I would like to configure the Oracle JDK to use IBM's FIPS-compliant JCE/JSSE security providers. What JAR files do I need and where should they be installed? What should the provider list in the java.security file look like?
4

user987339

Rob H
- I'm pretty sure this would be a non-compliant configuration (e.g. not tested) – Albert T. Wong Apr 15 '11 at 22:50
- This [web page](http://www.ibm.com/developerworks/java/jdk/security/60/FIPShowto.html) speaks about how to enable them on IBM's JDK, but does not say anything about how to do this on non-IBM SDKs. – Paŭlo Ebermann Apr 16 '11 at 20:22
3 Answers
4
I'm using IBMJCE on Sun JDK 5 and it works fine. It may be similar to FIPS, I guess.
You need ibmjceprovider.jar, ibmpkcs.jar and ibmjcefips.jar.
You can find them in the IBM JRE.
The code is like this:
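```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import com.ibm.crypto.provider.IBMJCE;

public class IbmJceExample {
    static {
        // Install IBM's provider
        Security.addProvider(new IBMJCE());
    }

    // Seed string used below; its declaration is not shown in the original snippet
    private final String str;

    public IbmJceExample(String str) { this.str = str; }

    public byte[] encrypt(byte[] input) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("DES");
        // Call IBM's provider
        SecureRandom sr = SecureRandom.getInstance("IBMSecureRandom", new IBMJCE());
        sr.setSeed(str.getBytes());
        kg.init(sr);
        Key key = kg.generateKey();
        Cipher cipher = Cipher.getInstance("DES");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(input);
    }
}
```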
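A check for which provider actually services each call, as an added example that is not part of the answer above: `Security.addProvider` appends to the end of the preference list, and `getInstance` without a provider argument takes the first provider in that list that supports the algorithm. The class name `ProviderAudit` and the default expected provider `SunJCE` are assumptions; only standard JDK classes are used.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;

// Added example: reports which installed provider services each JCE request.
public class ProviderAudit {
    // Provider chosen by getInstance() when the caller names no provider.
    static String resolve(String service, String algorithm) throws Exception {
        switch (service) {
            case "Cipher":
                return Cipher.getInstance(algorithm).getProvider().getName();
            case "KeyGenerator":
                return KeyGenerator.getInstance(algorithm).getProvider().getName();
            default:
                throw new IllegalArgumentException("unsupported service: " + service);
        }
    }

    public static void main(String[] args) throws Exception {
        // Provider name the caller expects, e.g. "IBMJCE"; "SunJCE" is an assumed default.
        String expected = args.length > 0 ? args[0] : "SunJCE";

        // 1. Preference order: java.security entries first, addProvider() entries last.
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            System.out.printf("%2d. %s (%s)%n", i + 1,
                    installed[i].getName(), installed[i].getClass().getName());
        }

        // 2. The two provider-less lookups made in the answer's snippet.
        String[][] requests = { {"KeyGenerator", "DES"}, {"Cipher", "DES"} };
        boolean allMatch = true;
        for (String[] r : requests) {
            String actual = resolve(r[0], r[1]);
            boolean match = actual.equals(expected);
            allMatch &= match;
            System.out.printf("%s.%s -> %s%s%n", r[0], r[1], actual,
                    match ? "" : "  (expected " + expected + ")");
        }

        // 3. Every provider offering the cipher, in the order getInstance() tries them.
        Provider[] offering = Security.getProviders("Cipher.DES");
        for (Provider p : offering == null ? new Provider[0] : offering) {
            System.out.println("Cipher.DES offered by " + p.getName());
        }
        System.exit(allMatch ? 0 : 1);   // non-zero exit: a lookup went to another provider
    }
}
```

Run it with the expected provider name as the first argument; a non-zero exit status means at least one lookup resolved to a different provider.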
1
According to this IBM document, FIPS-approved providers are only available with the IBM SDK.
Another clue (because I first thought WebSphere on Solaris runs on the Oracle JVM): in the WebSphere MQ requirements on Solaris, a note clearly states that
> FIPS compliance is only supported on IBM SDK

In fact, on the Solaris platform, the IBM SDK is built on the Sun/Oracle JVM but with many changes (ORB and security...).

Yves Martin