IBMJCEFIPS provider
The IBM® JCE (Java™ Cryptographic Extension) IBMJCEFIPS provider is a scalable, multi-purpose cryptographic module that supports FIPS-approved cryptographic operations through the Java Application Programming Interfaces (APIs).
The IBMJCEFIPS provider provides cryptographic functions to the IBM JSSE2 provider when the latter is used in FIPS mode, which you can enable if you want to use only FIPS-certified cryptography. For more information, see Running IBMJSSE2 in FIPS mode. This separation of function enables improvements and enhancements in IBM JSSE2 without affecting FIPS certification.
- IBMJCEFIPS v1.1, v1.2, v1.31, v1.7, v1.71, v1.8
- These versions are supported on Windows, AIX®, z/OS®, IBMi, Linux® (Red Hat and SuSE), and Solaris.
To meet the requirements specified in FIPS publication 140-2, the algorithms used by IBMJCEFIPS are isolated within the provider cryptographic module itself. The product code accesses the cryptographic module through the Java JCE framework API, and the IBMJCEFIPS provider uses the module in an approved manner. When properly configured, the product complies with the FIPS 140-2 requirements.
This documentation describes how to move from the non-FIPS JCE provider and how to use the FIPS approved cryptographic modules to retain FIPS compliance.
Using the IBMJCEFIPS provider
To use the IBMJCEFIPS provider, add it to the provider list in the VM java.security file. This example shows the entry needed in this file:
security.provider.n=com.ibm.crypto.fips.provider.IBMJCEFIPS
where n is a number representing the priority of the provider in the list. This list defines which providers the applications have access to and the order in which the algorithms that an application requests are searched.

Add RSASSA-PSS, RSAPSS to the jdk.tls.disabledAlgorithms property in the java.security file, otherwise you might see the following error:

java.lang.NullPointerException
at com.ibm.crypto.fips.provider.RSAPSSSignature.b(Unknown Source)

This action is required because the IBMJCEFIPS provider is no longer being recertified; it is intended that the IBMJCEPlusFIPS provider will eventually supersede the IBMJCEFIPS provider.
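As an added example (not from the IBM documentation), the following Java check verifies at runtime the two java.security settings described above: that IBMJCEFIPS is on the active provider list, and that RSASSA-PSS and RSAPSS are listed in jdk.tls.disabledAlgorithms. The class and method names are my own; it uses only the standard java.security API.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class FipsProviderCheck {
    static final String FIPS_PROVIDER = "IBMJCEFIPS";
    static final List<String> MUST_BE_DISABLED = Arrays.asList("RSASSA-PSS", "RSAPSS");

    // 1-based position of IBMJCEFIPS in the active provider list, or -1 if not registered.
    static int fipsProviderPriority() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            if (FIPS_PROVIDER.equals(providers[i].getName())) return i + 1;
        }
        return -1;
    }

    // Names from MUST_BE_DISABLED absent from jdk.tls.disabledAlgorithms. Entries there may
    // carry constraints such as "RSA keySize < 1024", so only each entry's first token is compared.
    static List<String> missingDisabledAlgorithms() {
        String value = Security.getProperty("jdk.tls.disabledAlgorithms");
        List<String> present = new ArrayList<>();
        if (value != null) {
            for (String entry : value.split(",")) {
                String name = entry.trim().split("\\s+")[0];
                if (!name.isEmpty()) present.add(name);
            }
        }
        List<String> missing = new ArrayList<>();
        for (String name : MUST_BE_DISABLED) {
            if (!present.contains(name)) missing.add(name);
        }
        return missing;
    }

    public static void main(String[] args) {
        int priority = fipsProviderPriority();
        List<String> missing = missingDisabledAlgorithms();
        System.out.println(priority > 0
                ? FIPS_PROVIDER + " registered at priority " + priority
                : FIPS_PROVIDER + " is NOT on the provider list");
        System.out.println(missing.isEmpty()
                ? "jdk.tls.disabledAlgorithms already lists RSASSA-PSS and RSAPSS"
                : "jdk.tls.disabledAlgorithms is missing: " + missing);
        // Non-zero exit lets a build or deployment script fail fast on a misconfigured JVM.
        System.exit(priority > 0 && missing.isEmpty() ? 0 : 1);
    }
}
```

Run it with the IBM JVM whose java.security file you edited; it reads the same security properties that IBMJSSE2 and the JCE framework consult, so a clean exit confirms the configuration actually took effect.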