
Configuring JCE Cryptography

The Java Cryptography Extension (JCE) strategy gives you access to the encryption and signing features of the Java platform. You can encrypt an entire message or only specific parts of it, using either of these two methods:

  • Password-based encryption (PBE)
    This method enables you to encrypt and sign content by simply providing an encryption password.

  • Key-based encryption (KBE)
    Similar to PGP and XML encryption, this method enables you to configure a symmetric or asymmetric key to perform encryption and signing operations.

Use the Cryptography Module JCE operations to configure these methods.

Before You Begin

Make sure you are familiar with PBE and KBE encryption, the concepts of public and private keys, and asymmetric cryptography.

Configure PBE Encryption

This method takes your password and runs it through a hash function to create a symmetric encryption key. This generated key works with standard encryption algorithms. Because PBE only needs a password, you don’t need a separate Global Configuration Element for JCE PBE operations.

Configure JCE PBE Operations in Anypoint Studio

Follow these steps:

  1. In Anypoint Studio, drag a Cryptography Module JCE PBE operation to the canvas flow.

    [Figure: A palette menu for adding password-based encryption modules in a cryptographic flow]

  2. In the operation configuration window, set the Algorithm and Password properties:

    [Figure: Configuration settings for JCE encrypt PBE with algorithm and password options]

XML Examples

These are XML examples for each of the JCE PBE operations:

  • Jce encrypt pbe

    <crypto:jce-encrypt-pbe password="a-Sup3r_Secure-Passw0rd"/>

    If you don’t specify an algorithm, the module uses PBEWithHmacSHA256AndAES_128.

  • Jce decrypt pbe

    <crypto:jce-decrypt-pbe algorithm="PBEWithHmacSHA256AndAES_128" password="a-Sup3r_Secure-Passw0rd"/>

  • Jce sign pbe

    <crypto:jce-sign-pbe password="a-Sup3r_Secure-Passw0rd"/>

    If you don’t specify an algorithm, the module uses PBEWithHmacSHA256.

  • Jce validate pbe

    <crypto:jce-validate-pbe password="a-Sup3r_Secure-Passw0rd" algorithm="PBEWithHmacSHA256" expected="#[vars.expectedSignature]"/>

    The expected parameter defines the signature used to validate the message.
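What the default algorithm name means in plain JCE terms, as an added example that is not part of the Cryptography Module or of the original page: the password becomes a key only together with a salt and an iteration count, and the cipher also needs an IV, so all three must be available again at decryption time. The class name, the iteration count, the salt||iv||ciphertext layout, and the password are assumptions made for this example and say nothing about how the module stores these values.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class PbeRoundTrip {
    static final String ALG = "PBEWithHmacSHA256AndAES_128"; // default algorithm named on this page
    static final int ITERATIONS = 100_000;                   // assumed work factor, not a module value

    // Builds a cipher from the password plus the salt, iteration count and IV.
    static Cipher cipher(int mode, char[] password, byte[] salt, byte[] iv) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance(ALG).generateSecret(new PBEKeySpec(password));
        Cipher c = Cipher.getInstance(ALG);
        c.init(mode, key, new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv)));
        return c;
    }

    // Output layout (chosen for this example): salt(16) || iv(16) || ciphertext.
    static byte[] encrypt(char[] password, byte[] plaintext) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[16];
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, password, salt, iv).doFinal(plaintext);
        byte[] out = new byte[32 + ct.length];
        System.arraycopy(salt, 0, out, 0, 16);
        System.arraycopy(iv, 0, out, 16, 16);
        System.arraycopy(ct, 0, out, 32, ct.length);
        return out;
    }

    // Reads salt and IV back from the blob; the password alone cannot decrypt.
    static byte[] decrypt(char[] password, byte[] blob) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, 16);
        byte[] iv = Arrays.copyOfRange(blob, 16, 32);
        return cipher(Cipher.DECRYPT_MODE, password, salt, iv).doFinal(blob, 32, blob.length - 32);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-example-password".toCharArray(); // constructed sample value
        byte[] msg = "order=42".getBytes(StandardCharsets.UTF_8);  // constructed sample payload
        byte[] blob = encrypt(pw, msg);
        System.out.println(new String(decrypt(pw, blob), StandardCharsets.UTF_8));
        // Second encryption of the same input draws a fresh salt and IV.
        System.out.println("identical blobs: " + Arrays.equals(blob, encrypt(pw, msg)));
    }
}
```

In the JDK's default provider this algorithm runs AES in CBC mode with PKCS5 padding and carries no integrity check, so a modified ciphertext is not reliably rejected by decryption alone.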

Configure KBE Encryption

Configure a symmetric or asymmetric key to perform encryption and signing operations.

Configure JCE KBE Operations in Anypoint Studio

Follow these steps:

  1. In Anypoint Studio, drag a Cryptography Module JCE KBE operation to the canvas flow.

    [Figure: A crypto-examples project with components for encryption and decryption]

  2. In the operation configuration window, select an existing Module configuration, or create a new one by configuring the Keystore, Type (JKS, JCEKS, PKCS12), and Password parameters.

    You can also add symmetric or asymmetric key information to use in sign operations:

    [Figure: Global configuration properties for Crypto JCE with keystore details]

  3. Configure Key selection by using a Key id value previously defined in the module configuration, or define a new one for this operation:

    [Figure: A configuration panel for JCE encryption showing settings for content, algorithm, and key selection]

  4. Select the algorithm to use during the operation.

XML Examples

These XML examples show a JCE configuration that defines symmetric and asymmetric keys and different operations using these keys.

  • Configuration

    In this example, the JCE configuration contains a keystore with different types of keys:

    <crypto:jce-config name="jceConfig" keystore="jce/keys.jceks" password="123456" type="JCEKS">
        <crypto:jce-key-infos>
            <crypto:jce-symmetric-key-info keyId="aes128" alias="aes128" password="123456"/>
            <crypto:jce-symmetric-key-info keyId="blowfish" alias="blowfish" password="123456"/>
            <crypto:jce-symmetric-key-info keyId="hmacsha256" alias="hmacsha256" password="123456"/>
            <crypto:jce-asymmetric-key-info keyId="rsa" alias="myrsakey" password="123456"/>
            <crypto:jce-asymmetric-key-info keyId="dsa" alias="mydsakey" password="123456"/>
        </crypto:jce-key-infos>
    </crypto:jce-config>

  • Asymmetric Encryption

    In this example, the operations Jce encrypt and Jce decrypt use the asymmetric keys defined in the previous configuration.

    Encrypting a Message

    <crypto:jce-encrypt config-ref="jceConfig" keyId="rsa" algorithm="RSA"/>

    Decrypting a Message

    <crypto:jce-decrypt config-ref="jceConfig" keyId="rsa" algorithm="RSA"/>

  • Symmetric Encryption

    In this example, the operations Jce encrypt and Jce decrypt use the symmetric keys defined in the previous configuration.

    Encrypting a Message

    <crypto:jce-encrypt config-ref="jceConfig" keyId="aes128" algorithm="AES"/>

    Decrypting a Message

    <crypto:jce-decrypt config-ref="jceConfig" keyId="aes128" algorithm="AES"/>

  • Signature and Validation

    In this example, the Jce sign and Jce validate operations use a key defined in the previous configuration:

    Signing a Message

    <crypto:jce-sign config-ref="jceConfig" keyId="dsa" algorithm="SHA256withDSA"/>

    Validating a Signature

    <crypto:jce-validate config-ref="jceConfig" keyId="dsa" algorithm="SHA256withDSA" expected="#[vars.expectedSignature]"/>

    The expected parameter defines the signature used to validate the message.
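A pre-deployment check for a keystore like the one in the configuration above, written in plain JCE as an added example that is not part of the module or of the original page: it resolves each alias with its key password and reports whether the entry exists, unlocks, and is of the expected kind. The class and method names, the in-memory sample store (which stands in for jce/keys.jceks and holds only symmetric keys), and the sample password are constructed for this example.

```java
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;

public class JceKeystoreCheck {
    // Constructed stand-in for jce/keys.jceks: an in-memory JCEKS store with two symmetric keys.
    static KeyStore sampleStore(char[] storePw, char[] keyPw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, storePw);
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(128);
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(keyPw);
        ks.setEntry("aes128", new KeyStore.SecretKeyEntry(aes.generateKey()), prot);
        ks.setEntry("hmacsha256",
                new KeyStore.SecretKeyEntry(KeyGenerator.getInstance("HmacSHA256").generateKey()), prot);
        return ks;
    }

    // Resolves one alias with its key password and reports what the store really holds.
    static String check(KeyStore ks, String alias, char[] keyPw, boolean expectSymmetric) throws Exception {
        if (!ks.containsAlias(alias)) return "MISSING alias";
        Key key;
        try {
            key = ks.getKey(alias, keyPw);
        } catch (UnrecoverableKeyException e) {
            return "WRONG key password";
        }
        if (key == null) return "NO KEY (certificate-only entry)";
        boolean symmetric = key instanceof SecretKey;
        if (symmetric != expectSymmetric) return "WRONG TYPE, found " + key.getAlgorithm();
        // Encoded length is the key size only for symmetric keys, so report it only there.
        String size = symmetric ? ", " + key.getEncoded().length * 8 + " bits" : "";
        return "OK: " + key.getAlgorithm() + size;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-sample-pw".toCharArray(); // constructed sample value
        KeyStore ks = sampleStore(pw, pw);
        System.out.println("aes128     -> " + check(ks, "aes128", pw, true));
        System.out.println("hmacsha256 -> " + check(ks, "hmacsha256", pw, true));
        // Not present in the sample store, so the check flags it.
        System.out.println("myrsakey   -> " + check(ks, "myrsakey", pw, false));
        System.out.println("aes128 declared asymmetric -> " + check(ks, "aes128", pw, false));
        System.out.println("aes128 with bad password   -> " + check(ks, "aes128", "bad".toCharArray(), true));
    }
}
```

To run the same check against a real keystore file, load it with KeyStore.load from an input stream instead of calling sampleStore.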
