IBM(R) JavaTM PKCS 11 Supported Devices
Introduction
The IBMPKCS11Impl provider uses the Java Cryptography Extension (JCE) and Java Cryptography Architecture (JCA) frameworks to add the capability to use hardware cryptography that supports the Public Key Cryptographic Standards # 11(PKCS#11) standard. The IBMPKCS11Impl provider takes advantage of hardware cryptography within the existing JCE architecture, and gives Java 2 programmers the significant security and performance advantages of hardware cryptography, with minimal changes to existing Java applications. The complexities of hardware cryptography are addressed within the normal JCE, so that advanced security and performance using hardware cryptographic devices is made available easily and seamlessly.
The PKCS#11 standard provides a common application interface to cryptographic services on different platforms, using various hardware cryptographic devices.
On non-z/OS platforms, the IBMPKCS11Impl provider includes the following support:
| Capability |
Implementation |
| Message digest |
MD2, MD5, SHA-1, SHA-256, SHA-384, and SHA-512 algorithms |
| Symmetric encryption and decryption |
AES, DES, triple DES (also known as DESede), RC4, and Blowfish algorithms |
| Asymmetric encryption and decryption |
RSA algorithm |
| Digital signature and verification |
RSA, DSA and ECDSA algorithms |
| Hash-based Message Authentication Codes |
MD5, SHA1, SHA-256, SHA-384, and SHA-512 algorithms |
| Random number generation, key generation using key factories, key and certificate generation, and key and certificate management |
The ikeyman application. |
See the IBM Java PKCS 11 Implementation Provider for more information. On the z/OS platform, the IBMPKCS11Impl provider includes the following support:
| Capability |
Implementation |
| Message digest |
MD5, SHA-1, and SHA-256 algorithms |
| Symmetric encryption and decryption |
AES, DES, and triple DES (also known as DESede) algorithms |
| Asymmetric encryption and decryption |
RSA algorithm |
| Digital signature and verification |
RSA algorithm |
| Random number generation, key generation using key factories, key and certificate generation, and key and certificate management |
The ikeyman application. |
| Application key separation |
Virtual PKCS#11 tokens, protected by RACF |
See the z/OS IBMPKCS11Impl Guide on Java 2 for more information. Note: On the z/OS platform, the IBMJCECCA provider provides similar function using the IBM CCA interface to the hardware devices. (see the documentation for IBMJCECCA for more information).
Supported Platforms
The PKCS11Impl provider supports a subset of the platforms that the JVM supports at the 6.0 level. See the IBM JVM for 6.0 specific documentation for the supported operating systems and any other JVM specific requirements. The supported platforms for Java 6.0 are:
- Microsoft Windows 32
- AIX 5.2/5.3 (32-bit/64-bit)
- Linux (PPC 32-bit/64-bit)
- Linux (Intel 32-bit)
- Solaris (32-bit/64-bit) Sparc only
- Linux on System z (32-bit/64-bit)
- z/OS
Support for these cards through the IBMPKCS11Impl provider begins after the card, its driver, and any manufacturer's support software has been installed and is functioning properly. Any issues regarding installation and configuration of these cards and software should be referred to the manufacturer.
- The following cards are supported on Microsoft Windows (32-bit), AIX, Solaris 9 (32-bit and 64-bit, Sparc only), Linux:
- nCipher nForce 4000 PCI(OB4033P-4K0)
- nCipher nForce 1600 PCI(nC3033P-1k6)
- nCipher nForce 150 PCI(nc3033P-150)
- nCipher nShield 800 PCI(nC4033P-800)
- nCipher nShield 150 SCSI(nc4032W-150) Note: This card is going out of support.
- nCipher nShield 150 SCSI(nF300KM-1c) Note: This card is going out of support.
- nCipher netHSM 1600 (nH1956)
- Eracom Orange (CSA8000)
- SafeNet Luna SA
- The following cards are supported on AIX and Linux on System z:
- IBM 4758 PCI Cryptographic Coprocessor (4758-002/023) Note: This card has gone out of support.
- IBM e-business Cryptographic Accelerator (4960, PCICA).
- IBM PCI-X Cryptographic Coprocessor (4764, PCIXCC).
On z/OS the above cards are supported through the IBMJCECCA provider. See the documentation for this provider for more information.
- The following is supported on Solaris 10 (32-bit and 64-bit, Sparc only):
- The on-chip cryptography in the Sun Ultra-SPARC T2 CMT processor.
- The following cards are supported on Microsoft Windows (32-bit), AIX, Solaris 9 (32-bit and 64-bit, Sparc only), Linux. These specific models have not been tested by IBM, but support is assumed because other cards in the same family have been tested successfully.
- nCipher nForce 300 PCI
- nCipher nForce 400 PCI
- nCipher nForce 400 SCSI
- nCipher nShield 4000 PCI (nC4033P-4000)
- nCipher nShield 400 SCSI
- nCipher nShield 150 PCI
- nCipher nShield 300 PCI
- nCipher netHSM 300 PCI
- nCipher netHSM 800 PCI
- nCipher netHSM 500 (nC4333N-500)
- nCipher netHSM 2000 (nC4333N-2K0)
- To use the IBMPKCS11Impl provider on the z/OS platform, you must have the following:
- A system at the z/OS V1R9 level with one of the following:
- On a z800 or z900 processor, a CCF and a PCICC card.
- On a z890 or z990 processor, a CPACF and a PCIXCC card.
- On a z890 or z990 processor, a CPACF and a CEX2C card.
- On a z9 processor, a CPACF and a CEX2C or CEX2A card.
- ICSF must be running.
See the z/OS V1R9 Cryptographic Services Integrated Cryptographic Services Facility (ICSF) documentation for a description of the functions available for each of the configurations.
- The following adapter is supported on Linux for System z (32-bit and 64-bit)
- The IBM Crypto Express 2 crypto adapter (configured as an ICA token)
The following cards have observations that might be of interest:
The following sections descibe the observations for each card.
This card can translate only CRT RSA keys. It cannot translate plain RSA keys. RSA keys can wrap DES and DESede keys, but DES and DESede keys cannot wrap an RSA key. Signature encoding issues on this card are fixed by the following updates:
- AIX 5.2 IY53096 puts bos.pkcs11 at 5.2.0.30.
- AIX 5.1 IY54784 puts bos.pkcs11 at 5.1.0.28.
- Linux on System z OpenCryptoki 2.1.5 update.
The RSA signature encoding issue on this card was fixed by Version 2.42 of the microcode. In addition, OpenCryptoki 2.1.5 fixes this issue for Linux on System z. RSA keys can wrap DES and DESede keys, but DES and DESede keys cannot wrap an RSA key. Plain RSA keys cannot be translated. RSA CRT keys can be translated. The card does not create a ShortBufferException for buffers that are too small.
PTFs U810490 and U890491 are the pre-requisites that upgrade the library from 3.27 to 3.27.1. This card does not create a ShortBufferException for buffers that are too small.
No issues observed.
Software keys cannot be translated using this card. Key wrapping does not work work with the default configuration of the device. Setting a seed for the random number generator is not allowed. This device was not creating a ShortBufferException for buffers that are too small; this has been fixed by the latest version.
RSA keys can wrap a DES or DESede key, but DES and DESede key cannot wrap an RSA key. Public keys cannot be wrapped. Translation of plain RSA keys is not supported. RSA CRT keys can be translated.
In addition, you must set the environment variable CKNFAST_OVERRIDE_SECURITY_ASSURANCES to tokenkeys if you are using a Generation 2 card.
RSA keys can wrap a DES or DESede key, but DES and DESede key cannot wrap an RSA key. The Blowfish algorithm is not supported.
The n2cp device driver supports the cryptographic operations that are built into the Ultra-SPARC T2 CMT processor. The version of the n2cp device driver tested is VERSION 11.10.0,REV=2007.07.08.21.44.
The version of Suns native pkcs11 libraries (/usr/lib/libpkcs11.so.1 and /usr/lib/sparcv9/libpkcs11.so.1) tested is VERSION 11.10.0,REV=2005.01.21.15.53.
32-bit support for the Sun Ultra-SPARC T2 CMT processor is introduced in IBM 6.0 JRE/JDK Service Refresh 5, and in IBM 5.0 JRE/JDK Service Refresh 10. 64-bit support for the Sun Ultra-SPARC T2 CMT processor is introduced in IBM 6.0 JRE/JDK Service Refresh 6.
The Blowfish algorithm is not supported. HMACwithSHA1 is not supported.
Testing for the IBM Crypto Express 2 was performed on SUSE Linux Enterprise Server 10 (SLES 10). The SLES 10 version of the opencryptoki library (currently version 2.2.4-0.7) does not support SHA-256. The SLES 11 version of the opencryptoki library (currently version 2.2.6) is expected to support SHA-256, however, this has not yet been tested.
Testing for the IBM Crypto Express 2 on SLES 10 identified updates that needed to be made to the opencryptoki library. These updates are expected in SUSE Linux Enterprise Server 10 (SUSE 10) Service Pack 3, and in SUSE Linux Enterprise Server 11 (SUSE 11) Service Pack 1.
Support for the IBM Crypto Express 2 crypto adapter is introduced in IBM 6.0 JRE/JDK Service Refresh 6, and in IBM 5.0 JRE/JDK Service Refresh 10.
|
