IBM Support

Semeru Runtimes security migration guide

General Page

This guide contains security considerations for users who are migrating from IBM® SDK, Java™ Technology Edition, version 8 to version 11 of the IBM Semeru Runtimes.
 

IBM Semeru Runtimes security migration guide

IBM SDK, Java Technology Edition, version 8 contains the IBM security implementation. However, version 11 of the IBM Semeru Runtime™ Open Edition and IBM Semeru Runtime™ Certified Edition contain the OpenJDK security implementation. Differences between these implementations might require code changes to your applications.

OpenJDK contains a Java cryptographic implementation that includes TLS v1.3 since JDK11. This protocol is enabled by default and contains significant differences to earlier TLS implementations. For more information about TLS v1.3, including which algorithms are no longer allowed, see JEP 332.

IBM Semeru Runtimes can utilize OpenSSL to enhance cryptographic acceleration. For more information related to this acceleration and behavior see OpenSSL.

The security certificates aolrootca1 and aolrootca2 that were present in IBM SDK, Java Technology Edition, V8 are no longer included.

Note: IBM Semeru Runtimes can leverage FIPS 140-3 capabilities for production workloads. Starting with versions 8.0.352, 11.0.16, and 17.0.4, IBM Semeru Runtimes includes FIPS support, by using the NSS library in Red Hat Enterprise Linux 8 or later. For more information, see FIPS certified cryptography in IBM Semeru Runtimes FIPS.

IBM Semeru Runtime Certified Edition for z/OS

Information in this security migration guide does not apply for the IBM Semeru Runtime Certified Edition for z/OS. Refer to these resources:

 

Security providers

The OpenJDK security providers have different names to the IBM Security providers. If your application uses hardcoded IBM provider names, you must update your application code. The following table shows the equivalent OpenJDK provider names, their implementation class, and the Java module in which the class belongs. If you want to learn more about the differences between providers, click the links in the IBM Security provider column.

Note that the ikeyman and ikeycmd tools which were available in IBM SDK, Java Technology Edition, version 8, are not available in versions 11 and above of the IBM Semeru Runtimes. Use the Keytool command to perform certificate and key operations.

Also note that, the IBM Key Certificate Management utility (ibmkeycert.jar) is no longer shipped with the IBM Semeru SDKs. As an alternative, for key and certificate management, use one of the following tools:

  • Use zseckeytool utility for JCERACFKS (RACF Software) keystore management
  • Use hwkeytool utility to manage keystores, which contain private keys and their associated X.509 certificate chains
  • Use keytool utility for general use keystore management
  • Use Bouncy Castle for programmatic solutions
IBM Security providerOpenJDK/Oracle security providerImplementation classJava module
IBM JSSE2The SunJSSE providersun.security.ssl.SunJSSEjava.base
IBM JCE
(see Note 1)		The SUN providersun.security.provider.Sunjava.base
The SunEC Providersun.security.ec.SunECjdk.crypto.ec
The SunJCE providercom.sun.crypto.provider.SunJCEjava.base
The SunRsaSign providersun.security.rsa.SunRsaSignjava.base
IBM JGSSThe sunJGSS providersun.security.jgss.SunProviderjava.security.jgss
IBM Certification PathOpenJDK Certification Pathsun.security.provider.Sunjava.base
IBM SASLThe sunSASL providercom.sun.security.sasl.Providerjava.security.sasl
IBM JAASOpenJDK JAAScom.sun.security.authjdk.security.auth
IBMSecureRandom
(see Note 2)		---
XML Digital Signature
(see Note 3)		The XMLDSig providerorg.jcp.xml.dsig.internal.dom.XMLDSigRIjava.xml.crypto
XML Digital Encryption
(see Note 4)		---

Table: IBM security provider to OpenJDK security provider mapping

Notes:

  1. OpenJDK contains an (optional) LGPL native module, which implements part of sun.security.ec.SunEC. For more information, see the file legal/jdk.crypto.ec/ecc.mdd.
  2. OpenJDK does not have an equivalent version of the IBMSecureRandom provider. For alternative functionality, see IBMSecureRandom.
  3. The OpenJDK XML Digital Signature provider and implementation class is identical to the IBM provider (JSR105).
  4. OpenJDK does not implement the Java XML Digital Encryption Specification (JSR 106). If your application uses the IBM security class com.ibm.xml.enc.IBMXMLEncProvider, you must update your application code to remove it.
  5. OpenJDK allows the use of unsigned third-party cryptographic providers.
 

JSSE provider differences

If your application uses hardcoded IBM provider, protocol, or algorithm names, you must update your application code.

The following table shows some key differences for JSSE:

Aspect of JSSEIBM SDK, Java Technology Edition, version 8IBM Semeru Runtimes, version 11
IBM JSSE providercom.ibm.jsse2.IBMJSSEProvider2sun.security.ssl.SunJSSE
IBM HTTPS protocol handlercom.ibm.net.ssl.www2.protocol.Handlersun.net.www.protocol.https.Handler
KeyManagerFactory algorithmIbmX509 or NewIbmX509sunX509 or NewSunX509
TrustManagerFactory algorithmIbmX509 or IbmPKIXSunX509 or SunPKIX

Table: Key differences for JSSE

System properties

The following system properties are no longer supported:

  • com.ibm.jsse2.extended.renegotiation.indicator
  • com.ibm.jsse2.sp800-131
  • com.ibm.jsse2.suiteB
  • com.ibm.jsse2.usefipsprovider=true
  • com.ibm.jsse2.JSSEFIPS

To enable PKIX revocation checking, you should now set the com.sun.net.ssl.checkRevocation system property to true, instead of the com.ibm.jsse2.checkRevocation system property.

If the DHKeySize is not specified in the jdk.tls.disabledAlgorithms property, a minimum DHKeySize is no longer set.

SSL settings

To enable SSLv3, you no longer need to set the system property com.ibm.jsse2.disableSSLv3 to false. However, you still need to remove SSLv3 from jdk.tls.disabledAlgorithms in the java.security file.

SSLContext.getInstance("TLS") now enables TLS versions up to 1.3 with the following implications:

 

  • When you specify TLS with SSLContext.getInstance("TLS"), TLS versions 1.0, 1.1, 1.2, and 1.3 are now all enabled. By contrast, in previous releases that use the IBM JSSE2 provider, only TLS version 1.0 is enabled.
  • In this release, you can also use SSLContext.getInstance("TLSv1.1") to enable TLS versions 1.0 and 1.1. By contrast, in previous releases that use the IBM JSSE2 provider, only TLS version 1.1 is enabled.

Protocol aliases SSL_TLS and SSL_TLSv2 are no longer supported in this release.

Key managers and key stores

Key managers and key stores are affected in the following ways:

  1. Certificate chain verification now stops when a trusted certificate is reached, with the following implications:
    • The OpenJDK SunX509 KeyManager replaces the IBMX509 KeyManager. When you use the SunX509 KeyManager, it verifies the certificate chain up to the trusted certificate. Verification stops when it reaches a trusted certificate. In contrast, the IBMX509 KeyManager verifies the entire server or client certificate chain, including trusted certificates. For example, if a trusted certificate is expired, then the handshake fails, even though the expired certificate is trusted. This change does not affect the PKIX TrustManager.

  2. When SSLContext.init() is called with a null KeyManager array, IBM Java 8 selects a valid KeyManager from the highest priority KeyManagerFactory in the configured security providers. In contrast, OpenJDK and Semeru create a DummyX509KeyManager which never returns any keys. This might cause TLS client authentication to fail silently in Semeru.

    When migrating from IBM Java 8 to Semeru, developers must explicitly provide a valid KeyManager to use TLS client authentication or use SSLContext.getDefault() to obtain an SSLContext initialized with a default KeyManager which respects the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword system properties. For more information, see OpenJDK Bug JDK-8292574.

  3. X509TrustManager now handles some exceptions differently. Instead of producing an error, X509TrustManager now creates a default TrustManager or KeyManager with an empty KeyStore in the following situations:
    • The TrustStore or KeyStore that is specified by the system properties does not exist.
    • The password is incorrect.
    • The KeyStore type is inappropriate for the KeyStore.

Ciphers, cipher suites, and certificates

Ciphers, cipher suites, and certificates are affected in the following ways:

  • Anonymous cipher suites are now allowed by JSSE TrustManager.
  • Servers with DSA certificates must use specific cipher suites. If the server has a DSA certificate only, then these certificates can only use cipher suites with *_DH*_* in the name. Previously, if the server has a DSA certificate only, and only RSA*
  • The SSL_* or TLS_* prefix in cipher suite names can no longer be used interchangeably. You should update your applications to use the prefix that is specified by OpenJDK. For a complete list of OpenJDK cipher suites, see: SunJSSE Cipher Suites
 

JCE provider differences

This release contains the OpenJDK JCE provider, instead of the IBM JCE provider. Differences between these implementations might require code changes to your applications.

Some IBM JCE provider functions do not have an equivalent in the OpenJDK providers. Equivalent functions, if available, come from multiple OpenJDK providers as shown in the following table:

OpenJDK providersFunctions
SUNCertificateFactory (X.509), KeyStore (PKCS12, JKS, DKS), and MessageDigest (*)
SunECElliptic Curve algorithms
SunJCEDiffie-Hellman algorithms, KeyStore (JCEKS), KeyGenerator (*), Mac (*), and SecretKeyFactory (*)
SunRSASignRSA signature algorithms and RSA key generation using KeyFactory or KeyPairGenerator

Table: Equivalent JCE function for OpenJDK providers

Type AlgorithmParameters

IBMJCE algorithm or alias
Equivalent OpenJDK algorithm
(from the SunJCE provider)
AESGCMGCM
3DESDESede 1
MarsNone
PBEWithHmacSHA1And128BitAESPBEWithHmacSHA1AndAES_128
PBEWithHmacSHA1And256BitAESPBEWithHmacSHA1AndAES_256
PBEWithHmacSHA224And128BitAESPBEWithHmacSHA224AndAES_128
PBEWithHmacSHA224And256BitAESPBEWithHmacSHA224AndAES_256
PBEWithHmacSHA256And128BitAESPBEWithHmacSHA256AndAES_128
PBEWithHmacSHA256And256BitAESPBEWithHmacSHA256AndAES_256
PBEWithHmacSHA384And128BitAESPBEWithHmacSHA384AndAES_128
PBEWithHmacSHA384And256BitAESPBEWithHmacSHA384AndAES_256
PBEWithHmacSHA512And128BitAESPBEWithHmacSHA512AndAES_128
PBEWithHmacSHA512And256BitAESPBEWithHmacSHA512AndAES_256
PBEWithMD2AndDESNone
PBEWithMD2AndRC2None
PBEWithMD2AndTripleDES
PBEWithMD2And3DES
PBEWithMD2AndDESede
None
PBEWithMD5AndRC2None
PBEWithSHAAndDES
PBEWithSHA-1AndDES
PBEWithSHA1AndDES
None
PBEWithSHA-1And3DES
PBEWithSHA-1AndDESede
PBEWithSHA-1AndTripleDES
PBEWithSHA1And3DES
PBEWithSHA1AndTripleDES
PBEWithSHAAnd3DES
PBEWithSHAAndDESede
PBEWithSHAAndTripleDES
PBEWithSHA1AndDESede
1.2.840.113549.1.12.1.3
OID.1.2.840.113549.1.12.1.3
PBEWithSHA1AndDESede 2
PBEWithSHAAnd3KeyTripleDES
PBEWithSHAAnd3Key3DES
PBEWithSHAAnd3KeyDESede
PBEWithSHA-1And3Key3DES
PBEWithSHA-1And3KeyDESede
PBEWithSHA-1And3KeyTripleDES
PBEWithSHA1And3Key3DES
PBEWithSHA1And3KeyDESede
PBEWithSHA1And3KeyTripleDES
PBEWithSHA1AndDESede
PBEWithSHAAnd2KeyTripleDES
PBEWithSHAAnd2Key3DES
PBEWithSHAAnd2KeyDESede
PBEWithSHA-1And2Key3DES
PBEWithSHA-1And2KeyDESede
PBEWithSHA-1And2KeyTripleDES
PBEWithSHA1And2Key3DES
PBEWithSHA1And2KeyDESede
PBEWithSHA1And2KeyTripleDES
None
PBEWithSHAAnd40BitRC2
PBEWithSHA-1And40BitRC2
PBEWithSHA1And40BitRC2
PBEWithSHA1AndRC2_40
PBEWithSHAAnd128BitRC2
PBEWithSHA-1And128BitRC2
PBEWithSHA1And128BitRC2
PBEWithSHA1AndRC2_128
PBEWithSHAAnd40BitRC4
PBEWithSHA-1And40BitRC4
PBEWithSHA1And40BitRC4
PBEWithSHA1AndRC4_40
PBEWithSHAAnd128BitRC4
PBEWithSHA-1And128BitRC4
PBEWithSHA1And128BitRC4
PBEWithSHA1AndRC4_128
PBM
1.2.840.113533.7.66.13
OID.1.2.840.113533.7.66.13
PasswordBasedMac
None

Table: Type AlgorithmParameters

 

Table notes:

  1. Non-standard aliases that are available from the IBMJCE provider are not available from OpenJDK providers. Use a standard algorithm name instead.
  2. The IBMJCE provider maps these object identifiers to PBEWithSHAAnd3KeyTripleDES. The OpenJDK equivalent maps these object identifiers to PBEWithSHA1AndDESede.

Type Cipher

IBMJCE algorithm or alias
Equivalent OpenJDK algorithm
(from the SunJCE provider)
2.16.840.1.102.3.4.1.28
2.16.840.1.101.3.4.1.48
2.16.840.1.101.3.4.1.8
OID.2.16.840.1.102.3.4.1.28
OID.2.16.840.1.101.3.4.1.48
OID.2.16.840.1.101.3.4.1.8
AESWrap 1
ElGamalNone
MarsNone
PBEWithHmacSHA1And128BitAESPBEWithHmacSHA1AndAES_128
PBEWithHmacSHA1And256BitAESPBEWithHmacSHA1AndAES_256
PBEWithHmacSHA224And128BitAESPBEWithHmacSHA224AndAES_128
PBEWithHmacSHA224And256BitAESPBEWithHmacSHA224AndAES_256
PBEWithHmacSHA256And128BitAESPBEWithHmacSHA256AndAES_128
PBEWithHmacSHA256And256BitAESPBEWithHmacSHA256AndAES_256
PBEWithHmacSHA384And128BitAESPBEWithHmacSHA384AndAES_128
PBEWithHmacSHA384And256BitAESPBEWithHmacSHA384AndAES_256
PBEWithHmacSHA512And128BitAESPBEWithHmacSHA512AndAES_128
PBEWithHmacSHA512And256BitAESPBEWithHmacSHA512AndAES_256
PBEWithMD2AndDESNone
PBEWithMD2AndRC2None
PBEWithMD2AndTripleDES
PBEWithMD2And3DES
PBEWithMD2AndDESede
None
PBEWithMD5AndRC2None
PBEWithMD5And3DES
PBEWithMD5AndDESede
PBEWithMD5AndTripleDES
PBEWithSHA1AndDES
PBEWithSHA-1AndDES
PBEWithSHAAndDES
OID.1.2.840.113549.1.5.10
None
PBEWithSHA-1And3DES
PBEWithSHA-1AndDESede
PBEWithSHA-1AndTripleDES
PBEWithSHA1And3DES
PBEWithSHA1AndTripleDES
PBEWithSHAAnd3DES
PBEWithSHAAndDESede
PBEWithSHAAndTripleDES
PBEWithSHA1AndDESede
1.2.840.113549.1.12.1.3
OID.1.2.840.113549.1.12.1.3
PBEWithSHA1AndDESede 2
PBEWithSHAAnd3KeyTripleDES
PBEWithSHAAnd3Key3DES
PBEWithSHAAnd3KeyDESede
PBEWithSHA-1And3Key3DES
PBEWithSHA-1And3KeyDESede
PBEWithSHA-1And3KeyTripleDES
PBEWithSHA1And3Key3DES
PBEWithSHA1And3KeyDESede
PBEWithSHA1And3KeyTripleDES
PBEWithSHA1AndDESede
PBEWithSHAAnd2KeyTripleDES
PBEWithSHAAnd2Key3DES
PBEWithSHAAnd2KeyDESede
PBEWithSHA-1And2Key3DES
PBEWithSHA-1And2KeyDESede
PBEWithSHA-1And2KeyTripleDES
PBEWithSHA1And2Key3DES
PBEWithSHA1And2KeyDESede
PBEWithSHA1And2KeyTripleDES
None
PBEWithSHA1AndRC2
PBEWithSHA-1AndRC2
PBEWithSHAAndRC2
OID.1.2.840.113549.1.5.11
None
PBEWithSHAAnd40BitRC2
PBEWithSHA-1And40BitRC2
PBEWithSHA1And40RC2
PBEWithSHA1AndRC2_40
PBEWithSHAAnd128BitRC2
PBEWithSHA-1And128BitRC2
PBEWithSHA1And128BitRC2
PBEWithSHA1AndRC2_128
PBEWithSHAAnd40BitRC4
PBEWithSHA-1And40BitRC4
PBEWithSHA1And40BitRC4
PBEWithSHA1AndRC4_40
PBEWithSHAAnd128BitRC4
PBEWithSHA-1And128BitRC4
PBEWithSHA1And128BitRC4
PBEWithSHA1AndRC4_128
RSAwithNoPadRSA/ECB/NoPadding
RSAforSSL RSA/SSL/PKCS1PaddingRSA/ECB/PKCS1Padding
SealNone

Table: Type Cipher

 

Table notes:

  1. The IBMJCE provider maps these object identifiers to Cipher.AESWrap. The OpenJDK equivalent does not have these object identifiers.
  2. The IBMJCE provider maps these object identifiers to PBEWithSHAAnd3KeyTripleDES. The OpenJDK equivalent maps these object identifiers to PBEWithSHA1AndDESede.

Type KeyFactory

IBMJCE algorithm or aliasEquivalent OpenJDK algorithmOpenJDK providerNotes
DSAKeyFactoryDSASUNNon-standard aliases that are available from the IBMJCE provider are not available from OpenJDK providers. Use a standard algorithm name instead.
1.2.840.10045.2.1
OID.1.2.840.10045.2.1
ECSunECThe IBMJCE provider maps these object identifiers to EC. OpenJDK does not have these object identifiers.
1.2.5.8.1.1 1.2.840.113549.1.1.1
OID.1.2.5.8.1.1
OID.1.2.840.113549.1.1.1
RSASunRsaSignThe IBMJCE provider maps these object identifiers to RSA. OpenJDK does not have these object identifiers. Both the IBMJCE provider and the OpenJDK equivalent have object identifiers for 1.2.840.113549.1.1 and OID.1.2.840.113549.1.1.

Table: Type KeyFactory

Type KeyGenerator

IBMJCE algorithm or alias
Equivalent OpenJDK algorithm
(from the SunJCE provider)
2.16.840.1.101.3.4.1
OID.2.16.840.1.101.3.4.1
AES 1
3DESDESede 2
HmacMD2
HMACwithMD2
None
HMACwithMD5HmacMD5 2
HMACwithSHA1HmacSHA1 2
HMACwithSHA224HmacSHA224 2
HMACwithSHA256HmacSHA256 2
HMACwithSHA384HmacSHA384 2
HMACwithSHA512HmacSHA512 2
MarsNone
SealNone

Table: Type KeyGenerator

 

Table notes:

  1. IBMJCE maps these object identifiers to AES. OpenJDK does not have these object identifiers.
  2. Non-standard aliases that are available from the IBMJCE provider are not available from OpenJDK providers. Use a standard algorithm name instead.

Type KeyPairGenerator

IBMJCE algorithm or aliasEquivalent OpenJDK algorithmOpenJDK providerNotes
OID.1.3.14.3.2.121.3.14.3.2.12SUNThis object identifier maps to KeyPairGenerator.DSA. Alternatively, you can use 1.2.840.10040.4.1 or DSA.
1.2.840.10045.2.1
OID.1.2.840.10045.2.1
ECSunECThe IBMJCE provider maps these object identifiers to EC. OpenJDK does not have these object identifiers.
1.2.5.8.1.1
OID.1.2.5.8.1.1
RSASunRsaSignIBMJCE maps these object identifiers to RSA. OpenJDK does not have these object identifiers. Both the IBMJCE provider and the OpenJDK equivalent have object identifiers for 1.2.840.113549.1.1 and OID.1.2.840.113549.1.1.

Table: Type KeyPairGenerator

Type KeyStore

IBMJCE algorithm or aliasEquivalent OpenJDK algorithmOpenJDK providerNotes
JCERACFKSNone  
PKCS12
PKCS12KS
PKCS12SUNThe IBM JCE implementation of PKCS12 is the same as the OpenJDK implementation of PKCS12.
PKCS12JarSignerNone  
PKCS12S2PKCS12SUNThe IBM JCE implementation of PKCS12S2 is the same as the OpenJDK implementation of PKCS12.

Table: Type KeyStore

Type Mac

IBMJCE algorithm or alias
Equivalent OpenJDK algorithm
(from the SunJCE provider)
AUTH_HMAC_SHA_256_128None
AUTH_HMAC_SHA_512_256None
HmacMD2
HMACwithMD2
None
HMACwithMD5HmacMD5 1
HMACwithSHA1HmacSHA1 1
HMACwithSHA224HmacSHA224 1
HMACwithSHA256HmacSHA256 1
HMACwithSHA384HmacSHA384 1
HMACwithSHA512HmacSHA512 1
PBM
1.2.840.113533.7.66.13
OID.1.2.840.113533.7.66.13
PasswordBasedMac
None

Table: Type Mac

 

Table notes:

  1. Non-standard aliases that are available from the IBMJCE provider are not available from OpenJDK providers. Use a standard algorithm name instead.

Type MessageDigest

IBMJCE algorithm or alias
Equivalent OpenJDK algorithm
(from the SUN provider)
MD4None
SHA224SHA-224 1
SHA2
SHA-2
SHA256
SHA-256 1
SHA3
SHA-3
SHA384
SHA-384 1
SHA5
SHA-5
SHA512
SHA-512 1

Table: Type MessageDigest

 

Table notes:

  1. Non-standard aliases that are available from the IBMJCE provider are not available from OpenJDK providers. Use a standard algorithm name instead.

Type SecretKeyFactory

IBMJCE algorithm or alias
Equivalent OpenJDK algorithm
(from the SunJCE provider)
AES
2.16.840.1.101.3.4.1
OID.2.16.840.1.101.3.4.1
None
3DESDESede 1
MarsNone
PBEWithHmacSHA1And128BitAESPBEWithHmacSHA1AndAES_128
PBEWithHmacSHA1And256BitAESPBEWithHmacSHA1AndAES_256
PBEWithHmacSHA224And128BitAESPBEWithHmacSHA224AndAES_128
PBEWithHmacSHA224And256BitAESPBEWithHmacSHA224AndAES_256
PBEWithHmacSHA256And128BitAESPBEWithHmacSHA256AndAES_128
PBEWithHmacSHA256And256BitAESPBEWithHmacSHA256AndAES_256
PBEWithHmacSHA384And128BitAESPBEWithHmacSHA384AndAES_128
PBEWithHmacSHA384And256BitAESPBEWithHmacSHA384AndAES_256
PBEWithHmacSHA512And128BitAESPBEWithHmacSHA512AndAES_128
PBEWithHmacSHA512And256BitAESPBEWithHmacSHA512AndAES_256
PBEWithMD2AndDESNone
PBEWithMD2AndRC2None
PBEWithMD2AndTripleDES
PBEWithMD2And3DES
PBEWithMD2AndDESede
None
PBEWithMD5AndRC2None
PBEWithMD5And3DES
PBEWithMD5AndDESede
PBEWithMD5AndTripleDES
PBEWithSHAAndDES
PBEWithSHA-1AndDES
PBEWithSHA1AndDES
None
PBEWithSHA-1And3DES
PBEWithSHA-1AndDESede
PBEWithSHA-1AndTripleDES
PBEWithSHA1And3DES
PBEWithSHA1AndTripleDES
PBEWithSHAAnd3DES
PBEWithSHAAndDESede
PBEWithSHAAndTripleDES
PBEWithSHA1AndDESede
1.2.840.113549.1.12.1.3
OID.1.2.840.113549.1.12.1.3
PBEWithSHA1AndDESede 2
PBEWithSHAAnd3KeyTripleDES
PBEWithSHAAnd3Key3DES
PBEWithSHAAnd3KeyDESede
PBEWithSHA-1And3Key3DES
PBEWithSHA-1And3KeyDESede
PBEWithSHA-1And3KeyTripleDES
PBEWithSHA1And3Key3DES
PBEWithSHA1And3KeyDESede
PBEWithSHA1And3KeyTripleDES
PBEWithSHA1AndDESede
PBEWithSHA1AndRC2
PBEWithSHA-1AndRC2
PBEWithSHAAndRC2
None
PBEWithSHAAnd40BitRC2
PBEWithSHA-1And40BitRC2
PBEWithSHA1And40RC2
PBEWithSHA1AndRC2_40
PBEWithSHAAnd128BitRC2
PBEWithSHA-1And128BitRC2
PBEWithSHA1And128BitRC2
PBEWithSHA1AndRC2_128
PBEWithSHAAnd40BitRC4
PBEWithSHA-1And40BitRC4
PBEWithSHA1And40BitRC4
PBEWithSHA1AndRC4_40
PBEWithSHAAnd128BitRC4
PBEWithSHA-1And128BitRC4
PBEWithSHA1And128BitRC4
PBEWithSHA1AndRC4_128
PBKDF1None
PBKDF2None
PKCS5KeyNone
RC2None
RC4None
SealNone

Table: Type SecretKeyFactory

 

Table notes:

  1. Non-standard aliases that are available from the IBMJCE provider are not available from OpenJDK providers. Use a standard algorithm name instead.
  2. The IBMJCE provider maps these object identifiers to PBEWithSHAAnd3KeyTripleDES. The OpenJDK equivalent maps these object identifiers to PBEWithSHA1AndDESede.

Type SecureRandom

IBMJCE algorithm or aliasEquivalent OpenJDK algorithm
HASHDRBGDRBG
IBMSecureRandomNone
SHA256DRBG
SHA2DRBG
None
SHA512DRBG
SHA5DRBG
None

Table: Type SecureRandom

Type Signature

IBMJCE algorithm or aliasEquivalent OpenJDK algorithmOpenJDK provider
DSAforSSLNONEWithDSA 1SUN
ECDSALforSSLNONEWithECDSA 1SunEC
1.3.14.3.2.24
MD2/RSA
OID.1.3.14.3.2.24
MD2withRSA 1SunRsaSign
1.3.14.3.2.25
MD5/RSA
OID.1.3.14.3.2.25
MD2withRSA 1SunRsaSign
RSAPSS
1.2.840.113549.1.1.10
OID1.2.840.113549.1.1.10
None 
RSAforSSLNONEWithRSA 1Usually SunEC 2
OID.1.3.14.3.2.13
OID.1.3.14.3.2.27
SHA-1withDSA
SHA1withDSA 1SUN
SHA-1/ECDSA
SHA-1withECDSA
SHA/ECDSA
SHAwithECDSA
SHA1withECDSA 1SunEC
1.3.14.3.2.26
RSA
SHA/RSA
SHA-1/RSA
SHA1/RSA
SHAwithRSA
SHA-1withRSA
SHA1withRSA 1SunRsaSign
SHA-2/DSA
SHA-256withDSA
SHA-2withDSA
SHA2/DSA
SHA2withDSA
SHA256withDSA 1SUN
SHA2/RSA
SHA2withRSA
SHA256withRSA 1SunRsaSign
SHA2withECDSA
SHA2/ECDSA
SHA256withECDSA 1SunEC
SHA3withECDSA
SHA3/ECDSA
SHA384withECDSA 1SunEC
SHA3witRDSA
SHA3/RSA
SHA384withRSA 1SunRsaSign
SHA5withECDSA
SHA5/ECDSA
SHA512withECDSA 1SunEC
SHA5withRSA
SHA5/RSA
SHA512withRSA 1SunRsaSign

Table: Type Signature

 

Table notes:

  1. Non-standard aliases that are available from the IBMJCE provider are not available from OpenJDK providers. Use a standard algorithm name instead.

  2. The NONEWithRSA algorithm is unique in that you supply your own MessageDigest object as the data to be signed. A Signature object that does not compute a message digest is therefore required for a provider to service the algorithm. The OpenJDK java.security.Signature class locates a security provider to service the NONEWithRSA algorithm. If you specify, on your getInstance() call, a particular provider to service the NONEWithRSA algorithm, the java.security.Signature class returns one of the following objects:

    1. An instance of a NONEWithRSA signature object, if the specified provider supports that algorithm
    2. A special NONEWithRSA signature object, if the specified provider supports the RSA/ECB/PKCS1Padding Cipher

    If you do not specify a provider on your getInstance() call, the java.security.Signature class manufactures a NONEWithRSA signature object from an RSA/ECB/PKCS1Padding Cipher object from the first cryptographic provider that offers that cipher algorithm, which is usually SunJCE. The order of preference of providers is determined by the list that is stored in the java.Security class. You can get the list by using the java.Security.getProviders() method.

Keys

The following differences exist for keys:

  • IBM DH KeyPairGenerator and AlgorithmParameterGenerator support key sizes between 256 and 2048 bits, that are a multiple of 64. The OpenJDK equivalents support key sizes between 512 and 2048 bits, that are a multiple of 64.
  • IBM DH KeyPairGenerator defaults to a key size of 1024 bits. The OpenJDK equivalent defaults to 2048 bits.
  • IBM DSA KeyPairGenerator defaults to a key size of 2048 bits. The OpenJDK equivalent defaults to 1024 bits.
  • IBM RSA KeyFactory recognizes the com.ibm.crypto.provider.restrictRSAExponent property. The corresponding OpenJDK RSA KeyFactory recognizes the sun.security.rsa.restrictRSAExponent property.
  • The OpenJDK security implementation does not support RFC5915-encoded EC private keys.
  • Before IBM SDK, Java Technology Edition Version 8, service refresh 1, fix pack 10, the IBM PKCS12S2 keystore type was equivalent to the OpenJDK PKCS12 keystore type, but the IBM PKCS12 keystore type was different. In later fix packs, the IBM PKCS12 and PKCS12S2 keystore types are modified to use a shared implementation. This shared implementation is forwards and backwards compatible with older IBM and older OpenJDK PKCS12 implementations. However, the OpenJDK 11 PKCS12 Keystore type is not compatible with these IBM PKCS12 and PKCS12S2 keystore types.
  • Oracle recommend that you upgrade your keystores to use the OpenJDK 11 PKCS12 keystore type.

Ciphers

IBM RSA Cipher recognizes the com.ibm.crypto.provider.DoRSATypeChecking property. When this property is set, the runtime environment checks that RSA public keys are not used for decryption, and that RSA private keys are not used for encryption. There is no equivalent function in the OpenJDK security implementation.

Mask generation

The IBM and OpenJDK implementations differ in the default mask generation function (MGF1) that is used when performing RSA OAEP operations. The OpenJDK implementation always uses SHA-1 whereas the IBMJCE provider uses a mask generation function that corresponds to the OAEP hash algorithm.

Hardware acceleration

The IBMJCE provider supports hardware acceleration for some ciphers, if hardware acceleration is supported on that platform. The OpenJDK JCE implementation does not have this support.

JGSS provider differences

This release contains the OpenJDK JGSS provider, instead of the IBM JGSS provider.

The following table shows the equivalent functionality in the IBM and OpenJDK JGSS providers.

Attributes and system propertiesIBMOpenJDK
JGSS provider nameIBMJGSSProviderSunJGSS
Package containing the JGSS providercom.ibm.security.jgsssun.security.jgss.SunProvider
Package containing the SPNEGO mechanismcom.ibm.security.jgss.mech.spnego 
Package containing the Kerberos mechanismcom.ibm.security.jgss.mech.krb5 
System property javax.security.auth.useSubjectCredsOnlyThe original purpose of the OpenJDK Java property is extended to facilitate undocumented WebSphere support".No Oracle equivalent
Support for Kerberos utilities (kinit, klist, and ktab)Supported on all platforms.Supported only on Windows platforms. On other platforms, use native Kerberos utilities.
kinit -c FILEPermits only the owner to access the cache file.Permits access to the cache file based on the user's umask value.
LoginModule in the JAAS configuration filecom.ibm.security.auth.module.Krb5LoginModulecom.sun.security.auth.module.Krb5LoginModule
Initiate/accept configuration declaration in the JAAS configuration filecom.ibm.security.jgss.krb5.initiate/acceptcom.sun.security.jgss.krb5.initiate/accept
KerberosTokenProfile (WSSKrbToken.jar)Available only in version 8, not version 11. Used only by WebSphere Application Server.No Oracle equivalent

Table: Functional differences between IBM and OpenJDK JGSS providers

System properties

The following table shows the equivalent system properties in the IBM and OpenJDK JGSS providers.

IBMOpenJDK
com.ibm.security.jgss.debug,
com.ibm.security.krb5.Krb5Debug		sun.security.krb5.debug sun.security.spnego.debug
com.ibm.security.krb5.acceptor.subkeysun.security.krb5.acceptor.subkey
com.ibm.security.krb5.autodeducerealmsun.security.krb5.autodeducerealm
com.ibm.security.krb5.rcachesun.security.krb5.rcache
com.ibm.security.spnego.msinteropsun.security.spnego.msinterop
com.ibm.security.krb5.msinterop.kstringsun.security.krb5.msinterop.kstring

Table: Differences in system properties between IBM and OpenJDK JGSS providers

The following table shows the system properties that exist only in the IBM JGSS provider, which have no OpenJDK equivalent.

System propertyIBM
com.ibm.security.jgss.internal.authenticatorControlUsed only by WebSphere Application Server. It is not documented for public consumption.
com.ibm.security.jgss.spnegoA8: YesSPNEGO has RFC 2478 behavior
com.ibm.security.krb5.ignoreConfIgnore Kerberos config file
ibm.security.krb5.msinterop.des.s2kcharsetSet charset for string-to-key encoding
javax.security.auth.useAllCredsUsed only by WebSphere Application Server. It is not documented for public consumption.
os400.credentials.ebcdicOS400 charset

Table: System properties that exist only in the IBM JGSS provider

 

JAAS options for Kerberos login

The following table shows the equivalent functionality in the IBM and OpenJDK JGSS providers.

 IBMOpenJDK
InitiatorcredsType = initiator (default)isInitiator = true (default)
AcceptorcredsType = acceptorisInitiator = false
Initiator & acceptorcredsType = bothNot available
Use default ticket cacheuseDefaultCache = true (default is false)
credsType must be initiator or both

Search sequence:
1. The file cache location specified by system property KRB5CCNAME.

2. <user_home><file_seperator>krb5cc_<user_name>

3. The local security authority (LSA) on Windows platforms		useTicketCache = true (default is false)
ticketCache is not set

Search sequence:
1. On Linux and Solaris platforms, when useTicketCache is set to true, searches /tmp/krb5cc_uid

2. <user_home><file_separator>krb5cc_<user_name>

3. The local security authority (LSA) on Windows platforms
Specify ticket cacheuseCcache = <URL> useDefaultCache must not be set to trueuseTicketCache = true
ticketCache = <URL>
Use default keytabuseDefaultKeyTab = true (default is false)
credsType must be acceptor or both

Default keytab search sequence:
1. Java property KRB5_KTNAME

2. <default_keytab_name> in libdefaults in the Kerberos configuration file

3. <user_home><file_seperator>krb5.keytab

4. <user_directory><file_seperator>krb5.keytab		useKeyTab = true (default is false)
keyTab is not set

Default keytab search sequence:
1. <default_keytab_name> in libdefaults in the Kerberos configuration file

2. <user_home><file_seperator>krb5.keytab

3. <user_directory><file_seperator>krb5.keytab
Specify keytabuseKeytab = <URL>
useDefaultKeyTab  must not be set to true		useKeyTab = true
keyTab = <URL>
Forwardable, proxiable, or renewable TGTforwardable|proxiable|renewable = true (default is false)Not available
Display login module bannermoduleBanner = true (default is false)Not available
Store credentials(principals & ticket & key) in shared statestoreSharedStateCredentials = true (default is false)Not available
Store user name and password in shared stateNot availablestorePass = true (default is false)
Clear user name and password in shared stateNot availableclearPass = true (default is false))
Do not prompt for passwordNot availabledoNotPrompt = true (default is false)
Store key in principal’s private credentialsNot availablestoreKey = true
Use password saved in shared stateuseFirstPass = true or tryFirstPass = true (defaults are both false)useFirstPass = true or tryFirstPass = true (defaults are both false)
Renew TGTrenewTGT = true (default is false)renewTGT = true (default is false)
Refresh Krb5 configuration filerefreshKrb5Config = true (default is false)refreshKrb5Config = true (default is false)
Output debug messagesdebug = true (default is false)debug = true (default is false)

Table: Comparison between IBM and OpenJDK JGSS provider function for Kerberos login

 

IBM Certification Path provider differences

This release contains the OpenJDK Certification Path provider, instead of the IBM Certification Path provider. Attributes and system properties that are available in IBM Certification Path (CertPath) provider might not be available, or might have different names, in the OpenJDK providers.

Attributes and system propertiesIBMOpenJDK
Package containing the CertPath providercom.ibm.security.certsun.security.provider.certpath
CertPath provider namecom.ibm.security.cert.IBMCertPathNo separate provider for CertPath. It is incorporated into the OpenJDK provider sun.security.provider.Sun.
System property used to enable CRL Distribution Points extension checkingcom.ibm.security.enableCRLDPcom.sun.security.enableCRLDP
System property used for support of processing both complete CRLs and delta CRLs

com.ibm.security.enableDELTACRL, set to true or false

  • True: both delta CRLs and complete CRLs are used, if revocation checking is requested by the caller.
  • False (or not set): only complete CRLs are used.
No OpenJDK equivalent
System property used to define a timeout value for the connection to a certificate's CRL distribution point, or to a URICertStore objectcom.ibm.security.crls.timeoutcom.sun.security.crl.timeout
System property used to set the lifetime of entries in the memory cache of an LDAP CertStoreibm.security.certpath.ldap.cache.lifetimeNo OpenJDK equivalent
System property that determines whether CertPath checks revocation only on the end-entity certificate of the certificate chain, or on all the certificates of the certificate chain except for the trusted root certificate (TrustAnchor)com.ibm.security.onlyCheckRevocationOfEECertNo OpenJDK equivalent. However, the same behavior can be specified within the PKIXRevocationChecker class for either IBM or OpenJDK.
Strict CRL validationSupportedNot supported
Reverse buildingSupportedNot supported

Table: Functional comparison between IBM and OpenJDK Certification path providers

 

SASL provider differences

This release contains the OpenJDK SASL provider, instead of the IBM SASL provider. Differences between these providers might require code changes to your applications.

The following table lists IBM SASL classes that are different to equivalent OpenJDK SASL providers.

IBMSASL classOpenJDK SASL class
com.ibm.security.auth.callback.TextCallbackHandlercom.sun.security.auth.callback.TextCallbackHandler

Table: Differences for IBM SASL and OpenJDK SASL classes

 

JAAS provider differences

This release contains the OpenJDK JAAS provider, instead of the IBM JAAS provider. Differences between these providers might require code changes to your applications.

JAAS Active Login

In this release, JAAS Active Login is removed. There is no OpenJDK equivalent.

 

JAAS equivalent classes

The following table lists IBM JAAS provider classes and equivalent OpenJDK JAAS provider classes.

IBM JAAS provider classOracle JAAS provider class
com.ibm.security.auth.callback.TextCallbackHandlercom.sun.security.auth.callback.TextCallbackHandler
com.ibm.security.auth.login.ConfigFilecom.sun.security.auth.login.ConfigFile
com.ibm.security.auth.module.KeyStoreLoginModulecom.sun.security.auth.module.KeyStoreLoginModule
com.ibm.security.auth.module.Krb5LoginModulecom.sun.security.auth.module.Krb5LoginModule
com.ibm.security.auth.module.LdapLoginModulecom.sun.security.auth.module.LdapLoginModule
com.ibm.security.auth.module.NTLoginModule
com.ibm.security.auth.module.NTLiginModule2000
com.ibm.security.auth.module.Win64LoginModule
com.ibm.security.auth.JAASLoginModule		com.sun.security.auth.module.NTLoginModule
com.ibm.security.auth.module.NTSystem
com.ibm.security.auth.module.Win64System		com.sun.security.auth.module.NTSystem
com.ibm.security.auth.module.AIXLoginModule
com.ibm.security.auth.module.AIXLoginModule2000
com.ibm.security.auth.module.AIX64LoginModule
com.ibm.security.auth.module.LinuxLoginModule
com.ibm.security.auth.module.LinuxLoginModule2000
com.ibm.security.auth.JAASLoginModule		com.sun.security.auth.module.UnixLoginModule
com.ibm.security.auth.module.AIXSystem
com.ibm.security.auth.module.AIX64System
com.ibm.security.auth.module.LinuxSystem		com.sun.security.auth.module.UnixSystem
com.ibm.security.auth.LdapPrincipalcom.sun.security.auth.LdapPrincipal
com.ibm.security.auth.NTDomainPrincipal
com.ibm.security.auth.DomainPrincipal		com.sun.security.auth.NTDomainPrincipal
com.ibm.security.auth.NTNumericCredentialcom.sun.security.auth.NTNumericCredential
com.ibm.security.auth.NTSidcom.sun.security.auth.NTSid
com.ibm.security.auth.NTSidDomainPrincipal
com.ibm.security.auth.DomainIDPrincipal		com.sun.security.auth.NTSidDomainPrincipal
com.ibm.security.auth.NTSidGroupPrincipal
com.ibm.security.auth.GroupIDPrincipal		com.sun.security.auth.NTSidGroupPrincipal
com.ibm.security.auth.NTSidPrimaryGroupPrincipal
com.ibm.security.auth.PrimaryGroupIDPrincipal		com.sun.security.auth.NTSidPrimaryGroupPrincipal
com.ibm.security.auth.NTSidUserPrincipal
com.ibm.security.auth.UserIDPrincipal		com.sun.security.auth.NTSidUserPrincipal
com.ibm.security.auth.NTUserPrincipal
com.ibm.security.auth.UsernamePrincipal		com.sun.security.auth.NTUserPrincipal
com.ibm.security.auth.PolicyFilecom.sun.security.auth.PolicyFile
com.ibm.security.auth.PrincipalComparatorcom.sun.security.auth.PrincipalComparator
com.ibm.security.auth.AIXNumericGroupPrincipal
com.ibm.security.auth.GroupIDPrincipal
com.ibm.security.auth.PrimaryGroupIDPrincipal
com.ibm.security.auth.LinuxNumericGroupPrincipal		com.sun.security.auth.UnixNumericGroupPrincipal
com.ibm.security.auth.AIXNumericUserPrincipal
com.ibm.security.auth.UserIDPrincipal
com.ibm.security.auth.LinuxNumericUserPrincipal		com.sun.security.auth.UnixNumericUserPrincipal
com.ibm.security.auth.AIXPrincipal
com.ibm.security.auth.UsernamePrincipal
com.ibm.security.auth.LinuxPrincipal		com.sun.security.auth.UnixPrincipal
com.ibm.security.auth.UsernamePrincipalcom.sun.security.auth.UserPrincipal
com.ibm.security.auth.X509Principalcom.sun.security.auth.X509Principal
com.ibm.security.auth.callback.DiaglogCallbackHandler
com.ibm.security.auth.DomainPrincipal
com.ibm.security.auth.DomainIDPrincipal
com.ibm.security.auth.ServerPrincipal
com.ibm.security.auth.WkstationPrincipal
com.ibm.security.auth.NTSidPrimaryGroupIDPrincipal
com.ibm.security.auth.NumericCredential
com.ibm.security.auth.JAASPrincipal		No Oracle equivalents

Table: Differences for IBM JAAS and OpenJDK JAAS provider classes

 

IBM SecureRandom provider

The IBMSecureRandom provider is not available in this release. However, most of the functionality is available in the OpenJDK SUN provider.

If your application uses the IBMSecureRandom provider, use the following table to find equivalent OpenJDK SUN functionality.

IBM SecureRandom functionEquivalent function in the SUN provider
SecureRandom.SHA1PRNG algorithmSecureRandom.SHA1PRNG algorithm
SecureRandom.IBMSecureRandom algorithmNone. Use the default SecureRandom algorithm, or specify a different algorithm if required.
MessageDigest.MD5 and MessageDigest.SHA-1 algorithmsMessageDigest.MD5 and MessageDigest.SHA-1 algorithms. The OpenJDK SUN provider also provides matching aliases of SHA and SHA1 for the MessageDigest.SHA-1 algorithm.

Table: IBMSecureRandom equivalent function in the SUN provider

Note for Unix systems: The default seed source for the SecureRandom class in Version 8 was the random number generator /dev/urandom. In Version 11, the default changed to /dev/random, which blocks threads until sufficient entropy is available. This new default might therefore be a slower source of random values.

XML Digital Signature services (JSR105)

This release contains the reference implementation of JSR 105 XML Digital Signature services, which is identical to the IBM implementation provided in IBM SDK, Java Technology Edition, version 8.

The implementation class for the JSR105 XML Digital Signature provider is org.jcp.xml.dsig.internal.dom.XMLDSigRI, which can be found in the java.xml.crypto module.

The IBM implementation is the IBMXMLCrypto provider. If your application uses the IBM security class com.ibm.xml.crypto.IBMXMLCryptoProvider, you must update your application code to use the JSR 105 class instead.

Notice about plans, directions and intent

Statements by IBM regarding its plans, directions, and intent are subject to change or withdrawal without notice at the sole discretion of IBM. Information regarding potential future products is intended to outline general product direction and should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for IBM products remain at the sole discretion of IBM.

[{"Line of Business":{"code":"LOB08","label":"Cognitive Systems"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"ARM Category":[],"Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"}],"Version":"11.0.0"},{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSA3RN","label":"IBM Semeru Runtimes"},"ARM Category":[],"Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"}],"Version":"11.0.0"}]

Document Information

Modified date:
16 December 2025

UID

ibm16411285

Page Feedback