Security
Security enhancements for the Java™ 2 SDK, Standard Edition, v 1.4.2 include the following:
Security Guides
Security enhancements for the Java™ 2 SDK, Standard Edition, v 1.4.1 include the following:
- The following CA (Certification Authority) certificates were added to the cacerts file in the lib/security directory of the Java installation:
  - Alias name: entrustglobalclientca
    Owner: CN=Entrust.net Client Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/GCCA_CPS incorp. by ref. (limits liab.), O=Entrust.net
  - Alias name: entrustgsslca
    Owner: CN=Entrust.net Secure Server Certification Authority, OU=(c) 2000 Entrust.net Limited, OU=www.entrust.net/SSL_CPS incorp. by ref. (limits liab.), O=Entrust.net
  - Alias name: entrustsslca
    Owner: CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US
  - Alias name: entrust2048ca
    Owner: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
  - Alias name: entrustclientca
    Owner: CN=Entrust.net Client Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., O=Entrust.net, C=US
- Support for AES (the Advanced Encryption Standard) was added to the SunJCE cryptographic provider. For details see the JCE reference guide.
- Support for the SHA-256, SHA-384, and SHA-512 hash algorithms was added to the Sun provider. For details see the cryptography architecture reference guide.
- The SunJSSE implementation now supports a number of additional ciphersuites. They include ciphersuites using AES as a symmetric cipher and ephemeral Diffie-Hellman with RSA authentication (DHE_RSA). For details see the JSSE reference guide.
- In addition to the simple X.509-based trust manager previously available in the SunJSSE provider, it now supports a second, PKIX-compliant trust manager. It is implemented using the default CertPath PKIX implementation. See the JSSE reference guide for more information.
- The PKIX CertPath implementation in the Sun provider has been made compliant with the recently published RFC 3280.
- A number of performance-related changes have been made to the certificate and PKIX implementation in the Sun provider. Depending on the usage scenario, performance can be substantially improved; in some cases execution may be several times as fast as in previous releases. One of these changes is the addition of caching to the LDAPCertStore implementation, which can be configured as described in the CertPath API Programmer's Guide.
- Limited support for the CRL DistributionPoints extension is now available in the Sun PKIX implementation. This allows the implementation to automatically locate and download CRLs in some cases, eliminating the need for manual configuration. This feature is disabled by default for compatibility reasons. For more information see the CertPath API Programmer's Guide.
- Added Counter mode (CTR) support for all block ciphers in the SunJCE provider. For details see the JCE reference guide.
- Security Enhancements in Java GSS
Security enhancements for the previous release, Java™ 2 SDK, Standard Edition, v 1.4 included the following:
- Three new security tools were added in the 1.4.1 release of the Java 2 platform: kinit, klist, and ktab. These tools help users obtain, list and manage Kerberos tickets. See the Security Tools section of the Java™ 2 SDK Tools and Utilities documentation for more information.
- The Sun SecureRandom implementation now also makes use of an operating system-provided entropy source on Windows platforms, which can improve the startup time of cryptographic applications considerably. Edit <java.home>/lib/security/java.security to control this feature.
- New root CA certificates with aliases baltimorecodesigningca, gtecybertrustglobalca, baltimorecybertrustca, gtecybertrustca, and gtecybertrust5ca have been added to the <java.home>/lib/security/cacerts keystore file. See The cacerts Certificates File.
- The Java™ Cryptography Extension (JCE), Java™ Secure Socket Extension (JSSE), and Java™ Authentication and Authorization Service (JAAS) security features have now been integrated into the Java 2 SDK, v 1.4 rather than being optional packages.
- There are two new security features:
  - The Java™ GSS-API can be used for securely exchanging messages between communicating applications using the Kerberos V5 mechanism.
  - The Java™ Certification Path API includes new classes and methods in the java.security.cert package that allow you to build and validate certification paths (also known as "certificate chains").
- Due to import control restrictions, the JCE jurisdiction policy files shipped with the Java 2 SDK, v 1.4 allow "strong" but limited cryptography to be used. A version of these files indicating no restrictions on cryptographic strengths is available.
- The JSSE implementation provided in this release includes strong cipher suites. However, due to U.S. export control restrictions, this release does not allow alternate "pluggable" SSL/TLS implementations to be used. For more information, please see the JSSE Reference Guide.
- With the integration of JAAS into the J2SDK, the java.security.Policy API handles Principal-based queries, and the default policy implementation supports Principal-based grant entries. Thus, access control can now be based not just on what code is running, but also on who is running it.
- Support for dynamic policies has been added. In Java 2 SDK releases prior to version 1.4, classes were statically bound with permissions by querying security policy during class loading. The lifetime of this binding was scoped by the lifetime of the class loader. In version 1.4 this binding is now deferred until needed by a security check. The lifetime of the binding is now scoped by the lifetime of the security policy.
- The graphical Policy Tool utility has been enhanced to enable specifying a Principal field indicating what user is to be granted specified access control permissions.
General Security, Certification Path, JAAS, Java GSS-API, JCE, JSSE
- Security Architecture
- Cryptography Architecture
- How to Implement a Provider for the Java Cryptography Architecture
- Policy Permissions
- Default Policy Implementation and Policy File Syntax
- API for Privileged Blocks
- X.509 Certificates and Certificate Revocation Lists
- Security Managers and the Java™ 2 SDK
General Security, Certification Path, JAAS
- java.security Package
- java.security.cert Package
- java.security.interfaces Package
- java.security.spec Package
Java GSS-API, JCE, JSSE
- javax.security.auth Package
- javax.security.auth.callback Package
- javax.security.auth.kerberos Package
- javax.security.auth.login Package
- javax.security.auth.spi Package
- javax.security.auth.x500 Package
- com.sun.security.auth Package
- com.sun.security.auth.callback Package
- com.sun.security.auth.login Package
- com.sun.security.auth.module Package
Located on the Java Software web site:
Copyright © 1995-2003 Sun Microsystems, Inc. All Rights Reserved. Please send comments to: java-security@sun.com. This is not a subscription list.