
Java Cryptography Extension in Java 2 Platform Standard Edition, Hardware Cryptography IBMJCECCA Overview

(last updated April, 2008)


Overview

In general, Java Cryptography Extension in the Java 2 Platform Standard Edition (JCE in J2SE) provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. The software also supports secure streams and sealed objects. JCE in J2SE supplements the Java 2 platform, which already includes interfaces and implementations of message digests and digital signatures.

This IBMJCECCA implementation extends JCE seamlessly to add the capability to use hardware cryptography via the IBM Common Cryptographic Architecture (CCA) interfaces. This provider takes advantage of hardware cryptography within the existing JCE architecture and gives Java 2 programmers the significant security and performance advantages of hardware cryptography with minimal changes to existing Java applications. Just as the complexities of hardware cryptography are taken care of within the normal Java Cryptography Architecture, IBMJCECCA makes advanced security and performance easily available using hardware cryptographic devices.

IBM CCA is a set of software elements that provide common application interfaces to secure, high-speed cryptographic services on various platforms via hardware cryptographic devices. These devices include the IBM CCA PCI Cryptographic Coprocessor and the Cryptographic Coprocessor. The amount and type of hardware cryptographic services available depends on your platform and hardware device. For more information, refer to your platform's hardware cryptography information and service/support organization, and to "Configuring and using hardware cryptographic devices".

IBMJCECCA uses hardware cryptography to implement those engines for which the required function is available through IBM CCA. Some JCE functions are therefore available through this hardware implementation (IBMJCECCA), while those that the CCA hardware cannot perform are available only through a software cryptography provider such as IBMJCE.

IBMJCECCA provides all the engine classes available in the Java Cryptography Extension (JCE), including the MessageDigest, Signature and KeyFactory classes. Message digests are available through the MD2, MD5 and SHA-1 algorithms, and digital signature generation and verification through the RSA and DSA algorithms. IBMJCECCA also includes true random number generation, key generation via key factories, and key/certificate generation and management via a keytool application. This hardware-capable implementation provides the symmetric algorithms DES and triple DES (also known as DESede), together with HMAC and PBE. It also provides the asymmetric algorithm RSA, with encryption and decryption using zero padding or PKCS #1 type 2 padding.

For information on the IBMJCECCA package and classes, see the online documentation section.


Online documentation

To download a copy of the documentation for the IBMJCECCA provider, see the jceccaDocs.jar file. This jar file contains the JCE reference guide as well as the z/OS specific security reference guide. We have had reports of occasional download problems with older levels of browsers; if you have trouble downloading the jar file, please try another level of the browser or a different browser.

To extract the documentation from the downloaded .jar file, place the .jar file at the directory location where you would like the documentation (typically the ${java-home}/docs directory) and issue the following command:

    jar xvf jceccaDocs.jar

For a general overview of JCE, visit the Java Cryptography Extension (JCE) Web site. The documents at this Web site contain links to many other Web-based information sources.


Features of the IBMJCECCA provider

The IBMJCECCA provider package includes:

  • An implementation of the Digital Signature Algorithm (DSA), described in NIST FIPS 186.
  • An implementation of RSA, described in PKCS #1.
  • An implementation of the MD2 (RFC1319), MD5 (RFC 1321) and SHA-1 (NIST FIPS 180-1) message digest algorithms.
  • An implementation of the HmacMD2, HmacMD5 and HmacSHA1 hash-based message authentication code (HMAC) algorithms.
  • An implementation of the DES cipher algorithm.
  • An implementation of the TripleDES cipher algorithm.
  • An implementation of the following PBE algorithms:
    • PBEWithMD2AndDES
    • PBEWithMD2AndTripleDES
    • PBEWithMD5AndDES
    • PBEWithMD5AndTripleDES
    • PBEWithSHA1AndDES
    • PBEWithSHA1AndTripleDES
    • PBEWithSHAAnd2KeyTripleDES
    • PBEWithSHAAnd3KeyTripleDES
  • A DSA key pair generator for generating a pair of public and private keys suitable for the DSA algorithm.
  • An RSA key pair generator for generating a pair of public and private keys suitable for the RSA algorithm.
  • A DES key generator for generating a key suitable for the DES algorithm.
  • A TripleDES key generator for generating a key suitable for the TripleDES algorithm.
  • An HmacMD2 key generator for generating a key suitable for the HmacMD2 algorithm.
  • An HmacMD5 key generator for generating a key suitable for the HmacMD5 algorithm.
  • An HmacSHA1 key generator for generating a key suitable for the HmacSHA1 algorithm.
  • A DSA algorithm parameter generator.
  • A DSA algorithm parameter manager.
  • A DES algorithm parameter manager.
  • A TripleDES algorithm parameter manager.
  • An implementation of the proprietary "IBMSecureRandom" random number generation algorithm.
  • A "certificate factory" for X.509 certificates and Certificate Revocation Lists (CRLs).
  • Keystore implementations for the proprietary keystore types named "JCECCAKS" and "JCECCARACFKS".
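The feature list above describes what the provider package offers; the check a practitioner wants is what the installed level actually registers with the JCA. The following program is an added example, not code from the IBM documentation: it loads the provider (by the registered name "IBMJCECCA", which is assumed, or by the class name that the java.security configuration on this page uses) and prints its services grouped by engine type, then flags a few algorithm names from the list above that are absent. The engine/algorithm strings in `expected` (for instance "Signature:SHA1withRSA") are assumed JCA names, not taken from the page.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

/**
 * Lists the engine types and algorithms the installed IBMJCECCA provider
 * registers, so the documented feature list can be compared with reality.
 * Provider name "IBMJCECCA" is assumed; the class name is the one configured
 * in java.security on this page.
 */
public class ListProviderServices {

    static final String PROVIDER_NAME = "IBMJCECCA";                                  // assumed registered name
    static final String PROVIDER_CLASS = "com.ibm.crypto.hdwrCCA.provider.IBMJCECCA"; // from java.security

    /** Group a provider's services as engine type -> sorted algorithm names. */
    static Map<String, Set<String>> servicesByType(Provider p) {
        Map<String, Set<String>> byType = new TreeMap<String, Set<String>>();
        for (Provider.Service s : p.getServices()) {
            Set<String> algs = byType.get(s.getType());
            if (algs == null) {
                algs = new TreeSet<String>();
                byType.put(s.getType(), algs);
            }
            algs.add(s.getAlgorithm());
        }
        return byType;
    }

    /** Return the provider from java.security, or load it by class name if it is not configured there. */
    static Provider loadProvider() throws Exception {
        Provider p = Security.getProvider(PROVIDER_NAME);
        if (p == null) {
            p = (Provider) Class.forName(PROVIDER_CLASS).newInstance();
            Security.addProvider(p);   // appended after the providers already listed in java.security
        }
        return p;
    }

    public static void main(String[] args) throws Exception {
        Provider p = loadProvider();
        System.out.println(p.getName() + " " + p.getVersion() + ": " + p.getInfo());
        Map<String, Set<String>> byType = servicesByType(p);
        for (Map.Entry<String, Set<String>> e : byType.entrySet()) {
            System.out.println(e.getKey() + ": " + e.getValue());
        }
        // Algorithms the documentation lists but this provider level does not register
        // (or that ICSF/hardware did not enable) are reported as MISSING.
        // Engine:algorithm strings are assumed JCA names, not taken from the page.
        String[] expected = {"Cipher:DESede", "Cipher:PBEWithSHA1AndDES", "Mac:HmacSHA1",
                             "Signature:SHA1withRSA", "KeyStore:JCECCAKS"};
        for (String spec : expected) {
            String[] parts = spec.split(":");
            boolean present = byType.containsKey(parts[0]) && byType.get(parts[0]).contains(parts[1]);
            System.out.println((present ? "present: " : "MISSING: ") + spec);
        }
    }
}
```

Run it on the z/OS system with the provider jar on the classpath; a MISSING line for an algorithm you rely on means an unpinned request for it will silently be served by the next provider in the java.security list, typically the software IBMJCE.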

For a description of the differences between IBMJCECCA and IBMJCE please refer to the following:



Using IBMJCECCA

To use the IBMJCECCA provider, you must specify the following in your java.security file in the ${java-home}/lib/security directory:

    security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
    security.provider.2=com.ibm.crypto.provider.IBMJCE

It is also necessary to start ICSF before attempting to use IBMJCECCA. If IBMJCECCA is the first JCE provider in your provider list and ICSF is not started, some cryptographic operations may fail.
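The provider order above decides which implementation serves a request that names no provider, and an operation on the hardware provider fails if ICSF is not running. The following program is an added example, not code from the IBM documentation: it reports which provider answers an unpinned DESede and SHA-1 request, runs a triple DES round trip pinned to IBMJCECCA using its IBMSecureRandom for the IV, and on failure retries pinned to IBMJCE so the two paths can be compared. The provider names "IBMJCECCA" and "IBMJCE", and the transformation string "DESede/CBC/PKCS5Padding", are assumed; the sample message is constructed.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/**
 * Shows the effect of the java.security provider order: an unpinned request is
 * served by the first provider offering the algorithm, and a provider can be
 * pinned by name. Provider names "IBMJCECCA" and "IBMJCE" are assumed to be the
 * registered names of the two classes configured on this page.
 */
public class ProviderOrderCheck {

    /** Name of the provider that serves an unpinned request for this cipher transformation. */
    static String cipherProvider(String transformation) throws GeneralSecurityException {
        return Cipher.getInstance(transformation).getProvider().getName();
    }

    /** Name of the provider that serves an unpinned request for this digest algorithm. */
    static String digestProvider(String algorithm) throws GeneralSecurityException {
        return MessageDigest.getInstance(algorithm).getProvider().getName();
    }

    /** Prefer the named provider's IBMSecureRandom (listed for IBMJCECCA above); otherwise the platform default. */
    static SecureRandom randomFor(String providerName) {
        try {
            return SecureRandom.getInstance("IBMSecureRandom", providerName);
        } catch (GeneralSecurityException e) {
            return new SecureRandom();
        }
    }

    /** Encrypt and decrypt with DESede/CBC pinned to one provider; true if the plaintext round-trips. */
    static boolean tripleDesRoundTrip(String providerName, byte[] plaintext) throws GeneralSecurityException {
        SecretKey key = KeyGenerator.getInstance("DESede", providerName).generateKey();
        byte[] iv = new byte[8];                 // DES block size
        randomFor(providerName).nextBytes(iv);   // fresh IV for every message
        Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding", providerName);  // assumed transformation name
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ciphertext = c.doFinal(plaintext);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return Arrays.equals(plaintext, c.doFinal(ciphertext));
    }

    public static void main(String[] args) throws Exception {
        // With IBMJCECCA as security.provider.1, both lines should report IBMJCECCA.
        System.out.println("DESede/CBC/PKCS5Padding -> " + cipherProvider("DESede/CBC/PKCS5Padding"));
        System.out.println("SHA-1 -> " + digestProvider("SHA-1"));

        byte[] msg = "constructed sample message".getBytes("US-ASCII");  // constructed input
        try {
            System.out.println("IBMJCECCA round trip: " + tripleDesRoundTrip("IBMJCECCA", msg));
        } catch (Exception e) {
            // Typical when ICSF is not started: the hardware provider is selected,
            // but the operation itself fails (checked or runtime exception).
            System.out.println("IBMJCECCA failed (" + e + "); retrying pinned to IBMJCE");
            System.out.println("IBMJCE round trip: " + tripleDesRoundTrip("IBMJCE", msg));
        }
    }
}
```

Pinning the provider by name, as `tripleDesRoundTrip` does, is the way to make an application fail loudly when the hardware path is unavailable rather than quietly falling through to the software provider; the unpinned `cipherProvider` and `digestProvider` calls show what the fallback would otherwise be.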

Specifying Full Function versus Limited Key Size Cryptography

Files US_export_policy.jar and local_policy.jar, in directory ${java-home}/lib/security, give you the ability to do limited-function cryptography and are installed by default.

For full-function cryptography you need the unrestricted policy files. These policy files, which are the same for SDK 1.4.2 and SDK 5, may be downloaded here. Replace US_export_policy.jar and local_policy.jar in the ${java-home}/lib/security directory with the new files.


Software prerequisites

To use IBMJCECCA, you must have the following:

  • A system at the z/OS V1R6 level or higher with one of the following:
    • On a z800 or z900 processor, a CCF and a PCICC card
    • On a z890 or z990 processor, a CPACF and a PCIXCC card
    • On a z890 or z990 processor, a CPACF and a CEX2C card
    • On a z9-109 processor, a CPACF and a CEX2C or CEX2A card
  • ICSF must be running