Support for non-IBM JREs with AMS

IBM® MQ classes for Java and IBM MQ classes for JMS support Advanced Message Security operation when running with non-IBM JREs.

Advanced Message Security (AMS) implements Cryptographic Message Syntax (CMS). The CMS syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content.

From IBM MQ 9.0, the Advanced Message Security support in IBM MQ classes for Java and IBM MQ classes for JMS uses the open source Bouncy Castle packages to support CMS. This means that these classes can support Advanced Message Security operation when running with non-IBM JREs.

Before IBM MQ 9.0, Advanced Message Security was not supported in non-IBM JREs in Java clients. Advanced Message Security support in the IBM MQ classes for Java and IBM MQ classes for JMS depended on CMS support specifically provided by the IBM implementation of the Java Cryptography Extensions (JCE). Because of this restriction, the functionality was only available when using a Java runtime environment (JRE) that included the Java JCE provider.

[Solaris] Importantly, support on platforms such as Solaris required a hybrid JRE, that is, the standard JRE for the platform with additional elements provided by IBM. In particular, the IBM JCE provider was required rather than the JCE provider provided by the standard JRE for the platform.

Location and version numbering for Bouncy Castle JAR files

The Bouncy Castle JAR files that are needed for support for non-IBM JREs are included as part of the IBM MQ classes for Java and IBM MQ classes for JMS installation package.

The Bouncy Castle JAR files used are the following files:
  • The provider JAR file, which is fundamental to Bouncy Castle operations. This JAR file is called bcprov-jdk15on.jar.
  • The "PKIX" JAR file, which contains the support for CMS operations that are used by Advanced Message Security. This JAR file is called bcpkix-jdk15on.jar.
  • [V9.1.0.9 Aug 2021] The "util" JAR file, which contains classes used by the other Bouncy Castle JAR files. This JAR file is called bcutil-jdk15on.jar.

Dependencies

The IBM MQ 9.1 and later classes have been tested with IBM JREs and Oracle JREs. They are also likely to run successfully under any J2SE-compliant JRE. However, you should note the following dependencies:
  • There are no changes to Advanced Message Security configuration.
  • The Bouncy Castle classes are used only for CMS operations. All other security-related operations, for example keystore access, the actual encryption of data, and calculation of signature checksums, use the functionality that is provided by the JRE.
    Important: For this reason, the JRE used must include a JCE provider implementation.
  • To use some strong encryption algorithms, you might need to install the unrestricted policy files for the JRE's JCE implementation.

    Refer to the JRE documentation for more details.

  • If you have enabled Java security:
    • Add java.security.SecurityPermission insertProvider.BC to the application so that the Bouncy Castle classes can be used as a security provider.
    • Grant java.security.AllPermission to the Bouncy Castle JAR files, which are:
      • [V9.1.0.9 Aug 2021] mq_install_dir/java/lib/bcutil-jdk15on.jar
      • mq_install_dir/java/lib/bcpkix-jdk15on.jar
      • mq_install_dir/java/lib/bcprov-jdk15on.jar
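
The dependencies listed above can be checked before an AMS-enabled client is started on a non-IBM JRE. The following preflight class is an added example, not IBM code: the class name AmsJrePreflight is hypothetical, the two Bouncy Castle class names are assumed to be the ones shipped in bcprov and bcpkix, and the IBM MQ Java lib directory is assumed to be on the classpath.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.SecurityPermission;
import javax.crypto.Cipher;

// Added example (hypothetical class name): preflight checks for AMS on a non-IBM JRE.
public class AmsJrePreflight {

    // True if the named class can be located on the classpath (without initializing it).
    static boolean present(String className) {
        try {
            Class.forName(className, false, AmsJrePreflight.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // 1. The JRE must supply its own JCE provider; Bouncy Castle is used only for CMS.
        Provider[] providers = Security.getProviders();
        System.out.println("JCE providers registered by the JRE: " + providers.length);
        for (Provider p : providers) {
            System.out.println("  " + p.getName() + " - " + p.getInfo());
        }

        // 2. A finite limit (typically 128) means the restricted policy files are in effect.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length: "
                + (maxAes == Integer.MAX_VALUE ? "unrestricted" : maxAes + " bits (restricted)"));

        // 3. The Bouncy Castle provider and PKIX/CMS classes must be loadable.
        System.out.println("bcprov (BouncyCastleProvider) found: "
                + present("org.bouncycastle.jce.provider.BouncyCastleProvider"));
        System.out.println("bcpkix (CMS support) found: "
                + present("org.bouncycastle.cms.CMSSignedData"));

        // 4. With Java security enabled, the application needs insertProvider.BC.
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) { System.out.println("No security manager active"); return; }
        try {
            sm.checkPermission(new SecurityPermission("insertProvider.BC"));
            System.out.println("insertProvider.BC: granted");
        } catch (SecurityException e) {
            System.out.println("insertProvider.BC: NOT granted");
        }
    }
}
```

Run it with the same JRE, classpath, and policy file as the application itself, because the results depend on all three.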