Sun B2B Suite AS2 Protocol Manager User's Guide

Configuring Cryptographic Features

Your use of the AS2 protocol assumes you are also using its cryptographic features (encryption, decryption, signatures, and verifications). Additional configuration steps are required in setting up the eXchange Service to use these features. The eXchange Secure Messaging Extension With Keystore (SME/KS) feature enables protected transmission of messages over public domains by providing message encryption, decryption, digital signing, and signature verification.


Note –

For more information on this feature, see Chapter 3, Using SME/KS With AS2 PM.


You must associate encryption information with each XDC eXchange Service. For complete information on setting up an eXchange Service with cryptographic features for protocol managers, see the eXchange Integrator User’s Guide.


Note –

For specific examples of this operation, see the encryption setup used in the sample scenario explained in Chapter 6, AS2 PM Sample Scenario Tutorial.


The rest of this section explains how to install the files that SME/KS needs in order to operate with your AS2 PM system.

Java Cryptography Extension Framework

The Java Cryptography Extension (JCE) framework includes the ability to enforce restrictions on the cryptographic algorithms and strengths. These restrictions are specified in jurisdiction policy files. These files are necessary to enable operation of SME/KS features.

Import control restrictions imposed by some governments require that the default jurisdiction policy files packaged with the Java Run-time Environment (JRE) specify that only strong but limited cryptography may be used. An unlimited strength policy file with no restrictions on cryptographic strength is available for most countries. However, only the strong but limited version can be readily imported into those countries where the governments restrict cryptography. In your JRE environment, the strong but limited default policy files are located as follows:

Where <java-home> is the JRE directory within your Java Development Kit (JDK) environment, or the top-level directory of the JRE. The unlimited strength versions of these policy files are downloaded from a Java Download web page (see To Download and Install the Policy Files).

The JCE framework has been through the U.S. export review process and is certified for export. Consult with your export/import control authority to determine your policy requirements.

Installing Policy JAR Files for SME/KS

Before you can implement security using SME/KS, you must replace the existing policy files. You will download different files based on the version of your JRE and your operating system. See Table 2–1 to determine which JRE is running on your logical hosts.

Table 2–1 JRE Versions Listed by Operating System

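Operating System                         JRE     URL
---------------------------------------  ------  -------------------------------------------------------------
Solaris, Windows, Linux, HP-UX, Tru64    1.5.0   http://java.sun.com/j2se/1.5.0/download.html
AIX                                      1.4.1   http://java.sun.com/products/archive/j2se/1.4.1_07/index.html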

To download the files, go to the appropriate URL for your operating system and follow the instructions under To Download and Install the Policy Files.


Note –

Some governments may allow certain applications to be exempt from cryptographic restrictions, that is, exempt applications may implement stronger encryption than nonexempt applications. For an application to be recognized as exempt at run time, it must meet the following criteria:


To Download and Install the Policy Files

  1. Open your browser.

  2. Based on your operating system, do one of the following actions:

    • For Solaris, Windows, Linux, HP-UX, and Tru64 (JRE 1.5.0), go to:

      http://java.sun.com/j2se/1.5.0/download.html

    • For AIX (JRE 1.4.1), go to:

      http://java.sun.com/products/archive/j2se/1.4.1_07/index.html

  3. For Solaris, Windows, Linux, HP-UX, or Tru64, do the following operation:

    1. On the JSE 1.5.0 web page, scroll down to Other Downloads.

    2. Click Download for Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0 and download jse_policy-1_5_0.zip (8.64 kilobytes, including two .jar files each somewhat less than 2500 bytes).

    3. After downloading the archive file, extract the following .jar files:

      • local.policy.jar

      • US_export_policy.jar

    4. For each of your Logical Hosts, replace the existing policy files in the following directory:

      Logical Host/jre/lib/security/

  4. For AIX, do the following operation:

    1. On the Archive-Java Technology Products Download page, scroll down to Other Downloads.

    2. Click the Download link for Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 1.4.1 and download jce_policy-1.4.1.zip (9.48 kilobytes, contains two files approximately 4300 bytes each).

    3. After downloading the archive file, extract the following .jar files:

      • local.policy.jar

      • US_export_policy.jar

    4. For each of your logical hosts, replace the existing policy files in the following directories:

      • Logical Host/jre/lib/security/
      • Logical Host/jre/1.4.1/security
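
After replacing the files, you can confirm that a JRE really enforces the unlimited strength policy. The following check is an added example, not part of the original guide or of the product. The class name JcePolicyCheck is hypothetical, and it assumes a JRE 1.5.0 or later (Cipher.getMaxAllowedKeyLength is not available on 1.4.1) with a provider that offers AES and Blowfish.

```java
import java.io.File;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class name): reports the JCE policy a JRE enforces.
public class JcePolicyCheck {

    // Ciphers that the default "strong but limited" policy caps at 128-bit keys.
    private static final String[] CAPPED = { "AES", "Blowfish" };

    // Key-size ceiling in bits that the installed policy grants for an algorithm.
    static int maxKeyBits(String algorithm) throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength(algorithm);
    }

    // Functional probe: initialising AES with a 256-bit key fails under the limited policy.
    static boolean canInitAes256() throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            // All-zero key is a constructed probe value; nothing is encrypted with it.
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[32], "AES"));
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Shows which JRE was actually tested, so each Logical Host can be checked in turn.
        File policyDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        System.out.println("JRE under test  : " + System.getProperty("java.home"));
        System.out.println("Policy directory: " + policyDir + (policyDir.isDirectory() ? "" : " (not found)"));

        boolean unlimited = canInitAes256();
        for (int i = 0; i < CAPPED.length; i++) {
            int bits = maxKeyBits(CAPPED[i]);
            unlimited &= bits > 128;
            System.out.println(CAPPED[i] + " max key length: "
                    + (bits == Integer.MAX_VALUE ? "unrestricted" : bits + " bits"));
        }
        System.out.println(unlimited ? "Unlimited strength policy is in effect."
                                     : "Strong but limited policy is still in effect.");
        System.exit(unlimited ? 0 : 1);
    }
}
```

Compile the class once and run it with the JRE of each Logical Host in turn, because the result applies only to the JRE that executes it. An exit status of 0 means the unlimited strength files were picked up; 1 means that JRE is still loading the default policy files.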