Java™ Cryptography Extension V1.2.1, Hardware Cryptography IBMJCE4758 Overview



Table of Contents

Overview

In general, Java Cryptography Extension (JCE) 1.2.1 provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. The software also supports secure streams and sealed objects. JCE 1.2.1 supplements the Java 2 platform, which already includes interfaces and implementations of message digests and digital signatures. That is JCE includes all of the function of JCA plus a great deal of additional function.

This IBMJCE4758 implementation extends JCE to seamlessly add the capability to use hardware cryptography via the IBM Common Cryptographic Architecture (CCA) interfaces. This new provider takes advantage of hardware cryptography within the existing JCE architecture and gives Java 2 programmers the significant security and performance advantages of hardware cryptography with minimal changes to existing Java applications. Just as the complexities of hardware cryptography are taken care of within the normal Java Cryptography Architecture, IBMJCE4758 makes advanced security and performance easily available using hardware cryptographic devices.

IBM CCA is a set of software elements that provide common application interfaces to secure, high-speed cryptographic services on various platforms via hardware cryptographic devices. These devices include the IBM 4758 PCI Cryptographic Coprocessor and the Cryptographic Coprocessor. The amount and type of hardware cryptographic services available depends on your platform and hardware device. For more information please refer to your platform's hardware cryptography information and service/support organization and "Configuring and using hardware cryptographic devices" for more information.

IBMJCE4758 uses hardware cryptography to implement those engines that can use the hardware function available through IBM CCA. Thus some of the JCE function will be available through this hardware implementation (IBMJCA4758) and others, those that the CCA hardware cannot perform, will only be available through a software cryptography provider like IBMJCE.

IBMJCE4758 provides for all the engine classes available in Java Cryptographic Architecture (JCA) including Message Digest, Signature and KeyFactory classes. This makes Message Digests available through the MD2, MD5 and SHA-1 algorithms. It further provides digital signature and verification via the RSA and DSA algorithms. IBMJCE4758 also includes true Random number generation, key generation via key factories, key/certificate generation and key/certificate management via a keytool application. This hardware capable implementation also provides the symmetric algorithms, DES, triple DES (also known as DESede), HMAC and PBE. It also provides the asymmetric algorithms, RSA encryption and decryption with zero padding, and PKCS 1 type 2 padding.

For information on the IBMJCE4758 package and classes, see the online documentation section.

Online documentation

To download a copy of the documentation for the IBMJCE4758 provider, see the jce4758Docs14.jar (JAR, 432KB) file. This jar file contains the JCE reference guide as well as the z/OS specific security reference guide. We have had reports of occasional download problems with older levels of browsers; if you have trouble downloading the jar file, please try another level of the browser or a different browser.

To extract the documentation from the downloaded .jar file, place the .jar file at the directory location where you would like the documentation (typically the ${java-home}/docs directory) and issue the following command:

    jar xvf jce4758Docs14.jar

For a general overview of JCE, visit Java Cryptography Extension (JCE) Web site. The documents at this Web site contain links to many other Web-based information sources.

Differences between IBMJCE4758 and IBMJCE

The IBMJCE4758 Provider package includes:

For a more detailed description of the differences between IBMJCE4758 and IBMJCE please refer to the following:

Using IBMJCE4748

To use the IBMJCE4758 provider, you must specify the following in your java.security file in the ${java-home}/lib/security directory:

security.provider.1=com.ibm.crypto.hdwrCCA.provider.
   IBMJCE4758
security.provider.2=com.ibm.crypto.provider.IBMJCE

Also please be sure to have ICSF started before attempting to use IBMJCE4758. If IBMJCE4758 is ahead of IBMJCE in the provider list and ICSF is not started all cryptographic operations will fail.

Specifying Full Function versus Limited Key Size Cryptography

Files US_export_policy.jar and local_policy.jar pre-installed in directory ${java-home}/lib/security give you the ability to do limited function cryptography and are installed by default. If you want to get unrestricted policy that give the ability to do full function cryptography, get the policy files and replace US_export_policy.jar and local_policy.jar in the ${java-home}/lib/security directory with the new files.

Software prerequisites

To use IBMJCE4748, you must have the following:


Browse z/OS