Support for non-IBM JREs with AMS
IBM® MQ classes for Java and IBM MQ classes for JMS support Advanced Message Security operation when running with non-IBM JREs.
Advanced Message Security (AMS) implements Cryptographic Message Syntax (CMS). The CMS syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content.
From IBM MQ 9.0, the Advanced Message Security support in IBM MQ classes for Java and IBM MQ classes for JMS uses the open source Bouncy Castle packages to support CMS. This means that these classes can support Advanced Message Security operation when running with non-IBM JREs.
Before IBM MQ 9.0, Advanced Message Security was not supported in non-IBM JREs in Java clients. Advanced Message Security support in the IBM MQ classes for Java and IBM MQ classes for JMS depended on CMS support specifically provided by the IBM implementation of the Java Cryptography Extensions (JCE). Because of this restriction, the functionality was only available when using a Java runtime environment (JRE) that included the Java JCE provider.
Importantly, support on platforms such as Solaris required a hybrid JRE, that is, the standard JRE for the platform with additional elements provided by IBM. In particular, the IBM JCE provider was required rather than the JCE provider provided by the standard JRE for the platform.
Location and version numbering for Bouncy Castle JAR files
The Bouncy Castle JAR files that are needed for support for non-IBM JREs are included as part of the IBM MQ classes for Java and IBM MQ classes for JMS installation package.
- The provider JAR file, which is fundamental to Bouncy Castle operations.
- This JAR file is called bcprov-jdk15on.jar.
- The "PKIX" JAR file, which contains the support for CMS operations that are used by Advanced Message Security.
- This JAR file is called bcpkix-jdk15on.jar.
- The "util" JAR file, which contains classes used by the other Bouncy Castle JAR files.
- This JAR file is called bcutil-jdk15on.jar.
Dependencies
- There are no changes to Advanced Message Security configuration.
- The Bouncy Castle classes are used only for CMS operations. All other security-related
operations, for example keystore access, the actual encryption of data, and calculation of signature
checksums use the functionality that is provided by the JRE. Important: For this reason, the JRE used must include a JCE provider implementation.
- To use some strong encryption algorithms, you might need to install the
unrestricted policy files for the JRE's JCE implementation.
Refer to the JRE documentation for more details.
- If you have enabled Java security:
- Add
java.security.SecurityPermissioninsertProvider.BC
to the application so that the Bouncy Castle classes can be used as a security provider. - Grant
java.security.AllPermission
to the Bouncy Castle JAR files, which are:- mq_install_dir/java/lib/bcutil-jdk15on.jar
- mq_install_dir/java/lib/bcpkix-jdk15on.jar
- mq_install_dir/java/lib/bcprov-jdk15on.jar
- Add