An Introduction to the IBMJCECCA Provider

By Gregory Cernera posted Thu March 09, 2023 05:32 PM


What is IBMJCECCA?

The IBM Java Cryptography Extension Common Cryptographic Architecture (IBMJCECCA) is a JCE security provider developed by IBM that offers support for cryptographic algorithms, protocols, and key management. IBMJCECCA is unique because it is able to access hardware cryptographic devices via the IBM Common Cryptographic Architecture (CCA) interfaces. IBMJCECCA fits directly into the JCE framework, so it allows developers to seamlessly integrate IBMJCECCA capabilities into their Java applications that already utilize JCE capabilities.

IBMJCECCA uses the CCA APIs to reach secure, high-speed cryptographic devices. On z/OS, these APIs are implemented by services such as the Integrated Cryptographic Service Facility (ICSF), which the IBMJCECCA provider in turn calls to expose the cryptographic hardware to Java applications. With cryptographic operations performed on hardware devices, your Java applications gain both performance and security. Let's take a deeper look at the actual capabilities of the IBMJCECCA provider and how it could help your applications.

Features of the IBMJCECCA provider

IBMJCECCA provides support for several types of cryptographic ciphers, signatures, and message digests, along with key generation, key management, and storage capabilities. The table below lists the full set of engines and algorithms IBMJCECCA supports:

| Engine | Supported algorithms |
|---|---|
| AlgorithmParameterGenerator | EC |
| AlgorithmParameters | AES, DES, DESede, EC, OAEP, PBE, PBM, RSAPSS |
| CertificateFactory | X509 |
| Cipher | AES, AES/CBC/NoPadding, AES/CBC/PKCS5Padding, AES/ECB/NoPadding, AES/ECB/PKCS5Padding, AESKeyWrap, DES, DES/CBC/NoPadding, DESede, DESedeKeyWrap, DESedeTR31KeyWrap, PBEWithMD2AndDES, PBEWithMD2AndTripleDES, PBEWithMD5AndDES, PBEWithMD5AndTripleDES, PBEWithSHA1AndDES, PBEWithSHA1AndTripleDES, PBEWithSHAAnd2KeyTripleDES, PBEWithSHAAnd3KeyTripleDES, RSA, RSA/ECB/PKCS1Padding, RSA/SSL/PKCS1Padding, RSAforSSL, TripleDES/CBC/NoPadding |
| KeyAgreement | ECDH |
| KeyFactory | EC, RSA, RSAPSS |
| KeyGenerator | AES, DES, DESede, HmacMD2, HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512 |
| KeyPairGenerator | EC, RSA, RSAPSS |
| KeyStore | JCA4758KS, JCECCAKS, JCECCARACFKS |
| Mac | HmacMD2, HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, PBM |
| MessageDigest | MD2, MD5, SHA, SHA2, SHA224, SHA3, SHA5 |
| SecretKeyFactory | AES, DES, DESede, HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384, HMACSHA512, PBEWithMD2AndDES, PBEWithMD2AndTripleDES, PBEWithMD5AndDES, PBEWithMD5AndTripleDES, PBEWithSHAAnd2KeyTripleDES, PBEWithSHAAnd3KeyTripleDES, PBEWithSHAAndDES, PBEWithSHAAndTripleDES, PBKDF1, PBKDF2, PKCS5Key |
| SecureRandom | IBMSecureRandom |
| Signature | ECDSAforSSL, MD2withRSA, MD5withRSA, RSAPSS, RSAforSSL, SHA1withECDSA, SHA1withRSA, SHA224withECDSA, SHA224withRSA, SHA2withECDSA, SHA2withRSA, SHA3withECDSA, SHA3withRSA, SHA5withECDSA, SHA5withRSA |

Why use the IBMJCECCA provider?

Hardware acceleration

The IBMJCECCA provider takes advantage of hardware devices to perform accelerated hardware cryptography within the JCE framework. IBMJCECCA provides high-performance cryptographic operations using available hardware on the mainframe such as Crypto Express (CEX) cards or Central Processor Assist for Cryptographic Function (CPACF) instructions.

Secure key storage

IBMJCECCA supports key management capabilities that are only available through IBMJCECCA and the mainframe. IBMJCECCA allows users to create several types of keys in the CCA architecture, including PKDS (public key data set) keys, CKDS (cryptographic key data set) keys, and clear keys. Users can store keys in an encrypted keystore file with IBMJCECCA's JCECCAKS, and they can even manage keys and certificates stored in RACF keyrings with JCECCARACFKS (the JCECCARACFKS keystore type is only supported on z/OS).

Easy integration into Java applications

IBMJCECCA allows developers to quickly and effortlessly integrate these hardware capabilities into their projects that use the JCE provider framework.

hwkeytool command

IBMJCECCA also provides a command-line tool called hwkeytool that allows users to create and manage keys, certificates, and keystores from the CLI.

How to enable and configure IBMJCECCA

In order to use IBMJCECCA, you must first download IBM Semeru Runtime Certified Edition for z/OS, Version 17 and install it onto your z/OS system. You must then edit your java.security file so that IBMJCECCA is the first JCE provider in the list. Here's an example:

security.provider.1=IBMJCECCA
security.provider.2=OpenJCEPlus
security.provider.3=IBMZSecurity
security.provider.4=SUN
security.provider.5=SunRsaSign
security.provider.6=SunEC
security.provider.7=SunJSSE
security.provider.8=SunJCE
... (rest of list omitted)

You must also ensure that ICSF is started on your system and your hardware cryptographic devices are properly configured before attempting to use IBMJCECCA.
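Provider order is easy to get wrong, and a mistake is silent: a lookup that does not find IBMJCECCA first simply falls through to the software providers listed after it. The following program, an added example rather than code from the original post, reports where IBMJCECCA sits in the order and which provider actually wins the default lookup for a few engine/algorithm pairs taken from the table above. It runs on any JVM; on a system without IBMJCECCA it will show the software providers that would be used instead.

```java
import java.security.Provider;
import java.security.Security;

// Added example: confirm that IBMJCECCA is installed, that it is provider #1,
// and that default engine lookups really resolve to it rather than to a
// software provider further down the java.security list.
public class ProviderCheck {
    // "Engine", "Algorithm" pairs; the names come from the capability table above
    // and from the MessageDigest example that follows.
    private static final String[][] SERVICES = {
        {"MessageDigest", "SHA-256"},
        {"Cipher", "AES/CBC/PKCS5Padding"},
        {"Signature", "SHA2withRSA"},
        {"KeyStore", "JCECCAKS"},
        {"SecureRandom", "IBMSecureRandom"},
    };

    // Returns the name of the first provider (in java.security order) that
    // implements the given engine/algorithm, or null if none does. This mirrors
    // what getInstance(algorithm) does when no provider is named explicitly.
    static String providerFor(String engine, String algorithm) {
        for (Provider p : Security.getProviders()) {
            if (p.getService(engine, algorithm) != null) {
                return p.getName();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        Provider[] providers = Security.getProviders();
        int position = -1;
        for (int i = 0; i < providers.length; i++) {
            if ("IBMJCECCA".equals(providers[i].getName())) {
                position = i + 1; // security.provider.N numbering is 1-based
            }
        }
        if (position == -1) {
            System.out.println("IBMJCECCA is NOT installed; hardware crypto will not be used.");
        } else {
            System.out.println("IBMJCECCA is provider #" + position
                + (position == 1 ? "" : " (expected #1 per the java.security edit above)"));
        }
        for (String[] svc : SERVICES) {
            String winner = providerFor(svc[0], svc[1]);
            System.out.printf("%-14s %-22s -> %s%n", svc[0], svc[1],
                winner == null ? "(no provider)" : winner);
        }
    }
}
```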

Some examples

This tutorial will be using IBM Semeru Runtime Certified Edition for z/OS, Version 17 for examples. Below are some examples for how you can use IBMJCECCA:

1. MessageDigest Example

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

String message = "Hello from IBM!";
// Name the provider explicitly so the digest is computed by IBMJCECCA regardless of provider order
MessageDigest md = MessageDigest.getInstance("SHA-256", "IBMJCECCA");
md.update(message.getBytes(StandardCharsets.UTF_8)); // explicit charset: the z/OS default is EBCDIC, which would change the bytes hashed
byte[] digest = md.digest();

2. Storing keys in a JCECCAKS

import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.KeyStore.PasswordProtection;
import java.security.KeyStore.ProtectionParameter;
import java.security.KeyStore.SecretKeyEntry;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Generate a new AES key
KeyGenerator keyGenerator = KeyGenerator.getInstance("AES", "IBMJCECCA");
keyGenerator.init(256);
SecretKey secretKey = keyGenerator.generateKey();

// Create a new, empty JCECCAKS key store (load with a null stream to initialize it)
KeyStore keyStore = KeyStore.getInstance("JCECCAKS", "IBMJCECCA");
char[] password = "password".toCharArray(); // placeholder for the example; read the real password from a protected source
keyStore.load(null, password);

// Store our AES key in the keystore
SecretKeyEntry keyEntry = new SecretKeyEntry(secretKey);
ProtectionParameter protection = new PasswordProtection(password);
keyStore.setEntry("aesKey", keyEntry, protection);

// Save the JCECCAKS to a file; try-with-resources closes the stream even if store() throws
try (FileOutputStream out = new FileOutputStream("keystore.jceccaks")) {
    keyStore.store(out, password);
}

3. Generating a key pair with hwkeytool

hwkeytool -genkeypair \
  -alias myKeyPair \
  -keyAlg RSA \
  -keysize 512 \
  -keypass "keypass" \
  -dname 'CN=Greg, OU=Poughkeepsie, O=IBM, C=US' \
  -keystore keystore.jceccaks \
  -storetype JCECCAKS \
  -storepass "storepass"
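To show the stored key being used, here is an added example (not code from the original post) that reopens the keystore.jceccaks file written in example 2 and extended by hwkeytool in example 3, retrieves the "aesKey" entry, and runs an AES/CBC/PKCS5Padding round trip on IBMJCECCA with a fresh IV. It assumes the keystore and entry password are "password" as in example 2, and that ICSF is running so the provider can unwrap the key.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

// Added example: load the JCECCAKS from example 2, fetch the AES key, and
// encrypt/decrypt with IBMJCECCA, checking which provider did the work.
public class KeystoreRoundTrip {
    public static void main(String[] args) throws Exception {
        char[] storePass = "password".toCharArray(); // same placeholder password as example 2
        KeyStore ks = KeyStore.getInstance("JCECCAKS", "IBMJCECCA");
        try (FileInputStream in = new FileInputStream("keystore.jceccaks")) {
            ks.load(in, storePass);
        }
        // Expect "aeskey" from example 2 and "mykeypair" if the hwkeytool step ran
        System.out.println("Aliases: " + Collections.list(ks.aliases()));

        KeyStore.Entry entry = ks.getEntry("aesKey", new KeyStore.PasswordProtection(storePass));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("aesKey is not a secret key entry");
        }
        SecretKey key = ((KeyStore.SecretKeyEntry) entry).getSecretKey();

        // CBC needs a unique, unpredictable IV for every message under the same key.
        // The IV is not secret and is normally sent alongside the ciphertext.
        byte[] iv = new byte[16];
        SecureRandom.getInstance("IBMSecureRandom", "IBMJCECCA").nextBytes(iv);

        byte[] plaintext = "Hello from IBM!".getBytes(StandardCharsets.UTF_8);
        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding", "IBMJCECCA");
        enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ciphertext = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance("AES/CBC/PKCS5Padding", "IBMJCECCA");
        dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] recovered = dec.doFinal(ciphertext);

        // CBC gives confidentiality only; pair it with a Mac from the table (e.g. HmacSHA256)
        // over the IV and ciphertext if integrity matters.
        System.out.println("Cipher provider: " + enc.getProvider().getName());
        System.out.println("Round trip OK: " + Arrays.equals(plaintext, recovered));
    }
}
```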

Conclusion

There you have it! We've learned that IBMJCECCA uses hardware-accelerated cryptographic devices to perform fast and secure crypto operations. IBMJCECCA also interacts with other z/OS applications such as ICSF and RACF in order to provide reliable and accelerated key management, encryption, and several other JCE capabilities. IBMJCECCA can seamlessly integrate into your Java applications to help protect sensitive data and accelerate encryption/decryption operations. Try it out!


How to obtain IBMJCECCA

IBMJCECCA is included in the IBM Semeru Runtime Certified Edition for z/OS download. Please follow the links below to download the IBM Semeru JDK onto your own machines.

How to obtain IBM Semeru Runtime Certified Edition for z/OS?
IBM Semeru Runtime Certified Edition for z/OS is available for zero license charge through Shopz SMP/E, or you can download the non-SMP/E here. The subscription and service number is 5655-I48.

Supporting Links:
IBM Semeru Runtime Certified Edition for z/OS product page
For additional information on installation, troubleshooting and support please visit IBM Documentation.
