Using the native IBM i JSSE provider

The native IBM® i JSSE provider offers the full suite of JSSE classes and interfaces including implementations of the JSSE KeyStore class and the SSLConfiguration class.

Protocol values for the SSLContext.getInstance method

The following table identifies and describes the protocol values for the SSLContext.getInstance method of the native IBM i JSSE provider.

The supported SSL protocols may be limited by the system values set on your system. For more details, see the Security system values: Secure Sockets Layer protocols subtopic in the Systems management information.

| Protocol value | Supported SSL protocols |
| --- | --- |
| SSL | SSL version 3 and TLS version 1.0. Will accept SSLv3 or TLSv1 hello encapsulated in an SSLv2 format hello. |
| SSLv3 | SSL version 3 protocol. Will accept SSLv3 hello encapsulated in an SSLv2 format hello. |
| TLS | TLS version 1.0 protocol, defined in Request for Comments (RFC) 2246. Will accept TLSv1 hello encapsulated in an SSLv2 format hello. |
| TLSv1 | TLS version 1.0 protocol, defined in Request for Comments (RFC) 2246. Will accept TLSv1 hello encapsulated in an SSLv2 format hello. |
| SSL_TLS | SSL version 3 and TLS version 1.0. Will accept SSLv3 or TLSv1 hello encapsulated in an SSLv2 format hello. |
| TLSv1.1 | TLS version 1.1 protocol, defined in Request for Comments (RFC) 4346. Will accept TLSv1 hello encapsulated in an SSLv2 format hello. |
| TLSv1.2 | TLS version 1.2 protocol, defined in Request for Comments (RFC) 5246. |
| SSL_TLSv2 | TLS version 1.2, 1.1, 1.0 and SSL version 3. Will accept SSLv3 or TLSv1 hello encapsulated in an SSLv2 format hello but not TLSv1.2. |
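
The following added example (not part of the original IBM documentation) requests each protocol value from the table, reports which legacy protocols the resulting context enables by default, and then creates a socket pinned to TLS 1.2. It assumes the native IBM i JSSE provider is the preferred JSSE provider in the JVM and that it reports standard JSSE protocol names; the class name ProtocolValueAudit is hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public class ProtocolValueAudit {
    // Protocol values listed in the table above.
    static final String[] TABLE_VALUES = {
        "SSL", "SSLv3", "TLS", "TLSv1", "SSL_TLS", "TLSv1.1", "TLSv1.2", "SSL_TLSv2"
    };
    // Treated as legacy here (assumption: provider uses standard JSSE protocol names).
    static final List<String> LEGACY = Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");

    // Returns the legacy protocols that a context created with this value enables by default.
    static List<String> legacyEnabled(String value) throws Exception {
        SSLContext ctx = SSLContext.getInstance(value);
        ctx.init(null, null, null); // default key and trust material
        List<String> found = new ArrayList<>();
        for (String p : ctx.getDefaultSSLParameters().getProtocols()) {
            if (LEGACY.contains(p)) found.add(p);
        }
        return found;
    }

    // Unconnected socket restricted to TLS 1.2, whatever the context enables by default.
    static SSLSocket tls12Only() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
        socket.setEnabledProtocols(new String[] {"TLSv1.2"});
        return socket;
    }

    public static void main(String[] args) throws Exception {
        for (String value : TABLE_VALUES) {
            try {
                List<String> legacy = legacyEnabled(value);
                System.out.println(value + ": " + (legacy.isEmpty() ? "no legacy protocols enabled" : "legacy enabled " + legacy));
            } catch (NoSuchAlgorithmException e) {
                System.out.println(value + ": not offered by the active JSSE provider");
            }
        }
        try (SSLSocket s = tls12Only()) {
            System.out.println("Pinned socket: " + Arrays.toString(s.getEnabledProtocols()));
        }
    }
}
```

The output reflects what the JVM and the system values permit on the machine where it runs, so run it on the target system rather than on a development workstation.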

Native IBM i KeyStore implementations

The native IBM i provider offers two implementations of the KeyStore class, IbmISeriesKeyStore and IBMi5OSKeyStore. Both KeyStore implementations provide a wrapper around the Digital Certificate Manager (DCM) support.
IbmISeriesKeyStore
The contents of the keystore are based on a particular application identifier or keyring file, password, and label. JSSE loads the keystore entries from the Digital Certificate Manager. To load the entries, JSSE uses the appropriate application identifier or keyring information when your application makes the first attempt to access keystore entries or keystore information. You cannot modify the keystore, and you must make all configuration changes by using the Digital Certificate Manager.
IBMi5OSKeyStore
The contents of this keystore are based on an i5OS certificate store file and the password to access that file. This KeyStore class allows the modification of the certificate store. You can make changes without using the Digital Certificate Manager.

The IBMi5OSKeyStore implementation conforms to the Oracle America, Inc. specification for the Java™ KeyStore API. You can find more information in the Keystore javadoc information by Sun Microsystems, Inc.

For more information on how to manage keystores through DCM, see the Digital Certificate Manager topic.