35 Using JCE Providers with WebLogic Server
Using the RSA JCE Provider
The RSA JCE provider is included with WebLogic Server. The RSA JCE provider is located in cryptoj.jar
, which is in the WebLogic Server classpath by default. You can use the RSA JCE provider in non-FIPS or FIPS mode.
Note:
This section describes using the RSA JCE provider in non-FIPS mode. To use the RSA JCE provider in FIPS mode, see Enabling FIPS Mode.
Using the following URL, download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files that correspond to the version of your JDK. These Java policy JAR files affect cipher key sizes greater than 128 bits.
https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
Note:
You can skip this step if you are running WebLogic Server on JDK 8u161 or later. On JDK 8u161 and later, stronger cryptographic algorithms are available by default.Open the .ZIP distribution and update local_policy.jar
and US_export_policy.jar
in JAVA_HOME
/jre/lib/ security
. See the README.txt
file in the .ZIP distribution for more information and installation instructions.
The RSA CryptoJ documentation describes at least two ways to use the RSA's JCE Provider:
-
Static registration (for example, by editing
java.security
).security.provider.1=com.rsa.jsafe.provider.JsafeJCE
-
Dynamic registration at runtime.
// Create a Provider object Provider jceProvider = new com.rsa.jsafe.provider.JsafeJCE(); // Add the JCE Provider class to the current list of providers available on the system. Security.insertProviderAt (jceProvider, 1);
Using the JDK JCE Provider
WebLogic Server supports the use of the JDK JCE provider (SunJCE
). The JCA framework includes an ability to enforce restrictions regarding the cryptographic algorithms and maximum cryptographic strengths available to applets/applications in different jurisdiction contexts (locations).
For more information about the features in SunJCE
, see the Java™ Cryptography Architecture (JCA) Reference Guide at http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html
.
The restrictions regarding cryptographic algorithms and cryptographic strengths are specified in "jurisdiction policy files". See the Java™ Cryptography Architecture (JCA) Reference Guide.
WebLogic Server will continue to control the strength of the cryptography used by the WebLogic Server Application Programming Interfaces (APIs). Client code without the appropriate domestic strength cryptography setting will only be able to use the Java SE export strength default cryptography. On the server, WebLogic Server will enable either export or domestic strength cryptography.
Using nCipher JCE Provider
JCE providers like nCipher, that use a hardware card for encryption, offload SSL processing from Web servers which frees the servers to process more transactions. They also provide strong encryption and cryptographic processes to preserve the integrity and secrecy of keys.
WebLogic Server also supports the use of the nCipher JCE provider. SSL is a key component in the protection of resources available in Web servers. However, heavy SSL traffic can cause bottlenecks that affect the performance of Web servers. You can install nCipher JCE provider that helps in offloading SSL traffic from Web servers so that the servers can perform efficiently.