Known Differences between the IBMJSSE2 Provider and the Oracle JSSE Provider

The known differences between the IBM JSSE and the Oracle JSSE implementation are as follows. They do not affect API specifications or JSSE architecture. See the appropriate sections of the document for details.
  • IBM JSSE provider is called com.ibm.jsse2.IBMJSSEProvider2.
  • IBM KeyManagerFactory is called IbmX509.
  • IBM TrustManagerFactory is called IbmX509 or IbmPKIX.
  • IBM HTTPS protocol handler is called com.ibm.net.ssl.www2.protocol.Handler.
  • The IBMJSSE2 provider does not support the com.sun.net.ssl framework. Use the javax.net.ssl framework instead.
  • PKIX revocation checking can be enabled by setting the system property com.ibm.jsse2.checkRevocation to true.
  • IBM and Oracle support different ciphers. See Protocols and Cipher Suites for a list of the ciphers that the IBM JSSE supports.
  • The IBM JSSE TrustManager does not allow anonymous ciphers. In order to handshake on an anonymous cipher, a custom TrustManager that allows anonymous ciphers must be provided. See Accepting Anonymous Cipher Suites for information about creating your own X509TrustManager.
  • When a null KeyManager is passed to SSLContext, the IBM JSSE KeyManagerFactory implementation checks the system properties, then the jssecacerts file (if it exists), and finally the cacerts file to find the key material. The Oracle JSSE creates an empty KeyManager. See KeyManager Class for further information.
  • The IBM JSSE X509TrustManager and X509KeyManager throw an exception if the TrustStore or KeyStore specified by system properties does not exist, or if the password is incorrect or the keystore type is inappropriate for the actual keystore. The Oracle X509TrustManager creates a default TrustManager or KeyManager with an empty keystore.
  • When you use the IBMX509TrustManager, the IBM JSSE implementation verifies the entire server or client certificate chain, including the trusted certificates. For example, if a trusted certificate has expired, the handshake fails even though the expired certificate is trusted. The Oracle JSSE verifies the certificate chain only up to the trusted certificate: verification stops when it reaches a trusted certificate, and the trusted certificate and anything beyond it are not verified. Note that the default trust manager in the SDK is the PKIX trust manager; this is the recommended manager because it is the one that is maintained and updated.
  • Oracle does not provide a JSSE that supports FIPS.
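The following added example (not part of this document or of either JSSE implementation) shows one way to write SSLContext setup so that it behaves the same on the IBMJSSE2 and Oracle providers: it asks each factory for its default algorithm instead of hard-coding IbmX509 or SunX509, passes explicit key and trust managers rather than null, and enables com.ibm.jsse2.checkRevocation only when the IBM provider is present. The keystore paths, passwords and the PKCS12 keystore type are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PortableSslContext {
    // Assumed paths, passwords and keystore type; replace with your own.
    static final String KEYSTORE_PATH = "/path/to/keystore.p12";
    static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();
    static final String TRUSTSTORE_PATH = "/path/to/truststore.p12";
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();
    static final String IBM_PROVIDER = "com.ibm.jsse2.IBMJSSEProvider2";

    static KeyStore load(String path, char[] password) throws Exception {
        // Loading explicitly surfaces a missing file or wrong password on both
        // providers; Oracle would otherwise fall back to an empty keystore.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static boolean ibmJsseInstalled() {
        for (Provider p : Security.getProviders()) {
            if (IBM_PROVIDER.equals(p.getClass().getName())) return true;
        }
        return false;
    }

    public static SSLContext build() throws Exception {
        if (ibmJsseInstalled()) {
            // IBM-only property; set before the context is created so the provider sees it.
            System.setProperty("com.ibm.jsse2.checkRevocation", "true");
        }
        // Default algorithm name resolves to IbmX509 on IBM, SunX509/PKIX on Oracle.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(KEYSTORE_PATH, KEYSTORE_PASSWORD), KEYSTORE_PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD));
        // Explicit managers: a null KeyManager means different things on the two providers.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Because the IBM trust manager also validates the trusted certificates themselves, an expired root in the truststore fails the handshake here on IBM but not on Oracle; check truststore expiry dates as part of deployment on IBM SDKs.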