
IBM rantery

Well it’s about time. Haven’t done a big ole’ IBM rant in ages. This has been a long week (at least 63 hours, probably more): it started Sunday night, when I engaged in a little light Java development (ha!). I eventually retired at 2am (Monday), and was up again four hours later, fresh as a daisy for my morning chores and the commute in to London.

* cough *

My current project is nearing the end, but there’s been some frantic coding and troubleshooting on my part, with copious nuggets of precious guidance and information from one of my learned colleagues (thanks Steve!) who knows his (Java) beans, plus our resident Websfear guru (thanks Ric!). “But this is all nice fluffy stuff, where’s the rant!” I hear you shout! Well, check this out: a Sametime session created this very day. Steve and I were talking through my code, specifically a piece which generates a key and then uses that key to encrypt data. We were talking around the standard Java Cryptography Extension (JCE) stuff that Sun offer. Anyway, with a nod to jonvon, and apologies for the out-and-out geekery, here is a transcript of the ST chat:

M’colleague	It’s now not liking the random number generator in
RNG_ALGORITHM. You’ve got SHA1PRNG? Shouldn’t it be DESede something?

Me (muppet)	DESede is the short name for the triple des algorithm… but
you have to "seed" SecureRandom with an algorithm that implements the
Pseudo Random Number Generator algorithm (!) Or PRNG for short… SHA1PRNG
is the normal one that gets used. So then I read the Java Crypto reference,
and SHA1PRNG is the only algorithm listed for use in this regard

M’colleague	sorry - I wasn’t reading the line properly with the brackets.
That’s right. I know that’s not a valid excuse this side of midnight

Me (muppet)	No mate, I take all questions: it ensures I’ve actually
thought everything through… ;o)
Or not. Either way, it means we hopefully find the issue!

M’colleague	sha1prng isn’t available in my version of WAS as it’s part
of the Sun JDK. We’ll have to check to see if it’s available in the
version we deploy to (it’s a slightly later version to the one I’ve got)

Me (muppet)	OK… eek, that seems like a bit of a stopper.
BTW, the stuff about algorithms is in the docs, but there’s an online version here:
http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html
Appendix A covers the algorithms available for different purposes and it says "SHA1PRNG"
is the name of the random number algorithm *PROVIDED BY THE SUN PROVIDER*
So I need to see what the IBM impl has. It will work in my dev environment because
the IBM stuff augments the pre-existing Sun stuff whereas Websfear is entirely IBM JVM.

M’colleague	I use the init with no provider so it uses “a system-provided source
of randomness”.

Me (muppet)	Here we go: IBM’s is called “IBM SHA1PRNG”

M’colleague	I’ll try that

Me (muppet)	Jaysus, why do they have to brand their feckin algorithms?!?

M’colleague	at least it’s not “IBM Rational Websphere SHA1PRNG”

Me (muppet)	LOL. Give it time

Comments

  1. There might be some logic to that, as (if I recall correctly) the JCE architecture allows for multiple providers to be loaded simultaneously, so one needs to avoid name conflicts for the algorithms. Been a while since I ventured into JCE, though, so I could be wrong…

    -rich

    Richard Schwartz
  2. Not sure; SecureRandom allows you to specify an algorithm only, an algorithm plus provider, or nothing at all… if you just specify an algorithm and no provider, I don't know how it resolves which provider to use if there are two algorithms present with the same name.

    Certainly for normal signing and encryption, IBM keep the same algorithm names as everyone else: "Sha1WithRSA", "DES", and so on.

    On that basis I suspect that it doesn't really matter; you're right, the JCE architecture does allow for multiple providers. The thing is though, something like WebSphere basically uses the IBMJCE and that's it.

    I find it amusing that even these weird little algorithms, that no-one ever really sees, get branded :-)

    Ben Poole
  3. I've had other troubles with the Sun provider for JCE (like, it only worked -- for what I was trying to do, anyway -- on Windows, not on Solaris, go figure….).

    BouncyCastle has a nice provider, though, and it's free

    Bob Balaban
  4. Indeed, I used BouncyCastle in the early stages of development, before I got hold of the IBM stuff (which we have to use as we’re going Websfear -> Websfear). The BouncyCastle site is excellent too: well laid-out and loads of info:

    http://www.bouncycastle.org

    Ben Poole
  5. did someone say claudia schiffer?

    SHA1PRNG!

    thanks for the nod sir. ;-)

    jonvon
  6. LOL After all that, despite what the docs say, IBM SHA1PRNG isn't a valid algorithm… at least not for WAS 5.1. IBMSecureRandom does the job though.

    Oh the grief…

    Ben Poole

Comments on this post are now closed.
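
The lookup question raised in comments 2 and 6, as an added example that is not code from the post or its commenters: it lists the SecureRandom algorithms the installed providers actually register, in the preference order that `SecureRandom.getInstance(name)` searches, then tries the names mentioned on this page and falls back to the platform default. The class and method names are hypothetical, and a current JDK (Java 8 or later) is assumed.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper class, added for illustration.
public class SecureRandomLookup {

    // Every SecureRandom algorithm registered by the installed providers.
    // Security.getProviders() returns providers in preference order, which is
    // the order getInstance(algorithm) walks when no provider is named.
    static List<String> availableAlgorithms() {
        List<String> found = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SecureRandom".equals(s.getType())) {
                    found.add(p.getName() + ": " + s.getAlgorithm());
                }
            }
        }
        return found;
    }

    // Try each algorithm name in turn; if none is registered on this JVM,
    // fall back to the default constructor (the provider-chosen default).
    static SecureRandom obtain(String... preferredNames) {
        for (String name : preferredNames) {
            try {
                return SecureRandom.getInstance(name);
            } catch (NoSuchAlgorithmException e) {
                System.err.println("Not available on this JVM: " + name);
            }
        }
        return new SecureRandom();
    }

    public static void main(String[] args) {
        for (String entry : availableAlgorithms()) {
            System.out.println(entry);
        }
        // Both names are the ones quoted in the post and its comments.
        SecureRandom rng = obtain("SHA1PRNG", "IBMSecureRandom");
        System.out.println("Selected " + rng.getAlgorithm()
                + " from provider " + rng.getProvider().getName());
    }
}
```

Running it on the deployment JVM rather than the development one shows which names that runtime really accepts, whatever the documentation lists.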
