
Security information

The following pages contain documentation, example code, and ancillary files relating to IBM's J2SE 5 SDKs. The documentation covers IBM-specific features of IBM's offerings. A platform-specific Security User Guide is included in each download. For information about the SDK for z/OS product and security components specific to that platform, see this Web site.


Resource packages

Security User Guides:

The platform-specific Security User Guides linked here are also provided in the downloads. They contain an overview of the security components shipped with the IBM 5 SDKs.

For an overview of z/OS security information, see this web site (for 31-bit) and this web site (for 64-bit).


Cross Component documentation:

How to use FIPS approved providers tells you how to use the IBM Java FIPS approved Providers IBMJSSEFIPSProvider and IBMJCEFIPS.
How to use hardware crypto provider tells you how to use the IBM Java Hardware Cryptographic Providers.

Java Certification Path (CertPath) Guide

The IBM Java CertPath API Guide linked above is supplemented by the Javadoc HTML documentation for the CertPath API and Java code samples in certpathdocs_samples.zip. The Java Certification Path defines a set of classes and interfaces to create, build, and validate digital certification paths. A digital certificate is a data structure that binds a subject to a public key and is signed by a Certification Authority (CA).



Java Authentication and Authorization Service (JAAS):

JAAS API Guide
JAAS LoginModule Developer Guide
JAAS allows you to enforce access controls based on the user who runs an application. This function is missing from standard implementations of Java 2. In addition to the guides linked above, the following JAAS Javadoc HTML documentation and zip files contain code samples specific to each platform:

Java Cryptography Extension (JCE)

Cryptography Architecture Specification
Cryptography Extension Specification
How to implement a provider for the Java Cryptography Architecture
The IBM Java Cryptography Extension API Guides linked above are supplemented by the Javadoc HTML documentation for the JCE API and code samples in jceDocs_samples.zip. The JCE provides a framework and implementations for encryption, key generation, and key agreement, as well as Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. The software also supports secure streams and sealed objects. JCE supplements the Java 2 platform, which already includes interfaces and implementations of message digests and digital signatures.



Certified JCE FIPS Guide (PDF file)

The IBM Java JCE (Java Cryptographic Extension) FIPS provider (IBMJCEFIPS) version 1.2 for Multi-platforms is a scalable, multi-purpose cryptographic module that supports FIPS approved cryptographic operations by means of the Java 2 Application Programming Interfaces (APIs). The IBM Java JCE FIPS provider is certified at Federal Information Processing Standards (FIPS) 140-2 [Level 1]. The Security Policy, linked above, is supplemented by Javadoc HTML documentation for the module.



IBM SDK Policy files

IBM's SDKs ship with strong but limited jurisdiction policy files. Unlimited jurisdiction policy files can be obtained from the link above. The ZIP file should be unpacked and the two JAR files placed in the JRE's jre/lib/security/ directory. These policy files are for use with IBM developed SDKs. The same files are used for the Version 1.4 and Version 5 SDKs. Details of downloads of unlimited jurisdiction policy files for the Solaris and HP platforms can be found in the IBM Security Guide for those platforms.

Java Generic Security Services (JGSS)

JGSS User Guide
JGSS Developer Guide
The IBM Java Generic Security Services Guides linked above are supplemented by the Javadoc HTML documentation for the JGSS and code samples in jgssdocs_sample.zip. JGSS is used to exchange messages securely between communicating applications. The Java GSS-API contains the Java bindings for the Generic Security Services Application Program Interface (GSS-API) defined in RFC 2853. GSS-API offers application programmers uniform access to security services built on a variety of underlying security mechanisms, including Kerberos.



IBMJSSE2 Guide

The new IBM Java Secure Socket Extension Guide linked above is supplemented by the Javadoc HTML documentation for the IBMJSSE2 and sample code in jsse2docs_samples.zip. The IBMJSSE2 is a Java package enabling secure internet communications. The extension implements a Java version of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes functions for data encryption, server authentication, message integrity, and client authentication. The new JSSE provider has improved serviceability, can be configured to use hardware cryptographic cards, and uses IBM's JCE providers for its cryptography.

From Java 5.0 SR12, IBM JSSE2 includes support for RFC 5746 Transport Layer Security (TLS) - Renegotiation Indication Extension:

This update supersedes the JSSE2 PTF described in Transport Layer Security (TLS) handshake renegotiation weak security CVE-2009-3555 relative to the IBM SDK for Java.


IKeyman

This PDF file is version 7c of the IKeyman user guide. It tells you how to use IKeyman. IKeyman is a GUI tool for managing Java keystores. It is provided to aid in the management of JSSE keystores.

PKCS 11 Implementation Provider

IBMPKCS11Impl Provider Guide
Supported Devices
The IBMPKCS11Impl Provider Guide linked above is supplemented by the Javadoc HTML documentation for the Provider and sample configuration files in PKCS11ImplConfigSamples.jar. The IBMPKCS11Impl Provider uses the Java Cryptography Extension (JCE) and Java Cryptography Architecture (JCA) frameworks to add the ability to use hardware cryptography using the Public Key Cryptographic Standards #11 (PKCS#11) standard. This new provider takes advantage of hardware cryptography within the existing JCE architecture and gives Java 2 programmers the significant security and possible performance advantages of hardware cryptography with minimal changes to existing Java applications. Because the complexities of hardware cryptography are taken care of in the normal JCE, advanced security and performance using hardware cryptographic devices is made readily available.

IBM Java SASL Provider Guide

The Simple Authentication and Security Layer Guide linked above is supplemented by the Javadoc HTML documentation for the IBMSASL. The IBMSASL is a Java package enabling secure internet communications. Simple Authentication and Security Layer, or SASL, is an Internet standard (RFC 2222) that specifies a protocol for authentication and optional establishment of a security layer between client and server applications. SASL defines how authentication data is to be exchanged but does not itself specify the contents of that data.

IBM Key Certificate Management How-To Guide

The Key Certificate Management How-To Guide linked above is supplemented by the Javadoc HTML documentation for the IBM Key Certificate Management. The Key Certificate Management is a set of packages used to access keys and certificates stored in any format, extract information from a KeyStore given a Subject Key Identifier (SKI), create a self-signed certificate, generate a CertificateRequest to send manually or use Java PKI to send it to a CA and obtain the signed certificate, and revoke a certificate.

KeyTool user guide

The KeyTool user guide introduces the key and certificate management utility. The KeyTool utility enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers.


