This line should immediately follow the line you inserted for JCE. To use JSSE as an unbundled extension, you must: Add the three jar files to your classpath. • In every program that you run, you must insert the following line: Security.addProvidernew com.sun.net.ssl.internal.ssl.Provider ; •

1.2.4 The Java Authentication and Authorization Service

JAAS provides for user authentication within the Java platform. It performs a unique function in the Java platform. All of the core facilities of Javas security design are intended to protect end users from the influences of developers: end users give permissions to developers to access resources on the end users machine. JAAS, on the other hand, allows developers to grant or deny access to their programs based on the authentication credentials provided by the user. JAAS can be downloaded from http:java.sun.comproductsjaas. It comes in two parts: a Java library which defines the interface to the service the JAAS proper, and platform−specific modules to perform the authorization the JAAS modules. Sample modules are available to perform authentication based on JNDI directory services, Windows NT login services, and Solaris login services. JAAS itself contains documentation and a lib directory with a single jar file jaas.jar. The jar file should either be installed into JREHOMElibext, or the user must add it to her classpath. The lib directory of the JAAS modules contains an additional jar file jaasmod.jar that must be handled similarly. It also contains platform−specific shared libraries. On Solaris systems, these libraries must be installed into JREHOMElibsparc. If that is not possible, the libraries can be placed into any directory e.g., filesjaasmod1_0lib and that directory can be added to the users LD_LIBRARY_PATH. On Microsoft Windows systems, these libraries are named nt.dll, nt.lib, and nt.exp and they must be installed into JREHOME\bin. If that is not possible, then you must set the java.library.path property on the command line. For instance, if the libraries are in \files\jaasmod1_0\lib, you would specify the following property on the command line: −Djava.library.path=\files\jaasmod1_0\lib No modification to the java.security file is required for JAAS.

1.2.5 More About Export Controls

The U.S. is not the only government that regulates the use of encryption, and encryption software can face import restrictions as well as export restrictions. In France, for example, it is illegal to import many encryption packages without a license. Other countries have regulations for cryptography, but in most cases they are less onerous than those of the United States. However, it is always wise to check your local policies to be sure see Appendix B, for resources to find more information about these limitations. Even though the U.S. has relaxed its export rules, some restrictions still apply. You may not export either JCE or JSSE and, hence, any programs that use them to the following countries: Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, SerbiaMontenegro Yugoslavia, Sudan, Syria and parties listed on the Denied and Restricted Parties List available at http:bxa.fedworld.govprohib.html. Additionally, it is Sun company policy not to ship products to Burma. 12 The encryption extensions, like many aspects of the Java platform, allow for third−party implementations; just like you can buy a third−party JDBC driver, you can buy third−party implementations of JCE. However, many of the popular algorithms that are used by the extensions are patented algorithms, which also restricts their use. RSA Data Security, Inc. holds a patent in the U.S. on several algorithms involving RSA encryption and digital signatures; Ascom System AG in Switzerland holds both U.S. and European patents on the IDEA method of performing encryption. If you live in a country where these patents apply, you cant use these underlying algorithms without paying a licensing fee to the patent holder. In particular, this means that many of the third−party security providers and third−party implementations of JCE cannot be used within the United States because of patents held by RSA although some of them have reached a licensing agreement with RSA Data Security, Inc. −− again, it is best to check with the provider to see what restrictions might apply. Sun has an agreement with RSA Data Security to redistribute its implementation of the RSA algorithms. Encryption and Weaponry The whole question of importing and exporting encryption technology occurs because it is often classified as a munition. While this position is sometimes questioned, it comes from a long tradition in computer science. During WWII, the Allies waged a successful and pivotal campaign in the Atlantic against the Axis navy. The success of this campaign was greatly due to the work of Alan Turing, who with his colleagues broke the German encryption algorithm known as Enigma. Turing was also one of the founding fathers of modern computer science, much of which was based on the work he developed in service to his country during the war. Ironically, the reward that Turing reaped for his efforts was that some years after the war, he was arrested and forced to undergo harmful chemical treatments because he was gay. Theres an odd parallel here: many of the harsh restrictions that are sometimes placed on encryption technology make no more sense in a world with a global Internet than did Englands persecution of Alan Turing in the 1950s. Perhaps the relaxation of export restrictions is a good sign in general. Note that import and export restrictions apply only to the encryption technology contained within JCE and JSSE. Although the core Java APIs perform important cryptographic operations, those operations are not considered to be munition−grade operations.

1.2.6 Other Software Versions