35 Using JCE Providers with WebLogic Server

Learn how Oracle WebLogic Server supports the use of the Jipher and JDK Java Cryptography Extension (JCE) providers.

Using the Jipher JCE Provider

The Jipher JCE provider is an Oracle-developed JCE provider that is included with WebLogic Server. It is located in jipher-jce.jar, which is in the WebLogic Server classpath by default. It is built on top of OpenSSL and uses the OpenSSL FIPS module.

You can configure a FIPS compliant implementation of WebLogic Server by registering the Jipher JCE provider and the SunJSSE provider in the first and second positions respectively in the JDK java.security file as described in Enabling FIPS Mode with Jipher JCE and SunJSSE Providers.

You can register the Jipher JCE provider in either of two ways: by customizing the java.security properties file in the deployment environment to modify the registered provider list, or by specifying a system property on the command line.

  • Override the default java.security file - note the double equal signs.
    java -Djava.security.properties==/etc/sysconfig/jvm1.java.security 
    
  • Append or override parts of the java.security file - note the single equal sign.
    java -Djava.security.properties=/etc/sysconfig/jvm.java.security

If you require support for non-FIPS compliant algorithms, you can register another JCE provider in a position below Jipher JCE, and the non-FIPS compliant algorithms will fall through to use that provider instead.
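The following is an added example, not part of the Oracle documentation, for checking that a java.security override produced the intended provider order and for seeing which provider each algorithm falls through to. The class name ProviderOrderCheck and the probe list are illustrative; the expected provider names are passed as arguments rather than assumed.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import javax.crypto.Cipher;

// Added example: reports the effective JCE provider order and which provider
// actually serves each probed algorithm in this JVM.
public class ProviderOrderCheck {

    // Constructed probe list: {engine type, algorithm}. Adjust to what your applications request.
    static final String[][] PROBES = {
        {"MessageDigest", "SHA-256"},
        {"Cipher", "AES/GCM/NoPadding"},
        {"Signature", "SHA256withRSA"},
        {"MessageDigest", "MD5"},
    };

    // Name of the provider the JCA lookup selects, walking the list in preference order.
    static String servedBy(String type, String alg) {
        try {
            switch (type) {
                case "MessageDigest": return MessageDigest.getInstance(alg).getProvider().getName();
                case "Cipher":        return Cipher.getInstance(alg).getProvider().getName();
                case "Signature":     return Signature.getInstance(alg).getProvider().getName();
                default:              return "unsupported probe type";
            }
        } catch (GeneralSecurityException e) {
            return "not available (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] expected) {
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++)
            System.out.printf("security.provider.%d -> %s%n", i + 1, installed[i].getName());
        boolean ok = true;
        // Arguments are the expected getName() values for positions 1..n (operator-supplied).
        for (int i = 0; i < expected.length; i++) {
            String actual = i < installed.length ? installed[i].getName() : "<none>";
            if (!actual.equals(expected[i])) {
                ok = false;
                System.out.printf("MISMATCH at position %d: expected %s, found %s%n", i + 1, expected[i], actual);
            }
        }
        for (String[] p : PROBES)
            System.out.printf("%-13s %-18s served by %s%n", p[0], p[1], servedBy(p[0], p[1]));
        if (!ok) System.exit(1); // non-zero exit lets a startup script refuse to continue
    }
}
```

Run it with the same -Djava.security.properties option and classpath that the server JVM uses, passing the provider names expected in positions 1 and 2 as arguments. The override option is honored only when security.overridePropertiesFile is set to true in the JDK java.security file.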

Using the JDK JCE Provider

WebLogic Server supports the use of the JDK JCE provider (SunJCE). The JCA framework includes an ability to enforce restrictions regarding the cryptographic algorithms and maximum cryptographic strengths available to applets/applications in different jurisdiction contexts (locations).

For more information about the features in SunJCE, see Java Cryptography Architecture (JCA) Reference Guide in Security Developer’s Guide. Restrictions regarding cryptographic algorithms and cryptographic strengths are specified in the Jurisdiction Policy File Format section.

WebLogic Server will continue to control the strength of the cryptography used by the WebLogic Server Application Programming Interfaces (APIs). Client code without the appropriate domestic strength cryptography setting will only be able to use the Java SE export strength default cryptography. On the server, WebLogic Server will enable either export or domestic strength cryptography.