Users Guide

RSA BSAFE SSL-J 6.2.6 Troubleshooting Guide
Use SSL-J with J2EE Applications and Application Servers
Java Application Servers use a hierarchy of class loaders to isolate the applications in
the Web and Enterprise JavaBeans containers. The use of class loaders affects how
SSL-J can be used in this environment.
Static Registration
SSL-J can be statically registered and successfully used in most Application Server
environments. Static registration allows the Application Server to take advantage of
SSL-J; however, there are some disadvantages to using this approach:
• All applications must use the statically registered SSL-J. For static registration,
  SSL-J jars must be installed in the ext directory of the Java runtime so that they
  appear in the class path of all applications.
• The existence of multiple instances of the SSL-J jars in the class path is an
  unsupported configuration, so no application can have a private copy of SSL-J
  within its EAR file.
• All applications must use the same version of SSL-J, so if SSL-J is updated then
  all applications should be tested with the new version. Note that some Application
  Servers may provide additional controls over isolation. Configuration options may
  enable the installation of SSL-J so that it is visible only to the Application Server
  and not to the applications in the containers.
• It is necessary to shut down the entire Application Server in order to upgrade
  SSL-J.
Dynamic Registration
The use of dynamic registration can lead to a number of problems. The provider list is
maintained by the java.security.Security class, which is in the Java Runtime
Library. As a result, any dynamically registered provider instance is available to all
applications.
Dynamic registration can work successfully if:
• The SSL-J jars are installed in the ext directory of the JRE, not in any application’s
  EAR file.
• Before registration, the application checks if the RsaJsse provider has already
  been registered by another application.
This approach has the same disadvantages as static registration.
It is not recommended for applications that contain SSL-J jars in their EAR file to
register their own instance of the RsaJsse provider, as that instance would be visible to
other applications.
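
The check described under Dynamic Registration, as an added example that is not part of the original guide or of SSL-J itself. It registers the RsaJsse provider only if no application has done so already, and reports whether the registered instance was loaded from the runtime class path (ext, system or bootstrap loader) rather than from an application's own class loader. Assumptions: the provider class name com.rsa.jsse.JsseProvider must be confirmed against your SSL-J release, the SSL-J jars are installed in the ext directory, and the class and method names RsaJsseRegistration, ensureRegistered and loadedFromRuntime are hypothetical.

```java
import java.security.Provider;
import java.security.Security;

public final class RsaJsseRegistration {
    // "RsaJsse" is the provider name used in the guide.
    private static final String PROVIDER_NAME = "RsaJsse";
    // Assumption: SSL-J's provider class; confirm against your release.
    private static final String PROVIDER_CLASS = "com.rsa.jsse.JsseProvider";

    private RsaJsseRegistration() {}

    /** Returns the JVM-wide RsaJsse provider, registering it only if absent. */
    public static Provider ensureRegistered() throws ReflectiveOperationException {
        // The provider list is shared by every application in the JVM, so the
        // check and the registration are done under one lock.
        synchronized (Security.class) {
            Provider existing = Security.getProvider(PROVIDER_NAME);
            if (existing != null) {
                return existing; // another application registered it first
            }
            // Resolve through the system class loader (which delegates to the
            // ext loader) so a copy inside an EAR file is never selected.
            Class<?> cls = Class.forName(PROVIDER_CLASS, true,
                    ClassLoader.getSystemClassLoader());
            Provider provider = (Provider) cls.getDeclaredConstructor().newInstance();
            Security.addProvider(provider);
            return provider;
        }
    }

    /** True if the provider class came from the system, ext or bootstrap loader. */
    public static boolean loadedFromRuntime(Provider provider) {
        ClassLoader owner = provider.getClass().getClassLoader();
        if (owner == null) {
            return true; // null means the bootstrap loader
        }
        for (ClassLoader cl = ClassLoader.getSystemClassLoader(); cl != null; cl = cl.getParent()) {
            if (cl == owner) {
                return true;
            }
        }
        return false; // loaded by an application or container class loader
    }

    public static void main(String[] args) throws Exception {
        Provider provider = ensureRegistered();
        System.out.println(provider.getName() + " loaded from runtime class path: "
                + loadedFromRuntime(provider));
    }
}
```

A false result from loadedFromRuntime indicates the situation the guide advises against: an application registered an instance from the SSL-J jars in its own EAR file, and that instance is now visible to the other applications.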