db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bernt M. Johnsen (JIRA)" <j...@apache.org>
Subject [jira] Created: (DERBY-2837) Update docs on STRONG_PASSWORD_SUBSTITUTE_SECURITY/ENCRYPTED_USER_AND_PASSWORD_SECURITY and JCE support
Date Mon, 18 Jun 2007 09:25:26 GMT
Update docs on STRONG_PASSWORD_SUBSTITUTE_SECURITY/ENCRYPTED_USER_AND_PASSWORD_SECURITY and
JCE support
-------------------------------------------------------------------------------------------------------

                 Key: DERBY-2837
                 URL: https://issues.apache.org/jira/browse/DERBY-2837
             Project: Derby
          Issue Type: Improvement
          Components: Documentation
    Affects Versions: 10.3.1.0
            Reporter: Bernt M. Johnsen


Bernt M. Johnsen wrote:
>>>>>>>>>>>>>Michael Segel wrote (2007-06-16 00:23:56):
>>Which is why I'm a little suspect that the *only* way to do encryption on
>>the wire is to be forced to bring in IBM's JCE.
>
>You don't need the IBM JCE. Sun's JDK comes with and JCE which works
>just fine. The docs tries to tell you that if you use an old IBM
>environment, you need to install IBMS JCE searately.

That section (installing an IBM JCE) should be removed from the
documentation for 10.3 onwards since JDK 1.4 is the lowest supported JVM
level.

>
>There is, however small issue, if you choose
>ENCRYPTED_USER_AND_PASSWORD_SECURITY, newer Sun JCE's (from 1.4, I
>think) does not support the shared DHS value defined in the DRDA
>protocol. It's too weak. As an alternative solution for passsword
>protection, Francois implemented STRONG_PASSWORD_SUBSTITUTE_SECURITY.

This information would be great to add to the docs. Restating the
requirements in terms of a JCE that supports "the shared DHS value
defined in the DRDA protocol" (whatever the correct JCE term for that
is) and not specifically the IBM JCE. The documentation then should
state that this is not supported by some JCEs due to its weakness and an
alternative is to use STRONG_PASSWORD_SUBSTITUTE_SECURITY (and/or SSL?).

Dan.



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message