Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
10.3.1.4
-
None
Description
Bernt M. Johnsen wrote:
>>>>>>>>>>>>>Michael Segel wrote (2007-06-16 00:23:56):
>>Which is why I'm a little suspect that the only way to do encryption on
>>the wire is to be forced to bring in IBM's JCE.
>
>You don't need the IBM JCE. Sun's JDK comes with and JCE which works
>just fine. The docs tries to tell you that if you use an old IBM
>environment, you need to install IBMS JCE searately.
That section (installing an IBM JCE) should be removed from the
documentation for 10.3 onwards since JDK 1.4 is the lowest supported JVM
level.
>
>There is, however small issue, if you choose
>ENCRYPTED_USER_AND_PASSWORD_SECURITY, newer Sun JCE's (from 1.4, I
>think) does not support the shared DHS value defined in the DRDA
>protocol. It's too weak. As an alternative solution for passsword
>protection, Francois implemented STRONG_PASSWORD_SUBSTITUTE_SECURITY.
This information would be great to add to the docs. Restating the
requirements in terms of a JCE that supports "the shared DHS value
defined in the DRDA protocol" (whatever the correct JCE term for that
is) and not specifically the IBM JCE. The documentation then should
state that this is not supported by some JCEs due to its weakness and an
alternative is to use STRONG_PASSWORD_SUBSTITUTE_SECURITY (and/or SSL?).
Dan.
Attachments
Attachments
Issue Links
- is related to
-
DERBY-2882 Remove references to JDK 1.2 and 1.3 in the documentation
- Closed