Bouncy Castle

The Bouncy Castle and unlimited strength JCE policy files add the encryption algorithms required for Lawson Single Sign-on.  During the Lawson installation, you will select the algorithms you want to use. However, not all algorithms are compatible with all versions of JDK. If you select an incompatible algorithm during the installation, an error message will prompt you to choose a different algorithm.  Some customers may want to use a specific algorithm. After completing this section, Lawson recommends that you use the regression tests provided by Bouncy Castle to verify that your algorithm is compatible with your JDK before you begin the installation.  

IMPORTANT Bouncy Castle is added to all JDKs used by the Lawson system before you install any Lawson products. Repeat the steps below for all JDKs consumed by the Lawson system, for example:

• The JDK defined as JAVA_HOME and LAW_JAVA_HOME on the Lawson server.
• The JDK delivered with and used by the application server.
• Any JDKs consumed by other Lawson products that use Lawson Single Sign-on via the Distributed SSO solution (for example, Lawson Business Intelligence (LBI) applications such as Smart Notification and Framework Services).

 

Download Bouncy Castle files

 1. Log in as root.

 2. Download the following files from the Bouncy Castle download site http://www.bouncycastle.org/latest_releases.html.

• If you are using Java SDK 1.4.2, use Bouncy Castle 1.4 files.
• If you are using Java SDK 5, use Bouncy Castle 1.5 files.

File | Purpose
bcprov-jdk1X-XXX.jar | Delivers algorithms to the JDK.
bctest-jdk1X-XXX.jar | Contains regression tests used to verify which algorithms are compatible with your JDK. Download these files if you want to verify algorithms before installing Lawson.

 3. Download the unlimited strength JCE policy files for the JDK(s) you are using:

JDK | Platform | Policy files to use | Where to find files
Lawson JDK (LAW_JAVA_HOME) | AIX | IBM | https://www6.software.ibm.com/dl/jcesdk/jcesdk-p
Lawson JDK (LAW_JAVA_HOME) | HP, Solaris | Sun | For JDK 1.4.2, use the “Other Downloads” link at http://java.sun.com/j2se/1.4.2/download.html  For JDK 5, use the “Other Downloads” link at http://java.sun.com/javase/downloads/index_jdk5.jsp
WebSphere JDK | HP, Solaris | For WebSphere 6.0.2.x, use Sun. For WebSphere 6.0.1.x, use IBM. | For WebSphere 6.0.2.x, use the “Other Downloads” link at http://java.sun.com/j2se/1.4.2/download.html  For WebSphere 6.1, use the IBM policy files at https://www6.software.ibm.com/dl/jcesdk/jcesdk-p
WebSphere JDK | AIX | IBM | https://www6.software.ibm.com/dl/jcesdk/jcesdk-p

Note that the IBM policy files are the same for JDK 1.4 and JDK 1.5.

   

Install Bouncy Castle

 1. Create a temporary directory to hold the Bouncy Castle regression test .jar file.

mkdir BCTestDir

 2. Copy the regression .jar into the temporary directory.

cp bctest-jdk1X-XXX.jar BCTestDir

 3. Copy the bcprov-jdk1X-XXX.jar to the following location(s).

Configuration | Location
All installations | $JAVA_HOME/jre/lib/ext
WebSphere installations | $WAS_HOME/java/jre/lib/ext

 4. Verify that the file permissions on the Bouncy Castle .jar files allow read and execute access for "owner", "group", and "other".  If they do not, change permissions on the files.

chmod 555 bcprov-jdk1X-XXX.jar
                
chmod 555 bctest-jdk1X-XXX.jar

where X-XXX is the version number of the .jar file

 NOTE The Bouncy Castle .jar file must be owned by the user who runs the servlet container. During the installation process, that user is always root. Once the Lawson installation is complete, you can change the ownership of the file.

 Configure Java Encryption

 1. Extract local_policy.jar and US_export_policy.jar from the unlimited strength policy files and copy them into the following location(s). 

Configuration | Location
All installations | $JAVA_HOME/jre/lib/security
WebSphere installations | $WAS_HOME/java/jre/lib/security

 

2. Verify that the file permissions on the $JAVA_HOME/jre/lib/security/java.security file allow write access for "owner", "group", and "other".  If they do not, change permissions on the file.

chmod 777 java.security

 3. Use a text editor to open the $JAVA_HOME/jre/lib/security/java.security file. Add the following line.

security.provider.ProviderNumber=org.bouncycastle.jce.provider.BouncyCastleProvider
where ProviderNumber is the number that reflects the position where the line appears in the file.

You must change the ProviderNumber for each security.provider that appears after the Bouncy Castle line.

• For Sun JDK, the security.provider line for Bouncy Castle must come AFTER the sun.security.provider.Sun line.

 

Sun JDK Example
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider

• For IBM JDK, the security.provider line for Bouncy Castle must come AFTER the com.ibm.crypto.provider.IBMJCE line.

IBM JDK Example
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse.IBMJSSEProvider
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.5=com.ibm.security.cert.IBMCertPath
security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11

 

4. Change file permissions on the java.security file to read/execute access for "owner", "group", and "other".

chmod 555 java.security

 

5. Repeat these steps for all JDKs used by your system, including the following:

• The WebSphere JDK located in WAS_HOME/java/jre/lib/security

• JDKs on machines running applications that connect to Lawson using the Distributed Single Sign-on Solution (DSSO).

 

6. Run the Bouncy Castle algorithm verification tests.

 

Example: 

cd /tmp/dwnlds/bc
mkdir bctest
cp -rp bctest*.jar bctest/
cp -rp bcprov* $JAVA_HOME/jre/lib/ext
cp -rp bcprov* $WAS_HOME/java/jre/lib/ext
chmod 555 $JAVA_HOME/jre/lib/ext/bcprov*
chmod 555 $WAS_HOME/java/jre/lib/ext/bcprov*
chmod 555 /tmp/dwnlds/bc/bctest/bctest*

 

BACK_UP

cd /tmp/dwnlds/bc/
mkdir javabkup
mkdir wasbkup
cp -p $JAVA_HOME/jre/lib/security/* javabkup
cp -p $WAS_HOME/java/jre/lib/security/* wasbkup

jar -xvf unrestrict142.zip
cp -p local_policy.jar $JAVA_HOME/jre/lib/security/
cp -p US_export_policy.jar $JAVA_HOME/jre/lib/security/
cp -p local_policy.jar $WAS_HOME/java/jre/lib/security/
cp -p US_export_policy.jar $WAS_HOME/java/jre/lib/security/

 cd /etc/java5/jre/lib/security
chmod 777 java.security

 EDIT:

vi  $JAVA_HOME/jre/lib/security/java.security

security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider

 vi $WAS_HOME/java/jre/lib/security/java.security

security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider

 $JAVA_HOME/bin/java -cp bctest-jdk15-137.jar org.bouncycastle.crypto.test.RegressionTest > java.crypto.out 2>&1

 $JAVA_HOME/bin/java -cp bctest-jdk15-137.jar org.bouncycastle.jce.provider.test.RegressionTest > java.jcecrypto.out 2>&1

 $WAS_HOME/java/bin/java -cp bctest-jdk15-137.jar org.bouncycastle.crypto.test.RegressionTest > was.crypto.out 2>&1

 $WAS_HOME/java/bin/java -cp bctest-jdk15-137.jar org.bouncycastle.jce.provider.test.RegressionTest > was.jcecrypto.out 2>&1
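A check for the java.security edits in steps 3 and 4 of "Configure Java Encryption", as an added example that is not part of the Lawson or Bouncy Castle documentation. It flags duplicate or skipped provider numbers, a Bouncy Castle entry that is missing or placed ahead of the required Sun/IBM provider, and a file left world-writable after the chmod 777 step. The function names and the sample input are constructed for this example.

```shell
#!/bin/sh
# Added example, not vendor code; function names are hypothetical.
BC=org.bouncycastle.jce.provider.BouncyCastleProvider

# check_providers FILE ANCHOR: print one finding per line, return 1 if any.
check_providers() {
    awk -F= -v bc="$BC" -v anchor="$2" '
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            n = $1; gsub(/[^0-9]/, "", n); n += 0      # provider number
            cls = $2; gsub(/[ \t\r]/, "", cls)         # provider class
            if (n in seen) { print "duplicate number " n; bad = 1 }
            seen[n] = cls; if (n > max) max = n
            if (cls == bc) bcpos = n; if (cls == anchor) apos = n
        }
        END {
            for (i = 1; i <= max; i++)
                if (!(i in seen)) { print "gap at number " i; bad = 1 }
            if (!bcpos) { print "Bouncy Castle not registered"; bad = 1 }
            else if (!apos) { print "anchor " anchor " not found"; bad = 1 }
            else if (bcpos < apos) { print "Bouncy Castle precedes anchor"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# world_writable FILE: true when "other" still has write permission.
world_writable() {
    [ -n "$(find -L "$1" -prune -perm -002 -print 2>/dev/null)" ]
}

# audit_java_security FILE ANCHOR: both checks; non-zero on any finding.
audit_java_security() {
    rc=0
    check_providers "$1" "$2" || rc=1
    if world_writable "$1"; then echo "world-writable: $1"; rc=1; fi
    return $rc
}

# write_sample FILE: constructed input, Bouncy Castle added at 4 without renumbering.
write_sample() {
    cat > "$1" <<'EOF'
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.4=com.sun.crypto.provider.SunJCE
EOF
}

if [ $# -ge 2 ]; then audit_java_security "$1" "$2"; fi
```

Run it once per JDK, passing the java.security path and the anchor class for that JDK (sun.security.provider.Sun or com.ibm.crypto.provider.IBMJCE).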
