Set up the java.security file for hardware encryption

The java.security file for Java™ Version 5.0 must be present and customized on both the JSSE server and client LPARs for the JSSE study.

The java.security file contains an ordered list of providers, each implementing a certain set of ciphers. When a cipher is requested, the first provider in this list that supports it is chosen. The only provider with full cryptographic hardware support is the IBMPKCS11Impl provider. Therefore, the default java.security file must be modified so that this provider is the first one in the list (see Figure 1).

The modified java.security file must be changed back temporarily while the iKeyman utility runs. For the iKeyman steps, the IBMPKCS11Impl provider is commented out and the currently commented-out IBMPKCS11 provider is uncommented. Different versions and levels of Java might ship different java.security files with different security providers. The java.security file example in Figure 1 shows IBMPKCS11Impl in the first position, ahead of the IBMJCE provider. This order ensures that hardware encryption is used by default instead of software encryption.

Figure 1. Sample Java Security file for Java 1.5

cat /usr/lib64/jvm/java-1_5_0-ibm-1.5.0_sr7/jre/lib/security/java.security

security.provider.1=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl <pkcs11 configuration file>
#security.provider.1=com.ibm.crypto.pkcs11.provider.IBMPKCS11
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.security.sasl.IBMSASL

The PKCS11 configuration file specified here is described in PKCS11 configuration file. Support for placing the IBMPKCS11Impl provider first in the java.security file is incomplete at the moment: at the time of the test, the Java application is required to load the IBMPKCS11Impl provider explicitly.
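The following is an added example, not code from the original page or from IBM: it loads the IBMPKCS11Impl provider explicitly, inserts it at position 1 (matching security.provider.1 above), and then checks which provider actually serves a cipher request, so that a fallback to software encryption is detected before the JSSE runs. It assumes the PKCS11 configuration file path is passed as the first argument and that IBMPKCS11Impl offers a constructor taking that path as a String.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl;

/**
 * Added example: explicit registration of the hardware provider plus a
 * check of which provider the JCE framework selects for a cipher.
 * Assumption: IBMPKCS11Impl(String pkcs11ConfigFile) constructor exists.
 */
public class Pkcs11ProviderCheck {

    /** Inserts the hardware provider first; returns its assigned position. */
    static int registerHardwareProvider(String pkcs11ConfigFile) throws Exception {
        // Remove any earlier instance so repeated calls do not return -1.
        Security.removeProvider("IBMPKCS11Impl");
        Provider hw = new IBMPKCS11Impl(pkcs11ConfigFile);
        // Position 1 mirrors security.provider.1 in java.security.
        return Security.insertProviderAt(hw, 1);
    }

    /** Returns the name of the provider that serves the given transformation. */
    static String providerFor(String transformation) throws Exception {
        return Cipher.getInstance(transformation).getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java Pkcs11ProviderCheck <pkcs11 configuration file>");
            System.exit(2);
        }
        int pos = registerHardwareProvider(args[0]);
        System.out.println("IBMPKCS11Impl registered at position " + pos);

        // Print the effective order so it can be compared with java.security.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("security.provider." + (i + 1) + "=" + providers[i].getName());
        }

        // Anything other than IBMPKCS11Impl here means software encryption is in use.
        String name = providerFor("AES/CBC/PKCS5Padding");
        System.out.println("AES/CBC/PKCS5Padding served by: " + name);
        System.exit("IBMPKCS11Impl".equals(name) ? 0 : 1);
    }
}
```

Run it on both the server and client LPARs; a non-zero exit code means the requested cipher would be handled by a software provider such as IBMJCE.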