Java Version 6.0 migration considerations

Edit online

Consider these points when migrating to Java™ Version 6.0.

The Java Version 6.0 64-bit SDK was installed by removing the Java Version 5.0 RPMs and installing the Java Version 6.0 RPMs. Removing Java Version 5.0 is optional, and it is possible to have multiple Java versions installed at the same time.

There are changes to be made to the Java Version 6.0 java.security file different from the changes that were made for Java Version 5.0:
  • The PKCS11 provider is no longer used. Instead, use the com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl provider.
  • The key database for IBMPKCS11Impl is now named PKCS11Direct or PKCS11Config.

For software encryption using cipher AES-256, the local_policy.jar file is needed. For software encryption using cipher AES-256 in the United States, the US_export_policy.jar file is also needed. Without the correct versions of these files, a NoSuchAlgorithmException error message is generated for this cipher.

For more information, consult the guide for iKeyman under Java Version 6 at:

https://download.boulder.ibm.com/ibmdl/pub/software/dw/jdk/security/60/iKeyman.8.User.Guide.pdf

It is also important to modify the PKCS11 configuration file after installing Java 6. More encryption mechanisms were added to the standard that are not yet supported in hardware. These need to be present in the disabled mechanisms list in the PKCS11 configuration file. The current list for Java 6 is:
disabledmechanisms {
CKM_SHA_1
CKM_MD5
CKM_MD5_HMAC
CKM_SHA_1_HMAC
CKM_SSL3_MASTER_KEY_DERIVE
CKM_SSL3_KEY_AND_MAC_DERIVE
CKM_SSL3_PRE_MASTER_KEY_GEN
}

For the latest information about Java security and Java Secure Socket Extensions, see:

https://www.ibm.com/docs/en/i/7.5?topic=security-java-secure-socket-extension