IBM Support

Semeru Runtimes Security Guide

General Page

The Semeru Runtimes security guide details behavior changes and added features in security components over OpenJDK. Partial Brainpool RFC 8734 support in JSSE Provider is included from Java 17.0.13, 21.0.5, and 23.0.1 and higher versions.

IBM Semeru Runtimes Security Guide

JSSE Provider

Partial Brainpool RFC 8734 Support

Additional support was added to implement a portion of RFC 8734 in Java 17.0.13, 21.0.5, and 23.0.1 and higher versions of Semeru. This RFC defines the use of brainpool elliptic curves within the TLS version 1.3 protocol. Semeru supports both the brainpoolP512r1 signature scheme and the optional brainpoolP512r1 named group for key exchange.

Properties for Signature Schemes

To force applications to make use of only the ecdsa_brainpoolP512r1tls13_sha512 signature scheme, use the following properties in the JDK:

    -Djdk.tls.server.SignatureSchemes=ecdsa_brainpoolP512r1tls13_sha512 
-Djdk.tls.client.SignatureSchemes=ecdsa_brainpoolP512r1tls13_sha512

Please note that a brainpoolP512r1 certificate is expected to be configured by the client or server when these properties are set.

Enabling the brainpoolP512r1tls13 Key Exchange Mechanism

The OPTIONAL brainpoolP512r1tls13 key exchange mechanism can also be enabled with the following property. This value, if not specified, will default to another set of EC based curves for key exchange. To configure this specific brainpool named group set the following property:

    -Djdk.tls.namedGroups=brainpoolP512r1tls13

For this above support to work, the following assumptions are made:

  • OpenSSL is used for brainpool based cryptography.
  • The OpenSSL library present on the system must be version 1.1.1 or higher. Semeru versions 11.0.28, 17.016, and 21.0.8 and higher already include a bundled OpenSSL library version that meets this criteria.
  • The TLS protocol to be used must be TLS 1.3. 
  • TLS 1.2 is not supported.
  • Both the client and server must support RFC 8734. This support expects that both the server and client support the appropriate portions of RFC 8734. Specifically, the ecdsa_brainpoolP512r1tls13_sha512 signature scheme and / or the brainpoolP512r1tls13 named group.
  • A brainpoolP512r1 elliptic curve-based certificate must be available for use by the client and server when making use of brainpool signatures.

Semeru OpenJCEPlus provider support

IBM Semeru runtimes version 11 and higher includes support for the OpenJCEPlus provider. The OpenJCEPlus provider adds cryptographic acceleration along with support for numerous algorithms using the OpenCryptographyKitC project. For more information on how to install OpenJCEPlus in your environment along with supported services that are provided, see OpenJCEPlus documentation.

Semeru FIPS support through OpenJCEPlusFIPS

IBM Semeru runtimes version 11 and higher includes support for a FIPS 140-3 certified solution. For more information, see FIPS 140-3 cryptography in IBM Semeru Runtimes.

IBM Semeru runtimes version 8 and higher includes support for a FIPS 140-2 certified solution which is deprecated in favor of the FIPS 140-3 solution. For more information, see FIPS certified cryptography in IBM Semeru Runtimes.

Semeru native OpenSSL cryptographic acceleration

For more information regarding OpenSSL cryptographic acceleration support for Semeru, see OpenSSL.

[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSA3RN","label":"IBM Semeru Runtimes"},"ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"17.0.0;and future releases"}]

Document Information

Modified date:
25 July 2025

UID

ibm17171766

Page Feedback