Known Differences between the IBMJSSE2 Provider and the Oracle JSSE Provider
The known differences between the IBM JSSE and the Oracle JSSE implementations are as follows. They do not affect the API specifications or the JSSE architecture. See the appropriate sections of this document for details.
- The IBM JSSE provider is called com.ibm.jsse2.IBMJSSEProvider2.
- The IBM KeyManagerFactory is called IbmX509.
- The IBM TrustManagerFactory is called IbmX509 or IbmPKIX.
- The IBM HTTPS protocol handler is called com.ibm.net.ssl.www2.protocol.Handler.
- The IBMJSSE2 provider does not support the com.sun.net.ssl framework. Use the javax.net.ssl framework instead.
- PKIX revocation checking can be enabled by setting the system property com.ibm.jsse2.checkRevocation to true.
- IBM and Oracle support different cipher suites. See Protocols and Cipher Suites for the list of cipher suites that the IBM JSSE supports.
- The IBM JSSE TrustManager does not allow anonymous cipher suites. To handshake on an anonymous cipher suite, a custom TrustManager that allows anonymous cipher suites must be provided. See Accepting Anonymous Cipher Suites for information about creating your own X509TrustManager.
- When a null KeyManager is passed to SSLContext, the IBM JSSE KeyManagerFactory implementation checks the system properties, then jssecacerts (if it exists), and finally the cacerts file to find the key material. The Oracle JSSE creates an empty KeyManager. See KeyManager Class for further information.
- The IBM JSSE X509TrustManager and X509KeyManager throw an exception if the TrustStore or KeyStore specified by system properties does not exist, if the password is incorrect, or if the keystore type does not match the actual keystore. The Oracle X509TrustManager creates a default TrustManager or KeyManager with an empty keystore.
- When you use the IBMX509TrustManager, the IBM JSSE implementation verifies the entire server or client certificate chain, including the trusted certificates. For example, if a trusted certificate has expired, the handshake fails even though the expired certificate is trusted. The Oracle JSSE verifies the certificate chain only up to the trusted certificate: verification stops when it reaches a trusted certificate, and the trusted certificate and anything beyond it are not verified. Note that the default trust manager in the SDK is the PKIX trust manager; this is the recommended manager because it is the one that is maintained and updated.
- Oracle does not provide a JSSE that supports FIPS.
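The following is an added example, not code from the IBM documentation, showing how the differences listed above can be absorbed in application code so that the same program behaves identically on the IBM JSSE2 and Oracle providers. It uses only the javax.net.ssl framework, asks for the IBM factory names (IbmX509, IbmPKIX) and falls back to the platform default algorithm when they are not registered, loads the key and trust stores explicitly instead of passing a null KeyManager, sets com.ibm.jsse2.checkRevocation, and checks every trust anchor's validity period up front so that an expired trusted certificate is reported at startup rather than as a failed handshake. The security provider name "IBMJSSE2", the KeyStore type, and the file paths and passwords passed on the command line are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext that behaves the same under IBM JSSE2 and Oracle JSSE.
 * Example code, not IBM's; all paths, passwords and the provider name are assumed.
 */
public class PortableTlsSetup {

    /** Try each preferred factory name in order, then the platform default (e.g. SunX509 on Oracle). */
    static KeyManagerFactory keyManagerFactory(String... preferred) throws NoSuchAlgorithmException {
        for (String name : preferred) {
            try {
                return KeyManagerFactory.getInstance(name);
            } catch (NoSuchAlgorithmException e) {
                // Not registered with the installed providers; try the next name.
            }
        }
        return KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    }

    /** Same fallback strategy for the trust manager factory (default is PKIX on Oracle). */
    static TrustManagerFactory trustManagerFactory(String... preferred) throws NoSuchAlgorithmException {
        for (String name : preferred) {
            try {
                return TrustManagerFactory.getInstance(name);
            } catch (NoSuchAlgorithmException e) {
                // Not registered with the installed providers; try the next name.
            }
        }
        return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    }

    /** Load a keystore explicitly so that a missing file, wrong password or wrong type fails on every provider. */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // assumed: default type matches the file
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Returns the aliases of trust anchors that are expired or not yet valid at the current time. */
    static List<String> findInvalidAnchors(KeyStore trustStore) throws Exception {
        List<String> invalid = new ArrayList<>();
        Enumeration<String> aliases = trustStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!trustStore.isCertificateEntry(alias)) {
                continue; // only trusted-certificate entries are anchors
            }
            Certificate c = trustStore.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            try {
                ((X509Certificate) c).checkValidity();
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                invalid.add(alias);
            }
        }
        return invalid;
    }

    static SSLContext build(String keyStorePath, char[] keyPass,
                            String trustStorePath, char[] trustPass) throws Exception {
        // Opt in to PKIX revocation checking on IBM JSSE2; other providers ignore this property.
        // Assumed: the property must be set before the provider is first used.
        System.setProperty("com.ibm.jsse2.checkRevocation", "true");

        KeyStore keyStore = loadKeyStore(keyStorePath, keyPass);
        KeyStore trustStore = loadKeyStore(trustStorePath, trustPass);

        // IBM JSSE verifies trusted certificates too, so surface expired anchors now, not per handshake.
        List<String> invalid = findInvalidAnchors(trustStore);
        if (!invalid.isEmpty()) {
            throw new IllegalStateException("trust anchors outside their validity period: " + invalid);
        }

        KeyManagerFactory kmf = keyManagerFactory("IbmX509");
        kmf.init(keyStore, keyPass);
        TrustManagerFactory tmf = trustManagerFactory("IbmPKIX", "IbmX509");
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Usage: PortableTlsSetup <keystore> <keystore-password> <truststore> <truststore-password>
        System.out.println("IBMJSSE2 provider installed: " + (Security.getProvider("IBMJSSE2") != null));
        SSLContext ctx = build(args[0], args[1].toCharArray(), args[2], args[3].toCharArray());
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```

Loading both stores explicitly is the key portability decision: it removes the null-KeyManager and missing-store cases where the two providers diverge, so a misconfigured keystore fails the same way on either. The anchor check mirrors the IBM behaviour on purpose; an expired anchor is a configuration problem worth fixing regardless of which provider happens to tolerate it.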