Secure the "z"

Hello all,

I wanted to spread around some knowledge about the Java Security IBMJCECCA provider on z/OS. This keystore gives Java users access to unique z/OS functionality. I've written up a small article that talks a bit about the Java KeyStores. This should help you become more aware with how IBMJCECCA keystores interact with z/OS.

What is a Keystore

A Java KeyStore is used to store encryption keys and certificates, represented by Java key objects, so that they will persist between sessions The generic Java KeyStore is backed by a file protected with a password. However, with the IBMJCECCA provider, the KeyStore can be backed by the RACF database. In this case, the RACF profiles make password protection unnecessary.

IBMJCECCA Keystores

The IBMJCECCA provider, developed by the z/OS Java Security Team, offers several types of KeyStores. IBMJCECCA KeyStores enable a Java program to exploit the unique cryptography and security functionality on z/OS.

JCECCAKS

A JCECCAKS KeyStore enables a Java Program to use the unique z/OS hardware keys provided in the ICSF component. The types are CKDS (for symmetric), PKDS (for asymmetric), PROTECTED (symmetric) and CLEAR.

For CKDS/PKDS types, the actual keys are stored in RACF protected data sets and the key bytes may be encrypted by the master key. The Java key object for a key of either of these types contains the label for the key in the data set. These key types offer great protection. In particular, when the key is encrypted using the host master key, the key material never appears in memory in clear form.

The two other types of keys, PROTECTED and CLEAR, do not reside in a data set. Unlike CKDS/PKDS keys, where only the label is stored in the Java key object, PROTECTED and CLEAR key objects contain the actual key material. The key material for a PROTECTED key is encrypted using the host master key. The key material in a CLEAR key object is not encrypted. Thus, the key material is in the 'clear'.

To specify the key type, use a CCAAlgorithmParameterSpec for symmetric keys and a KeyParameterSpec for RSA keys.

The JCECCAKS KeyStore enables a user to take advantage of the added security mechanisms for key management on z/OS.

JCECCARACFKS

In addition to JCECCAKS file backed KeyStores, users can choose a KeyStore backed by a RACF key ring. This is done by specifying a JCECCARACFKS KeyStore. Key rings containing RSA Private keys and certificates are accessed using this type of KeyStore and a RACFInputStream and RACFOutputStream .

To learn more about these KeyStore types, the key types they contain, or the IBMJCECCA provider, visit this webpage:

ftp://public.dhe.ibm.com/s390/java/java7/zOSHWCryptoRefGuide.html

Now you know more about IBMJCECCA KeyStores and should be able to get started working with them and the provider. Feel free to post up any comments or questions about this or IBMJCECCA.

James Simone

Secure the "z"

The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.