Secure transports with JSSE and JCE programming interfaces
This topic gives more detailed information about transport security using the Java™ Secure Socket Extension (JSSE) and Java Cryptography Extension (JCE) programming interfaces. It also describes the IBM® version of the Java Cryptography Extension Federal Information Processing Standard provider (IBMJCEFIPS).
Java Secure Socket Extension
JSSE provides the transport security for WebSphere® Application Server. JSSE provides the application programming interface (API) framework and the implementation of the APIs for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, including functionality for data encryption, message integrity, and authentication.
JSSE APIs are integrated into the Java 2 SDK, Standard Edition (J2SDK), Version 5. The API package for JSSE APIs is javax.net.ssl.*. Documentation for using JSSE APIs can be found in the J2SE 6 API documentation that is located at http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html.
Several JSSE providers ship with the Java 2 SDK Version 5 that comes with WebSphere Application Server. The IBMJSSE provider is used in previous WebSphere Application Server releases.
For more information on the new IBMJSSE2 provider, please review the documentation located at https://www.ibm.com/developerworks/java/jdk/security/60/.
Customizing Java Secure Socket Extension
Customizable item | Default | How to customize |
---|---|---|
X509Certificate | X509Certificate implementation from IBM | The cert.provider.x509v1 security property |
HTTPS protocol | Implementation from IBM | The java.protocol.handler.pkgs system property |
Cryptography Package Provider | IBMJSSE2 | A security.provider.n= line in security properties file. See description. |
Default keystore | None | The * javax.net.ssl.keyStore system property |
Default truststore | jssecacerts, if it exists. Otherwise, cacerts | The * javax.net.ssl.trustStore system property |
Default key manager factory | IbmX509 | The ssl.KeyManagerFactory.algorithm security property |
Default trust manager factory | IbmX509 | The ssl.TrustManagerFactory.algorithm security property |
For aspects that you can customize by setting a system property, statically set the system property by using the -D option of the Java command. You can set the system property using the administrative console, or set the system property dynamically by calling the java.lang.System.setProperty method in your code: System.setProperty(propertyName,"propertyValue").
For aspects that you can customize by setting a Java security property, statically specify a security property value in the java.security properties file. The security property is propertyName=propertyValue. Dynamically set the Java security property by calling the java.security.Security.setProperty method in your code.
The java.security properties file is located in the following directories:
- app_server_root/java/jre/lib/security
- app_server_root/properties
- profile_root/properties
Application Programming Interface for JSSE
- Sockets and SSL sockets
- Factories to create the sockets and SSL sockets
- Secure socket context that acts as a factory for secure socket factories
- Key and trust manager interfaces
- Secure HTTP URL connection classes
- Public key certificate API
You can find more information in the Java SDK documentation.
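The following added example (not IBM's ClientJsse sample) ties the customization table and the API list together: it builds an SSLContext from the javax.net.ssl.keyStore and javax.net.ssl.trustStore system properties, lets the key and trust manager factory algorithms come from the ssl.KeyManagerFactory.algorithm and ssl.TrustManagerFactory.algorithm security properties, and removes anonymous and NULL-cipher suites from the enabled set before the handshake. It assumes the keystore files and their passwords are supplied through those properties (the javax.net.ssl.keyStorePassword and trustStorePassword properties are standard JSSE properties not listed in the table) and takes the target host and port from the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.*;
import javax.net.ssl.*;

public class JsseClientExample {
    // Loads a keystore of the JDK default type; a null path means the store is not configured.
    static KeyStore loadStore(String path, char[] pw) throws Exception {
        if (path == null) return null;
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(path);
        try { ks.load(in, pw); } finally { in.close(); }
        return ks;
    }
    static char[] pw(String prop) { String v = System.getProperty(prop); return v == null ? null : v.toCharArray(); }
    // Builds an SSLContext from the javax.net.ssl.keyStore/trustStore system properties in the table above.
    // getDefaultAlgorithm() reads the ssl.*ManagerFactory.algorithm security properties (IbmX509 on the IBM SDK).
    static SSLContext buildContext() throws Exception {
        char[] kpw = pw("javax.net.ssl.keyStorePassword");
        KeyStore ks = loadStore(System.getProperty("javax.net.ssl.keyStore"), kpw);
        KeyStore ts = loadStore(System.getProperty("javax.net.ssl.trustStore"), pw("javax.net.ssl.trustStorePassword"));
        KeyManager[] kms = null;                       // null: no client certificate is offered
        if (ks != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, kpw);
            kms = kmf.getKeyManagers();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);   // a null store lets the provider use its default truststore (jssecacerts, then cacerts)
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }
    // Drops anonymous (unauthenticated) and NULL-cipher (unencrypted) suites; the IBM samples use every enabled suite.
    static String[] filterSuites(String[] enabled) {
        List<String> keep = new ArrayList<String>();
        for (String s : enabled) if (!s.contains("_anon_") && !s.contains("_NULL_")) keep.add(s);
        return keep.toArray(new String[keep.size()]);
    }
    public static void main(String[] args) throws Exception {
        String host = args[0]; int port = Integer.parseInt(args[1]);   // target host and port (assumed arguments)
        SSLSocket sock = (SSLSocket) buildContext().getSocketFactory().createSocket(host, port);
        try {
            sock.setEnabledCipherSuites(filterSuites(sock.getEnabledCipherSuites()));
            sock.startHandshake();   // fails here if the server chain is not trusted by the truststore
            System.out.println(sock.getSession().getCipherSuite() + " peer=" + sock.getSession().getPeerPrincipal());
        } finally { sock.close(); }
    }
}
```

Run it with the javax.net.ssl.* properties passed as -D options, exactly as the customization section describes for system properties.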
Samples using Java Secure Socket Extension
- Version 1.6
  - Access the https://www.ibm.com/developerworks/java/jdk/security/ website.
  - Click Java 1.6.
  - Click jssedocs_samples.zip in the Java Secure Socket Extension (JSSE) Guide section.
Files | Description |
---|---|
ClientJsse.java | Demonstrates a simple client and server interaction using JSSE. All enabled cipher suites are used. |
OldServerJsse.java | Back-level samples |
ServerPKCS12Jsse.java | Demonstrates a simple client and server interaction using JSSE with the PKCS12 keystore file. All enabled cipher suites are used. |
ClientPKCS12Jsse.java | Demonstrates a simple client and server interaction using JSSE with the PKCS12 keystore file. All enabled cipher suites are used. |
UseHttps.java | Demonstrates accessing an SSL or non-SSL web server using the Java protocol handler of the com.ibm.net.ssl.www.protocol class. The URL is specified with the http or https prefix. The HTML that is returned from this site is displayed. |
Permissions for Java 2 security
- java.util.PropertyPermission "java.protocol.handler.pkgs", "write"
- java.lang.RuntimePermission "writeFileDescriptor"
- java.lang.RuntimePermission "readFileDescriptor"
- java.lang.RuntimePermission "accessClassInPackage.sun.security.x509"
- java.io.FilePermission "${user.install.root}${/}etc${/}.keystore", "read"
- java.io.FilePermission "${user.install.root}${/}etc${/}.truststore", "read"
- java.security.SecurityPermission "putProviderProperty.IBMJSSE"
- java.security.SecurityPermission "insertProvider.IBMJSSE"
- java.security.SecurityPermission "putProviderProperty.SunJSSE"
- java.security.SecurityPermission "insertProvider.SunJSSE"
Debugging
JSSE provides dynamic debug tracing that you enable through the javax.net.debug system property: -Djavax.net.debug=true.
A value of true turns on the trace facility, provided that the debug version of JSSE is installed. Use the administrative console to set the system property when debugging the application server.
Documentation for JSSE
See the Security: Resources for learning topic for documentation references to JSSE.
JCE
Java Cryptography Extension (JCE) provides cryptographic, key and hash algorithms for WebSphere Application Server. JCE provides a framework and implementations for encryption, key generation, key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block and stream ciphers.
IBMJCE
- Cipher algorithm (AES, DES, TripleDES, PBEs, Blowfish, and so on)
- Signature algorithm (SHA1withRSA, MD5withRSA, SHA1withDSA)
- Message digest algorithm (MD5, MD2, SHA1, SHA-256, SHA-384, SHA-512)
- Message authentication code (HmacSHA1, HmacMD5)
- Key agreement algorithm (DiffieHellman)
- Random number generation algorithm (IBMSecureRandom, SHA1PRNG)
- Key store (JKS, JCEKS, PKCS12, JCERACFKS [z/OS only])
For further information, see the information on JCE on the following website: https://www.ibm.com/developerworks/java/jdk/security/60/.
IBMJCEFIPS
- Signature algorithms (SHA1withDSA, SHA1withRSA)
- Cipher algorithms (AES, TripleDES, RSA)
- Key agreement algorithm (DiffieHellman)
- Key (pair) generator (DSA, AES, TripleDES, HmacSHA1, RSA, DiffieHellman)
- Message authentication code (MAC) (HmacSHA1)
- Message digest (MD5, SHA-1, SHA-256, SHA-384, SHA-512)
- Algorithm parameter generator (DiffieHellman, DSA)
- Algorithm parameter (AES, DiffieHellman, DES, TripleDES, DSA)
- Key factory (DiffieHellman, DSA, RSA)
- Secret key factory (AES, TripleDES)
- Certificate (X.509)
- Secure random (IBMSecureRandom)
Application Programming Interface for JCE
- Symmetric bulk encryption, such as DES, RC2, and IDEA
- Symmetric stream encryption, such as RC4
- Asymmetric encryption, such as RSA
- Password-based encryption (PBE)
- Key agreement
- Message authentication codes
There is more information documented for the JCE APIs on the https://www.ibm.com/developerworks/java/jdk/security/ website.
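As an added example (not one of the IBM samples listed below), the following class uses the JCE API surface described above to do AES-CBC encryption with an HmacSHA1 tag in encrypt-then-MAC order, selecting the IBMJCEFIPS provider by name when it is registered in java.security and otherwise falling back to the framework's default provider lookup. The AES/CBC/PKCS5Padding transformation name and the provider-name check are assumptions about the installed SDK; the sample message is constructed.

```java
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;

public class JceEncryptThenMac {
    // Use IBMJCEFIPS when registered in java.security; null lets the framework pick the first capable provider.
    static final String PROV = Security.getProvider("IBMJCEFIPS") != null ? "IBMJCEFIPS" : null;
    static Cipher cipher(String t) throws Exception { return PROV == null ? Cipher.getInstance(t) : Cipher.getInstance(t, PROV); }
    static Mac mac(String a) throws Exception { return PROV == null ? Mac.getInstance(a) : Mac.getInstance(a, PROV); }
    static KeyGenerator keyGen(String a) throws Exception { return PROV == null ? KeyGenerator.getInstance(a) : KeyGenerator.getInstance(a, PROV); }
    // Output layout: IV (16) || AES-CBC ciphertext || HmacSHA1 tag (20) computed over IV || ciphertext.
    static byte[] seal(SecretKey encKey, SecretKey macKey, byte[] plaintext) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);          // fresh IV per message
        Cipher c = cipher("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        Mac m = mac("HmacSHA1");
        m.init(macKey); m.update(iv);
        byte[] tag = m.doFinal(ct);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length + tag.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        System.arraycopy(tag, 0, out, iv.length + ct.length, tag.length);
        return out;
    }
    // Verifies the tag (MessageDigest.isEqual rather than Arrays.equals) before decrypting; null on failure.
    static byte[] open(SecretKey encKey, SecretKey macKey, byte[] blob) throws Exception {
        final int ivLen = 16, tagLen = 20;
        if (blob.length < ivLen + tagLen) return null;
        Mac m = mac("HmacSHA1");
        m.init(macKey);
        m.update(blob, 0, blob.length - tagLen);
        byte[] expected = m.doFinal();
        if (!MessageDigest.isEqual(expected, Arrays.copyOfRange(blob, blob.length - tagLen, blob.length))) return null;
        Cipher c = cipher("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(blob, 0, ivLen));
        return c.doFinal(blob, ivLen, blob.length - ivLen - tagLen);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = keyGen("AES"); kg.init(128);
        SecretKey enc = kg.generateKey();
        SecretKey mac = keyGen("HmacSHA1").generateKey();      // HmacSHA1 key generator, as listed for IBMJCEFIPS
        byte[] blob = seal(enc, mac, "constructed sample message".getBytes("UTF-8"));
        blob[blob.length - 1] ^= 1;                            // corrupt one tag bit: open() must reject it
        System.out.println("tampered blob accepted: " + (open(enc, mac, blob) != null));
        blob[blob.length - 1] ^= 1;                            // restore the tag and decrypt normally
        System.out.println(new String(open(enc, mac, blob), "UTF-8"));
    }
}
```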
Samples using Java Cryptography Extension
File | Description |
---|---|
SampleDSASignature.java | Demonstrates how to generate a pair of DSA keys (a public key and a private key) and use the key to digitally sign a message using the SHA1withDSA algorithm |
SampleMarsCrypto.java | Demonstrates how to generate a Mars secret key, and how to do Mars encryption and decryption |
SampleMessageDigests.java | Demonstrates how to use the message digest for MD2 and MD5 algorithms |
SampleRSACrypto.java | Demonstrates how to generate an RSA key pair, and how to do RSA encryption and decryption |
SampleRSASignatures.java | Demonstrates how to generate a pair of RSA keys (a public key and a private key) and use the key to digitally sign a message using the SHA1withRSA algorithm |
SampleX509Verification.java | Demonstrates how to verify X509 certificates |