Those seeking to include various aspects of XML Security infrastructure in their environments may quickly find themselves puzzled by where to go and how to gain access to such technology for runtime use. But the availability of two different developer toolkits for Java means that at least some developers can turn to one or the other (assuming their development plans permit them to use Java-based technologies, that is) for reasonably ready access to a usable set of tools for this purpose. These two toolkits are as follows:
Both of these offerings promise to make developers' jobs easier when it comes to integrating XML-based security capabilities into their systems and applications.
More about Entrust Authority
The Entrust offering comes from a leading company in the information security business, which brought one of the first commercial PKI (public key infrastructure) offerings to market in 1994. Entrust Authority is in fact the product family to which the security toolkit covered here belongs. What this toolkit brings to developers is an ability to incorporate strong security features, including encryption and digital signatures into their code. Among other features and benefits, this security toolkit includes the following capabilities:
- Enables secure data transfer, exchange and storage of date with multiple PKI solutions with support for open product standard
- Enables use of cryptography and creation of self-signed certificates without requiring use of PKI
- Supports end-to-end data encryption and accountability using digital signatures, plus various non-repudiation mechanisms
- Supports creation of key pairs or creating digital signatures as specified in RFC 3039 as well as mechanisms for accessing and using keys in Microsoft CAPI stores
- Supports secure file transfer and messaging using XML digital signatures, XML encryption, S/MIME v2 and v3, optional authentication and other mechanisms as appropriate
- Supports broad range of algorithms, including RSA, DSA, ECDSA and AES
This environment works with JDK 1.3.1 or later, J2DSK 1.3 or later, or with Javasoft's Java Plugin 1.3 or later to provide support for older IE or Netscape versions (otherwise, Netscape 6.2 or IE 5.5 or newer versions are required). Works with all platforms for which Sun Java Development kits are available, as well as for numerous IBM and HP-UX Java Development kits (see specifications for details). The Entrust Authority Security Manager software (release 6.x or 7.x) is also required to support this developer toolkit, however.
More About IBM's XML Security Suite
The IBM XML Security provides support for security features that include digital signature, encryption and access control within XML documents, above and beyond what transport-level security protocols such as SSL (Secure Sockets Layer) can deliver. To that end, the suite supports three technologies:
- Digital signatures as specified in the "XML-Signature Syntax and Processing"recommendation (also the subject of IETF documents)
- XML encryption as specified in the "XML Encryption Syntax and Processing" recommendation
- XML Access Control Language (XACL) and implementation
Requirements are basic and straight forward. The code works for clients running Windows 95, 98, NT, 2003, XP or Linux. Developers need to work with JDK 1.1 or 1.2 and the Apache Xerces-J environments (further download and installation instructions are readily available). No other supporting software is needed or required, so this implementation may be more attractive to developers who might not otherwise need to license Entrust Authority offerings.
Either of these toolkits makes it easier for developers to draw on standard XML security services and capabilities, and promises to up the security ante considerably in documents or applications that use them. Thus, both are worth looking into.
About the author
Ed Tittel is a full-time writer and trainer whose interests include XML and development topics, along with IT Certification and information security topics. E-mail Ed with comments, questions, or suggested topics or tools for review.