The desktop client platform can use either the IBM® J9 Virtual Machine (VM) that implements the Java specifications with DesktopEE class libraries or the IBM J9 VM with the Java 2 SE 5.0 class libraries. The security configuration options are different depending on the VM that is used.
The Lotus® Expeditor Client installs the J9 with DesktopEE as the default VM, and Java 2 SE 5.0 can be installed later. Other products that use this platform might provision only Java 2 SE 5.0 and not DesktopEE.
When using the Lotus Expeditor Client on devices, DB2e can use SSL while synchronizing with a server by specifying https in the connection URL.
Refer to the following URL for information about the security capabilities of the VM on Microsoft® Windows®:
Refer to the following URL for information about the security capabilities of the VM on Linux®:
The following URL is the index page for information about the security aspects of the IBM J2SE 5 VM:
The use of JCE within the platform follows the standard patterns of JCE usage.
Because the platform uses multiple inbound and outbound communication mechanisms, depending on the type of communication required, specific steps are needed to configure JSSE to support SSL communications. Refer to the section that matches the communication mechanism you want to use.
The Lotus Expeditor Client does not support the use of Java 2 Security to grant or prevent code access based on identity.
Configuring for DesktopEE
The following Ciphers are provided using JCE in DesktopEE:
The following CipherSuites are supported for SSL Connections:
The JAAS component provides a means for principal-based authentication and authorization.
The DesktopEE key tool can only be used to create or operate on JKS keystores. You cannot use it to build JCEKS keystores. JCEKS keystores are currently not supported on DesktopEE.
DesktopEE contains some preinstalled certificates in the file lib\security\cacerts. This file is preinstalled with a number of root CAs and is used for SSL server certificate validation, signed JAR verification, and midlet verification.
Switching from DesktopEE to J2SE
See Changing to a different runtime and class library for information about switching from DesktopEE to J2SE.
Keystore considerations when switching VMs
Keystore files that are created by the Java 2 SE 5.0 VM are not compatible with DesktopEE. Similarly, keystore files created with DesktopEE are not compatible with Java 2 SE 5.0. For this reason, IBM Lotus Expeditor maintains one keystore file for each VM. Because of this arrangement, when switching VMs, you must reset all the passwords that were stored in the keystore of one VM and the keystore password itself. None of the data stored in the keystore file of one VM is transferred to the keystore file of the other VM. It is important to note that it is possible to have two different sets of stored credentials: one is accessible only to DesktopEE, and one is accessible only to Java 2 SE 5.0.
Specifying the default platform login configuration: XPD622
A login configuration tells the application which LoginModule to use to authenticate users. A LoginModule describes the interface implemented by authentication technology providers.
Configuring SSL for the platform: XPD622
If you need to use Secure Sockets Layer (SSL) with a self-signed test certificate or a certificate that does not have a root certificate contained in the default manager keystore, you are prompted, denied, or allowed, depending on how you configure your managed preferences value for com.ibm.rcp.security.jceproxy/ssl.unknowncert.action
Configuring SSL for the Enterprise Management Agent: XPD622
Secure Sockets Layer (SSL) connections are based on the existence of digital certificates to promote secure data exchange between server and client. In Lotus Expeditor, the Enterprise Management agent supports both normal and SSL connections between the client and a Lotus Expeditor server. We recommend that you purchase commercial certificates for which public key certificates are already available on the client devices. This purchase greatly simplifies using secure connections because new certificates do not have to be deployed to the clients. You can also use self-signed certificates that you create. The procedures for deploying certificates to desktops and devices are different.
Configuring client-side SSL support: XPD622
To access a server that requires client certificate authentication for SSL connections, the Lotus Expeditor Client keystore must contain a personal certificate signed by an authority that is trusted by that server.
Configuring SSL for Web Services: XPD622
If you plan on running Web Services applications that connect to Web Services located behind a secure URL, for example HTTPS, you must set up Lotus Expeditor Client with an appropriate default configuration.
Configuring SSL for the Web Container: XPD622
This section describes how to configure SSL for the Web Container.
Configuring SSL for ISync: XPD622
The DB2® Everyplace® Sync technology (ISync) allows for the use of SSL to connect from the client to the DB2 Everyplace Sync server, if both client and server are SSL-enabled in a compatible configuration.
Using SSL from applications: XPD622
This section describes using SSL from applications, specifically creating SSL connections to servers and creating SSL sockets from incoming connections.
Enabling FIPS-compliant JCE and JSSE providers: XPD622
This section describes how to enable Federal Information Processing Standards (FIPS)-compliant JCE and JSSE providers.
Parent topic: Managing client configurations: XPD622