Dell BSAFE Cert-J User guide

Brand: Dell

Model: BSAFE Cert-J

Type: User guide

RSA BSAFE

Cert-J 6.2.4

Installation Guide

31 July 2018

Part Number

11.07.18

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change

without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” DELL INC. OR ITS SUBSIDIARIES MAKES

NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS

PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS

FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any Dell software described in this publication requires an applicable software license.

Dell, RSA, the RSA logo, BSAFE, and other trademarks are registered trademarks of Dell Inc. or its subsidiaries. Other

trademarks may be trademarks of their respective companies.

Third-party licenses

This product may include software developed by parties other than Dell Inc. The text of the license agreements applicable to

third-party software in this product may be viewed in Cert-J_6.2.4_Third-partyLicenses.pdf.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption

technologies, and current use, import, and export regulations should be followed when using, importing or exporting this

product.

Distribution

Limit distribution of this document to trusted personnel.

Installation Guide

11.07.18

RSA BSAFE Cert-J 6.2.4 Installation Guide

This document provides instructions for installing RSA BSAFE Cert-J 6.2.4 (Cert-J)

on all released platforms. Instructions are provided for binary installations, including

installation on Google

Android™, and source installations of Cert-J, including

installation on Google Android.

Binary installations are suitable where the compiled version of Cert-J matches your

installation platform, and where there is no intention to alter the product. Source

installations are suitable where Cert-J is to be built for a specific platform.

Contents:

About the Cert-J Toolkit ................................................................................... 2

Binary Installation ............................................................................................. 4

Install the JCE Jurisdiction Policy Files ................................................. 5

Install Cert-J ............................................................................................... 6

Build and Run the Samples ................................................................... 11

Binary Installation for Android ...................................................................... 12

Install Cert-J ............................................................................................. 13

Build an Application to Run the Cert-J Samples ................................. 18

Source Installation ......................................................................................... 20

Install the JCE Jurisdiction Policy File ................................................. 21

Install the Toolkit Files ............................................................................ 22

Install Third-party Software Tools ......................................................... 23

Build and Test the Source Code ........................................................... 24

Source Installation for Android ..................................................................... 25

Install the Toolkit Files ............................................................................ 26

Install Third-party Software Tools ......................................................... 27

Create the Toolkit Jar Files for Android ................................................ 28

Build and Run the System Tests ........................................................... 28

System and Security Properties ................................................................... 30

Uninstallation Instructions ............................................................................. 30

2 About the Cert-J Toolkit

RSA BSAFE Cert-J 6.2.4 Installation Guide

About the Cert-J Toolkit

Cert-J is a certificate-handling software development kit for creating Java™

applications that integrate into a public key infrastructure using the proprietary Cert-J

API.

The Cert-J distribution media contains the following:

• Binary toolkit

– Toolkit Java archive (jar) files

– CodeBase shared libraries

– OpenLDAP library

– RSA BSAFE Crypto-C Micro Edition 4.1 (Crypto-C ME) shared libraries

– Sample source code.

• Source toolkit

– Java source code and build and test systems

– Crypto-C ME shared libraries

– Sample source code.

• The RSA BSAFE Crypto-J 6.2.4.0.1 (Crypto-J) binary toolkit, which includes the

FIPS validated Crypto-J 6.2.4 module. Crypto-J provides Java implementations of

all the required cryptographic operations.

• Product documentation, consisting of:

– This document, the RSA BSAFE Cert-J Installation Guide, in Portable

Document Format (PDF), with instructions on how to install and build Cert-J.

– RSA BSAFE Cert-J Release Notes, in PDF, with the latest information on

Cert-J.

– RSA BSAFE Cert-J Security Policy, in PDF, which describes how Cert-J uses

the RSA BSAFE JSAFE and JCE Software Module, and how to operate

Cert-J in a manner consistent with the requirements of the cryptographic

module.

– RSA BSAFE Cert-J Third Party Licenses, in PDF, with license information for

third-party products included with Cert-J.

– RSA BSAFE Cert-J Troubleshooting Guide, in PDF, with information and

instructions for troubleshooting common issues with Cert-J.

– RSA BSAFE Cert-J Developers Guide, in HTML format, with information

and instructions on how to develop applications that integrate Cert-J.

– RSA BSAFE Cert-J to Crypto-J Migration Guide, in HTML, which compares

the Cert-J toolkit and the RSA BSAFE Crypto-J 6.2.4 or newer (Crypto-J)

toolkit, to assist with the changes required to migrate applications between

Cert-J 6.x and Crypto-J.

About the Cert-J Toolkit 3

RSA BSAFE Cert-J 6.2.4 Installation Guide

– Related product documentation which includes:

• RSA BSAFE Crypto-C Micro Edition Security Policy documents, Level 1

and Level 2, in PDF, which describe how the Crypto-C ME

Cryptographic Module meets the Level 1 security requirements of FIPS

140-2, the Level 2 security requirements of FIPS 140-2 for Roles,

Authentication and Services, Level 3 security requirements for Design

Assurance, and how to securely operate it.

• RSA BSAFE Crypto-J FIPS Compliance Guide, in PDF, which describes

how Crypto-J uses the FIPS 140-2 cryptographic module, and how to

operate Crypto-J in a manner consistent with the requirements of the

cryptographic module.

• RSA BSAFE Crypto-J JSAFE and JCE Software Module Security

Policies, Level 1 and Level 2, in PDF, which describes how the RSA

BSAFE Crypto-J JSAFE and JCE Software Module meets the Level 1

security requirements of FIPS 140-2, the Level 2 security requirements of

FIPS 140-2 for Roles, Authentication and Services, the Level 3 security

requirements for Design Assurance, and how to securely operate it.

• RSA BSAFE Crypto-J Release Notes, in PDF, with the latest information

on Crypto-J.

– The following Javadocs, in HTML format, which provide Java API reference

information:

• RSA BSAFE CertJ Javadoc

• RSA BSAFE JsafeJCE Javadoc

• RSA BSAFE Jsafe Javadoc

• RSA BSAFE Tools Javadoc.

– RSA Security Concepts, in PDF, provides an overview of the fundamentals of

cryptography and security related issues.

Toolkit Configurations

The following configurations are included in the Cert-J toolkit:

Table 1 Toolkit Configurations

Configuration API

Cryptographic

Implementation

Uses FIPS

Module

Uses either the Crypto-J or Crypto-C ME FIPS 140 validated cryptographic module,.

Pure CertJ CertJ Pure Java No

Native CertJ CertJ

Pure Java and Native

If there is no Native implementation for a particular algorithm, the toolkit automatically uses the Pure Java algorithm

implementation.

FIPS CertJ CertJ Pure Java Yes

FIPS Native CertJ CertJ

Pure Java and Native

Yes

4 Binary Installation

RSA BSAFE Cert-J 6.2.4 Installation Guide

Binary Installation

This section describes how to install the Cert-J binary toolkit on your development

environment.

Note: For instructions to install the Cert-J binary toolkit on an Android

development environment, go to Binary Installation for Android.

Before you begin:

• Ensure that the system you are installing onto has 300 MB of free disk space.

• Install JDK 7.0 or above, and set the

JAVA_HOME environment variable

appropriately. The RSA BSAFE Cert-J Release Notes list the supported platforms.

• Install one or more of the following, as necessary:

– Apache Ant™ 1.7.x or newer. Ant 1.8.x is required for Android development.

– JetBrains IntelliJ

9.0 IDE

– Eclipse 3.3 IDE or newer.

• Read these installation instructions.

Steps to install Cert-J:

The following steps summarize the complete installation process which is detailed

below:

1. Install the JCE Jurisdiction Policy Files.

2. Install Cert-J.

3. Build and Run the Samples.

Binary Installation 5

RSA BSAFE Cert-J 6.2.4 Installation Guide

Install the JCE Jurisdiction Policy Files

The JCE requires that Unlimited Strength Jurisdiction Policy Files are downloaded

and installed in order to use some algorithms and key strengths using the JCE API.

The following algorithms require these policy files:

• AES with key sizes greater than 128 bits

• RC2 with key sizes greater than 128 bits

• RC4 with key sizes greater than 128 bits

• RC5 with key sizes greater than 128 bits

• RSA Encryption.

These algorithms are used by some PKCS #12 KeyStore files.

Some of the samples use the restricted algorithms that require the policy files.

To successfully use the relevant algorithms and run all of the samples, the Unlimited

Jurisdiction Policy Files must be downloaded and installed. The JDK version installed

determines the Jurisdiction Policy File to download.

For Oracle JDK 9, follow the instructions in the README.txt located in the

<jdk9_install_dir>/conf/security/policy directory of the JDK

download.

For all other JDK versions, obtain the applicable Jurisdiction Policy File from the

following download locations:

• JCE Unlimited Strength Jurisdiction Policy Files 6 for Oracle JRockit

JDK 6.0

• JCE Unlimited Strength Jurisdiction Policy Files 7 for:

– Oracle JDK 7.0

– HP JDK 7.0.

• JCE Unlimited Strength Jurisdiction Policy Files 8 for:

– Oracle JDK 8.0

– HP JDK 8.0.

• IBM Unrestricted JCE Policy Files for IBM

JDK 7.x and 8.0.

To install the Unlimited Jurisdiction Policy Files:

1. Extract the local_policy.jar and US_export_policy.jar files from the

downloaded zip file.

2. Copy

local_policy.jar and US_export_policy.jar to the

<jdk_install_dir>/jre/lib/security directory, overwriting the

existing policy files.

6 Binary Installation

RSA BSAFE Cert-J 6.2.4 Installation Guide

Install Cert-J

The following describes the binary distribution directory structure of the unpacked

Cert-J distribution package.

To install Cert-J:

1. Copy the Cert-J binary distribution directory structure into a suitable location on

the target system.

There is a single Cert-J toolkit which contains the Cert-J API. The toolkit operates

differently, depending on the toolkit variants of

Crypto-J on the class path and the

availability of native crypto shared libraries.

The following table lists the Cert-J configurations and the corresponding Cert-J

and

Crypto-J jar files.

Directory Content

<root>/

Cert-J_6.2.4_InstallGuide.pdf

RSA BSAFE Cert-J Installation Guide

Cert-J_6.2.4_ReleaseNotes.pdf

RSA BSAFE Cert-J Release Notes Guide

license_bsafe.pdf

Product specific license

readme.txt

certj/

android/

Files for use on the Android platform

BsafeAndroidSamples/

Android source sample code

certs/

root and intermediate CA certificates

doc/

Documentation files

cryptoj/

Crypto-J documentation files

DevGuide/

RSA BSAFE Cert-J Developers Guide

javadoc/

Cert-J Javadoc

lib/

Cert-J toolkit jar file

prebuilt/

codebase/

CodeBase jar file and native libraries

cryptocme/

Crypto-C ME native libraries

cryptoj/

Crypto-J toolkit jar files

openldap/

Open LDAP jar file

provider/

Source code for the provider component

sample/

Sample source code

Table 2 Configuration and Required Jar Files

Configuration Jar Files to Add to the Class Path

Pure CertJ

• <root>/certj/lib/certj.jar

<root>/certj/prebuilt/cryptoj/cryptoj.jar

• <root>/certj/lib/certj.jar

<root>/certj/prebuilt/cryptoj/cryptojcommon.jar

<root>/certj/prebuilt/cryptoj/cryptojce.jar

<root>/certj/prebuilt/cryptoj/jcm.jar

Binary Installation 7

RSA BSAFE Cert-J 6.2.4 Installation Guide

2. Select the required jar files and add them to the class path.

3. Depending on other features to be used, additional jar files might need to be added

to the class path. The following table lists these features and the corresponding jar

files to be added to the class path.

4. If you do not wish to use a Native FIPS or Native non-FIPS configuration of

Cert-J, go to Step 5.

To use the Native configurations of Cert-J, add the Crypto-C ME shared libraries

to the Java library path.

The subdirectories in

<root>/certj/prebuilt/cryptocme that contain the

platform-specific shared libraries are detailed in the following table.

Native CertJ

• <root>/certj/lib/certj.jar

<root>/certj/prebuilt/cryptoj/cryptoj.jar

• <root>/certj/lib/certj.jar

<root>/certj/prebuilt/cryptoj/cryptojcommon.jar

<root>/certj/prebuilt/cryptoj/cryptojce.jar

<root>/certj/prebuilt/cryptoj/jcm.jar

FIPS CertJ

• <root>/certj/lib/certj.jar

<root>/certj/prebuilt/cryptoj/cryptojcommon.jar

<root>/certj/prebuilt/cryptoj/cryptojce.jar

<root>/certj/prebuilt/cryptoj/jcmFIPS.jar

FIPS Native

CertJ

• <root>/certj/lib/certj.jar

<root>/certj/prebuilt/cryptoj/cryptojcommon.jar

<root>/certj/prebuilt/cryptoj/cryptojce.jar

<root>/certj/prebuilt/cryptoj/jcmFIPS.jar

This configuration will yield faster start-up times.

Table 3 Features and Required Jar Files

Features Jar Files to Add to the class path

LDAP

<root>/certj/prebuilt/openldap/openldap.jar

CodeBase Native Database

<root>/certj/prebuilt/codebase/codebase.jar

Table 4 Platform-specific Crypto-C ME Native Shared Library subdirectories

Platform

Subdirectory

Apple

Mac OS

X 10.6 x86 32-bit

macosx_x86

Apple Mac OS X 10.6 x86_64 64-bit

macosx_x64

FreeBSD

8.3 64-bit

freebsd_x64_gcc

Table 2 Configuration and Required Jar Files (continued)

Configuration Jar Files to Add to the Class Path

8 Binary Installation

RSA BSAFE Cert-J 6.2.4 Installation Guide

For example, for systems running a Windows operating system:

copy <root>\certj\prebuilt\cryptocme\win32vc8\*.*

c:\Windows\System32

For systems running a Unix operating system, add the native library to the library

path. For example, on a Solaris operating system:

LD_LIBRARY_PATH=$LD_LIBRARY_PATH:

<root>/certj/prebuilt/cryptocme/solspv8p

export LD_LIBRARY_PATH

Note: On some operating systems, it may be necessary to set the execute

permissions for the shared libraries. For example:

chmod 755 <root>/certj/prebuilt/cryptocme/solspv8p/*.so

HP HP-UX 11.31 Itanium2 32-bit

hpux1131ia32i2

HP HP-UX 11.31 Itanium2 64-bit

hpux1131ia64i2

IBM AIX

32-bit

aix6

IBM AIX 64-bit

aix6_64

Micro Focus

SUSE

Linux Enterprise Server 32-bit

linux_x86_lsb30

Micro Focus SUSE Linux Enterprise Server 64-bit

linux_x64_lsb30

Microsoft

Windows

32-bit

win32vc8

Microsoft Windows 64-bit

win64x64

Microsoft Windows Itanium2 64-bit

win64ia64

Oracle Solaris™ x86 32-bit

solx86

Oracle Solaris x86_64 64-bit

solx64

Oracle Solaris Sparc v8+ 32-bit

solspv8p

Oracle Solaris Sparc v9 64-bit

solspv9

Red Hat

Enterprise Server 32-bit

linux_x86_lsb30

Red Hat Enterprise Server 64-bit

linux_x64_lsb30

Short Platform Name.

Table 4 Platform-specific Crypto-C ME Native Shared Library subdirectories

Platform

Subdirectory

Binary Installation 9

RSA BSAFE Cert-J 6.2.4 Installation Guide

5. If you are using the Native configuration for native database access, copy the

CodeBase platform-specific native library to the system directory, or put it in the

library path.

The subdirectories in

<root>/certj/prebuilt/codebase that contain the

relevant platform-specific shared libraries are detailed in the following table.

For example, for systems running the Windows operating system:

copy <root>\certj\prebuilt\codebase\win32\*.dll

c:\Windows\System32

For systems running a Unix operating system, add the native library to the native

path. For example, for Solaris, add the library to the

LD_LIBRARY_PATH

environment variable:

LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<root>/certj/prebuilt/codebase/solspv8p

export LD_LIBRARY_PATH

Note: On some operating systems, it may be necessary to set the execute

permissions for the shared libraries. For example:

chmod 755 <root>/certj/prebuilt/codebase/solspv8p/*.so

6. To use the Crypto-J JsafeJCE API, register the Crypto-J JCE provider, JsafeJCE,

either statically or dynamically.

To statically register the JsafeJCE provider:

a. Copy the relevant jar files to the

<jdk_install_dir>/jre/lib/ext

directory.

Table 5 Platform-specific Native Shared Library subdirectories for CodeBase

Platform Subdirectory

HP HP-UX 11.31 Itanium 2 32-bit

hpuxia32i2

IBM AIX PowerPC 32-bit

aix5

Microsoft Windows 32-bit, multithreaded, dynamically linked

with C runtime library

win32

Red Hat Enterprise Server 32-bit

rhas30

Red Hat Enterprise Server 64-bit

rhas40_x86-64

Oracle Solaris SPARC v8+ 32-bit

solspv8p

10 Binary Installation

RSA BSAFE Cert-J 6.2.4 Installation Guide

b. Edit the <jdk_install_dir>/jre/lib/security/java.security file

to add the JsafeJCE Provider:

security.provider.n=com.rsa.jsafe.provider.JsafeJCE

To set the JsafeJCE Provider as the default provider, set n to 1.

Change the n values for any other providers listed in

java.security so

that each provider has a unique number. For example:

security.provider.1=com.rsa.jsafe.provider.JsafeJCE

security.provider.2=sun.security.provider.Sun

To dynamically register the JsafeJCE provider:

a. Add the relevant jar files to the class path.

b. Create the provider programmatically using the following Java code:

// Create a Provider object

Provider jsafeProvider = new com.rsa.jsafe.provider.JsafeJCE();

// Add the Crypto-J JsafeJCE Provider to the current

// list of providers available on the system.

Security.insertProviderAt (jsafeProvider, 1);

7. The Cert-J FIPS 140-2 toolkit may be configured to perform specific operations at

start-up (load). Configure these operations in the

<jdk_install_dir>/jre/lib/security/java.security file.

The following table lists the property that must be set for FIPS 140-2 compliant

operation.

For FIPS 140-2 Level 2 Roles, Authentication and Services compliance, the

security properties listed in the following table must be added.

Table 6 FIPS 140-2 Property Setting

Property Name Value

com.rsa.cryptoj.fips140initialmode

FIPS140_MODE

The fips140initialmode value can be any of FIPS140_MODE, FIPS140_SSL_MODE or

NON_FIPS140_MODE

Table 7 FIPS 140-2 Level 2 Property Settings

Property Name Value

com.rsa.cryptoj.fips140auth LEVEL2

com.rsa.cryptoj.configfile

This security property is optional. There are APIs to dynamically specify this property.

path and filename

The path and filename can be an absolute path or a path relative to the user.dir Java system property.

Binary Installation 11

RSA BSAFE Cert-J 6.2.4 Installation Guide

8. Cert-J uses CTRDRBG128 as the default random algorithm where no other random

algorithm is specified.

Use the security property

com.rsa.crypto.default.random to change this

as required. The following are valid values for this security property:

The installation of

Cert-J is complete. For information on how to run the sample

code, see Build and Run the Samples.

Build and Run the Samples

The following procedure for running the sample code is applicable only for the binary

toolkit.

The Cert-J samples are located in

<root>/certj/sample/src/certj.

There are two ways to build and run the samples for Cert-J: use the Integrated

Development Environment (IDE) project files, or use the build scripts:

• Use IDE project files

The project files to build and run the samples have been included for the following

development environments:

– JetBrains IntelliJ 9.0 IDE or newer

– Eclipse 3.3 IDE or newer.

These project files are located at

<root>/certj.

• Use Apache Ant build scripts

Build scrips to build and run the samples are located at

<root>/certj.

Ensure that the execution path will allow the ant command to be executed.

To build the sample code:

1. Navigate to the certj directory:

cd <root>/certj

2. Build the samples:

ant -f build-certj.xml

To run the sample code:

1. Run the samples from the certj directory.

a. To run all of the samples:

ant -f build-certj.xml run.all

b. To run a specific sample, specify the sample name. For example:

ant -f build-certj.xml run.VerifyCertificate

• CTRDRBG

• CTRDRBG128

• CTRDRBG192

• CTRDRBG256

• HASHDRBG

• HASHDRBG128

• HASHDRBG192

• HASHDRBG256

• HMACDRBG

• HMACDRBG128

• HMACDRBG192

• HMACDRBG256

12 Binary Installation for Android

RSA BSAFE Cert-J 6.2.4 Installation Guide

Binary Installation for Android

This section describes how to install the Cert-J binary toolkit on your Android

development environment.

Before you begin:

• Ensure that the system you are installing onto has 900 MB of free disk space.

• Install JDK 7.0 or above, and set the

JAVA_HOME environment variable

appropriately. The RSA BSAFE Cert-J Release Notes lists the supported

platforms.

• Install Android SDK r24 or newer, or Android Studio 1.3.2 or newer, and set the

ANDROID_HOME environment variable appropriately.

• Ensure an Android device running a supported version of Android is available to

run Cert-J. A hardware device or an emulator can be used for this.

• Install a supported Android platform. This can be done using the Android

SDK Manager included with the SDK or Android Studio.

• Install Gradle 2.4 or newer.

• Add

<android-sdk>/platform-tools, <android-sdk>/tools and

<gradle-home>/bin to the path environment variable to allow the Android

commands to be called from the Cert-J build scripts.

• Read these installation instructions.

Steps to install Cert-J:

The following steps summarize the complete installation process which is detailed

below:

1. Install Cert-J.

2. Build an Application to Run the Cert-J Samples.

Binary Installation for Android 13

RSA BSAFE Cert-J 6.2.4 Installation Guide

Install Cert-J

The following describes the binary distribution directory structure of the unpacked

Cert-J distribution package.

To install Cert-J:

1. Copy the Cert-J binary distribution directory structure into a suitable location on

the target system.

There is a single Cert-J toolkit which contains the Cert-J API. The toolkit operates

differently, depending on the toolkit variants of Crypto-J on the class path and the

availability of native cryptographic shared libraries.

The following table lists the Cert-J configurations and the corresponding Cert-J

and Crypto-J jar files.

Directory Content

<root>/

Cert-J_6.2.4_InstallGuide.pdf

RSA BSAFE Cert-J Installation Guide

Cert-J_6.2.4_ReleaseNotes.pdf

RSA BSAFE Cert-J Release Notes Guide

license_bsafe.pdf

Product specific license

readme.txt

certj/

android/

Files for use on the Android platform

BsafeAndroidSamples/

Android source sample code

certs/

root and intermediate CA certificates

doc/

Documentation files

cryptoj/

Crypto-J documentation files

DevGuide/

RSA BSAFE Cert-J Developers Guide

javadoc/

Cert-J Javadoc

lib/

Cert-J toolkit jar file

prebuilt/

codebase/

CodeBase jar file and native libraries

cryptocme/

Crypto-C ME native libraries

cryptoj/

Crypto-J toolkit jar files

openldap/

Open LDAP jar file

provider/

Source code for the provider component

sample/

Sample source code

Table 8 Configuration and Required Jar Files

Configuration Jar Files to Add to the Class Path

Pure CertJ

• <root>/certj/lib/certj.jar

<root>/certj/prebuilt/cryptoj/cryptoj.jar

• <root>/certj/lib/certj.jar

<root>/certj/prebuilt/cryptoj/cryptojcommon.jar

<root>/certj/prebuilt/cryptoj/cryptojce.jar

<root>/certj/prebuilt/cryptoj/jcm.jar

14 Binary Installation for Android

RSA BSAFE Cert-J 6.2.4 Installation Guide

2. Select the jar files to use and add them to the specified directories:

– To work with non-FIPS 140-2 compliant Cert-J:

• Copy all jar files for the selected configuration from Configuration and

Required Jar Files

to the external library file folder in the Android

project, for example, android-project

/libs.

– To work with FIPS 140-2 compliant Cert-J:

• With the exception of

jcmandroidfips.jar,copy all jar files for the

selected configuration to the external library file folder in the Android

project, for example, android-project

/libs.

• Copy the FIPS140 jar,

jcmandroidfips.jar, to the relevant folder

for loading.

• To load the FIPS140 jar from the raw resources folder in the Android

project, copy

jcmandroidfips.jar to the raw resources folder,

android-project

/res/raw as jcmandroidfips.raw.

• To load the FIPS140 jar from a file, the jar must be available on the

Android device that is running the application as a file, in a location

such as

/sdcard.

For details about how to load the jar file, see the section “Introduction to

Cert-J > Android” in the RSA BSAFE Cert-J Developers Guide.

3. Depending on other features to be used, additional jar

files may be required to be

added to the class path. If required, add the LDAP jar file to the class path:

<root>/certj/prebuilt/openldap/openldap.jar

Native CertJ

• <root>/certj/lib/certj.jar

<root>/certj/prebuilt/cryptoj/cryptoj.jar

• <root>/certj/lib/certj.jar

<root>/certj/prebuilt/cryptoj/cryptojcommon.jar

<root>/certj/prebuilt/cryptoj/cryptojce.jar

<root>/certj/prebuilt/cryptoj/jcm.jar

FIPS CertJ

• <root>/certj/lib/certj.jar

<root>/certj/prebuilt/cryptoj/cryptojcommon.jar

<root>/certj/prebuilt/cryptoj/cryptojce.jar

<root>/certj/prebuilt/cryptoj/jcmandroidfips.jar

FIPS Native

CertJ

• <root>/certj/lib/certj.jar

<root>/certj/prebuilt/cryptoj/cryptojcommon.jar

<root>/certj/prebuilt/cryptoj/cryptojce.jar

<root>/certj/prebuilt/cryptoj/jcmandroidfips.jar

This configuration will yield faster start-up times.

Table 8 Configuration and Required Jar Files (continued)

Configuration Jar Files to Add to the Class Path

Binary Installation for Android 15

RSA BSAFE Cert-J 6.2.4 Installation Guide

4. If you do not wish to use a Native FIPS or Native non-FIPS configuration of

Cert-J, go to Step 6.

To use a Native FIPS or Native non-FIPS configuration of Cert-J, the

Crypto-C ME platform-specific shared libraries must be added to the Java library

path. The following table details the subdirectories in

<root>/certj/prebuilt/cryptocme

that contain the platform-specific

shared libraries.

5. Select the Native shared library

.so files to use and copy them to the specified

directories:

Note: In the following instructions, replace platform with either x86 or

armeabi-v7a as applicable.

– To work with Cert-J configured as non-FIPS 140-2 compliant, copy

libncm.so to the platform-specific folder for the shared native library files

in the Android project at

/jniLibs/platform/android-project or

/libs/platform/android-project.

– To work with Cert-J configured as FIPS 140-2 compliant:

• Copy the following shared libraries to the platform-specific folder for the

shared native library files in the Android project at

/jniLibs/platform/android-project or

/libs/platform/android-project:

• Copy the signature file,

libcryptocme.sig, to the

android-project

/assets/platform directory.

For details about how to use Native configurations of Cert-J, see the API-specific

section “Using Native Implementations” in the RSA BSAFE Cert-J Developers

Guide.

6. To use the Crypto-J JsafeJCE API, dynamically register the Crypto-J JCE

provider, JsafeJCE:

a. Add the relevant jar files to the class path.

Table 9 Platform-specific Crypto-C ME Native Shared Library subdirectories

Platform

Subdirectory

Google Android 32-bit

android_x86

Google Android ARM

android_armv7

• libccme_asym.so • libccme_ecc_accel_fips.so

• libccme_aux_entropy.so • libccme_ecc_accel_non_fips.so

• libccme_base.so • libccme_ecdrbg.so

• libccme_base_non_fips.so • libccme_error_info.so

• libccme_ecc.so • libcryptocme.so

• libccme_ecc_non_fips.so • libncm_fips140.so

16 Binary Installation for Android

RSA BSAFE Cert-J 6.2.4 Installation Guide

b. Create the provider programmatically using the following Java code:

// Create a Provider object

Provider jsafeProvider = new com.rsa.jsafe.provider.JsafeJCE();

// Add the Crypto-J JsafeJCE Provider to the current

// list of providers available on the system.

Security.insertProviderAt (jsafeProvider, 1);

Note: Unlike standard java, Android doesn't support static

registration of JCE providers, therefore the provider must be loaded

dynamically.

7. If required, set the following properties to configure Cert-J for FIPS 140-2

compliant operation:

For FIPS 140-2 Level 2 Roles, Authentication and Services compliance, the

security properties listed in the following table must be added.

8. Cert-J uses

CTRDRBG128 as the default random algorithm where no other random

algorithm is specified.

Use the security property

com.rsa.crypto.default.random to change this

as required. The following are valid values for this security property:

Table 10 FIPS 140-2 Property Setting

Property Name Value

com.rsa.cryptoj.fips140initialmode

FIPS140_MODE

The fips140initialmode value can be any of FIPS140_MODE, FIPS140_SSL_MODE or

NON_FIPS140_MODE

com.rsa.cryptoj.native.fips140.path

path

This property is set when using a Native configuration only. The path and filename can be an absolute path.

Table 11 FIPS 140-2 Level 2 Property Settings

Property Name Value

com.rsa.cryptoj.fips140auth LEVEL2

com.rsa.cryptoj.configfile

This security property is optional. There are APIs to dynamically specify this property.

path and filename

The path and filename can be an absolute path or a path relative to the user.dir Java system property.

• CTRDRBG

• CTRDRBG128

• CTRDRBG192

• CTRDRBG256

• HASHDRBG

• HASHDRBG128

• HASHDRBG192

• HASHDRBG256

• HMACDRBG

• HMACDRBG128

• HMACDRBG192

• HMACDRBG256

Binary Installation for Android 17

RSA BSAFE Cert-J 6.2.4 Installation Guide

Note: Services created by JCE providers do not follow the non-Android

priority order. In a non-Android system, a

SecureRandom created with

no defined algorithm would normally use the algorithm with the highest

priority set in the security properties. On Android, a different algorithm

could be used each time. RSA recommends that on Android an algorithm

is always specified when creating a

SecureRandom or when using any

JCE component that has an option to use a default SecureRandom.

The installation of

Cert-J is complete. For information on how to run the sample

code, see Build an Application to Run the Cert-J Samples.

Note: For details about how to run ProGuard with Cert-J jar files, see the

section “Introduction to Cert-J > ProGuard and Cert-J Jar Files” in the

RSA BSAFE Cert-J Developers Guide.

18 Binary Installation for Android

RSA BSAFE Cert-J 6.2.4 Installation Guide

Build an Application to Run the Cert-J Samples

An Android samples application to run the Cert-J samples can be built from the

command line and Android Studio. Instructions are provided to:

• Build the Android Application from the Command Line

• Install the Android Samples Application from Android Studio.

Gradle scripts to build the application are included in this release at

<root>/certj/android/BsafeAndroidSamples.

Android samples are available in four build variants:

•

certj - non-FIPS 140-2 mode with the Pure Java implementation

•

certjFips - FIPS 140-2 mode with the Pure Java implementation

•

certjNative - non-FIPS 140-2 mode with the Native implementation

•

certjNativeFips - FIPS 140-2 mode with the Native implementation.

Build the Android Application from the Command Line

Before you Begin:

• Ensure that your execution path will allow the gradle command to be executed.

• Attach the relevant Android device.

To build the sample code:

1. Navigate to the Android samples directory.

cd <root>/certj/android/BsafeAndroidSamples.

2. Run the Gradle wrapper task in the BsafeAndroidSamples project to create

the Gradle wrapper:

gradle wrapper --gradle-version=version

[--gradle-distribution-url=url]

Where:

– version is the installed version of Gradle.

– url is optional, provided where Gradle is already downloaded, in the format

file://full_path/gradle-distribution-zipfile.

If not specified, the wrapper task downloads a new Gradle distribution.

3. Install and run the Android samples application on the attached device:

For systems running a Windows operating system:

./gradlew.bat installvariantSamplesRelease

For systems running a Unix operating system:

./gradlew installvariantSamplesRelease

where variant is one of the build variants listed above.

Page is loading ...

Dell BSAFE Cert-J User guide

Dell BSAFE Cert-J User guide

Dell BSAFE Cert-J User guide

Related papers

Other documents