34 Using JCE Providers with WebLogic Server
Using the Jipher JCE Provider
The Jipher JCE provider is an Oracle-developed JCE provider that is included with WebLogic Server. It is located in jipher-jce.jar, which is in the WebLogic Server classpath by default. It is built on top of OpenSSL and uses the OpenSSL FIPS module.
Note:
The April 2026 Patch Set Update (PSU) adds support for the Jipher JCE provider.
You can configure a FIPS-compliant implementation of WebLogic Server by registering the Jipher JCE provider and the SunJSSE provider in the first and second positions, respectively, in the JDK java.security file, as described in Enabling FIPS Mode with Jipher JCE and SunJSSE Providers.
You can register the Jipher JCE provider either by customizing the java.security properties file in the deployment environment to modify the registered provider list, or by specifying a system property on the command line.
- Override the default java.security file (note the double equal signs):
    java -Djava.security.properties==/etc/sysconfig/jvm1.java.security
- Append to or override parts of the java.security file (note the single equal sign):
    java -Djava.security.properties=/etc/sysconfig/jvm.java.security
If you require support for non-FIPS compliant algorithms, you can register another JCE provider in a position below Jipher JCE, and the non-FIPS compliant algorithms will fall through to use that provider instead.
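To confirm the provider order the JVM actually ends up with, and which provider an algorithm falls through to, the following added example (not Oracle's code and not part of WebLogic Server) lists the registered providers by position and the first provider that offers each of a few sample services. The class name, the sample service list and the optional argument naming the provider expected in position 1 are assumptions of this example.

```java
import java.security.Provider;
import java.security.Security;

// Added example, not part of WebLogic Server: reports the effective JCA
// provider order and which registered provider serves each service first.
public class ProviderOrderCheck {

    // Constructed sample list of "<service>.<algorithm>" filters; adjust it
    // to the algorithms your applications use.
    static final String[] SAMPLE_SERVICES = {
        "MessageDigest.SHA-256", "MessageDigest.MD5",
        "Cipher.AES", "Signature.SHA256withRSA", "KeyStore.PKCS12"
    };

    // Name of the highest-preference provider offering the service, or null.
    static String firstProviderFor(String serviceFilter) {
        Provider[] matches = Security.getProviders(serviceFilter);
        return (matches == null || matches.length == 0) ? null : matches[0].getName();
    }

    // True when the provider registered in position 1 has the expected name.
    static boolean firstPositionIs(String expectedName) {
        Provider[] all = Security.getProviders();
        return all.length > 0 && all[0].getName().equals(expectedName);
    }

    public static void main(String[] args) {
        Provider[] all = Security.getProviders();
        for (int i = 0; i < all.length; i++) {
            // Positions are 1-based, matching the security.provider.N entries.
            System.out.printf("%2d  %-20s %s%n", i + 1, all[i].getName(),
                    all[i].getClass().getName());
        }
        for (String svc : SAMPLE_SERVICES) {
            String name = firstProviderFor(svc);
            System.out.printf("%-28s -> %s%n", svc,
                    name == null ? "(no registered provider)" : name);
        }
        // Optional argument (assumption of this example): the provider name
        // expected in position 1, as printed in the listing above.
        if (args.length > 0 && !firstPositionIs(args[0])) {
            System.err.println("Position 1 is not " + args[0]);
            System.exit(1);
        }
    }
}
```

Run it with the same -Djava.security.properties option and classpath as the server JVM so that it reads the same provider list.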
Using the Dell JCE Provider
The Dell JCE (previously known as RSA JCE) provider is included with WebLogic Server. The Dell JCE provider is located in cryptoj.jar, which is in the WebLogic Server classpath by default. You can use the Dell JCE provider in non-FIPS or FIPS mode.
Note:
This section describes using the Dell JCE provider in non-FIPS mode. To use the Dell JCE provider in FIPS mode, see Enabling FIPS Mode.
Using the following URL, download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files that correspond to the version of your JDK. These Java policy JAR files affect cipher key sizes greater than 128 bits.
https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
Note:
You can skip this step if you are running WebLogic Server on JDK 8u161 or later. On JDK 8u161 and later, stronger cryptographic algorithms are available by default.
Open the .ZIP distribution and update local_policy.jar and US_export_policy.jar in JAVA_HOME/jre/lib/security. See the README.txt file in the .ZIP distribution for more information and installation instructions.
The Dell BSAFE Crypto-J documentation describes at least two ways to use the Dell JCE Provider:
- Static registration (for example, by editing java.security).
    security.provider.1=com.rsa.jsafe.provider.JsafeJCE
- Dynamic registration at runtime.
    import java.security.Provider;
    import java.security.Security;

    // Create a Provider object
    Provider jceProvider = new com.rsa.jsafe.provider.JsafeJCE();
    // Add the JCE Provider class to the current list of providers available on the system.
    Security.insertProviderAt(jceProvider, 1);
Using the JDK JCE Provider
WebLogic Server supports the use of the JDK JCE provider (SunJCE). The JCA framework includes an ability to enforce restrictions regarding the cryptographic algorithms and maximum cryptographic strengths available to applets/applications in different jurisdiction contexts (locations).
For more information about the features in SunJCE, see the Java™ Cryptography Architecture (JCA) Reference Guide at http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html.
The restrictions regarding cryptographic algorithms and cryptographic strengths are specified in "jurisdiction policy files". See the Java™ Cryptography Architecture (JCA) Reference Guide.
WebLogic Server will continue to control the strength of the cryptography used by the WebLogic Server Application Programming Interfaces (APIs). Client code without the appropriate domestic strength cryptography setting will only be able to use the Java SE export strength default cryptography. On the server, WebLogic Server will enable either export or domestic strength cryptography.
Using nCipher JCE Provider
JCE providers such as nCipher that use a hardware card for encryption offload SSL processing from Web servers, which frees the servers to process more transactions. They also provide strong encryption and cryptographic processes to preserve the integrity and secrecy of keys.
WebLogic Server also supports the use of the nCipher JCE provider. SSL is a key component in the protection of resources available in Web servers. However, heavy SSL traffic can cause bottlenecks that affect the performance of Web servers. You can install the nCipher JCE provider, which helps offload SSL traffic from Web servers so that the servers can perform efficiently.