Security guide

This guide provides detailed information, example code, and ancillary files related to the security components in the IBM® Semeru Runtime Certified Edition for z/OS®, 17. It covers IBM-specific features of IBM's offerings.

The security components and utilities that are described here are shipped with the IBM Semeru Runtime Certified Edition for z/OS. The security components contain the IBM implementation of various security algorithms and mechanisms.

Default security providers

In addition to the default Oracle security providers, the SDK also includes the following security providers:

OpenJCEPlus security provider
The OpenJCEPlus cryptographic provider is intended to supersede the IBMJCE provider that existed in version 8. The newer provider has similar functions to its older equivalent while also providing the following features: support for newer algorithms (some of which are required for TLS 1.3), additional hardware-accelerated cryptographic capabilities (where supported), and performance enhancements.

IBMZSecurity provider
The IBMZSecurity provider is used to provide the JCERACFKS keystore implementation that was provided by the IBMJCE provider in version 8. The provider is added to the default security provider list, so it is enabled by default.

The full list can be found in the JAVA_HOME/conf/security/java.security file, as shown in the following example:

security.provider.1=OpenJCEPlus
security.provider.2=IBMZSecurity
security.provider.3=SUN
security.provider.4=SunRsaSign
security.provider.5=SunEC
security.provider.6=SunJSSE
security.provider.7=SunJCE
security.provider.8=SunJGSS
security.provider.9=SunSASL
security.provider.10=XMLDSig
security.provider.11=SunPCSC
security.provider.12=JdkLDAP
security.provider.13=JdkSASL
security.provider.14=SunPKCS11

Configuration for JCE providers

When you encounter issues with multiple JCE providers, particularly IBM providers such as IBMJCECCA and OpenJCEPlus, add the IBMJCEHYBRID provider to the java.security file and place it ahead of all the other JCE providers in the list.

If you are using the Security.insertProviderAt() API to add custom providers, ensure that IBMJCEHYBRID is inserted ahead of any other IBM JCE providers. Placing it ahead of them in the active JVM provider list ensures that IBMJCEHYBRID is used in preference to the other IBM JCE providers.

After making the necessary changes to both the java.security file and the active JVM provider list, restart your Java application for the updates to take effect.
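
One way to confirm after the restart that IBMJCEHYBRID precedes the IBM JCE providers in both the configured list and the active JVM list. This is an added example, not IBM's code. The class name ProviderOrderCheck and the set of providers checked (the two named above) are this example's own, and it assumes that java.security entries are provider names, as in the example earlier on this page.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class ProviderOrderCheck {
    static final String HYBRID = "IBMJCEHYBRID";
    // Assumption: the two IBM JCE providers named in this guide; extend as needed.
    static final Set<String> IBM_JCE = Set.of("IBMJCECCA", "OpenJCEPlus");
    /** Order from the security.provider.N properties (reading stops at the first gap). */
    static List<String> configuredOrder() {
        List<String> order = new ArrayList<>();
        for (int i = 1; ; i++) {
            String entry = Security.getProperty("security.provider." + i);
            if (entry == null) break;
            order.add(entry.trim().split("\\s+")[0]); // drop any provider argument
        }
        return order;
    }
    /** Order the running JVM actually uses, including insertProviderAt() changes. */
    static List<String> activeOrder() {
        List<String> order = new ArrayList<>();
        for (Provider p : Security.getProviders()) order.add(p.getName());
        return order;
    }
    /** IBM JCE providers that sit ahead of IBMJCEHYBRID in the given order. */
    static List<String> aheadOfHybrid(List<String> order) {
        List<String> ahead = new ArrayList<>();
        for (String name : order) {
            if (name.equals(HYBRID)) break; // everything after it is fine
            if (IBM_JCE.contains(name)) ahead.add(name);
        }
        return ahead;
    }
    static boolean check(String label, List<String> order) {
        System.out.println(label + ": " + order);
        if (!order.contains(HYBRID)) { System.out.println("  FAIL: " + HYBRID + " missing"); return false; }
        List<String> ahead = aheadOfHybrid(order);
        if (!ahead.isEmpty()) { System.out.println("  FAIL: ahead of " + HYBRID + ": " + ahead); return false; }
        System.out.println("  OK");
        return true;
    }
    public static void main(String[] args) {
        // Non-short-circuit & so that both lists are always reported.
        boolean ok = check("java.security", configuredOrder()) & check("active JVM list", activeOrder());
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the same JVM and options as the application; a non-zero exit status means one of the two lists does not follow the ordering described above.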

For information about the advantages of the IBMJCEHYBRID provider, see IBMJCEHYBRID.