Securing Java Cryptography Encryption
During the B2B Advanced Communications installation, you select a compressed file that contains a Java™ Cryptography Extension (JCE) policy file to strengthen cryptographic operations.
You can choose your own JCE file or use the default JCE file that comes with the installation.
The installer extracts the JCE policy file from the compressed file and adds it to the install_dir\java\jre\lib\security JRE directory. The JCE policy file that you select must be compatible with the version of the IBM® JRE installed.
The JCE policy is an application programming interface (API) that supports and enhances security features in B2B Advanced Communications.
- XML Encryption
- Transforms data into a form that is unreadable by anyone who does not have the correct decrypting method, which provides message-level security.
- RSA algorithm
- A mathematical formula that is used for public-private key cryptography to encrypt transmissions. Private-public key cryptography is a method of securing communications that requires two separate keys, one public and one private. For asymmetric cryptography, each member of a communicating party has a public key and a private key. The two keys are mathematically related, but it is impossible to derive the private key from the public key. A message that is encrypted with a public key can be only decrypted with the associated private key. Alternatively, a server or user can sign a document with a private key. Then, they can use a public key to decrypt a digital signature, thus verifying the source of the document.
- Non-repudiation
- Provides proof that a transaction occurred, or that you sent or received a message. Non-repudiation is supported by the use of digital certificates and public key cryptography to sign messages.
- XML Digital signature
- The electronic equivalent to a personal signature on a written document to provide proof of the origin of a document and provide message-level security. The sender of a message signs the message by using the private key that is associated with a digital certificate. The recipient of the message uses the corresponding public key to decrypt the signature, which verifies the sender as the source.
- X.509 security token
- An X.509 digital certificate can be used as a binary security token to provide message integrity and confidentiality by signing and encrypting messages. Additionally, this certificate provides data confidentiality and authenticates the origin of the data.
- User name token
- Transmits basic authentication information by propagating a user name that is used to establish the identity of the user, and password information. Typically, the password is transmitted in plain text but the value can also be transmitted in digest hash format to obscure the password.
Typically, you use a JCE policy file to enable stronger cryptographic operations, such as:
- Ensuring data privacy
- Maintaining data integrity
- Authenticating one partner to another
- Preventing repudiation, which occurs when a partner refutes that they sent a message receipt
Attention: RC4 support in the JDK is disabled due to a security vulnerability. However,
if you must ignore the vulnerability due to your business requirements and enable RC4, complete the
following steps (you must have appropriate permissions to edit the security file):
- Open the security property file, <installation_root>/java/jre/lib/security/java.security in a text editor.
- Remove the line, property:jdk.tls.disabledAlgorithms=RC4.
- Save and close the property file.
- Stop and start all the members for the changes to the JDK to take effect.