Determining application compatibility: security

In this release, the OpenJDK security implementation replaces most of the components in the IBM security implementation. Differences between these implementations might require code changes to your applications.

OpenJDK contains a Java™ cryptographic implementation that includes TLSv1.3. This protocol is enabled by default and differs significantly from earlier TLS versions: it drops RSA key exchange, static Diffie-Hellman and a number of legacy cipher suites and signature schemes. For more information about TLSv1.3, including which algorithms are no longer allowed, see JEP 332.

RSA hardware keys previously used with the IBMJCECCA provider for key exchange over TLSv1.2 are no longer supported and cannot be used because TLS defaults to version 1.3 in this release. For more information, see RSA Hardware Keys over TLSv1.3.

The security certificates aolrootca1 and aolrootca2 that were present in IBM® SDK, Java Technology Edition, V8 are no longer included.

The OpenJDK security providers have different names from the IBM security providers. If your application passes an IBM provider name as a string (for example, to Cipher.getInstance or KeyStore.getInstance), you must update your application code. The following table shows the equivalent OpenJDK provider names, their implementation classes, and the Java module to which each class belongs.
Table 1. Comparable OpenJDK security providers

  IBM security provider               OpenJDK security provider   Implementation class                         Java module
  ----------------------------------  --------------------------  -------------------------------------------  ------------------
  IBMJSSE2                            SunJSSE                     sun.security.ssl.SunJSSE                     java.base
  IBMJCE (see note 1)                 Sun                         sun.security.provider.Sun                    java.base
                                      SunEC                       sun.security.ec.SunEC                        jdk.crypto.ec
                                      SunJCE                      com.sun.crypto.provider.SunJCE               java.base
                                      SunRsaSign                  sun.security.rsa.SunRsaSign                  java.base
  IBM JGSS                            SunJGSS                     sun.security.jgss.SunProvider                java.security.jgss
  IBM Certification Path              Oracle Certification Path   sun.security.provider.Sun                    java.base
  IBM SASL                            SunSASL                     com.sun.security.sasl.Provider               java.security.sasl
  IBM JAAS                            Oracle JAAS                 com.sun.security.auth                        jdk.security.auth
  IBMSecureRandom (see note 2)        -                           -                                            -
  XML Digital Signature (see note 3)  XMLDSig                     org.jcp.xml.dsig.internal.dom.XMLDSigRI      java.xml.crypto
  XML Digital Encryption (see note 4) -                           -                                            -
Notes:
  1. Much of the function of the IBMJCE provider is covered by the OpenJCEPlus provider. This provider was known as the IBMJCEPlus provider in version 8 and was intended to eventually replace the IBMJCE provider.

    The SDK does not include the SunEC provider's native library and therefore some algorithms are not supported. For more information, see the SunEC provider documentation.

    The IBMZSecurity provider is added in this release (11.0.15.0) to provide the JCERACFKS keystore implementation that was provided by the IBMJCE provider in version 8.

  2. OpenJDK does not have an equivalent version of the IBMSecureRandom provider.
  3. The Oracle XML Digital Signature provider and its implementation class are identical to the IBM provider (JSR 105).
  4. OpenJDK does not have an XML Encryption provider (JSR106).
  5. By default, OpenJDK allows the use of unsigned third-party cryptographic providers. However, IBM Semeru Runtime Certified Edition for z/OS®, 11 disables the use of unsigned third-party cryptographic providers.
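The following Java program is an added example, not code from this documentation or from IBM. It shows the hardcoded-provider failure that Table 1 describes beside a migrated lookup that tries the replacement OpenJDK providers and then falls back to a provider-independent lookup, and it adds two runtime checks a migration would want: whether EC key generation is available (note 1, SunEC without its native library) and which TLS protocols the default SSLContext enables. The mapping from legacy to OpenJDK names is built from Table 1; the provider name strings "SUN" and "OpenJCEPlus" are assumptions here and should be confirmed against the output of listProviders() on the target runtime.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.net.ssl.SSLContext;

public class ProviderMigrationCheck {

    // Legacy IBM provider name -> OpenJDK providers that now cover its services, taken
    // from Table 1. The Provider.getName() strings "SUN" and "OpenJCEPlus" are assumed
    // for this example; confirm them with listProviders() on the real runtime.
    private static final Map<String, List<String>> LEGACY_TO_OPENJDK = new LinkedHashMap<>();
    static {
        LEGACY_TO_OPENJDK.put("IBMJSSE2", Arrays.asList("SunJSSE"));
        LEGACY_TO_OPENJDK.put("IBMJCE",
                Arrays.asList("OpenJCEPlus", "SunJCE", "SunRsaSign", "SunEC", "SUN"));
    }

    /** Before migration: provider name hardcoded, so on OpenJDK this throws NoSuchProviderException. */
    static Cipher legacyLookup(String transformation) throws Exception {
        return Cipher.getInstance(transformation, "IBMJCE");
    }

    /**
     * After migration: try the OpenJDK providers that replaced the legacy one, in order, then
     * fall back to a provider-independent lookup so the JCA selects the first provider listed
     * in java.security that supports the transformation.
     */
    static Cipher migratedLookup(String transformation, String legacyProvider)
            throws NoSuchAlgorithmException, NoSuchPaddingException {
        List<String> candidates = LEGACY_TO_OPENJDK.getOrDefault(legacyProvider, Collections.emptyList());
        for (String candidate : candidates) {
            if (Security.getProvider(candidate) == null) {
                continue; // provider not installed in this runtime
            }
            try {
                return Cipher.getInstance(transformation, candidate);
            } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
                // provider is installed but does not offer this service; try the next one
            }
        }
        return Cipher.getInstance(transformation);
    }

    /** Note 1: the SunEC native library is absent, so confirm EC key generation before relying on it. */
    static boolean ecKeyGenerationAvailable() {
        try {
            KeyPairGenerator.getInstance("EC");
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** TLSv1.3 is the default in this release; report what the default SSLContext actually enables. */
    static List<String> defaultTlsProtocols() throws NoSuchAlgorithmException {
        return Arrays.asList(SSLContext.getDefault().getDefaultSSLParameters().getProtocols());
    }

    /** Prints every installed provider with its implementation class, for comparison with Table 1. */
    static void listProviders() {
        for (Provider p : Security.getProviders()) {
            System.out.printf("%-16s %s%n", p.getName(), p.getClass().getName());
        }
    }

    public static void main(String[] args) throws Exception {
        listProviders();
        try {
            legacyLookup("AES/GCM/NoPadding");
        } catch (NoSuchProviderException e) {
            System.out.println("Hardcoded IBMJCE lookup failed: " + e.getMessage());
        }
        Cipher c = migratedLookup("AES/GCM/NoPadding", "IBMJCE");
        System.out.println("AES/GCM now served by provider " + c.getProvider().getName());
        System.out.println("EC key generation available: " + ecKeyGenerationAvailable());
        System.out.println("Default TLS protocols: " + defaultTlsProtocols());
    }
}
```

Run it once on the version 8 SDK and once on this release and compare the provider list and the protocol list: a hardcoded provider name that resolves on version 8 and throws here is exactly the code path that must change, and a protocol list that starts with TLSv1.3 is the reason RSA hardware keys used for TLSv1.2 key exchange no longer apply unless the protocol is pinned.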

To assist you with migration, differences between the IBM providers and the OpenJDK providers that replace them are captured in the topics that follow.

The following IBM security components are also included with the SDK:
  • OpenJCEPlus JCE provider
  • System Authentication Facility (SAF)