Content received from: http://JavaFAQ.nu/java-article627.html
IBM Security Providers: An Overview Wednesday, December 22, 2004 (00:00:00)
Security has been a major design goal and a key architectural feature of
Java™ technology since its inception. The security capabilities of Java
technology have two roots:
- The Java Runtime Environment (JRE), a ready-made platform on which
applications can run in a secure fashion
- Security tools and services APIs, which provide a security infrastructure
by serving as building blocks in developing secure systems
Several Java security components are responsible for providing security
services. The components were developed based on a set of design principles --
implementation independence and interoperability, algorithm independence and
extensibility -- that were first introduced in the Java Cryptography
Architecture (JCA) framework. They all follow the JCA framework architecture,
which is a service provider-based architecture that allows you to plug in
multiple security mechanisms through the Service Provider Interface (SPI). But
the components have different purposes and security operations, and each one
supports a different set of algorithms and protocols.
Each Java Software Development Kit (SDK) has a default list of security
providers preregistered in the Java security configuration located in
/jre/lib/security/java.security. You simply request a
particular security service through Java APIs. This shields you from the
complexity of the underlying implementation of the security operations, while
allowing the Java security components to support an increasing number of
algorithms and security mechanisms.
The IBM® 1.4.2 SDK is the most comprehensive security offering available
from IBM for the Java 2 platform. It differs from the Sun 1.4.2 JDK in that IBM
has implemented providers for all the Java security components. Previous
versions of the JRE (1.2.x and 1.3.x) came with a default Sun provider. In the
IBM 1.4 environment, a number of new providers replace that default provider.
IBM's Java security configuration includes four default security providers
and several optional providers you can register and configure to use for your
applications. We'll go through each of the providers in more detail and
highlight the differences between the IBM and Sun providers.
The IBMJSSE provider
The Java Secure Socket Extension (JSSE) provides a standard Java API for
encapsulating the Secure Socket Layer (SSL) and Transport Layer Security (TLS)
protocols, including functionality for data encryption, server authentication,
message integrity, and optional client authentication. JSSE users can write to a
standard API without worrying about the underlying SSL/TLS implementation. JSSE
also supports HTTP encapsulated in the SSL protocol (HTTPS), which allows access
to data such as Web pages using HTTPS. JSSE was an optional package to Java 1.2
and 1.3 and has been integrated into the JDK since Version 1.4. In the IBM 1.4.2
SDK, the JSSE framework allows additional JSSE providers; the Sun JSSE framework
doesn't. The IBM SDK comes preinstalled with two additional JSSE providers --
IBMJSSEProvider2 and IBMJSSEFIPSProvider, which we'll discuss later in this
article. IBMJSSE is the preregistered provider, and IBMJSSEProvider2 and
IBMJSSEFIPSProvider are optional.
The IBMJSSE provider supports the following standard algorithms and types:
- SSLContext: SSLv2, SSLv3, SSL, TLSv1, TLS, and SSL_TLS
- KeyManagerFactory: IbmX509
- TrustManagerFactory: IbmX509
- Cipher suites:
  SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
  SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA,
  SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA,
  SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
  SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
  SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
  SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
  SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
  SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
  SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5,
  SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_AES_128_CBC_SHA,
  SSL_DH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,
  SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
  SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, and
  SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
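As an added example (not code from the original article or from IBM), the following Java program shows the provider mechanism described above from the application side: it walks the provider list registered in java.security in preference order, asks the JCA for a TLS SSLContext, KeyManagerFactory and TrustManagerFactory (requesting the IbmX509 algorithm only when an IBMJSSE provider is registered, otherwise the platform defaults), and then flags every cipher suite the context could negotiate whose name marks it as NULL-encryption, anonymous, export-grade, single-DES, RC4 or MD5-based, all of which occur in the list above. The class name ProviderAudit and the weak-suite name patterns are my own choices, and getSupportedSSLParameters requires Java 6 or later.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ProviderAudit {
    // Name fragments of suites a defender would not leave enabled: no
    // encryption (NULL), unauthenticated key exchange (anon), 40-bit export
    // grades, single DES (but not 3DES_EDE), RC4, and MD5-based MACs.
    // These patterns are an assumption of this example, drawn from the suite
    // names listed in the article.
    private static final Pattern WEAK =
        Pattern.compile("NULL|anon|EXPORT|_DES_CBC|RC4|MD5");

    public static boolean isWeak(String suite) {
        return WEAK.matcher(suite).find();
    }

    // Filter a suite list down to the entries matching the weak patterns.
    public static List<String> weakSuites(String[] suites) {
        List<String> out = new ArrayList<String>();
        for (String s : suites) {
            if (isWeak(s)) out.add(s);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // 1. Providers in the order java.security lists them (lower is preferred).
        int pos = 1;
        for (Provider p : Security.getProviders()) {
            System.out.printf("%d. %s (%s)%n", pos++, p.getName(), p.getInfo());
        }
        // 2. Let the JCA pick the provider for each service and report which answered.
        boolean ibm = Security.getProvider("IBMJSSE") != null;
        String kmAlg = ibm ? "IbmX509" : KeyManagerFactory.getDefaultAlgorithm();
        String tmAlg = ibm ? "IbmX509" : TrustManagerFactory.getDefaultAlgorithm();
        SSLContext ctx = SSLContext.getInstance("TLS");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmAlg);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlg);
        System.out.println("SSLContext TLS      <- " + ctx.getProvider().getName());
        System.out.println("KeyManagerFactory   <- " + kmf.getProvider().getName() + " (" + kmAlg + ")");
        System.out.println("TrustManagerFactory <- " + tmf.getProvider().getName() + " (" + tmAlg + ")");
        // 3. List supported suites that match the weak patterns so they can be disabled.
        ctx.init(null, null, null);
        for (String s : weakSuites(ctx.getSupportedSSLParameters().getCipherSuites())) {
            System.out.println("weak suite supported: " + s);
        }
    }
}
```

Suites reported in step 3 are only those the provider can offer; which ones a connection actually negotiates is governed by setEnabledCipherSuites on the socket or engine, which is where the weak ones should be excluded.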
Differences from the Sun version
The JSSE documentation includes the complete set of differences between the IBM
and Sun JSSE implementations. The major differences are detailed below: