Sun Java System Identity Pack 2005Q4M3 Installation  

E

Configuring JCE

This chapter details the steps necessary to configure the Java Cryptography Extension (JCE) to work with the application.

The JCE provides the application with the crypto ciphers that it uses for data encryption and decryption as well as MD5 hashing of private data.


What is JCE?

JCE is a set of packages that provides a framework and implementations for:

The software also supports secure streams and sealed objects.

JCE is designed so that other qualified cryptography libraries can be plugged in as service providers and new algorithms can be added seamlessly. Qualified providers are digitally signed by a trusted entity.

JCE has been integrated into the Java 2 SDK, Standard Edition, Version 1.4. In previous releases of the Java 2 SDK, Standard Edition, JCE was an optional extension package.


When to Implement JCE?

Administrators typically set up JCE to work with the application when:


Configuring the Application to Work with JCE

The following table identifies the actions you should take when Identity Install Pack is installed in the described environment.

Scenario: JDK does not include an implementation of JCE
(Look in jre/lib or jre/lib/ext to confirm whether JCE is installed.)
Action: No configuration changes are needed. The JCE framework and provider will be loaded at runtime from idm/WEB-INF/lib.

Scenario: JDK does include an implementation of JCE 1.2.x
Action: Follow the procedure outlined in When the JDK Includes an Implementation of JCE 1.2.x.


Note  Java searches for classes to load at runtime in the following order:

  1. Java runtime (jre/lib/rt.jar)
  2. Java extensions directory (jre/lib/ext)
  3. Java application class path (for example, idm/WEB-INF/lib)

When the JDK Includes an Implementation of JCE 1.2.x

Use the following procedure when Identity Install Pack is installed in an environment where the JDK includes an implementation of JCE 1.2.x (in jre/lib or jre/lib/ext). Do not use the Cryptix JCE if you are using Java 1.4 or higher.


Note  The Cryptix jars are no longer included and no longer supported. You need to remove them if you haven't already. If you've customized your Waveset.properties file, please make sure that the security.jce.workaround property is set to false or removed. An exception will be thrown if this property is set to true, because the intention of this property will not be fulfilled.

  1. Remove the Cryptix jars (cryptix-jce-api.jar and cryptix-jce-provider.jar) from the idm/WEB-INF/lib directory.
  2. Ensure that the jre/lib/security/java.security file lists at least one provider that implements the DESede (triple DES) cipher. The file's list of providers is the order in which they are searched when a crypto cipher is requested.
  3. If you are unsure, you can add the SunJCE provider (com.sun.crypto.provider.SunJCE), which supports this cipher, to the java.security file as follows:

    security.provider.n=com.sun.crypto.provider.SunJCE

    where n is the next number in the list of providers to be searched. You can download this provider from the Sun Web site.

    Put the provider that implements the DESede cipher in the jre/lib/ext directory so that it can be loaded by the Java runtime class loader. If the JCE framework cannot find a provider that implements the DESede cipher, you will most likely see the following error message when the Identity Install Pack server starts:

    Error initializing Encryptor: Algorithm DESede not available

  4. Ensure that the two policy certificate files are in the same directory as the JCE provider. These files are:

    local_policy.jar (US cert)

    US_export_policy.jar (exportable cert)

  5. If the application server is running Java 1.4 or higher, make sure that security.jce.workaround=true has not been added to the Waveset.properties file. Delete this property if it exists.
  6. Restart the Web application server and your application.
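A small diagnostic for checking the items above with the same JDK the application server runs on, added here as an example (it is not part of Identity Install Pack). It assumes the policy jars sit in jre/lib/security and takes the path to Waveset.properties as an optional argument:

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import java.util.Properties;
import javax.crypto.Cipher;

// Constructed diagnostic, not Identity Install Pack code. Run it with the server's JDK:
//   java JceCheck /path/to/Waveset.properties
public class JceCheck {
    public static void main(String[] args) throws Exception {
        // 1. Providers registered by jre/lib/security/java.security, in search order.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("security.provider." + (i + 1) + " = "
                + providers[i].getName() + " (" + providers[i].getClass().getName() + ")");
        }

        // 2. Can the framework satisfy a request for DESede? This is the same lookup the
        //    Encryptor makes at startup; failure here is the "Algorithm DESede not available" case.
        try {
            Cipher c = Cipher.getInstance("DESede");
            System.out.println("DESede served by provider: " + c.getProvider().getName());
        } catch (GeneralSecurityException e) {
            System.out.println("No provider implements DESede: " + e);
        }

        // 3. Policy jars: assumed location is <java.home>/lib/security (java.home is the JRE).
        File policyDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        String[] jars = { "local_policy.jar", "US_export_policy.jar" };
        for (int i = 0; i < jars.length; i++) {
            File f = new File(policyDir, jars[i]);
            System.out.println(jars[i] + ": " + (f.exists() ? "present" : "MISSING") + " in " + policyDir);
        }

        // 4. Optional: confirm security.jce.workaround is absent or false in Waveset.properties.
        if (args.length > 0) {
            Properties p = new Properties();
            FileInputStream in = new FileInputStream(args[0]);
            try { p.load(in); } finally { in.close(); }
            String v = p.getProperty("security.jce.workaround");
            System.out.println("security.jce.workaround = " + (v == null ? "(not set)" : v)
                + ("true".equalsIgnoreCase(v) ? "  <-- remove or set to false on Java 1.4+" : ""));
        }
    }
}
```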




Copyright 2006 Sun Microsystems, Inc. All rights reserved.