HomeDownloadsUser GuideDevelopment

User Guide: Security Provider Configuration

This section outlines the configuration of a Java Cryptography Extension for your PEP implementation and for the standard tools included in the Permis bundle.

Overview

The Permis core and the tools of the Permis distribution make use of the JCE.

The JCE is used for the following tasks:

Permic core:
  • Certificate chain verification.
Policy editor and tools:
  • Signing of attribute certificates.

Policy Enforcement Point

To configure the JCE used by the Permis core in your PEP implementation you can use the standard provider installation mechanisms listed in the security guide of the Java SDK or you can use the convenience configuration mechanism also used by the the policy editor and the tools.

Java SDK Configuration

The standard configuration mechanisms supported by the SDK are outlined in the Java Cryptography Architecture API Specification & Reference.

In short there are two options to configure the JCE:

  • Installation as an JRE extension.
  • Dynamic providers registration.

Both mechanisms are described in the provider installation section of the reference guide.

Permis Injection

You can also use the convenience configuration mechanism used by the Permis policy editor and tools in your own implementation. The injection mechanism uses a PicoContainer script to create a container of security providers which are then dynamically registered.

While this sounds like a complex endeavour it is pretty straightforward to use. All you have to do is to include the following statement in your PEP implementation prior to calling any Permis code that makes use of the JCE (i.e. best at bootstrap time of your application):

org.openpermis.security.SecurityProviderInitializer.initializeSecurityProvider();

For more information about the PicoContainer script and the actual configuration of the JCE of your choice please refer to the next section.

Policy Editor and Tools

To configure the policy editor and the tools included in the Permis distribution (or even your own PEP implementation if you use the Permis configuration mechanism) you will have to provide the following:

  • The JCE of your choice for inclusion on the classpath.
  • A PicoContainer script configuration for the Permis security provider configuration mechanism.

... or you can stick to the default implementation as outlined in the following section.

Bouncy Castle Default Configuration

The policy editor and the Permis tools come preconfigured with configuration for the Bouncy Castle Crypto APIs. If you intend to use Bouncy Castle in the version included in the Permis distribution you do not need to perform any manual configuration.

PicoContainer Script Configuration

The Permis security provider initializer reads a configuration file named openpermis-jce.xml in a toplevel folder on the classpath.

Pay attention to the order of your classpath entries. Your configuration file needs to be listed prior to the Permis core.jar since it includes a openpermis-jce.xml file with the default configuration.

The security provider initializer reads the PicoContainer configuration script and creates a container with all the implementations listed. Then all instances of java.security.Provider found in the container are injected at the security provicer using the dynamic JCE configuration mechanism (java.security.Security.addProvider(...)).

You can list more than once security provider in the configuration script, however at the moment the order in which the providers are added is not guaranteed therefore it is highly recommended you only add your favourite provider.

An example configuration looks as follows:

<?xml version="1.0"?>
<container>

	<!--
		Pico Container configuration for JCE Providers injected at runtime.

		This file contains the default provider implementation used by the
		Open Permis editor and is used if no other configuration overrides this
		configuration file.

		To use your favourite provider implementation create a container configuration
		named 'openpermis-jce.xml' in a toplevel folder of your classpath.

		Add your provider implementation as a component implementation to the
		container configuration. All implementations of java.security.Provider will
		automatically be added using java.security.Security.addProvider().
	-->

	<!-- BouncyCastle Security Provider Implementation. -->
	<component-implementation class="org.bouncycastle.jce.provider.BouncyCastleProvider"/>

</container>

For more information PicoContainer XML script please refer to the PicoContainer script website.