TLS implementations
The system contains multiple TLS implementations. Each implementation implements one or more versions of the TLS protocols according to the industry definitions.
The implementations must interoperate with other implementations according to the Internet Engineering Task Force (IETF) specifications for each protocol version. Each implementation has unique characteristics and provides different sets of optional functionality.
The set of APIs used determines which implementation is used for each secure application on the system. With Java™, the configured JSSE provider determines the implementation since the Java interfaces are standardized. An application can also embed an implementation that is only known to the application.
The following implementations are available for developing applications on IBM i:
- System TLS
ILE applications use System TLS. Certificate management is performed with the Digital Certificate Manager (DCM), and the certificate store type is Certificate Management Services (CMS) with a file extension of *.KDB. Java applications can use System TLS, but this is not typical. The most obscure case would be a Java application that uses System TLS while also using a Java Keystore.
- IBMJSSE2 (IBMJSSEProvider2)
This Java Secure Socket Extension (JSSE) provider contains a pure Java implementation of the TLS protocols and is available on multiple platforms. This implementation is known as the com.ibm.jsse2.IBMJSSEProvider2 in the java.security provider list. Most Java applications on the system use this JSSE since it is the default provider for all JDK versions. The certificates are typically found in a Java keystore file (JKS) and are managed by using the Java keytool command or IBM Key Management (iKeyman) utility.
For general JSSE information on the system, see Java Secure Socket Extension (JSSE).
For specific details, see the IBMJSSE2 platform independent documentation for the appropriate JDK version. For JDK8, see Security Reference for IBM® SDK, Java Technology Edition, Version 8.
- OpenSSL
OpenSSL is an Open Source toolkit that implements TLS protocols and a full-strength general-purpose cryptography library. It is only available in the IBM Portable Application Solutions Environment for i (PASE for i). The certificates are typically found in PEM files and are managed with OpenSSL commands.
Common Information Model Object Manager is an application that uses this implementation. For more information, see Common Information Model.
- Domino for i
Uses its own native TLS implementation that is embedded in the product. Configuration and certificate management are provided by the application.
Domino HTTP can be configured to use System TLS with DCM certificates, but by default uses the Domino native implementation.
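
Because the configured JSSE provider decides which TLS implementation a Java application gets, it is worth confirming what a given JVM actually resolves and which protocol versions that provider enables. The following is an added example, not IBM's code: the class name `JsseProviderReport` is hypothetical, and it uses only the standard `java.security` and `javax.net.ssl` APIs.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

// Added example: report which JSSE provider(s) this JVM will use for TLS.
public class JsseProviderReport {

    public static void main(String[] args) throws Exception {
        // The default context is what most applications get implicitly.
        SSLContext def = SSLContext.getDefault();
        System.out.println("Default SSLContext provider: " + describe(def.getProvider()));
        System.out.println("  enabled by default: "
                + Arrays.toString(def.getDefaultSSLParameters().getProtocols()));

        // Walk the java.security provider list in preference order.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            for (Provider.Service s : p.getServices()) {
                if (!"SSLContext".equals(s.getType()) || "Default".equals(s.getAlgorithm())) {
                    continue; // only explicit protocol contexts; "Default" is covered above
                }
                System.out.printf("#%d %s -> SSLContext.%s%n", i + 1, describe(p), s.getAlgorithm());
                try {
                    SSLContext ctx = SSLContext.getInstance(s.getAlgorithm(), p);
                    ctx.init(null, null, null); // default key/trust managers and RNG
                    System.out.println("  supported: "
                            + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
                    System.out.println("  enabled:   "
                            + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
                } catch (Exception e) {
                    // A context can be disabled by policy or fail to initialise; report and continue.
                    System.out.println("  unavailable: " + e);
                }
            }
        }
    }

    // Provider name plus implementing class, e.g. the class named on this page
    // (com.ibm.jsse2.IBMJSSEProvider2) when IBMJSSE2 is installed.
    static String describe(Provider p) {
        return p.getName() + " (" + p.getClass().getName() + ")";
    }
}
```

Comparing the "supported" and "enabled" lists shows whether older protocol versions are merely available or are actually on by default for the provider in use.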