[V9.0.0.0 Jun 2016]

Support for non-IBM JREs with AMS

From IBM® MQ 9.0, AMS is supported in non-IBM JREs in Java clients.

Advanced Message Security implements Cryptographic Message Syntax (CMS). The CMS syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content.

In previous releases of the product, Advanced Message Security support in the IBM MQ classes for Java and IBM MQ classes for JMS has been dependent on CMS support specifically provided by the IBM implementation of the Java Cryptography Extensions (JCE). Because of this restriction, the functionality was only available when using a Java runtime environment (JRE) which included the Java JCE provider.

Importantly, support on platforms such as Solaris required a hybrid JRE: the standard JRE for the platform with additional IBM-provided elements. In particular, the IBM JCE provider was required rather than the one provided by the standard JRE for the platform.

From IBM MQ 9.0, the AMS support in IBM MQ classes for Java and IBM MQ classes for JMS has been modified, and now uses the open-source Bouncy Castle packages to support CMS. This means that these classes can now support AMS operation when running with non-IBM JREs.

The necessary Bouncy Castle JAR files are included as part of the IBM MQ classes for Java and IBM MQ classes for JMS installation package.

For IBM MQ 9.0.x Continuous Delivery, and for Long Term Support for IBM MQ 9.0.0 Fix Pack 5 and earlier, the Bouncy Castle JAR files used are the following files:
  • The "provider" jar, which is fundamental to Bouncy Castle operations.
    This jar is called bcprov-jdk15on-VER.jar where "VER" is a 3-digit version number that represents the Bouncy Castle version number with no embedded periods. For example, the provider jar for Bouncy Castle version 1.5.2 is bcprov-jdk15on-152.jar.
  • The "PKIX" jar, which contains the support for CMS operations used by AMS.
    This is called bcpkix-jdk15on-VER.jar where "VER" represents the same 3-digit version number as the provider jar.

The version of the Bouncy Castle jar files varies by IBM MQ release.
  • In IBM MQ 9.0.3 and earlier releases, VER is 152.
  • [V9.0.4 Oct 2017] From IBM MQ 9.0.4, VER is 157.

[Long Term Support] For Long Term Support for IBM MQ 9.0.0 Fix Pack 6 and later, the Bouncy Castle JAR files used are the following files:
  • [V9.0.0.6 Mar 2019] From IBM MQ 9.0.0 Fix Pack 6: The provider JAR file, which is fundamental to Bouncy Castle operations.
    This JAR file is called bcprov-jdk15on.jar.
  • [V9.0.0.6 Mar 2019] From IBM MQ 9.0.0 Fix Pack 6: The "PKIX" JAR file, which contains the support for CMS operations that are used by Advanced Message Security.
    This JAR file is called bcpkix-jdk15on.jar.
  • [V9.0.0.12 Oct 2021] From IBM MQ 9.0.0 Fix Pack 12: The "UTIL" JAR file, which contains classes used by the other Bouncy Castle APIs.
    This JAR file is called bcutil-jdk15on.jar.

Bouncy Castle 1.69 introduced a new JAR file, bcutil-VER.jar. The "BCUTIL" JAR file is a collection of classes that do not need to be in the JCE provider JAR file, but are used by the other Bouncy Castle APIs.

The modified classes have been tested with IBM JREs and Oracle JREs. They are also likely to run successfully under any J2SE-compliant JRE. However, you should note the following dependencies:
  • There are no changes to AMS configuration.
  • The Bouncy Castle classes are used only for CMS operations. All other security-related operations, for example keystore access, the actual encryption of data, and calculation of signature checksums use the functionality provided by the JRE.
    Important: For this reason, the JRE used must include a JCE provider implementation.
  • To use some strong encryption algorithms, you might need to install the unrestricted policy files for the JRE's JCE implementation.

    Refer to the JRE documentation for more details.

  • If you have enabled Java security:
    • Add java.security.SecurityPermission insertProvider.BC to the application, so that the Bouncy Castle classes can be used as a security provider.
    • Grant java.security.AllPermission to the Bouncy Castle JAR files, which are:
      • [V9.0.0.12 Oct 2021] mq_install_dir/java/lib/bcutil-jdk15on.jar
      • mq_install_dir/java/lib/bcpkix-jdk15on.jar
      • mq_install_dir/java/lib/bcprov-jdk15on.jar
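
The following preflight check is an added example, not IBM-supplied code. It tests the dependencies listed above on the JRE that will run the client: a JCE provider is present, the JCE policy is unrestricted, the Bouncy Castle classes load, and the insertProvider.BC permission is granted when Java security is enabled. The class name AmsJrePreflight and the three services it probes are assumptions chosen for illustration.

```java
import java.security.Security;
import java.security.SecurityPermission;
import javax.crypto.Cipher;

public class AmsJrePreflight {

    // True if an installed JCE provider offers the service, e.g. "Cipher.AES".
    static boolean jreProvides(String service) {
        return Security.getProviders(service) != null;
    }

    // True if the JRE's policy files allow AES keys longer than 128 bits.
    static boolean unrestrictedPolicy() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    // True if the Bouncy Castle provider (bcprov) and CMS (bcpkix) classes load.
    static boolean bouncyCastleLoadable() {
        try {
            Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
            Class.forName("org.bouncycastle.cms.CMSSignedData");
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    // With Java security enabled, true only if the calling code may add "BC".
    @SuppressWarnings("removal")
    static boolean mayInsertBcProvider() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return true; // Java security is not enabled
        try {
            sm.checkPermission(new SecurityPermission("insertProvider.BC"));
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JRE vendor: " + System.getProperty("java.vendor"));
        // Representative services only (assumption); probe what your AMS policies use.
        for (String s : new String[] {"Cipher.AES", "Signature.SHA256withRSA", "KeyStore.JKS"}) {
            System.out.println(s + " provided by JRE: " + jreProvides(s));
        }
        System.out.println("Unrestricted JCE policy: " + unrestrictedPolicy());
        System.out.println("Bouncy Castle classes loadable: " + bouncyCastleLoadable());
        System.out.println("insertProvider.BC permitted: " + mayInsertBcProvider());
    }
}
```

Run it with the same JRE, class path, and security policy as the MQ client application, so that the results reflect the environment AMS will actually use.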