Sun JCE Vs. IBM JCE
How do I make use of Sun JCE in Websphere environment, where it enforces the use of IBM JCE. I had coded the crypting section using Sun JCE when the application was deployed in Tomcat. Now I am planning to move the same to Websphere.
This is being fixed by supplying the Sun JCE jar as a resource in the lib of the web application. The problem was, IBM websphere does use its own internal JDK that support IBM JCE and I don't know how to configure this to point to an external Jdk1.4 installation for default cryptography support. So, when the decryption/encryption task comes up, it ends up with an exception. Now, we are supplying the Sun JCE as part of the lib which is used to read the secret key file and rest is taken care of by IBM JCE. We are using DESkey. Thanks for the valuable input Grant. Still, I am not sure whether we can configure WSAD to point to an external jdk installation.
Similar Messages
-
Can the IBM JCE be used with the Sun JDK or does it require the IBM JDK?
Message was edited by:
shaneorourkeIt comes as part of the IBM version of the JDK, typically in the $JAVA_HOME/jre/lib/ext directory.
With the version of IBM JRE installed on my machine (Classic VM (build 1.4.2, J2RE 1.4.2 IBM build cxia32142ifx-20041203 (142SR1+80507) (JIT enabled: jitc)), some of the JCE provider files are:
ibmjcefips.jar
ibmjceprovider.jar
ibmjsseprovider2.jar
There are other files in that directory too, but the ibmjceprovider.jar is the one you're looking for. -
Difference Between Sun JVM and IBM JVM
Hi
Can some one let me on the difference between Sun JVM and IBM JVM
regs
Vivek NidhiSun's JVM is built on HotSpot technology: http://java.sun.com/docs/hotspot
and covers a broad range of OS/HW combinations: http://java.sun.com/j2se/1.5.0/system-configurations.html
Maybe you can be more specific in your question or in describing what you want to do.
-Alexis -
Incompatiility among the SUN JAVA and IBM JAVA
Hi,
There are Cryptographic policy files present in jre/lib/security. The
default policy files are not capable of using stronger encryption
algorithms like AES 256.
In order to use them we need to install unrestricted policy files.
The unrestricted policy files provided by Sun works fine but the Sun
JRE is not compatible to the IBM JRE from the following scenario.....
If I use the unrestricted policy files from IBM in the Sun JRE 1.6 the following exception occurs.....
Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
at javax.crypto.SunJCE_b.<clinit>(DashoA13*..)
... 9 more
Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed
by trusted signers!
at javax.crypto.SunJCE_b.a(DashoA13*..)
at javax.crypto.SunJCE_b.i(DashoA13*..)
at javax.crypto.SunJCE_b.g(DashoA13*..)
at javax.crypto.SunJCE_b$1.run(DashoA13*..)
at java.security.AccessController.doPrivileged(Native
Method)
... 10 more
So is Sun Java compatible to IBM java or not?If I use the unrestricted policy files from IBM in the Sun JRE 1.6Did somebody say you could do that?
So is Sun Java compatible to IBM java or not?Of course is it. But nobody said that if you combine elements of both of them, the result will work, did they?
I've deleted your four crossposts. -
Sun MQ on IBM P-series Linux machines
Don't have P handy so....
Will Sun MQ run on a IBM P-series Linux (RH AS 3.x). Would like to use it as the JMS provider for a J2EE container.
If not, shouldn't the doc. say x86 Linux-only (well, the prereqs DO say Pentium 2 or above for the processor....)
ThanksOracle supports the configuration you have planned.
We once thought about this combination but the advantages of running AIX 5.2/5.3 outweighed the benefits of running Linux on P Series. -
Compatibilty Between SUN Java and IBM Java
Hello all,
This is my 1st post in this Forum.
I build a Desktop application compiling my project with IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Linux Java.
The application runs on a windows pc that has the SUN Java version 1.5 installed, but it does not run on a pc that has the SUN Java version 1.6 installed.
I assume that there is a compatibility issue. Could it be the case that :
IBM Java Version 1.5 is only compatible with SUN Java 1.5 ?
Thanks,
HelenYou'll need to check the IBM site for a bug reports, I doubt Sun is going to be concered with a bug in IBM's implementation.
-
HI,
Unfortunatly we have an environment where the app-server (WLS 7.0) is
running on a AIX IBM box with IBM's JVM and the (fat-)clients are on NT
having their Sun JVM. Both JVM work quite well except some incompatibilties
e.g. the different implemented BigDecimal class (whitch can be serialized
betwean NT and AIX but the opsite way round it doesn't work).
As somebody a solution to this, Changeing the JVM on our NT boxes is not an
option.
Regards
TomyMaybe have a look at the System properties for instance "java.vendor"...
-
Signing message with certificate: JCE, IAIK or similar in IBM SDK 5.0
So, I'm in a very difficult problem.
Using Java:
I've an enterprise certificate (in .p12 format) altogether with its public key ("password" string). Also I've a text message which I've to sign in PKCS7 format. I've been reading a lot and I've realized that there's no STANDARD implementation to do what I want to do. There is the JCE/JCA API and the Certification API, but they are just API's, no implementation. Here are the facts:
-I've to run the application in the IBM JDK 5.0 (AS400 system).
-My application actually works in the SUN JDK 6.0 using the IAIK security provider, but not using JCE, its a very ugly code which I dont know really what it does, but it works. When I put it on the IBM JDK 5.0 it fails (java nullpointer blah blah).
-IAIK Documentation says that it works on JDK 5.0. Yeah, it works, but in SUN implementation, not in IBM's.
Today I don't know what the heck to do, really. What do you think it's the best solution?
-Trying to make the IAIK code work in IBM SDK 5.0 by test-and-error method.
-Trying to sign the message using JCE and the IBM JCE provider (this is what I'm actually trying to do). It would be very nice if somebody provides something to read about (I've read lot of IBM/SUN documentation and I couldnt find anything useful for now.
-Trying to put the SUN JDK 6.0 in the AS400. This would be the easy solution but my bosses said that this is impossible and very dangerous, and additionally this wouldn't work.
-Also I've another code which uses the BouncyCastle provider but this doesn't work. Would this be better to learn how to use? I prefer using standards, though.
In conclusion:
I've 4 security providers: IBM, SUN, IAIK and BouncyCastle (just IAIK works, and I need IBM), and
I've 4 SDK's: IBM 5.0, IBM 6.0, SUN 5.0 and SUN 6.0 (just SUN/IBM 6.0 works, and I need IBM 5.0).
I would like any documentation useful to read. I would provide any information which could be important to answer my question.But I hope this could fix it :(
My last code:
public static String firmar(String contenido, String certificado, String password)
throws Exception {
System.out.println(new Date() + ":: Signing using IAIK provider.");
boolean dettached = true;
boolean attributes = true;
boolean CRLF = true;
IAIK iaik = new IAIK();
Security.addProvider(iaik);
byte aByteInfoToSign[] = contenido.getBytes("UTF8");
if(aByteInfoToSign == null)
throw new IOException("Empty message.");
byte digest[] = SHA1(aByteInfoToSign);
String digestHEX = toHexString(digest);
KeyStore keystore = KeyStore.getInstance("PKCS12");
FileInputStream fileinputstream = new FileInputStream(certificado);
keystore.load(fileinputstream, password.toCharArray());
String alias = null;
Enumeration enumeration = keystore.aliases();
if(enumeration.hasMoreElements())
alias = enumeration.nextElement().toString();
else
throw new KeyStoreException("Firmador IAIK: Empty Keystore.");
Certificate certificate = keystore.getCertificate(alias);
PrivateKey privatekey = (PrivateKey)keystore.getKey(alias, password.toCharArray());
* Declared absolutely to avoid incompatibilities betwenn IAIK and Sun classes.
iaik.x509.X509Certificate ax509certificate[] = new iaik.x509.X509Certificate[1];
ax509certificate[0] = new iaik.x509.X509Certificate(certificate.getEncoded());
IssuerAndSerialNumber issuerandserialnumber = new IssuerAndSerialNumber(ax509certificate[0]);
SignerInfo asignerinfo[] = new SignerInfo[1];
asignerinfo[0] = new SignerInfo(issuerandserialnumber, AlgorithmID.sha1, AlgorithmID.rsaEncryption, privatekey);
Attribute aattribute[] = new Attribute[4];
aattribute[0] = new Attribute(ObjectID.contentType, new ASN1Object[] {
ObjectID.pkcs7_data
aattribute[1] = new Attribute(ObjectID.signingTime, new ASN1Object[] {
(new ChoiceOfTime()).toASN1Object()
ObjectID oid = new ObjectID("1.2.840.113549.3.2");
SEQUENCE seqRC2 = new SEQUENCE();
seqRC2.addComponent(oid,0);
seqRC2.addComponent(new INTEGER(40));
SEQUENCE seqEncrypAlgoritmos = new SEQUENCE();
seqEncrypAlgoritmos.addComponent(seqRC2);
Attribute atributo = new Attribute(ObjectID.symmetricCapabilities,
new ASN1Object[] {seqEncrypAlgoritmos});
aattribute[2] = atributo;
aattribute[3] = new Attribute(ObjectID.messageDigest, new ASN1Object[]{ new OCTET_STRING(digest) });
if(attributes)
asignerinfo[0].setAuthenticatedAttributes(aattribute);
byte byte0;
if(dettached)
byte0 = 2;
else
byte0 = 1;
SignedData signeddata = new SignedData(digestHEX.getBytes(), byte0);
signeddata.setCertificates(ax509certificate);
signeddata.addSignerInfo(asignerinfo[0]);
ContentInfo contentinfo = new ContentInfo(signeddata);
if(!contentinfo.hasContent())
throw new Exception("Couldn't create the sign");
ByteArrayOutputStream result = new ByteArrayOutputStream();
ByteArrayOutputStream source = new ByteArrayOutputStream();
contentinfo.writeTo(source); // <-- here is the error (line 136)
Base64OutputStream base64outputstream = new Base64OutputStream(result);
base64outputstream.write(source.toByteArray());
base64outputstream.flush();
base64outputstream.close();
String resFinal;
if(CRLF)
resFinal = result.toString();
else
resFinal = result.toString().replaceAll("[\r\n]+","");
// resFinal = sinCRLF(result.toString());
if(resFinal.equals(""))
throw new Exception("Couldn't create the sign");
* Restore the Security variable.
Security.removeProvider(iaik.getName());
return resFinal;
private static byte[] SHA1(byte abyte0[])
try
MessageDigest messagedigest = MessageDigest.getInstance("SHA-1");
byte abyte1[] = messagedigest.digest(abyte0);
messagedigest.reset();
return abyte1;
catch(NoSuchAlgorithmException nosuchalgorithmexception)
throw new Error("Configuration error", nosuchalgorithmexception);
private static String toHexString(byte abyte0[])
StringBuffer stringbuffer = new StringBuffer();
int i = abyte0.length;
for(int j = 0; j < i; j++)
byte2hex(abyte0[j], stringbuffer);
return stringbuffer.toString().toUpperCase();
private static void byte2hex(byte byte0, StringBuffer stringbuffer)
char ac[] = {
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
'a', 'b', 'c', 'd', 'e', 'f'
int i = (byte0 & 0xf0) >> 4;
int j = byte0 & 0xf;
stringbuffer.append(ac);
stringbuffer.append(ac[j]);
}Using the IBM SDK 5.0, the error:iaik.pkcs.PKCSException: iaik.asn1.CodingException: iaik.asn1.CodingException: Unable to encrypt digest: No installed provider supports this key: (null)
at iaik.pkcs.pkcs7.SignedData.toASN1Object(Unknown Source)
at iaik.pkcs.pkcs7.SignedDataStream.toASN1Object(Unknown Source)
at iaik.pkcs.pkcs7.ContentInfo.toASN1Object(Unknown Source)
at iaik.pkcs.pkcs7.ContentInfo.writeTo(Unknown Source)
at aeat.FirmadorIAIK.firmar(FirmadorIAIK.java:136)
... more irrelevant data... -
Unable to locate unrestricted policy files for the Sun JCE for download
My platform:
java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Oracle JRockit(R) (build R28.1.4-7-144370-1.6.0_26-20110617-2130-windows-x86_64, compiled mode)
I am unable to locate the Unlimited Strength Jurisdiction JCE files.
According to BouncyCastle for Java 1.6:
..."you must download the unrestricted policy files for the Sun JCE if you want the provider to work properly. The policy files can be found at the same place as the JDK download. Further information on this can be found in the Sun documentation on the JCE."The version at the very bottom of http://www.oracle.com/technetwork/java/javase/downloads/index.html should work.
-
PEM to DER decoding using JCE API
Hi,
I need to convert PEM files to DER format within my
Java code (each PEM file is coming in as a String object).
Does anyone know of a way to do this using the Sun JCE
(or IBM provider)?
Thanks muchI figured out how to do this. In case someone else runs into
this problem in the future, here's one solution.
1. Strip the delimiters , i.e "-----BEGIN PRIVATE KEY-----"
and "-----END PRIVATE KEY-----" from the PEM file. You
will be left with the Base64 encode text.
2. Use a Base64 decoder class (e.g com.ibm.misc.BASE64Decoder)
to decode the Base64 back to the original DER bytes.
For example:
//privateKeyStr String contains the PEM data
int pemStartIndex = privateKeyStr.indexOf("\n") + 1;
int pemEndIndex = privateKeyStr.indexOf("-----END");
String pemStr = privateKeyStr.substring(pemStartIndex, pemEndIndex);
byte[] keyData = null;
com.ibm.misc.BASE64Decoder base64 = new com.ibm.misc.BASE64Decoder();
keyData = base64.decodeBuffer(pemStr); //keyData now contains DER data
That's it. -
Hello to all :)
I have to make a symmetric algorithm in Java and i need to have these three stuff in it
1) Sun Java Cryptography Extension (JCE)
2) JCE Unlimited Strength Jurisdiction Policy
3) Bouncycastle Provider
cause i need the packages
javax.crypto.*
java.security.*
what shall i download from the internet in order to have them and how do i place them in my region?
Thanks, in advance!Thanks for replying!
Well i haven't downloaded anything from the internet.
I have a region(login session -unix) in my university where the Java is already in, but the JCE is not included in it cause when i tried to make a simple problem using import javax.crypto.* and java.security.* i had some warnings saying that these are not used referring to these two imports, so maybe JCE is not in.
So, where shall i download this JCE and how shall i place it in my region and in which folder?
I'm sorry for my questions but i'm new at Java and i don't know how to fix the system for running my exercises :) -
Can we use JCE embedded into JAVA 1.5 outside USA and Canada?
Hello all,
in the old JCE 1.2.2 (http://java.sun.com/products/archive/jce/) where was a restriction: RESTRICTED TO THE UNITED STATES AND CANADA. If you do not reside in the United States or Canada, you will not be able to download this software.
Is there the same restriction also in the embedded JCE into java 1.5 ?
I can not see any restriction. is it correct?
Could you give me the link where I can find the restriction or the license and term of use about JCE embedded in JAVA 1.5?
Thanks
MatteoThose restrictions were lifted during the Clinton administration.
-
Differences between JCA und JCE
Can someone explain me the differences between JCA and JCE ?
I guess there are more features in JCE, but I don't see exactly what.
Thanks, ClaudeJCA gives you MessageDigest, Security, KeyFactory, KeyPair, SecureRandom, and Provider classes. JCE adds Cipher, CipherIn/OutputStream, KeyGenerator, SecretKeyFactory, SealedObject, KeyAgreement and Mac classes.
[url http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html]JCA Docs
[url http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html]JCE Docs
Grant -
JCE/JWS Conflicting Signature Requirements
I'm trying to use a JCE cryptography provider in a Java Web Start application, and I'm running into a conflict with JAR signatures:
Using a plugin JCE cryptography provider requires a JAR signed by a certificate chain rooted at Sun's self-signed JCE certificate.
Java Web Start (JWS), on the other hand (if you want full client-side permissions), requires that every JAR be signed by exactly one certificate, and that the certificate be root-trusted according to the cert library that ships with Java (Verisign, etc.).
Unfortunately, as far as I can tell, this means that either:
* JCE's requirement for signature by Sun's JCE chain needs to be waived, or
* I have to load the classes for JCE outside of JWS's resource-loading mechanisms.
Has anyone else faced this? Did you find a solution? Did you just have to load the JCE crypto provider classes outside of Java Web Start?
Bonus question: what is the motivation for requiring exactly one signature (as opposed to two, which is still validatable in my experience) on a JAR file in Java Web Start?dear bill & all,
my JWS application also employs bouncycastle as the JCE provider. although i can make the application load successfully by specifiying an extension for the JCE resource in the master jnlp file, i still get the warning message returned from JWS' security manager saying the bouncycastle's signature cannot be verified and it recommends the user NOT to install and run the code. The following is the exact message that i got from JWS:
"This library is requesting unrestricted access to your local machine and network.
Do you want to install and run: Versitech e-Form Filler v2.0
Signed and distributed by: The Legion of the Bouncy Castle
Warning: Failed to verify the authenticity of this certificate. No assertions can be made of the origin or validity of the code.
It is highly recommended not to install and run this code"
this is because the bouncycastle provider is signed by a codesigning cert that is issued by SUN whose root CA is not included in the default CA list of JWS.
although one can always ignore such message and continue to launch the application, this is not acceptable by my client who requires strict error/warning-free installation.
does anyone has any clue to solve this problem and make JCE and JWS a true integration?
--matchy -
Hi,
I am cross posting this, I didnot get any reply so I was thinking I posted in the wring category. So here is my post again in security. Hopefully I get some directions here.
I am recently trying to enable SSL support for OAS which I sucessfully managed. As a next step I wanted to get mutual authentication up and running. Which also I got setup. After this my issues started to popup.
I used the oracle wallet manager to create self signed certificates to use in the setup. Java's JCE I found is no good with PKCS12 that oracle wallet manager uses. So I went for an alternative from Bouncy Castle (BC). It works fine but only for a wierd case which is completely wrong. What goes wrong with BC is that is does not find the truststore in the client wallet (although it is there). But if as a truststore I give the path to the server's wallet which contains the server's certificate, everything works fine. Any idea what could be causing this. I just figured it must be some other format of the pKCS12 certificate the Oracle wallet manager generates and the BC JCE is reading.
Then I found out at java forums someone saying that phaos was excellent for PKCS12 certificates. Going there I found out its oracle's sdk now and seeing that I though using oracle's JCE will solve all my incompatability problem. Anyways turns out the Oracle JCE uses the JCE 1.2.1 framework which works with the JDK 1.2 uptil 1.3. Any when I use it with the my JDK 5.0, I get a Stackoverflow exception. I need to use jdk 5 and I need a solution for https. Any suggestions of how should I proceed.
Regards,
AhsanHi,
Using eclipse I changed the jre environment to 1.2 and 1.3 to see if that was really the problem. But I still get the stack overflow exception. I paste a portion of this exception as below :
Exception in thread "main" java.lang.StackOverflowError
at sun.reflect.GeneratedConstructorAccessor2.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
at java.lang.Class.newInstance0(Class.java:350)
at java.lang.Class.newInstance(Class.java:303)
at java.security.Provider$Service.newInstance(Provider.java:1130)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
at java.security.SecureRandom.getInstance(SecureRandom.java:251)
at java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:187)
at java.security.SecureRandom.<init>(SecureRandom.java:150)
at com.phaos.crypto.SREntropySource.<init>(SREntropySource)
at com.phaos.crypto.EntropySource.getDefault(EntropySource)
at com.phaos.jce.provider.PhaosSecureRandomSpi.<init>(Unknown Source)
at com.phaos.jce.provider.MD5SecureRandomSpi.<init>(Unknown Source)
at sun.reflect.GeneratedConstructorAccessor2.newInstance(Unknown Source)
at java.lang.Class.newInstance(Class.java:303)
at java.security.Provider$Service.newInstance(Provider.java:1130)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
at java.security.SecureRandom.getInstance(SecureRandom.java:251)
at java.security.SecureRandom.getDefaultPRNG(SecureRandom.java:187)
at java.security.SecureRandom.<init>(SecureRandom.java:150)
at com.phaos.crypto.SREntropySource.<init>(SREntropySource)
at com.phaos.crypto.EntropySource.getDefault(EntropySource)
at com.phaos.jce.provider.PhaosSecureRandomSpi.<init>(Unknown Source)
at com.phaos.jce.provider.MD5SecureRandomSpi.<init>(Unknown Source)
at sun.reflect.GeneratedConstructorAccessor2.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
at java.lang.Class.newInstance0(Class.java:350)
Any ideas what I am doing wrong.
Regards,
Ahsan.
Maybe you are looking for
-
What is "Missing Port Information" error?
Setting FINEST log level on JAXRPC in the AS8 2004Q04 Beta reveals nothing. Searches on this forum provides only 3 matches for "Missing port information" (this one makes 4). In http://forum.java.sun.com/thread.jsp?forum=136&thread=508958 the same pro
-
How can i have my brothers itouch 5 to appear on the mac so i can import songs in it
please help
-
Two PR Line items for the TAB Item category
Hi, We have created a sales order with TAB item category. In MD04 we found two line items of the same firmed PR. Any idea why two lines of PR are generated? Regards, Vengat
-
Changes visible in BOM although ECM not released yet
Hi, I have a BOM which has been updated together with a change number. The change number still has status "in work" and not released. When I go to CS03, with all dates removed on the selection screen, I see the changes in there with the change number
-
Netgear AC1750 1300 Mbps 4-Port Gigabit Wireless AC Router (R6300)
If I buy one of these will it work with FIOS?