000027143 - RKM Java Client: Using a FIPS 140-2 validated module for cryptographic operations

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000027143
Applies ToRSA Key Manager Java Client 2.1.3 or later
IssueRKM Java Client: Using a FIPS 140-2 validated module for cryptographic operations
Notes

The Java client doesn?t enforce FIPS validation, so there are no FIPS modes to select. If you have the Crypto-J FIPS JCE provider, you can have the Java client use this for cryptographic operations.

Please note that what is described below will help you to claim that you are using a FIPS 140-2 validated module for cryptographic operations; it will not make your application FIPS validated.

The section of the RKM 2.1.3.1 Java Client Developer?s Guide I referred to in the previous email says this:

FIPS-140 Operation

[Initializing the Key Manager Java Client <group__KMJC__INIT.html>]

The Federal Information Processing Standards Publication (FIPS) 140-2 - Security Requirements for Cryptographic Modules details the U.S. governments requirements for cryptographic modules. The Key Manager Java Client provides support for business applications to operate using FIPS 140-2 certified cryptographic functions. For a business application to be FIPS 140-2 compliant, the JCE service provider selected for use with the Key Manager Java Client must be FIPS-140 approved, such as RSA BSAFE??? Crypto-J 3.6.

For information on how to load the RSA BSAFE Crypto-J provider, see Appendix A - Using the Crypto-J Provider <group__KMJC__APP__A__CRYPTOJ__JCE.html>.

Note:

If the applications that integrate with the Key Manager Java Client are to be FIPS 140-2 compliant, then the PKCS #12 client credential file that contains the public certificate and private key must be encrypted using the Triple Data Encryption Standard (3DES) algorithm, not RC2 as used by most browser programs.

Appendix A says:

Appendix A - Using the Crypto-J Provider

Detailed Description

This section describes how to use the Crypto-J JCE provider with the RSA Key Manager Java Client.

Once the Crypto-J JCE provider jar file (JsafeJCE.jar or JsafeJCEFIPS.jar) is included in the classpath everything should be set to be able to use the Crypto-J JCE Provider.

You can load a JCE provider in one of two ways: dynamically during program execution, or statically in the java.security file.

Note:

Please see the Crypto-J documentation to find out how to use the Crypto-J JCE provider in FIPS-140 compliant mode.

Modules

Dynamically Loading a Provider at Run Time <group__KMJC__APP__A__CRYPTOJ__JCE__DYN.html>

Statically Loading a Provider <group__CKMJC__APP__A__CRYPTOJ__JCE__STAT.html>

The dynamic loading section says:

Dynamically Loading a Provider at Run Time

[Appendix A - Using the Crypto-J Provider <group__KMJC__APP__A__CRYPTOJ__JCE.html>]

This section describes how to dynamically load a JCE provider. To dynamically load the Crypto-J JCE Provider at run time, you must create a provider object. Once the provider object is created, call Security.addProvider() to finish loading the provider. The addProvider() method adds the specified provider to the end of the list of providers available on the system. It is possible to specify the position of the new provider in the list by using the Security.insertProviderAt method (see the Javadoc documentation for the java.security.Security class for more information).

The following example shows how to create a provider object and add the Crypto-J JCE Provider to the provider list.

// Create a Provider object

Provider jsafeProvider = new com.rsa.jsafe.provider.JsafeJCE;

// Add the Crypto-J JCE Provider to the current list of

// providers available on the system.

Security.addProvider (jsafeProvider);

The static loading section says:

Statically Loading a Provider

[Appendix A - Using the Crypto-J Provider <group__KMJC__APP__A__CRYPTOJ__JCE.html>]

This section describes how to statically load a JCE provider.

Load the Crypto-J JCE Provider statically when it needs to be available to all Java programs that run on the system. To do this, add the following line

security.provider.<n>=com.rsa.jsafe.provider.JsafeJCE

to the file

jdk install directory>/jre/lib/security/java.security

To set the Crypto-J JCE Provider as the default provider, <n> should be set to 1. In this case, you need to change the <n> values for any other providers listed in java.security so that each provider has a unique number. For example:

security.provider.1=com.rsa.jsafe.provider.JsafeJCE

security.provider.2=sun.security.provider.Sun

Note:

When using Sun JDK 1.4.2, the JsafeJCE provider must be third (or lower) after the following two providers:

1. security.provider.1=sun.security.provider.Sun

2. security.provider.2=com.sun.rsajca.Provider Or, security.provider.2=com.sun.net.ssl.internal.ssl.Provider

When using IBM JDK 1.4.2 the JsafeJCE provider must be loaded after security.provider.1=com.ibm.crypto.provider.IBMJCE.

After inserting the JsafeJCE provider in the list after the providers mentioned above, the position of the rest of the default providers must be increased by one.

 

These notes refer to Crypto-J 3.6. Please note that the RKM Java Client 2.1.3.1 doesn?t include the Crypto-J JCE provider, so you will need to get this separately. The 2.7 Client comes with Crypto-J 4.0 included. The 2.7.1 Client comes with Crypto-J 4.1 included. Crypto-J 4.0 has the added requirement of setting "com.rsa.cryptoj.jce.kat.strategy=on.load" in the java.security file. Crypto-J 4.1 changes the necessary java.security property to "com.rsa.cryptoj.kat.strategy=on.load" ("jce" dropped), since the JCE and JSAFE (original Crypto-J API) libraries have been combined. These additional properties are described in the relevant Crypto-J Security Policy files.

Legacy Article IDa51936

Attachments

    Outcomes