Service refresh 3
Read about the changes in service refresh 3, and subsequent fix packs.
Skip to Service refresh 3 fix pack 10
Skip to Service refresh 3 fix pack 20
Service refresh 3
IllegalStateException ("The maximum number of IV invocations for the current key have been exhausted.")
The
maximum number of iterations is 18,446,744,073,709,551,615. Service refresh 3 fix pack 10
This release contains a new version of the IBM® JCE FIPS provider, new system properties (one of which affects previous behavior), support for the IBMJCECCA provider for Linux® on IBM Z, and new aliases for the JCE provider.
- New version of the JCE FIPS provider
-
This release includes version 1.8 of the IBM JCE FIPS provider. There are behavior differences between this version and the previous version, 1.71. These differences might require you to modify your application code if you are using the IBMJCEFIPS provider or the JSSE provider in FIPS mode. For more information, see IBM JCE FIPS 140-2 Cryptographic Module Security Policy.
- Support for the IBMJCECCA provider for Linux on IBM Z
-
Java Cryptography Extension Common Cryptographic Architecture (IBMJCECCA) is a security provider that exploits hardware cryptography, and is used to supplement the Java Cryptography Extension (JCE). From this release, IBMJCECCA is supported for Linux on IBM Z as well as for z/OS®.
For more information, see: The IBMJCECCA provider.
- Matching the behavior of SSLContext.getInstance("TLS") to Oracle
-
Compared to the Oracle implementation, differences exist in the versions of TLS that are enabled when you set an SSL context object to enable the protocol. A new system property is available to match the behavior of SSLContext.getInstance("TLS") in the IBM SDK with the Oracle implementation. For more information, see Matching the behavior of SSLContext.getInstance("TLS") to Oracle.
- JGSS: Specifying Kerberos encryption types
-
You can now specify Kerberos encryption types by using the com.ibm.security.krb5.enctypes Java system property. For more information, see Some JGSS Used Java Properties.
- Security: New PBE alias names
-
Several AES-based, password-based encryption (PBE) aliases are added to the IBMJCE provider. These PBE aliases correspond to the algorithm names used by Oracle:
- PBEWithHmacSHA1AndAES_128
- PBEWithHmacSHA224AndAES_128
- PBEWithHmacSHA256AndAES_128
- PBEWithHmacSHA384AndAES_128
- PBEWithHmacSHA512AndAES_128
- PBEWithHmacSHA1AndAES_256
- PBEWithHmacSHA224AndAES_256
- PBEWithHmacSHA256AndAES_256
- PBEWithHmacSHA384AndAES_256
- PBEWithHmacSHA512AndAES_256
Service refresh 3 fix pack 20
This release contains updates to the IBMJCECCA provider (z/OS and Linux on IBM Z® only).
You can now use the hwkeytool command line utility to create an HMAC Java key object (com.ibm.crypto.hdwrCCA.provider.HMACKey) from an existing CKDS entry that contains a secure HMAC key, then store that key object in the IBMJCECCA keystore (JCECCAKS).
The IBMJCECCA provider now supports HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384, and HMACSHA512 SecretKeyFactory algorithms for creating a Java key object from a key specification that contains the label of an existing CKDS secure HMAC key entry.
The IBMJCECCA provider is also updated such that HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, and HMACSHA512 Mac algorithms now include support for key objects that represent secure HMAC keys.
For more information about JCECCA, see IBMJCECCA.