Start of changes for service refresh 5 fix pack 10

Enabling the IBMJCEPlus and IBMJCEPlusFIPS providers

The ibmjceplus.jar file contains a FIPS-compliant provider (IBMJCEPlusFIPS) and a non-FIPS provider (IBMJCEPlus). Start of changes for service refresh 7From service refresh 7, the IBMJCEPlus provider is the default JCE provider except on z/OS®.End of changes for service refresh 7 In earlier releases and for z/OS, you enable these providers by editing the JAVA_HOME/jre/lib/security/java.security file.

Before you begin

The IBMJCEPlus and IBMJCEPlusFIPS providers are supported on AIX®, Linux®, and Windows operating systems. Start of changes for service refresh 6 fix pack 25From service refresh 6, fix pack 25, the IBMJCEPlus provider is also supported on z/OS (the IBMJCEPlusFIPS provider is not yet supported on z/OS).End of changes for service refresh 6 fix pack 25.

On Linux on IBM® POWER® (Little Endian), libc must be version 2.19 or later; the IBMJCEPlus and IBMJCEPlusFIPS providers require later versions of the C standard library than the standard system requirements.

For more information about FIPS compliance for the IBMJCEPlusFIPS provider, see Certificate #3064.

About this task

The SDK comes with a pre-defined list of security providers, ordered by preference, in the JAVA_HOME/jre/lib/security/java.security file. You can edit this file to control which providers you want to use. For example, in service refresh 7 on most supported operating systems, the relevant part of the java.security file looks as follows.
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
...
IBMJCEPlus is number 2 in the list, so it is already enabled and used by default instead of IBMJCE, which is number 3 (a lower preference). In this way, the list also provides fail-over capability.
Note: You can also use Java™ code to dynamically specify the provider to use. For more information about specifying providers with Java code or with the java.security property file, see Installing Providers for JCE.
The presence and position of the IBMJCEPlus provider line in the java.security file changed since the IBMJCEPlus and IBMJCEPlusFIPS providers were introduced in service refresh 5, fix pack 10. Therefore, the edit required to the java.security file to enable the IBMJCEPlus provider depends on your release and your operating system, as summarized in the following table.
Table 1. The edit required to the java.security file to enable IBMJCEPlus
Release and operating system IBMJCEPlus provider is in file IBMJCEPlus provider is before IBMJCE provider in file Edit required to enable IBMJCEPlus provider
SR7 and later, on AIX, Linux, and Windows Yes Yes None
SR7 and later, on z/OS Yes No Move to before IBMJCE
SR6 FP25 and later fix packs Yes No Move to before IBMJCE
SR5 FP10 through SR6 FP20 No - Add to before IBMJCE
The IBMJCEPlusFIPS provider was never in the java.security file by default. If you want to use this provider, you must add it to the file before any other JCE provider.

Procedure

  • If your application contains hardcoded references to a provider name instead of using the provider list and provider fail-over mechanisms, ensure that your code specifies the name of the provider that you want to use.
  • Edit the JAVA_HOME/jre/lib/security/java.security file to add or move the IBMJCEPlus or IBMJCEPlusFIPS provider and change its preference number as required.
    For example:
    • If you are on service refresh 7 or later on AIX, you do not have to do anything; the IBMJCEPlus provider is already before the IBMJCE provider in the file so is used by default. If you are on service refresh 7 or later on z/OS though, the IBMJCEPlus provider is not the default; you must move it to before the IBMJCE provider in the file.
    • If you are on service refresh 6, fix pack 25 or later and you want to use the IBMJCEPlus provider, move the existing line to before the IBMJCE provider and update the preference numbers accordingly:
      security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlus
      security.provider.3=com.ibm.crypto.provider.IBMJCE
      security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
      ...
    • If you are on an earlier release and you want to use the IBMJCEPlus provider, add the line security.provider.n=com.ibm.crypto.plus.provider.IBMJCEPlus, where n is the preference number, to the file before the IBMJCE provider and update the preference numbers accordingly.
    • On any release or operating system, if you want to use the IBMJCEPlusFIPS provider (for example when you are configuring the IBMJSSE2 provider to run in FIPS mode), add it to the file before any other JCE provider and update the preference numbers accordingly.

Results

When enabled, the IBMJCEPlus and IBMJCEPlusFIPS providers operate with hardware acceleration always on, where this is supported.

End of changes for service refresh 5 fix pack 10