Introduction

The security components and utilities described here are shipped with the IBM® SDK, Java™ Technology Edition. The security components contain the IBM implementation of various security algorithms and mechanisms.

Cross-component documentation

IBMJCEFIPS provider
Information about using the IBM Java FIPS approved providers IBMJSSEFIPSProvider and IBMJCEFIPS.
The IBM Hardware Cryptographic Providers for Java
How to use the hardware cryptographic providers with iKeyman, the IBMPKCS11 provider, and configuration files.

Certification path

The Java Certification Path defines a set of classes and interfaces to create, build, and validate digital certification paths. A digital certificate is a data structure that binds a subject to a public key and is signed by a Certification Authority (CA).

Java Authentication and Authorization Service (JAAS)

JAAS allows you to enforce access controls, based on the user who runs an application. This function is missing from the standard implementations of Java 2. JAAS Active Logon is not supported on 64-bit Vista at this time.

Java Cryptographic Extension (JCE)

The JCE provides a framework and implementations for encryption, key generation, and key agreement, as well as Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. The software also supports secure streams and sealed objects. JCE supplements the Java platform, which already includes interfaces and implementations of message digests and digital signatures.

Java Cryptographic Extension (JCE) FIPS

The IBM JCE FIPS provider (IBMJCEFIPS) version 1.2 for multi-platforms is a scalable, multi-purpose cryptographic module that supports FIPS approved cryptographic operations by means of the Java Application Programming Interfaces (APIs). The IBM JCE FIPS provider is certified at Federal Information Processing Standards (FIPS) 140-2 [Level 1].

IBM SDK Policy files

The IBM SDKs ship with both limited and unlimited strength JCE jurisdiction policy files. You can control which policy files are used. The unlimited jurisdiction policy files are used by default. For more information, see SDK Security policy files.

Java Generic Security Services (JGSS)

JGSS is used to exchange messages securely between communicating applications. The Java GSS-API contains the Java bindings for the Generic Security Services Application Program Interface (GSS-API) defined in RFC 2853. GSS-API offers application programmers uniform access to security services built on a variety of underlying security mechanisms, including Kerberos.

IBM Java Secure Socket Extension 2 (IBMJSSE2)

The IBMJSSE2 provider is a Java package enabling secure internet communications. The extension implements a Java version of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes functions for data encryption, server authentication, message integrity, and client authentication. The new JSSE provider has improved serviceability, can be configured to use hardware cryptographic cards, and uses IBM's JCE providers for its cryptography.

iKeyman

iKeyman is a GUI tool for managing Java keystores.

PKCS 11 Implementation Provider

The IBMPKCS11Impl provider uses the Java Cryptography Extension (JCE) and Java Cryptography Architecture (JCA) frameworks to add the ability to use hardware cryptography through the Public-Key Cryptography Standard #11 (PKCS#11). This provider takes advantage of hardware cryptography within the existing JCE architecture, and gives Java programmers the significant security and possible performance advantages of hardware cryptography with minimal changes to existing Java applications. Because the complexities of hardware cryptography are handled within the normal JCE, advanced security and performance using hardware cryptographic devices is readily available.

Start of changes for service refresh 5 fix pack 10

IBMJCEPlus and IBMJCEPlusFIPS providers

The IBMJCEPlus and IBMJCEPlusFIPS cryptographic providers are intended to supersede the IBMJCE and IBMJCEFIPS providers. The newer providers have similar functionality to their older equivalents, although currently the IBMJCEPlus provider does not support key management or use of the keytool utility. The newer providers offer support for newer algorithms (some of which are required for TLS 1.3), additional hardware-accelerated cryptographic capabilities (where supported), and performance enhancements. IBMJCEPlusFIPS also has a later FIPS certification, which will continue to be renewed when needed; the certificate for IBMJCEFIPS will not be renewed, nor will new enhancements be added, so you should use the newer providers where possible.

End of changes for service refresh 5 fix pack 10

Simple Authentication and Security Layer (SASL)

IBMSASL is a Java package enabling secure internet communications. Simple Authentication and Security Layer, or SASL, is an Internet standard (RFC 2222) that specifies a protocol for authentication and optional establishment of a security layer between client and server applications. SASL defines how authentication data is to be exchanged, but does not specify the contents of that data.

IBM Key Certificate Management

The Key Certificate Management is a set of packages used to: access keys and certificates stored in any format; extract information from a KeyStore given a Subject Key Identifier (SKI); create a self-signed certificate; generate a CertificateRequest to send manually, or use Java PKI to send it to a CA and obtain the signed certificate; and revoke a certificate.

Keytool

The KeyTool user guide introduces the key and certificate management utility. The KeyTool utility enables users to administer their own public or private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. The utility also allows users to cache the public keys, in the form of certificates, of their communicating peers.

Java XML Digital Signature

Java XML Digital Signature provides a standard set of APIs for XML digital signature services. XML Digital Signature can be used to perform detached, enveloped, and enveloping signatures, as well as to sign arbitrary binary data and include it within an XML document. The result of signing data is an XML Signature element, which contains or references the signature data.

Java XML Encryption

Java XML Encryption provides a standard set of APIs for XML encryption services. XML Encryption can be used to perform fine-grained, element-based encryption of fragments within an XML document, as well as to encrypt arbitrary binary data and include it within an XML document. The result of encrypting data is an XML Encryption element, which contains or references the cipher data.

IBM SecureRandom provider

IBM SecureRandom provides cryptographically strong random number generation as an alternative to the IBM JCE SecureRandom provider.

IBM Common Access Card (CAC) provider

The IBM Common Access Card (IBMCAC) provider enables applications to use standard APIs to access the United States Department of Defense Common Access Card. This provider is available only on the Windows platform.