When using SSL connections, does the LDAP SDK use the JCE or JSSE?
I need to use FIPS 140-2 approved algorithms, so I can't use the standard JCE / JSSE provided by Oracle's JDK.
The network communication performed by the LDAP SDK occurs over java.net.Socket objects created by a javax.net.SocketFactory. If you don't provide a SocketFactory when creating the connection, then it will use the JVM-provided default factory that uses unencrypted communication. If you want SSL, then you need to provide your own SocketFactory that creates sockets that use SSL-encrypted communication. If you use the com.unboundid.util.ssl.SSLUtil class, then it creates javax.net.ssl.SSLSocketFactory objects (which are part of JSSE).
Although the Sun/Oracle JVM isn't FIPS 140-2 compliant, IBM does provide JVMs (for at least Java SE 5, 6, and 7) that can be configured to conform to this specification, including support for a JSSESocketFactory. I believe that this can be used by either requesting a specific provider or by configuring the JVM to use this provider by default (as per http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/index.jsp?topic=%2Fcom.ibm.java.security.component.doc%2Fsecurity-component%2Fprogpractices.html). This is the only FIPS-compliant implementation that I've used, but if you've got a different library with the appropriate certification then you should be able to plug it in just as easily.
Neil Wilson
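The "request a specific provider" route described in the answer above, as an added example that is not part of the original thread or of the LDAP SDK itself: the TLS engine is obtained from a named JSSE provider rather than from whatever the JVM ranks first, the resulting javax.net.ssl.SSLSocketFactory is handed to the SDK's LDAPConnection constructor, and the code refuses to connect if the provider is absent or the SSLContext did not actually come from it. The provider name "IBMJSSE2", the host, the port, and the trust-store path and password are assumptions for illustration; substitute the certified provider and directory you are using.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.RootDSE;

public class FipsProviderLdapConnection {

    // ASSUMPTION: name of the FIPS-certified JSSE provider registered in this JVM.
    // "IBMJSSE2" is IBM's; any other certified provider is used the same way.
    private static final String JSSE_PROVIDER = "IBMJSSE2";

    // ASSUMPTIONS: directory endpoint and the trust store holding its CA certificate.
    private static final String LDAP_HOST = "ldap.example.com";
    private static final int LDAPS_PORT = 636;
    private static final String TRUST_STORE_PATH = "/path/to/truststore.jks";
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    /** Fail fast if the provider we depend on is not installed, listing what is. */
    static Provider requireProvider(String name) {
        Provider p = Security.getProvider(name);
        if (p == null) {
            throw new IllegalStateException("JSSE provider '" + name
                + "' is not registered; available providers: "
                + Arrays.toString(Security.getProviders()));
        }
        return p;
    }

    /**
     * Build an SSLSocketFactory whose SSLContext and trust managers both come from
     * the named provider. Passing the provider name to getInstance() pins the
     * implementation instead of relying on provider precedence in java.security.
     */
    static SSLSocketFactory buildSocketFactory(String providerName) throws Exception {
        requireProvider(providerName);

        // Explicit trust store: the server certificate must chain to a CA in here.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(TRUST_STORE_PATH);
        try {
            trustStore.load(in, TRUST_STORE_PASSWORD);
        } finally {
            in.close();
        }

        // The JVM's configured default trust-manager algorithm, taken from this provider.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
            TrustManagerFactory.getDefaultAlgorithm(), providerName);
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS", providerName);
        ctx.init(null, tmf.getTrustManagers(), null);

        // Sanity check: make sure the context really is backed by the requested provider.
        if (!providerName.equals(ctx.getProvider().getName())) {
            throw new IllegalStateException("SSLContext came from "
                + ctx.getProvider().getName() + ", expected " + providerName);
        }
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = buildSocketFactory(JSSE_PROVIDER);

        // The SDK only asks the factory for sockets; every TLS decision is made
        // by the provider behind it, so this is the whole integration point.
        LDAPConnection conn = new LDAPConnection(factory, LDAP_HOST, LDAPS_PORT);
        try {
            RootDSE rootDSE = conn.getRootDSE();
            System.out.println("Connected over TLS from provider " + JSSE_PROVIDER
                + "; server vendor: "
                + (rootDSE == null ? "unknown" : rootDSE.getVendorName()));
        } finally {
            conn.close();
        }
    }
}
```

If you instead use com.unboundid.util.ssl.SSLUtil, its createSSLSocketFactory() calls SSLContext.getInstance() without a provider argument, so it takes the highest-priority registered provider; that corresponds to the second option in the answer, configuring the JVM (java.security provider order) so the certified provider is the default. Either way, the check on ctx.getProvider().getName() is worth keeping in a FIPS deployment, because a silently substituted default provider would not show up in the LDAP traffic itself.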