IBMJCEFIPS provider

The IBM® JCE (Java™ Cryptographic Extension) IBMJCEFIPS provider is a scalable, multi-purpose cryptographic module that supports FIPS-approved cryptographic operations through the Java Application Programming Interfaces (APIs).

Note: The FIPS 140-2 cryptographic module certification for the IBMJCEFIPS provider, as documented in Cryptographic Module Validation Program CMVP, Certificate #2715, expired on 21 August 2021 and will not be renewed. The ibmjcefips.jar file will remain part of the SDK however you should upgrade to service refresh 7 or later and use the IBMJCEPlusFIPS JCE cryptographic provider to achieve FIPS 140-2 compliance of applications in future. (The IBMJCEPlusFIPS provider was added in service refresh 6, fix pack 10 but was signed with the SHA256withRSA signature algorithm in service refresh 7, for enhanced security.)

The IBMJCEFIPS provider provides cryptographic functions to the IBM JSSE2 provider when the latter is used in FIPS mode, which you can enable if you want to use only FIPS-certified cryptography. For more information, see Running IBMJSSE2 in FIPS mode. This separation of function enables improvements and enhancements in IBM JSSE2 without affecting FIPS certification.

The following versions of the IBMJCEFIPS provider are compliant to Federal Information Processing Standards (FIPS) 140-2 [Level 1], and are supported on the listed operating systems:

IBMJCEFIPS v1.1, v1.2, v1.31, v1.7, v1.71, v1.8: These versions are supported on Windows, AIX®, z/OS®, IBMi, Linux® (Red Hat and SuSE), and Solaris.

In order to meet the requirements specified in the FIPS publication 140-2, the algorithms utilized by IBMJCEFIPS are isolated into the provider cryptographic module itself. The cryptographic module is accessed by the product code through the Java JCE framework API. The IBMJCEFIPS provider utilizes the cryptographic module in an approved manner. When properly configured, the product complies with the FIPS 140-2 requirements.

This documentation describes how to move from the non-FIPS JCE provider and how to use the FIPS approved cryptographic modules to retain FIPS compliance.

Using the IBMJCEFIPS provider

To use the IBMJCEFIPS provider, add it to the provider list in the VM java.security file. This example shows the entry needed in this file:

security.provider.n=com.ibm.crypto.fips.provider.IBMJCEFIPS

where n is a number representing the priority of the provider in the list. This list defines which providers the applications have access to and the order in which the algorithms that an application requests are searched.

The APIs that are used to access the module are defined by the JCE framework APIs (see Java Cryptographic Extension (JCE) FIPS and Java Cryptography Extension (JCE) API references for more information). This framework makes the transition from the non-FIPS versions relatively easy. The main difference between the non-FIPS approved and the FIPS-approved version is the provider name IBMJCEFIPS. Further differences are described in Programming Practices.

Note: If you are using the IBMJCEFIPS provider for TLS, add

RSASSA-PSS,
RSAPSS

to the jdk.tls.disabledAlgorithms system property in the java.security file, otherwise you might see the following error:

java.lang.NullPointerException
at com.ibm.crypto.fips.provider.RSAPSSSignature.b(Unknown Source)

This action is required because the IBMJCEFIPS provider is no longer being recertified; it is intended that the IBMJCEPlusFIPS provider will eventually supersede the IBMJCEFIPS provider.