HomeDownloadsUser GuideDevelopment

User Guide: Security Provider Configuration

This section outlines the configuration of a Java Cryptography Extension for your PEP implementation and for the standard tools included in the OpenPermis bundle.

Overview

The OpenPermis core and the tools of the OpenPermis distribution make use of the JCE.

The JCE is used for the following tasks:

OpenPermis core:
  • Certificate chain verification.
Policy editor and tools:
  • Signing of attribute certificates.

Policy Enforcement Point

To configure the JCE used by the OpenPermis core in your PEP implementation you can use the standard provider installation mechanisms listed in the security guide of the Java SDK or you can use the convenience configuration mechanism also used by the the policy editor and the tools.

Java SDK Configuration

The standard configuration mechanisms supported by the SDK are outlined in the Java Cryptography Architecture API Specification & Reference.

In short there are two options to configure the JCE:

  • Installation as an JRE extension.
  • Dynamic providers registration.

Both mechanisms are described in the provider installation section of the reference guide.

OpenPermis Injection

You can also use the convenience configuration mechanism used by the OpenPermis policy editor and tools in your own implementation. The injection mechanism uses a PicoContainer script to create a container of security providers which are then dynamically registered.

While this sounds like a complex endeavour it is pretty straightforward to use. All you have to do is to include the following statement in your PEP implementation prior to calling any OpenPermis code that makes use of the JCE (i.e. best at bootstrap time of your application):

org.openpermis.security.SecurityProviderInitializer.initializeSecurityProvider();

For more information about the PicoContainer script and the actual configuration of the JCE of your choice please refer to the next section.

Policy Editor and Tools

To configure the policy editor and the tools included in the OpenPermis distribution (or even your own PEP implementation if you use the OpenPermis configuration mechanism) you will have to provide the following:

  • The JCE of your choice for inclusion on the classpath.
  • A PicoContainer script configuration for the OpenPermis security provider configuration mechanism.

... or you can stick to the default implementation as outlined in the following section.

Bouncy Castle Default Configuration

The policy editor and the OpenPermis tools come preconfigured with configuration for the Bouncy Castle Crypto APIs. If you intend to use Bouncy Castle in the version included in the OpenPermis distribution you do not need to perform any manual configuration.

PicoContainer Script Configuration

The OpenPermis security provider initializer reads a configuration file named openpermis-jce.xml in a toplevel folder on the classpath.

Pay attention to the order of your classpath entries. Your configuration file needs to be listed prior to the OpenPermis core.jar since it includes a openpermis-jce.xml file with the default configuration.

The security provider initializer reads the PicoContainer configuration script and creates a container with all the implementations listed. Then all instances of java.security.Provider found in the container are injected at the security provicer using the dynamic JCE configuration mechanism (java.security.Security.addProvider(...)).

You can list more than once security provider in the configuration script, however at the moment the order in which the providers are added is not guaranteed therefore it is highly recommended you only add your favourite provider.

An example configuration looks as follows:

<?xml version="1.0"?>
<container>

	<!--
		Pico Container configuration for JCE Providers injected at runtime.

		This file contains the default provider implementation used by the
		OpenPermis editor and is used if no other configuration overrides this
		configuration file.

		To use your favourite provider implementation create a container configuration
		named 'openpermis-jce.xml' in a toplevel folder of your classpath.

		Add your provider implementation as a component implementation to the
		container configuration. All implementations of java.security.Provider will
		automatically be added using java.security.Security.addProvider().
	-->

	<!-- BouncyCastle Security Provider Implementation. -->
	<component-implementation class="org.bouncycastle.jce.provider.BouncyCastleProvider"/>

</container>

For more information PicoContainer XML script please refer to the PicoContainer script website.