Start of changes for 11.0.15.0

IBMJCECCA

The IBMJCECCA provider extends Java™ Cryptography Extension (JCE) and Java Cryptography Architecture (JCA) seamlessly to add support for hardware cryptography by using IBM Common Cryptographic Architecture (CCA) interfaces on the z/OS® operating system.

The IBMJCECCA provider implements the existing JCE architecture, taking advantage of hardware cryptography to give Java programmers the significant security and performance advantages of hardware cryptography with minimal changes to existing Java applications. Because the complexities of hardware cryptography are handled within the normal JCE APIs, the advanced security and performance of hardware cryptographic devices are made easily available.

IBM CCA is a set of software elements that provide common application interfaces to secure, high-speed cryptographic services on various platforms by using hardware cryptographic devices. On z/OS, access to hardware cryptographic devices is controlled by the Integrated Cryptographic Service Facility (ICSF). This software package provides IBM CCA interfaces to hardware devices that are used by the IBMJCECCA provider. One or more of these hardware cryptography features must be installed to use the IBMJCECCA provider.

For more information about the cryptographic features that are supported by your hardware, refer to the IBM Z® machine's reference or technical guide and your service or support organization.

The IBMJCECCA provider supports the following items:

  • Message Digest by using the MD2, MD5, SHA-1, SHA-256, SHA-384, and SHA-512 algorithms
  • Signature and KeyFactory classes
  • The symmetric algorithms AES, DES, triple DES (also known as DESede), HMAC (HMAC using secure keys is available with the HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384, and HMACSHA512 algorithms), and PBE
  • The asymmetric algorithms RSA encryption and decryption with zero padding and PKCS 1 type 2 padding
  • Digital signature creation and verification by using RSA, DSA, and ECDSA algorithms (note that DSA is only supported on IBM® eServer™ zSeries 800 (z800) and IBM eServer zSeries 900 (z900) hardware; ECDSA is only supported on Crypto Express 3 Coprocessor (CEX3C) and newer cryptographic coprocessor cards)
  • True random number generation
  • Key generation by using key factories
  • Generation and management of keys and certificates by using the hwkeytool application
  • Symmetric key wrapping and unwrapping by using hardware AES and Triple DES transport keys (also known as key encrypting keys)
  • Symmetric key export and import by using Triple DES transport keys (also known as key encrypting keys) and the key exchange mechanism that is described in the ANSI TR-31 Key Block specification
  • The quantum-safe algorithms CRYSTALS-Kyber and CRYSTALS-Dilithium (added in 11.0.22.0)

Keystore support

The IBMJCECCA provider supports four keystore types: JCECCAKS, JCE4758KS, JCECCARACFKS, and JCE4758RACFKS. The JCECCARACFKS and JCE4758RACFKS keystore types are only supported on z/OS. The JCECCAKS keystore uses strong encryption (triple DES) to protect the keys when stored in a file. The JCECCARACFKS keystore handles keys and certificates that are stored in RACF® key rings. The JCE4758KS and JCE4758RACFKS keystores are included for compatibility with earlier versions. The JCECCAKS keystore extends and replaces the JCE4758KS keystore. The JCECCARACFKS keystore extends and replaces the JCE4758RACFKS keystore.

JCECCAKS supports the migration of keys from other keystores by using normal keystore interfaces. The following keys are supported by JCECCAKS keystores for migration and for storage:

  • RSAPrivateHWKey
  • DSAPrivateHWKey
  • ECPrivateHWKey
  • RSAPrivateKey
  • RSAPrivateCrtKey
  • DSAPrivateKey
  • ECPrivateKey
  • Any SecretKey

If you want to migrate a software key into a JCECCAKS hardware keystore, you can use the com.ibm.crypto.hdwrCCA.provider.WrapperKey class. An instance of this class is a wrapper that contains a software key and the hardware attributes to associate with the key when it is imported into the hardware keystore.

The following example illustrates wrapping a software private key (SoftwareKey) with hardware attributes and inserting it into a JCECCAKS keystore (okeyStore) under the alias alias, protected by the password istorePass, together with its certificate chain certs:

import com.ibm.crypto.hdwrCCA.provider.*;   // WrapperKey, KeyHWAttributeValues, RSAKeyHWAttributes

// Hardware attributes for the imported key: store it in the PKDS, usable for key management
byte storeType = KeyHWAttributeValues.PKDS;
byte keyUsage = KeyHWAttributeValues.KEYMANAGEMENT;
RSAKeyHWAttributes keyAttribs = new RSAKeyHWAttributes(storeType, keyUsage);

// The wrapper carries the software key plus the attributes to apply when the keystore imports it
WrapperKey wrappedKey = new WrapperKey((java.security.PrivateKey) SoftwareKey, keyAttribs);

// Store the wrapped key in the JCECCAKS keystore; the provider converts it to a hardware key entry
okeyStore.setKeyEntry(alias, wrappedKey, istorePass, certs);

Default keystore for IBMJCECCA

The default JCE keystore is named .keystore and is located in the user's home directory. The default JCECCAKS keystore is named .HWkeystore and is located in the user's home directory.

The default home directory (user.home) is /home/userid. For example, the default home directory of the U23LPTQ user is /home/U23LPTQ.
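The following program is an added example, not code from the IBM documentation: it migrates every RSA private key from an ordinary software keystore into the default JCECCAKS keystore (.HWkeystore in user.home) using the WrapperKey mechanism described under "Keystore support". The source keystore type (JCEKS), file name, passwords, and the package location of KeyHWAttributeValues and RSAKeyHWAttributes are assumptions or placeholders.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.util.Enumeration;
import com.ibm.crypto.hdwrCCA.provider.KeyHWAttributeValues;  // assumed: same package as WrapperKey
import com.ibm.crypto.hdwrCCA.provider.RSAKeyHWAttributes;   // assumed: same package as WrapperKey
import com.ibm.crypto.hdwrCCA.provider.WrapperKey;

/** Migrates RSA private keys from a software keystore into the JCECCAKS hardware keystore. */
public class MigrateToJceccaks {
    public static void main(String[] args) throws Exception {
        // Placeholder values (constructed for this example); in practice take them from the environment
        String srcFile = "software.jceks";                 // assumed source keystore file
        char[] srcPass = "changeit".toCharArray();          // placeholder password
        String dstFile = Paths.get(System.getProperty("user.home"), ".HWkeystore").toString();
        char[] dstPass = "changeit".toCharArray();          // placeholder password
        // Source: an ordinary software keystore (JCEKS type assumed)
        KeyStore src = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(srcFile)) { src.load(in, srcPass); }
        // Destination: the JCECCAKS keystore from the IBMJCECCA provider; load it if present, else start empty
        KeyStore dst = KeyStore.getInstance("JCECCAKS", "IBMJCECCA");
        File f = new File(dstFile);
        if (f.exists()) { try (FileInputStream in = new FileInputStream(f)) { dst.load(in, dstPass); } }
        else { dst.load(null, dstPass); }
        // Hardware attributes applied to each migrated key: PKDS storage, key-management usage
        RSAKeyHWAttributes attribs =
            new RSAKeyHWAttributes(KeyHWAttributeValues.PKDS, KeyHWAttributeValues.KEYMANAGEMENT);
        int migrated = 0;
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!src.isKeyEntry(alias)) continue;               // skip trusted-certificate entries
            Key key = src.getKey(alias, srcPass);
            if (!(key instanceof RSAPrivateKey)) continue;      // RSAKeyHWAttributes applies to RSA keys only
            Certificate[] chain = src.getCertificateChain(alias);
            // WrapperKey carries the software key plus the hardware attributes to use on import
            WrapperKey wrapped = new WrapperKey((PrivateKey) key, attribs);
            dst.setKeyEntry(alias, wrapped, dstPass, chain);
            migrated++;
        }
        try (FileOutputStream out = new FileOutputStream(dstFile)) { dst.store(out, dstPass); }
        System.out.println("Migrated " + migrated + " RSA key(s) to " + dstFile);
    }
}
```

Run it on z/OS with ICSF active and the IBMJCECCA provider registered in java.security; keys in the source keystore that are not RSA private keys are left untouched.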
