ZERTJSSE

zERT-enabled Java™ Secure Socket Extension (ZERTJSSE) is an IBM® security provider that enables secure internet communications and gathers security information about those communications for reporting to z/OS® Encryption Readiness Technology (zERT).

Overview

ZERTJSSE wraps the SunJSSE provider and notifies zERT when a change to the state of a secure session that is managed by SunJSSE occurs. ZERTJSSE does not implement any JSSE functionality. Instead, it uses the SunJSSE provider to run JSSE operations. ZERTJSSE merely monitors the secure sessions that are managed by SunJSSE; the flow of data between the user and the SunJSSE provider is unchanged. For more information about the underlying JSSE implementation, see SunJSSE provider documentation.

Dependencies

ZERTJSSE has the following stack dependencies:

  • ZERTJSSE depends on the underlying SunJSSE provider for all of the JSSE functionality that it exposes. For more information about the underlying JSSE implementation, see the Documentation section.
  • ZERTJSSE depends on the zERT Java API to notify the zERT Discovery and Recording component. For more information, see the Configuration section.

Limitations

Lack of support for SSLEngines
Since SSLEngines are transport-independent, ZERTJSSE has no way of associating the zERT information with a TCP connection. Therefore, the SSLEngines provided by ZERTJSSE do not include zERT support.
Renegotiation notification timing issues
Since renegotiation events are reported to zERT on separate threads, timing issues might occur: when successive renegotiations are reported from different threads, the notifications can reach zERT out of order.
Clear communication under layered SSLSockets
A layered SSLSocket is created when an application wraps an existing Socket with an SSLSocket to create a secure connection. When a layered SSLSocket is created, the underlying Socket is still available to the application. If the application continues to transmit data through the underlying Socket, zERT might report the connection as secure while unencrypted data is still being transferred over the TCP connection.
Unavailable attributes
The SECATTRi_TLS_Handshake_Type attribute that is requested by zERT cannot be discovered by ZERTJSSE. Therefore, ZERTJSSE does not report the SECATTRi_TLS_Handshake_Type attribute.
System properties
System properties that are used in SunJSSE are set upon loading of the ZERTJSSE provider. Any change in these system properties between being set in ZERTJSSE and SunJSSE might result in unexpected behavior.

Configuration

For zERT to be enabled for JSSE functionality, ZERTJSSE must be specified as the JSSE provider to use.

To make ZERTJSSE the default security provider, see Installing security providers.

ZERTJSSE Runtime JVM Arguments
ZERTJSSE requires specific JVM arguments at run time so that it can access the internal sun.security.ssl package of java.base. The following arguments must be passed to the JVM:
--add-exports java.base/sun.security.ssl=ibm.zertjsse
--add-opens java.base/sun.security.ssl=ibm.zertjsse
zERT Java API Configurations
ZERTJSSE requires the use of the zERT Java API that was released in APAR PH47010. This APAR must be installed on the system, and the application must meet the following requirements:
  • The EZBCPPMJ.jar file must be included in the classpath. EZBCPPMJ.jar is installed in the directory /usr/include/java_classes.
  • libEZBCPP64.so must be located in $LIBPATH so the JNI methods can be found. libEZBCPP64.so is installed in the directory /usr/lib.
SunJSSE Configurations
To configure JSSE functionality, follow the configuration options for SunJSSE. For more information about configuring SunJSSE, see the Documentation section.
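The following script is an added example and is not part of the IBM documentation or the ZERTJSSE product. It pulls the three runtime requirements above into one place: the two module flags, the EZBCPPMJ.jar classpath entry, and the libEZBCPP64.so check against $LIBPATH. The install paths are the documented ones; the application jar (app.jar), the main class (com.example.Main) and the /usr/lib fallback for an unset LIBPATH are assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): preflight checks and
# launch-command assembly for a Java application that uses ZERTJSSE.
# The install paths are the ones the documentation gives; the application
# jar, main class and the LIBPATH fallback are placeholders/assumptions.

# Module flags the documentation requires (ZERTJSSE reaches into sun.security.ssl).
ZERTJSSE_JVM_ARGS='--add-exports java.base/sun.security.ssl=ibm.zertjsse --add-opens java.base/sun.security.ssl=ibm.zertjsse'

# Documented install locations of the zERT Java API (APAR PH47010).
ZERT_JAR_DEFAULT=/usr/include/java_classes/EZBCPPMJ.jar
ZERT_LIB_NAME=libEZBCPP64.so

# Return 0 if file $2 exists in one of the colon-separated directories in $1.
lib_on_path() {
  path="$1"; name="$2"
  oldifs="$IFS"; IFS=':'
  for dir in $path; do
    if [ -n "$dir" ] && [ -f "$dir/$name" ]; then IFS="$oldifs"; return 0; fi
  done
  IFS="$oldifs"
  return 1
}

# Check the prerequisites: the jar is present and the JNI library is on LIBPATH.
# Prints each missing item; returns 1 if anything is missing, 0 otherwise.
zertjsse_preflight() {
  jar="$1"; libpath="$2"; libname="$3"
  rc=0
  if [ ! -f "$jar" ]; then
    echo "missing: $jar (zERT Java API jar; must be on the classpath)"; rc=1
  fi
  if ! lib_on_path "$libpath" "$libname"; then
    echo "missing: $libname is not in LIBPATH=$libpath (JNI methods will not be found)"; rc=1
  fi
  return $rc
}

# Assemble the java command line: module flags, the zERT API jar prepended to
# the application classpath, then the main class.
build_java_cmd() {
  jar="$1"; app_cp="$2"; main_class="$3"
  printf 'java %s -cp %s:%s %s\n' "$ZERTJSSE_JVM_ARGS" "$jar" "$app_cp" "$main_class"
}

# Stand-alone use: sh zertjsse-launch.sh --show  (prints the command it would run).
if [ "${1:-}" = "--show" ]; then
  zertjsse_preflight "$ZERT_JAR_DEFAULT" "${LIBPATH:-/usr/lib}" "$ZERT_LIB_NAME" || exit 1
  build_java_cmd "$ZERT_JAR_DEFAULT" "app.jar" "com.example.Main"   # placeholders
fi
```

The script only verifies the runtime prerequisites and builds the command line; making ZERTJSSE the JSSE provider the application actually uses is still done through the provider installation described under Installing security providers. A failed preflight is worth treating as a hard stop: if the JNI library or jar is absent, the application may still run TLS through SunJSSE while no session information reaches zERT.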

Documentation

For the ZERTJSSE API documentation, see: ZERTJSSE Provider Class Documentation.

For documentation on the underlying JSSE functionality, see: SunJSSE Provider documentation.

For information about the JSSE Standard API, see: JSSE Standard API.

For information about zERT, see: z/OS Encryption Readiness Technology (zERT).

For information about Java security providers, see: Security Guide.