using various hardware cryptographic devices.

On non-z/OS platforms, the IBMPKCS11Impl provider provides: message digest using the MD2, MD5, SHA-1, SHA-256, SHA-384, and SHA-512 algorithms. It also provides the symmetric algorithms AES, DES, triple DES (also known as DESede), RC4 and Blowfish, and the asymmetric algorithm RSA, for encryption and decryption. It further provides digital signature and verification using the RSA, DSA and ECDSA algorithms. Hash-based Message Authentication Codes are supported for MD5, SHA-1, SHA-256, SHA-384, and SHA-512. This implementation also includes random number generation, key generation using key factories, key and certificate generation, and key and certificate management using the ikeyman application (see the IBM Java PKCS 11 Implementation Provider documentation for more information).

On the z/OS platform, the IBMPKCS11Impl provider provides: message digest using the MD5, SHA-1, and SHA-256 algorithms. It also provides the symmetric algorithms AES, DES, and triple DES (also known as DESede) and the asymmetric algorithm RSA for encryption and decryption, and digital signature and verification using the RSA algorithm. This implementation also includes random number generation, key generation using key factories, and key and certificate generation. The z/OS platform also uses virtual PKCS#11 tokens, protected by RACF, which allow for application key separation. See the z/OS IBMPKCS11Impl Guide for more information.

Note: On the z/OS platform, the IBMJCECCA provider provides similar function using the IBM CCA interface to the hardware devices (see the documentation for IBMJCECCA for more information).
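The introduction above describes the provider as a normal JCE/JCA provider. The following is an added example, not IBM's code or anything from this page: it looks the provider up through the standard JCA API, reports which of the services listed above for non-z/OS platforms the installed provider and card actually offer, and routes a digest through it, cross-checking the result against the default software provider. It assumes the provider is registered under the JCA name "IBMPKCS11Impl" (for example through java.security), that its PKCS#11 library and token are configured, and that the standard JCA algorithm names (such as "SHA1withRSA") apply.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/*
 * Added example, not IBM's code. Verifies that the IBMPKCS11Impl provider is
 * registered and offers the services this page lists for non-z/OS platforms,
 * then routes a SHA-256 digest through it and compares the result with the
 * default software provider.
 *
 * Assumptions: the provider is registered under the JCA name "IBMPKCS11Impl",
 * its PKCS#11 library and token are configured, and the standard JCA algorithm
 * names apply.
 */
public class Pkcs11ProviderCheck {

    static final String PROVIDER_NAME = "IBMPKCS11Impl";

    // Service type / algorithm pairs taken from the page's non-z/OS list.
    static final String[][] EXPECTED = {
        {"MessageDigest", "SHA-256"},
        {"Cipher",        "AES"},
        {"Cipher",        "DESede"},
        {"Cipher",        "RSA"},
        {"Signature",     "SHA1withRSA"},   // assumed standard JCA name
        {"Mac",           "HmacSHA256"},
        {"KeyGenerator",  "AES"},
    };

    /** Returns "type.algorithm" for every expected service the provider lacks. */
    static List<String> missingServices(Provider p) {
        List<String> missing = new ArrayList<String>();
        for (String[] svc : EXPECTED) {
            if (p.getService(svc[0], svc[1]) == null) {
                missing.add(svc[0] + "." + svc[1]);
            }
        }
        return missing;
    }

    /** Digests with the named provider only; a silent fall-back to software would defeat the purpose. */
    static byte[] digestVia(String providerName, byte[] data) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256", providerName);
        return md.digest(data);
    }

    public static void main(String[] args) throws Exception {
        Provider p = Security.getProvider(PROVIDER_NAME);
        if (p == null) {
            System.err.println(PROVIDER_NAME + " is not registered: check java.security and the PKCS#11 configuration.");
            System.exit(1);
        }
        System.out.println("Provider: " + p.getName() + " (" + p.getInfo() + ")");

        List<String> missing = missingServices(p);
        if (!missing.isEmpty()) {
            System.out.println("Not offered by this provider/card: " + missing);
        }

        // Constructed sample input; the digest is computed on the card and in software.
        byte[] sample = "constructed sample input".getBytes("UTF-8");
        byte[] hw = digestVia(PROVIDER_NAME, sample);
        byte[] sw = MessageDigest.getInstance("SHA-256").digest(sample);
        System.out.println("Hardware digest agrees with software: " + Arrays.equals(hw, sw));
    }
}
```

Passing the provider name to getInstance is the important habit: without it the JCA picks the first provider in preference order that offers the algorithm, which may be a software provider, so an application could believe it is using the card when it is not.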

Supported Platforms

The PKCS11Impl provider supports a subset of the platforms that the JVM supports at the 6.0 level (see the IBM JVM for 6.0 specific documentation for the supported operating systems and any other JVM-specific requirements). The supported platforms for Java 6.0 are:

  • Win 32
  • AIX 5.2/5.3 (32/64 bit)
  • Linux (PPC 32/64 bit)
  • Linux (Intel 32)
  • Solaris (32/64 bit) Sparc only
  • Linux for System z (32/64 bit)
  • z/OS

Supported Hardware Cryptographic Cards for Java 6.0

Support for these cards through the IBMPKCS11Impl provider begins after the card, its driver and any manufacturer's support software have been installed and are functioning properly. Any issues regarding installation and configuration of these cards and software should be referred to the manufacturer.

  • The following cards are supported on Windows (32-bit), AIX, Solaris 9 (32/64-bit; SPARC only) and Linux:
    • nCipher nForce 4000 PCI(OB4033P-4K0)
    • nCipher nForce 1600 PCI(nC3033P-1k6)
    • nCipher nForce 150 PCI(nc3033P-150)
    • nCipher nShield 800 PCI(nC4033P-800)
    • nCipher nShield 150 SCSI(nc4032W-150) Note: This card is going out of support.
    • nCipher nShield 150 SCSI(nF300KM-1c) Note: This card is going out of support.
    • nCipher netHSM 1600 (nH1956)
    • Eracom Orange (CSA8000)
    • SafeNet Luna SA
  • The following cards are supported on AIX and Linux for System z:
    • IBM 4758 PCI Cryptographic Coprocessor (4758-002/023) Note: This card has gone out of service.
    • IBM e-business Cryptographic Accelerator (4960, PCICA).
    • IBM PCI-X Cryptographic Coprocessor (4764, PCIXCC) .
    • On z/OS the above cards are supported through the IBMJCECCA provider. See the documentation for this provider for more information.
  • The following cards are supported on Windows (32-bit), AIX, Solaris 9 (32/64-bit; SPARC only) and Linux. These specific models have not been tested by IBM, but support is assumed because other cards in the same family have been tested successfully.
    • nCipher nForce 300 PCI
    • nCipher nForce 400 PCI
    • nCipher nForce 400 SCSI
    • nCipher nShield 400 SCSI
    • nCipher nShield 150 PCI
    • nCipher nShield 300 PCI
    • nCipher netHSM 300 PCI
    • nCipher netHSM 800 PCI
  • To use the IBMPKCS11Impl provider on the z/OS platform, you must have the following:
    • A system at the z/OS V1R9 level with one of the following:
      • On a z800 or z900 processor, a CCF and a PCICC card
      • On a z890 or z990 processor, a CPACF and a PCIXCC card
      • On a z890 or z990 processor, a CPACF and a CEX2C card
      • On a z9 processor, a CPACF and a CEX2C or CEX2A card
    • ICSF must be running
    See the z/OS V1R9 Cryptographic Services Integrated Cryptographic Services Facility (ICSF) documentation for a description of the functions available for each of the configurations.

Card Observations

The following cards have observations that a user may be interested in:

  • IBM e-business Cryptographic Accelerator (4960, PCICA)
  • IBM 4758 PCI Cryptographic Coprocessor (4758-002/023)
  • IBM PCI-X Cryptographic Coprocessor (4764, PCIXCC)
  • Eracom Orange
  • SafeNet Luna
  • nCipher nForce and nShield

The following sections describe the observations for each card.

IBM e-business Cryptographic Accelerator (4960, PCICA)

This card can translate only CRT RSA keys and cannot translate plain RSA keys. RSA keys can wrap DES and DESede keys, but DES and DESede keys cannot wrap an RSA key. Signature encoding issues on this card are fixed by an update:

  • on AIX 5.2 it is IY53096, which puts bos.pkcs11 at 5.2.0.30;
  • on AIX 5.1 it is IY54784, which puts bos.pkcs11 at 5.1.0.28;
  • on Linux for System z it is the OpenCryptoki 2.1.5 update.

IBM 4758 PCI Cryptographic Coprocessor (4758-002/023)

The RSA signature encoding issue on this card was fixed by Version 2.42 of the microcode; on Linux for System z, OpenCryptoki 2.1.5 fixes this issue. RSA keys can wrap DES and DESede keys, but DES and DESede keys cannot wrap an RSA key. Also, plain RSA keys cannot be translated, but RSA CRT keys can be. The card does not create a ShortBufferException for buffers that are too small.

IBM PCI-X Cryptographic Coprocessor (4764, PCIXCC)

PTFs U810490 and U890491 are prerequisites; they upgrade the library from 3.27 to 3.27.1. This card does not create a ShortBufferException for buffers that are too small.

Eracom Orange

No issues observed.

SafeNet Luna SA

Software keys cannot be translated using this card. Key wrapping does not work with the default configuration of the device. Setting a seed for the random number generator is not allowed. Earlier versions of this device did not create a ShortBufferException for buffers that are too small; this has been fixed in the latest version.

nCipher nForce and nShield

An RSA key can wrap a DES or DESede key, but a DES or DESede key cannot wrap an RSA key. Also, public keys cannot be wrapped. Translation of plain RSA keys is not supported, but it is supported for RSA CRT keys.

In addition, you must set the environment variable CKNFAST_OVERRIDE_SECURITY_ASSURANCES to tokenkeys if the card you are running is a Generation 2 card.
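Two of the observations above recur across cards: several of them never raise ShortBufferException for an output buffer that is too small, and key wrapping works only in the RSA-wraps-DES/DESede direction. The following is an added example, not IBM's code or anything from this page, showing how an application can protect itself: it performs the output-size check itself from Cipher.getOutputSize() instead of relying on the card to reject a short buffer (which would otherwise yield silently truncated ciphertext), and it wraps a DESede key under an RSA public key and unwraps it with the private key, the direction the cards support. It assumes the IBMPKCS11Impl provider is registered and its token is logged in, that the standard JCA algorithm names apply, and that the IV may come from the default SecureRandom.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.IvParameterSpec;

/*
 * Added example, not IBM's code. Defensive handling of two card behaviours
 * described on this page: (1) do not depend on the card to raise
 * ShortBufferException, size buffers from getOutputSize() and enforce the check
 * in application code; (2) wrap in the supported direction, RSA public key
 * wrapping a DESede key, and unwrap with the RSA private key.
 *
 * Assumptions: IBMPKCS11Impl is registered and its token is logged in, standard
 * JCA algorithm names apply, and the default SecureRandom supplies the IV.
 */
public class Pkcs11CardCaveats {

    static final String PROV = "IBMPKCS11Impl";

    /**
     * Encrypts into a caller-supplied buffer. The size check is made here so a
     * card that never throws ShortBufferException cannot silently truncate the
     * ciphertext. Returns the number of bytes actually written.
     */
    static int encryptInto(Cipher initialised, byte[] in, byte[] out) throws Exception {
        int needed = initialised.getOutputSize(in.length); // upper bound, padding included
        if (out.length < needed) {
            throw new ShortBufferException("need " + needed + " bytes, buffer has " + out.length);
        }
        return initialised.doFinal(in, 0, in.length, out, 0);
    }

    /** Allocates a buffer of the size the cipher asks for and trims it to the bytes written. */
    static byte[] encrypt(SecretKey key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding", PROV);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] out = new byte[c.getOutputSize(plaintext.length)];
        int written = encryptInto(c, plaintext, out);
        return Arrays.copyOf(out, written);
    }

    /** RSA public key wraps the DESede key: the direction the cards above support. */
    static byte[] wrapWithRsa(KeyPair rsa, SecretKey desede) throws Exception {
        Cipher w = Cipher.getInstance("RSA/ECB/PKCS1Padding", PROV);
        w.init(Cipher.WRAP_MODE, rsa.getPublic());
        return w.wrap(desede);
    }

    /** Unwraps the blob with the RSA private key, yielding a DESede key handle. */
    static Key unwrapWithRsa(KeyPair rsa, byte[] blob) throws Exception {
        Cipher u = Cipher.getInstance("RSA/ECB/PKCS1Padding", PROV);
        u.init(Cipher.UNWRAP_MODE, rsa.getPrivate());
        return u.unwrap(blob, "DESede", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        // Keys are generated through the provider, so they live in the PKCS#11 token
        // and Java holds handles rather than key material (assumed, as for PKCS#11 generally).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", PROV);
        kpg.initialize(2048);
        KeyPair rsa = kpg.generateKeyPair();
        SecretKey desede = KeyGenerator.getInstance("DESede", PROV).generateKey();
        KeyGenerator aesGen = KeyGenerator.getInstance("AES", PROV);
        aesGen.init(128);
        SecretKey aes = aesGen.generateKey();

        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] plaintext = "constructed sample plaintext".getBytes("UTF-8"); // 28 bytes, constructed
        System.out.println("ciphertext bytes: " + encrypt(aes, iv, plaintext).length);

        // A too-small buffer is rejected by our own check, whatever the card does:
        // 28 plaintext bytes need at least 32 bytes once PKCS5 padding is applied.
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding", PROV);
        c.init(Cipher.ENCRYPT_MODE, aes, new IvParameterSpec(iv));
        try {
            encryptInto(c, plaintext, new byte[plaintext.length]);
            System.out.println("unexpected: short buffer accepted");
        } catch (ShortBufferException e) {
            System.out.println("short buffer rejected: " + e.getMessage());
        }

        byte[] blob = wrapWithRsa(rsa, desede);
        Key back = unwrapWithRsa(rsa, blob);
        System.out.println("unwrapped key algorithm: " + back.getAlgorithm());
    }
}
```

The simplest way to avoid the truncation problem altogether is the array-returning doFinal(byte[]) form, which sizes its own output; the buffer-filling form is worth the explicit check only where the application must control allocation.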


Copyright © 1998, 2007 IBM Corporation, Inc. All Rights Reserved.





