The asymmetric password encryption mechanism uses RSA encryption algorithms to encrypt the password being transmitted. To perform this RSA encryption, configure your JRE with a suitable Java Cryptography Extension (JCE) provider. The configured JCE provider should be capable of supporting the “RSA/NONE/OAEPWithSHA1AndMGF1Padding” transformation.
The JCE provider included with your JRE may not be capable of handling the “RSA/NONE/OAEPWithSHA1AndMGF1Padding” transformation. To use the extended password encryption feature in this case, configure an external JCE provider that includes support for this transformation. If the JCE cannot handle the required transformation, you receive an error message at login.
You can use the JCE_PROVIDER_CLASS connection property to specify the JCE provider. There are a number of commercial and open source JCE providers that you can choose from. For example, the “Bouncy Castle Crypto APIs for Java” is a popular open source Java JCE provider. If you choose not to specify the JCE_PROVIDER_CLASS property, jConnect attempts to use any bundled JCE.
You can use the Certicom Security Builder GSE-J to perform RSA password encryption. Certicom Security Builder GSE-J is a FIPS 140-2 compliant JCE provider that is included in the jConnect driver. This provider contains two JAR files, EccpressoFIPS.jar and EccpressoFIPSJca.jar, that are both accessible from the $JDBC_HOME/classes and the $JDBC_HOME/devclasses directories.
To use the Certicom Security Builder GSE-J provider, set the value of JCE_PROVIDER_CLASS connection property to “com.certicom.ecc.jcae.Certicom”.
If you enable password encryption by setting the ENCRYPT_PASSWORD connection property but not the JCE_PROVIDER_CLASS connection property, jConnect attempts to locate and load the Certicom Security Builder GSE-J provider. This succeeds only if EccpressoFIPS.jar and EccpressoFIPSJca.jar are located in the same directory as the jConnect JAR file in use (jconn4.jar or jconn4d.jar).
To specify a custom JCE provider:
Set the JCE_PROVIDER_CLASS property to the fully qualified class name of the provider you want to use. For example, to use the Bouncy Castle JCE:
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

String url = "jdbc:sybase:Tds:myserver:3697";
Properties props = new Properties();
/* Property names must match exactly, with no trailing space */
props.put("ENCRYPT_PASSWORD", "true");
props.put("JCE_PROVIDER_CLASS", "org.bouncycastle.jce.provider.BouncyCastleProvider");
/* Set up additional connection properties as needed */
props.put("user", "xyz");
props.put("password", "123");
/* Get the connection */
Connection con = DriverManager.getConnection(url, props);
Configure the JCE provider before using it. You can do this in one of two ways:
Copy the JCE provider jar file into the JRE standard extension directory:
For UNIX platforms: ${JAVA_HOME}/jre/lib/ext
For Windows: %JAVA_HOME%\jre\lib\ext
If you cannot copy the JCE jar file to the appropriate directory, refer to the JCE Reference Guide for instructions on setting up an external JCE provider.
If jConnect cannot use the specified JCE provider, it attempts to use the JCE providers configured in the JRE security profile. If no other JCE providers are configured, or if configured providers do not support the required transformation and password encryption is enabled, the connection fails.
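To find out before login whether a provider can handle the required transformation, the following Java program (an added example, not part of the jConnect documentation or driver) tests every provider registered in the JRE and, optionally, a provider class named on the command line. The class name JceProviderCheck, the throwaway 2048-bit key and the reflective loading are assumptions of this example; it does not describe how jConnect itself loads the provider.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;

public class JceProviderCheck {
    // Transformation the text above says the provider must support.
    static final String TRANSFORMATION = "RSA/NONE/OAEPWithSHA1AndMGF1Padding";

    // True only if the provider can instantiate the transformation and
    // complete an encrypt/decrypt round trip with a throwaway RSA key.
    // The key comes from the JRE's default RSA generator, so an
    // InvalidKeyException here can mean the provider rejects foreign keys.
    static boolean supports(Provider provider, KeyPair keys) {
        try {
            byte[] sample = "constructed-sample".getBytes(StandardCharsets.UTF_8);
            Cipher enc = Cipher.getInstance(TRANSFORMATION, provider);
            enc.init(Cipher.ENCRYPT_MODE, keys.getPublic());
            byte[] ciphertext = enc.doFinal(sample);
            Cipher dec = Cipher.getInstance(TRANSFORMATION, provider);
            dec.init(Cipher.DECRYPT_MODE, keys.getPrivate());
            return Arrays.equals(sample, dec.doFinal(ciphertext));
        } catch (Exception e) {
            // Typically NoSuchAlgorithmException or NoSuchPaddingException.
            System.out.println("  " + provider.getName() + ": " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair keys = gen.generateKeyPair();

        // Optional argument: the class name you plan to set in
        // JCE_PROVIDER_CLASS. Its JAR must be on the classpath.
        if (args.length > 0) {
            Provider p = (Provider) Class.forName(args[0])
                    .getDeclaredConstructor().newInstance();
            System.out.println(args[0] + " -> " + supports(p, keys));
        }
        // Providers already configured in the JRE security profile.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " -> " + supports(p, keys));
        }
    }
}
```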