IBM JCE Hybrid Provider, IBMJCEHYBRID

(Created May, 2012)




Overview:

A platform with cryptographic hardware and cryptographic processors can be volatile. Changes in the availability of cryptographic hardware and cryptographic processors can have the effect of disabling or enabling (in part or completely) a Java provider that exploits the cryptographic features in the platform. For example, on z/OS, cryptographic hardware and processors can be varied online and offline dynamically, that is, without restarting z/OS. This has the effect of enabling or disabling the IBMJCECCA provider, in part or completely.

IBMJCEHYBRID does not perform any cryptographic operations, but routes requests to JCE providers that have registered with the Java Security Framework. When IBMJCEHYBRID is the first JCE provider in the active JVM provider list (initialized using the java.security provider list), IBMJCEHYBRID routes requests to and provides failover for JCE providers according to the security provider registrations done at JVM initialization. This enables an application to take advantage of cryptographic features when they are available on the platform and to use a provider that does not depend on these features when they are not available.

IBMJCEHYBRID is designed for an application that prefers to use cryptographic hardware when it is available but to continue without hardware when it is not available.  IBMJCEHYBRID enables an application to take advantage of JCE providers with platform dependencies without the application needing to include complex error handling for when the platform's cryptographic features are not available.

Online documentation:

Using IBMJCEHYBRID:

To use the IBMJCEHYBRID provider, you must specify it in your java.security file in the ${java-home}/lib/security directory.  As discussed in the IBM JCE Hybrid Provider Reference Guide, it will have no effect unless it is the first JCE provider in the list.  If the provider list in your java.security file begins as follows, the IBMJCEHYBRID provider will direct requests to the IBMJCECCA provider and, if that fails, attempt failover to the IBMJCE provider.

.
.   
.
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID
security.provider.3=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.4=com.ibm.crypto.provider.IBMJCE
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
.
.   
.

For information about when the IBMJCEHYBRID provider can provide failover, see the IBM JCE Hybrid Provider Reference Guide.
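
A check for the ordering requirement described above, as an added example that is not IBM's code: it parses the body of a java.security file and confirms that IBMJCEHYBRID is listed ahead of the JCE providers it routes to, then reports the failover chain. It assumes the only JCE providers of interest are the two named on this page (IBMJCECCA and IBMJCE); the function names are hypothetical.

```python
import re

# Class names exactly as they appear in the provider list on this page.
HYBRID = "com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID"
JCE_TARGETS = ("com.ibm.crypto.hdwrCCA.provider.IBMJCECCA",
               "com.ibm.crypto.provider.IBMJCE")
ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")

def provider_order(text):
    """Provider class names sorted by their security.provider.N index."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)  # '#' comment lines never match
        if m:
            entries[int(m.group(1))] = m.group(2)  # a repeated key overrides the earlier one
    return [entries[n] for n in sorted(entries)]

def check_hybrid(text):
    """Return (ok, failover_chain, problems) for a java.security file body."""
    order = provider_order(text)
    if HYBRID not in order:
        return False, [], ["IBMJCEHYBRID is not in the provider list"]
    pos = order.index(HYBRID)
    problems = [f"{p} precedes IBMJCEHYBRID" for p in order[:pos] if p in JCE_TARGETS]
    chain = [p for p in order[pos + 1:] if p in JCE_TARGETS]
    if len(chain) < 2:
        problems.append("no failover target: fewer than two JCE providers follow IBMJCEHYBRID")
    return not problems, chain, problems

# Provider list from this page (first four entries only).
PAGE_LIST = """\
# List of providers and their preference orders (see above):
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID
security.provider.3=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.4=com.ibm.crypto.provider.IBMJCE
"""
# Constructed misconfiguration: IBMJCE is listed ahead of IBMJCEHYBRID.
BAD_LIST = """\
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.crypto.ibmjcehybrid.provider.IBMJCEHYBRID
security.provider.3=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
"""

if __name__ == "__main__":
    for name, body in (("page list", PAGE_LIST), ("constructed bad list", BAD_LIST)):
        ok, chain, problems = check_hybrid(body)
        print(name, "OK" if ok else "FAIL", chain, problems)
```

In the constructed bad list, a request would reach IBMJCE directly and never be routed to the hardware-backed IBMJCECCA provider, which is the silent downgrade this check is meant to catch.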

