Enabling the IBMJCEPlus and IBMJCEPlusFIPS providers

The ibmjceplus.jar file contains a FIPS-compliant provider (IBMJCEPlusFIPS) and a non-FIPS provider (IBMJCEPlus). From service refresh 7, the IBMJCEPlus provider is the default JCE provider except on z/OS®. In earlier releases and on z/OS, you enable these providers by editing the JAVA_HOME/jre/lib/security/java.security file.

Before you begin

The IBMJCEPlus and IBMJCEPlusFIPS providers are supported on AIX®, Linux®, and Windows operating systems. From service refresh 6, fix pack 25, the IBMJCEPlus provider is also supported on z/OS (the IBMJCEPlusFIPS provider is not yet supported on z/OS).

On Linux on IBM® POWER® (Little Endian), libc must be version 2.19 or later; the IBMJCEPlus and IBMJCEPlusFIPS providers require later versions of the C standard library than the standard system requirements.

When the JVM is in FIPS 140-2 mode and the IBMJCEPlusFIPS provider is used, the following message is displayed:

The IBMJCEPlusFIPS provider is configured for FIPS 140-2. Please note that the 140-2 configuration may be removed in the future.

To turn off the display of this message, set the system property -Dcom.ibm.fips.silentUsage=true on the command line.

For more information about FIPS compliance for the IBMJCEPlusFIPS provider, see Certificate #3064.

About this task

The SDK comes with a pre-defined list of security providers, ordered by preference, in the JAVA_HOME/jre/lib/security/java.security file. You can edit this file to control which providers you want to use. For example, in service refresh 7 on most supported operating systems, the relevant part of the java.security file looks as follows.
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
...
IBMJCEPlus is number 2 in the list, so it is already enabled and used by default instead of IBMJCE, which is number 3 (a lower preference). In this way, the list also provides fail-over capability.
Note: You can also use Java™ code to dynamically specify the provider to use. For more information about specifying providers with Java code or with the java.security property file, see Installing Providers for JCE.
The presence and position of the IBMJCEPlus provider line in the java.security file have changed since the IBMJCEPlus and IBMJCEPlusFIPS providers were introduced in service refresh 5, fix pack 10. Therefore, the edit required to the java.security file to enable the IBMJCEPlus provider depends on your release and your operating system, as summarized in the following table.
Table 1. The edit required to the java.security file to enable IBMJCEPlus

Release and operating system              | IBMJCEPlus provider is in file | IBMJCEPlus provider is before IBMJCE provider in file | Edit required to enable IBMJCEPlus provider
------------------------------------------|--------------------------------|-------------------------------------------------------|--------------------------------------------
SR7 and later, on AIX, Linux, and Windows | Yes                            | Yes                                                   | None
SR7 and later, on z/OS                    | Yes                            | No                                                    | Move to before IBMJCE
SR6 FP25 and later fix packs              | Yes                            | No                                                    | Move to before IBMJCE
SR5 FP10 through SR6 FP20                 | No                             | -                                                     | Add to before IBMJCE
The IBMJCEPlusFIPS provider was never in the java.security file by default. If you want to use this provider, you must add it to the file before any other JCE provider.

Procedure

  • If your application contains hardcoded references to a provider name instead of using the provider list and provider fail-over mechanisms, ensure that your code specifies the name of the provider that you want to use.
  • Edit the JAVA_HOME/jre/lib/security/java.security file to add or move the IBMJCEPlus or IBMJCEPlusFIPS provider and change its preference number as required.
    For example:
    • If you are on service refresh 7 or later on AIX, you do not have to do anything; the IBMJCEPlus provider is already before the IBMJCE provider in the file, so it is used by default. If you are on service refresh 7 or later on z/OS, however, the IBMJCEPlus provider is not the default; you must move it to before the IBMJCE provider in the file.
    • If you are on service refresh 6, fix pack 25 or later and you want to use the IBMJCEPlus provider, move the existing line to before the IBMJCE provider and update the preference numbers accordingly:
      security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlus
      security.provider.3=com.ibm.crypto.provider.IBMJCE
      security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
      ...
    • If you are on an earlier release and you want to use the IBMJCEPlus provider, add the line security.provider.n=com.ibm.crypto.plus.provider.IBMJCEPlus, where n is the preference number, to the file before the IBMJCE provider and update the preference numbers accordingly.
    • On any release or operating system, if you want to use the IBMJCEPlusFIPS provider (for example when you are configuring the IBMJSSE2 provider to run in FIPS mode), add it to the file before any other JCE provider and update the preference numbers accordingly.
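The three edits in Table 1 and the procedure above (no change, move to before IBMJCE, add before IBMJCE) plus the IBMJCEPlusFIPS case all reduce to one operation: make sure a given provider line precedes a given other provider line, then renumber every security.provider.n entry so the preference numbers stay contiguous. The following script is an added example written for this page; it is not IBM's tooling. The sample java.security fragments are constructed (only the SR7 layout appears on the page; the position of IBMJCEPlus in the SR6 FP25 sample is assumed for illustration), the IBMJCEPlusFIPS class name is assumed rather than taken from the page, and the function names are the example's own.

```python
"""Add or move a JCE provider line in java.security and renumber the list.

Added example for this page, not IBM's code. It handles the three cases in
Table 1 (already before IBMJCE: no edit; present but after IBMJCE: move;
absent: add) and the IBMJCEPlusFIPS case (add before the first JCE provider).
"""
import re

# security.provider.<n>=<class>   (comments and unrelated keys are ignored)
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)\s*$")

# Provider class names as they appear in java.security on the page.
IBMJSSE2 = "com.ibm.jsse2.IBMJSSEProvider2"
IBMJCEPLUS = "com.ibm.crypto.plus.provider.IBMJCEPlus"
IBMJCE = "com.ibm.crypto.provider.IBMJCE"
IBMJGSS = "com.ibm.security.jgss.IBMJGSSProvider"
# Assumed class name for the FIPS provider; the page gives only the provider name.
IBMJCEPLUSFIPS = "com.ibm.crypto.plus.provider.IBMJCEPlusFIPS"

# Constructed sample files (not copied from an SDK install).
SR7_FILE = """\
# List of providers and their preference orders (constructed sample)
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
"""
# SR6 FP25 style: IBMJCEPlus present but after IBMJCE (position assumed).
SR6_FP25_FILE = """\
# List of providers and their preference orders (constructed sample)
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus
"""
# SR5 FP10 through SR6 FP20 style: IBMJCEPlus not in the file.
SR5_FILE = """\
# List of providers and their preference orders (constructed sample)
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
"""


def parse_providers(text):
    """Return provider class names ordered by their preference number."""
    entries = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    entries.sort()
    return [cls for _, cls in entries]


def ensure_before(text, provider, before):
    """Ensure `provider` is listed before `before`; add or move it and renumber.

    Returns (new_text, action) where action is "none", "moved" or "added".
    Non-provider lines before the list (comments) are kept in place; any
    non-provider lines interleaved with the list are kept after it.
    """
    lines = text.splitlines()
    provider_idx = [i for i, l in enumerate(lines) if PROVIDER_RE.match(l)]
    if not provider_idx:
        raise ValueError("no security.provider.n entries found")
    order = parse_providers(text)
    if before not in order:
        raise ValueError(f"{before} is not in the provider list")

    if provider in order:
        if order.index(provider) < order.index(before):
            return text, "none"          # Table 1: already before, no edit
        order.remove(provider)
        action = "moved"                  # Table 1: move to before IBMJCE
    else:
        action = "added"                  # Table 1: add to before IBMJCE
    order.insert(order.index(before), provider)

    # Rebuild the list with contiguous preference numbers starting at 1.
    block = [f"security.provider.{n}={cls}" for n, cls in enumerate(order, 1)]
    head = lines[: provider_idx[0]]
    tail = [l for i, l in enumerate(lines)
            if i > provider_idx[0] and i not in provider_idx]
    return "\n".join(head + block + tail) + "\n", action


if __name__ == "__main__":
    for name, sample in (("SR7", SR7_FILE), ("SR6 FP25", SR6_FP25_FILE), ("SR5", SR5_FILE)):
        new_text, action = ensure_before(sample, IBMJCEPLUS, IBMJCE)
        print(f"{name}: {action}")
        print(new_text)
    # FIPS: add IBMJCEPlusFIPS before the first JCE provider (IBMJCEPlus in the SR7 sample).
    fips_text, action = ensure_before(SR7_FILE, IBMJCEPLUSFIPS, IBMJCEPLUS)
    print(f"SR7 + FIPS: {action}")
    print(fips_text)
```

To apply this to a real installation, read JAVA_HOME/jre/lib/security/java.security into `text`, call ensure_before with the class names above, and write the result back; then confirm the order with parse_providers before restarting the application. Keep in mind the point from the procedure's first step: an application that hardcodes a provider name bypasses this preference order entirely.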

Results

When enabled, the IBMJCEPlus and IBMJCEPlusFIPS providers operate with hardware acceleration always on, where this is supported.