TLS implementations
The system contains multiple TLS implementations. Each implementation implements one or more versions of the TLS protocols according to the industry definitions.
The implementations must interoperate with other implementations according to the Internet Engineering Task Force (IETF) specifications for each protocol version. Each implementation has unique characteristics and provides different sets of optional functionality.
The set of APIs used determines which implementation is used for each secure application on the system. With Java™, the configured JSSE provider determines the implementation since the Java interfaces are standardized. An application can also embed an implementation that is only known to the application.
The following implementations are available for developing applications on IBM i.
- System TLS
ILE applications use System TLS. Certificate management is performed with the Digital Certificate Manager (DCM), and the certificate store type is Certificate Management Services (CMS) with a file extension of *.KDB. Java applications can use System TLS; however, it is not typical. The most obscure case would be a Java application that uses System TLS while also using a Java keystore.
- IBMJSSE2 (IBMJSSEProvider2)
This Java Secure Socket Extension (JSSE) provider contains a pure Java implementation of the TLS protocols and is available on multiple platforms. This implementation is known as com.ibm.jsse2.IBMJSSEProvider2 in the java.security provider list. This is the default provider for Java 8. The certificates are typically found in a Java keystore file (JKS) and are managed by using the Java keytool command or the IBM Key Management (iKeyman) utility.
For general JSSE information on the system, see Java Secure Socket Extension (JSSE).
For specific details, see the IBMJSSE2 platform independent documentation for the appropriate JDK version. For JDK8, see Security Reference for IBM® SDK, Java Technology Edition, Version 8.
- Oracle Java
This JSSE provider contains Oracle's pure Java implementation of the TLS protocols. This implementation is known as SunJSSE in the java.security provider list. This is the default provider for Java 11.
For general JSSE information on the system, see Java Secure Socket Extension (JSSE).
For specific details about this JDK11 provider, see The SunJSSE Provider in the JDK Providers Documentation section of the Oracle Security Developer's Guide.
- OpenSSL
OpenSSL is an open source toolkit that implements the TLS protocols and a full-strength general-purpose cryptography library. It is only available in the IBM Portable Application Solutions Environment for i (PASE for i). The certificates are typically found in PEM files and are managed with OpenSSL commands.
Common Information Model Object Manager is an application that uses this implementation. For more information, see Common Information Model.
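For the Java case described above, where the configured JSSE provider determines the implementation, the following added example (not part of the original documentation) lists the entries in the java.security provider list that offer an SSLContext service, reports which provider backs the JVM's default SSLContext, and flags enabled protocol versions that the IETF has deprecated. The class name TlsProviderReport is hypothetical; only standard java.security and javax.net.ssl calls are used.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example: reports which JSSE provider backs this JVM's default TLS context.
public class TlsProviderReport {
    // Protocol versions deprecated by the IETF (RFC 7568, RFC 8996).
    private static final List<String> DEPRECATED =
            Arrays.asList("SSLv3", "TLSv1", "TLSv1.1");

    public static void main(String[] args) throws Exception {
        // Providers are consulted in java.security preference order; the first
        // one that offers an SSLContext service normally supplies the default.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            StringBuilder algs = new StringBuilder();
            for (Provider.Service s : providers[i].getServices()) {
                if ("SSLContext".equals(s.getType())) {
                    algs.append(' ').append(s.getAlgorithm());
                }
            }
            if (algs.length() > 0) {
                System.out.printf("%2d. %s (%s):%s%n", i + 1,
                        providers[i].getName(),
                        providers[i].getClass().getName(), algs);
            }
        }

        // The provider actually selected for the default context.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Default SSLContext provider: "
                + ctx.getProvider().getName());

        SSLParameters enabled = ctx.getDefaultSSLParameters();
        System.out.println("Enabled protocols:   "
                + Arrays.toString(enabled.getProtocols()));
        System.out.println("Supported protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        // Flag deprecated versions that are enabled by default on this JVM.
        for (String p : enabled.getProtocols()) {
            if (DEPRECATED.contains(p)) {
                System.out.println("WARNING: deprecated protocol enabled: " + p);
            }
        }
    }
}
```

Run it with the same JVM and java.security configuration as the application being assessed, because the result depends on that provider list.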