2. Dell
  3. BSAFE Cert-J

Dell BSAFE Cert-J User guide

  • Hello! I am an AI chatbot trained to assist you with the Dell BSAFE Cert-J User guide. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
RSA BSAFE
®
Cert-J 6.2.4
Installation Guide
31 July 2018
Part Number
11.07.18
Copyright and Trademark
Copyright © 2018 Dell Inc. or its subsidiaries. All rights reserved.
Dell believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” DELL INC. OR ITS SUBSIDIARIES MAKES
NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any Dell software described in this publication requires an applicable software license.
Dell, RSA, the RSA logo, BSAFE, and other trademarks are registered trademarks of Dell Inc. or its subsidiaries. Other
trademarks may be trademarks of their respective companies.
Third-party licenses
This product may include software developed by parties other than Dell Inc. The text of the license agreements applicable to
third-party software in this product may be viewed in Cert-J_6.2.4_Third-partyLicenses.pdf.
Note on Encryption Technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Distribution
Limit distribution of this document to trusted personnel.
31 July 2018 Copyright © 2018 Dell Inc. or its subsidiaries. All rights reserved. 1
Installation Guide
11.07.18
RSA BSAFE Cert-J 6.2.4 Installation Guide
This document provides instructions for installing RSA BSAFE Cert-J 6.2.4 (Cert-J)
on all released platforms. Instructions are provided for binary installations, including
installation on Google
®
Android™, and source installations of Cert-J, including
installation on Google Android.
Binary installations are suitable where the compiled version of Cert-J matches your
installation platform, and where there is no intention to alter the product. Source
installations are suitable where Cert-J is to be built for a specific platform.
Contents:
About the Cert-J Toolkit ................................................................................... 2
Binary Installation ............................................................................................. 4
Install the JCE Jurisdiction Policy Files ................................................. 5
Install Cert-J ............................................................................................... 6
Build and Run the Samples ................................................................... 11
Binary Installation for Android ...................................................................... 12
Install Cert-J ............................................................................................. 13
Build an Application to Run the Cert-J Samples ................................. 18
Source Installation ......................................................................................... 20
Install the JCE Jurisdiction Policy File ................................................. 21
Install the Toolkit Files ............................................................................ 22
Install Third-party Software Tools ......................................................... 23
Build and Test the Source Code ........................................................... 24
Source Installation for Android ..................................................................... 25
Install the Toolkit Files ............................................................................ 26
Install Third-party Software Tools ......................................................... 27
Create the Toolkit Jar Files for Android ................................................ 28
Build and Run the System Tests ........................................................... 28
System and Security Properties ................................................................... 30
Uninstallation Instructions ............................................................................. 30
2 About the Cert-J Toolkit
RSA BSAFE Cert-J 6.2.4 Installation Guide
About the Cert-J Toolkit
Cert-J is a certificate-handling software development kit for creating Java™
applications that integrate into a public key infrastructure using the proprietary Cert-J
API.
The Cert-J distribution media contains the following:
Binary toolkit
Toolkit Java archive (jar) files
CodeBase shared libraries
OpenLDAP library
RSA BSAFE Crypto-C Micro Edition 4.1 (Crypto-C ME) shared libraries
Sample source code.
Source toolkit
Java source code and build and test systems
Crypto-C ME shared libraries
Sample source code.
The RSA BSAFE Crypto-J 6.2.4.0.1 (Crypto-J) binary toolkit, which includes the
FIPS validated Crypto-J 6.2.4 module. Crypto-J provides Java implementations of
all the required cryptographic operations.
Product documentation, consisting of:
This document, the RSA BSAFE Cert-J Installation Guide, in Portable
Document Format (PDF), with instructions on how to install and build Cert-J.
RSA BSAFE Cert-J Release Notes, in PDF, with the latest information on
Cert-J.
RSA BSAFE Cert-J Security Policy, in PDF, which describes how Cert-J uses
the RSA BSAFE JSAFE and JCE Software Module, and how to operate
Cert-J in a manner consistent with the requirements of the cryptographic
module.
RSA BSAFE Cert-J Third Party Licenses, in PDF, with license information for
third-party products included with Cert-J.
RSA BSAFE Cert-J Troubleshooting Guide, in PDF, with information and
instructions for troubleshooting common issues with Cert-J.
RSA BSAFE Cert-J Developers Guide, in HTML format, with information
and instructions on how to develop applications that integrate Cert-J.
RSA BSAFE Cert-J to Crypto-J Migration Guide, in HTML, which compares
the Cert-J toolkit and the RSA BSAFE Crypto-J 6.2.4 or newer (Crypto-J)
toolkit, to assist with the changes required to migrate applications between
Cert-J 6.x and Crypto-J.
About the Cert-J Toolkit 3
RSA BSAFE Cert-J 6.2.4 Installation Guide
Related product documentation which includes:
RSA BSAFE Crypto-C Micro Edition Security Policy documents, Level 1
and Level 2, in PDF, which describe how the Crypto-C ME
Cryptographic Module meets the Level 1 security requirements of FIPS
140-2, the Level 2 security requirements of FIPS 140-2 for Roles,
Authentication and Services, Level 3 security requirements for Design
Assurance, and how to securely operate it.
RSA BSAFE Crypto-J FIPS Compliance Guide, in PDF, which describes
how Crypto-J uses the FIPS 140-2 cryptographic module, and how to
operate Crypto-J in a manner consistent with the requirements of the
cryptographic module.
RSA BSAFE Crypto-J JSAFE and JCE Software Module Security
Policies, Level 1 and Level 2, in PDF, which describes how the RSA
BSAFE Crypto-J JSAFE and JCE Software Module meets the Level 1
security requirements of FIPS 140-2, the Level 2 security requirements of
FIPS 140-2 for Roles, Authentication and Services, the Level 3 security
requirements for Design Assurance, and how to securely operate it.
RSA BSAFE Crypto-J Release Notes, in PDF, with the latest information
on Crypto-J.
The following Javadocs, in HTML format, which provide Java API reference
information:
RSA BSAFE CertJ Javadoc
RSA BSAFE JsafeJCE Javadoc
RSA BSAFE Jsafe Javadoc
RSA BSAFE Tools Javadoc.
RSA Security Concepts, in PDF, provides an overview of the fundamentals of
cryptography and security related issues.
Toolkit Configurations
The following configurations are included in the Cert-J toolkit:
Table 1 Toolkit Configurations
Configuration API
Cryptographic
Implementation
Uses FIPS
Module
1
1
Uses either the Crypto-J or Crypto-C ME FIPS 140 validated cryptographic module,.
Pure CertJ CertJ Pure Java No
Native CertJ CertJ
Pure Java and Native
2
2
If there is no Native implementation for a particular algorithm, the toolkit automatically uses the Pure Java algorithm
implementation.
No
FIPS CertJ CertJ Pure Java Yes
FIPS Native CertJ CertJ
Pure Java and Native
2
Yes
4 Binary Installation
RSA BSAFE Cert-J 6.2.4 Installation Guide
Binary Installation
This section describes how to install the Cert-J binary toolkit on your development
environment.
Note: For instructions to install the Cert-J binary toolkit on an Android
development environment, go to Binary Installation for Android.
Before you begin:
Ensure that the system you are installing onto has 300 MB of free disk space.
Install JDK 7.0 or above, and set the
JAVA_HOME environment variable
appropriately. The RSA BSAFE Cert-J Release Notes list the supported platforms.
Install one or more of the following, as necessary:
Apache Ant™ 1.7.x or newer. Ant 1.8.x is required for Android development.
JetBrains IntelliJ
®
9.0 IDE
Eclipse 3.3 IDE or newer.
Read these installation instructions.
Steps to install Cert-J:
The following steps summarize the complete installation process which is detailed
below:
1. Install the JCE Jurisdiction Policy Files.
2. Install Cert-J.
3. Build and Run the Samples.
Binary Installation 5
RSA BSAFE Cert-J 6.2.4 Installation Guide
Install the JCE Jurisdiction Policy Files
The JCE requires that Unlimited Strength Jurisdiction Policy Files are downloaded
and installed in order to use some algorithms and key strengths using the JCE API.
The following algorithms require these policy files:
AES with key sizes greater than 128 bits
RC2 with key sizes greater than 128 bits
RC4 with key sizes greater than 128 bits
RC5 with key sizes greater than 128 bits
RSA Encryption.
These algorithms are used by some PKCS #12 KeyStore files.
Some of the samples use the restricted algorithms that require the policy files.
To successfully use the relevant algorithms and run all of the samples, the Unlimited
Jurisdiction Policy Files must be downloaded and installed. The JDK version installed
determines the Jurisdiction Policy File to download.
For Oracle JDK 9, follow the instructions in the README.txt located in the
<jdk9_install_dir>/conf/security/policy directory of the JDK
download.
For all other JDK versions, obtain the applicable Jurisdiction Policy File from the
following download locations:
JCE Unlimited Strength Jurisdiction Policy Files 6 for Oracle JRockit
®
JDK 6.0
JCE Unlimited Strength Jurisdiction Policy Files 7 for:
Oracle JDK 7.0
HP JDK 7.0.
JCE Unlimited Strength Jurisdiction Policy Files 8 for:
Oracle JDK 8.0
HP JDK 8.0.
IBM Unrestricted JCE Policy Files for IBM
®
JDK 7.x and 8.0.
To install the Unlimited Jurisdiction Policy Files:
1. Extract the local_policy.jar and US_export_policy.jar files from the
downloaded zip file.
2. Copy
local_policy.jar and US_export_policy.jar to the
<jdk_install_dir>/jre/lib/security directory, overwriting the
existing policy files.
6 Binary Installation
RSA BSAFE Cert-J 6.2.4 Installation Guide
Install Cert-J
The following describes the binary distribution directory structure of the unpacked
Cert-J distribution package.
To install Cert-J:
1. Copy the Cert-J binary distribution directory structure into a suitable location on
the target system.
There is a single Cert-J toolkit which contains the Cert-J API. The toolkit operates
differently, depending on the toolkit variants of
Crypto-J on the class path and the
availability of native crypto shared libraries.
The following table lists the Cert-J configurations and the corresponding Cert-J
and
Crypto-J jar files.
Directory Content
<root>/
Cert-J_6.2.4_InstallGuide.pdf
RSA BSAFE Cert-J Installation Guide
Cert-J_6.2.4_ReleaseNotes.pdf
RSA BSAFE Cert-J Release Notes Guide
license_bsafe.pdf
Product specific license
readme.txt
certj/
android/
Files for use on the Android platform
BsafeAndroidSamples/
Android source sample code
certs/
root and intermediate CA certificates
doc/
Documentation files
cryptoj/
Crypto-J documentation files
DevGuide/
RSA BSAFE Cert-J Developers Guide
javadoc/
Cert-J Javadoc
lib/
Cert-J toolkit jar file
prebuilt/
codebase/
CodeBase jar file and native libraries
cryptocme/
Crypto-C ME native libraries
cryptoj/
Crypto-J toolkit jar files
openldap/
Open LDAP jar file
provider/
Source code for the provider component
sample/
Sample source code
Table 2 Configuration and Required Jar Files
Configuration Jar Files to Add to the Class Path
Pure CertJ
<root>/certj/lib/certj.jar
<root>/certj/prebuilt/cryptoj/cryptoj.jar
OR
1
<root>/certj/lib/certj.jar
<root>/certj/prebuilt/cryptoj/cryptojcommon.jar
<root>/certj/prebuilt/cryptoj/cryptojce.jar
<root>/certj/prebuilt/cryptoj/jcm.jar
Binary Installation 7
RSA BSAFE Cert-J 6.2.4 Installation Guide
2. Select the required jar files and add them to the class path.
3. Depending on other features to be used, additional jar files might need to be added
to the class path. The following table lists these features and the corresponding jar
files to be added to the class path.
4. If you do not wish to use a Native FIPS or Native non-FIPS configuration of
Cert-J, go to Step 5.
To use the Native configurations of Cert-J, add the Crypto-C ME shared libraries
to the Java library path.
The subdirectories in
<root>/certj/prebuilt/cryptocme that contain the
platform-specific shared libraries are detailed in the following table.
Native CertJ
<root>/certj/lib/certj.jar
<root>/certj/prebuilt/cryptoj/cryptoj.jar
OR
1
<root>/certj/lib/certj.jar
<root>/certj/prebuilt/cryptoj/cryptojcommon.jar
<root>/certj/prebuilt/cryptoj/cryptojce.jar
<root>/certj/prebuilt/cryptoj/jcm.jar
FIPS CertJ
<root>/certj/lib/certj.jar
<root>/certj/prebuilt/cryptoj/cryptojcommon.jar
<root>/certj/prebuilt/cryptoj/cryptojce.jar
<root>/certj/prebuilt/cryptoj/jcmFIPS.jar
FIPS Native
CertJ
<root>/certj/lib/certj.jar
<root>/certj/prebuilt/cryptoj/cryptojcommon.jar
<root>/certj/prebuilt/cryptoj/cryptojce.jar
<root>/certj/prebuilt/cryptoj/jcmFIPS.jar
1
This configuration will yield faster start-up times.
Table 3 Features and Required Jar Files
Features Jar Files to Add to the class path
LDAP
<root>/certj/prebuilt/openldap/openldap.jar
CodeBase Native Database
<root>/certj/prebuilt/codebase/codebase.jar
Table 4 Platform-specific Crypto-C ME Native Shared Library subdirectories
Platform
Subdirectory
1
Apple
®
Mac OS
®
X 10.6 x86 32-bit
macosx_x86
Apple Mac OS X 10.6 x86_64 64-bit
macosx_x64
FreeBSD
®
8.3 64-bit
freebsd_x64_gcc
Table 2 Configuration and Required Jar Files (continued)
Configuration Jar Files to Add to the Class Path
8 Binary Installation
RSA BSAFE Cert-J 6.2.4 Installation Guide
For example, for systems running a Windows operating system:
copy <root>\certj\prebuilt\cryptocme\win32vc8\*.*
c:\Windows\System32
For systems running a Unix operating system, add the native library to the library
path. For example, on a Solaris operating system:
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:
<root>/certj/prebuilt/cryptocme/solspv8p
export LD_LIBRARY_PATH
Note: On some operating systems, it may be necessary to set the execute
permissions for the shared libraries. For example:
chmod 755 <root>/certj/prebuilt/cryptocme/solspv8p/*.so
HP HP-UX 11.31 Itanium2 32-bit
hpux1131ia32i2
HP HP-UX 11.31 Itanium2 64-bit
hpux1131ia64i2
IBM AIX
®
32-bit
aix6
IBM AIX 64-bit
aix6_64
Micro Focus
®
SUSE
®
Linux Enterprise Server 32-bit
linux_x86_lsb30
Micro Focus SUSE Linux Enterprise Server 64-bit
linux_x64_lsb30
Microsoft
®
Windows
®
32-bit
win32vc8
Microsoft Windows 64-bit
win64x64
Microsoft Windows Itanium2 64-bit
win64ia64
Oracle Solaris™ x86 32-bit
solx86
Oracle Solaris x86_64 64-bit
solx64
Oracle Solaris Sparc v8+ 32-bit
solspv8p
Oracle Solaris Sparc v9 64-bit
solspv9
Red Hat
®
Enterprise Server 32-bit
linux_x86_lsb30
Red Hat Enterprise Server 64-bit
linux_x64_lsb30
1
Short Platform Name.
Table 4 Platform-specific Crypto-C ME Native Shared Library subdirectories
Platform
Subdirectory
1
Binary Installation 9
RSA BSAFE Cert-J 6.2.4 Installation Guide
5. If you are using the Native configuration for native database access, copy the
CodeBase platform-specific native library to the system directory, or put it in the
library path.
The subdirectories in
<root>/certj/prebuilt/codebase that contain the
relevant platform-specific shared libraries are detailed in the following table.
For example, for systems running the Windows operating system:
copy <root>\certj\prebuilt\codebase\win32\*.dll
c:\Windows\System32
For systems running a Unix operating system, add the native library to the native
path. For example, for Solaris, add the library to the
LD_LIBRARY_PATH
environment variable:
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<root>/certj/prebuilt/codebase/solspv8p
export LD_LIBRARY_PATH
Note: On some operating systems, it may be necessary to set the execute
permissions for the shared libraries. For example:
chmod 755 <root>/certj/prebuilt/codebase/solspv8p/*.so
6. To use the Crypto-J JsafeJCE API, register the Crypto-J JCE provider, JsafeJCE,
either statically or dynamically.
To statically register the JsafeJCE provider:
a. Copy the relevant jar files to the
<jdk_install_dir>/jre/lib/ext
directory.
Table 5 Platform-specific Native Shared Library subdirectories for CodeBase
Platform Subdirectory
HP HP-UX 11.31 Itanium 2 32-bit
hpuxia32i2
IBM AIX PowerPC 32-bit
aix5
Microsoft Windows 32-bit, multithreaded, dynamically linked
with C runtime library
win32
Red Hat Enterprise Server 32-bit
rhas30
Red Hat Enterprise Server 64-bit
rhas40_x86-64
Oracle Solaris SPARC v8+ 32-bit
solspv8p
10 Binary Installation
RSA BSAFE Cert-J 6.2.4 Installation Guide
b. Edit the <jdk_install_dir>/jre/lib/security/java.security file
to add the JsafeJCE Provider:
security.provider.n=com.rsa.jsafe.provider.JsafeJCE
To set the JsafeJCE Provider as the default provider, set n to 1.
Change the n values for any other providers listed in
java.security so
that each provider has a unique number. For example:
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=sun.security.provider.Sun
To dynamically register the JsafeJCE provider:
a. Add the relevant jar files to the class path.
b. Create the provider programmatically using the following Java code:
// Create a Provider object
Provider jsafeProvider = new com.rsa.jsafe.provider.JsafeJCE();
// Add the Crypto-J JsafeJCE Provider to the current
// list of providers available on the system.
Security.insertProviderAt (jsafeProvider, 1);
7. The Cert-J FIPS 140-2 toolkit may be configured to perform specific operations at
start-up (load). Configure these operations in the
<jdk_install_dir>/jre/lib/security/java.security file.
The following table lists the property that must be set for FIPS 140-2 compliant
operation.
For FIPS 140-2 Level 2 Roles, Authentication and Services compliance, the
security properties listed in the following table must be added.
Table 6 FIPS 140-2 Property Setting
Property Name Value
com.rsa.cryptoj.fips140initialmode
FIPS140_MODE
1
1
The fips140initialmode value can be any of FIPS140_MODE, FIPS140_SSL_MODE or
NON_FIPS140_MODE
.
Table 7 FIPS 140-2 Level 2 Property Settings
Property Name Value
com.rsa.cryptoj.fips140auth LEVEL2
com.rsa.cryptoj.configfile
1
1
This security property is optional. There are APIs to dynamically specify this property.
path and filename
2
2
The path and filename can be an absolute path or a path relative to the user.dir Java system property.
Binary Installation 11
RSA BSAFE Cert-J 6.2.4 Installation Guide
8. Cert-J uses CTRDRBG128 as the default random algorithm where no other random
algorithm is specified.
Use the security property
com.rsa.crypto.default.random to change this
as required. The following are valid values for this security property:
The installation of
Cert-J is complete. For information on how to run the sample
code, see Build and Run the Samples.
Build and Run the Samples
The following procedure for running the sample code is applicable only for the binary
toolkit.
The Cert-J samples are located in
<root>/certj/sample/src/certj.
There are two ways to build and run the samples for Cert-J: use the Integrated
Development Environment (IDE) project files, or use the build scripts:
Use IDE project files
The project files to build and run the samples have been included for the following
development environments:
JetBrains IntelliJ 9.0 IDE or newer
Eclipse 3.3 IDE or newer.
These project files are located at
<root>/certj.
Use Apache Ant build scripts
Build scrips to build and run the samples are located at
<root>/certj.
Ensure that the execution path will allow the ant command to be executed.
To build the sample code:
1. Navigate to the certj directory:
cd <root>/certj
2. Build the samples:
ant -f build-certj.xml
To run the sample code:
1. Run the samples from the certj directory.
a. To run all of the samples:
ant -f build-certj.xml run.all
b. To run a specific sample, specify the sample name. For example:
ant -f build-certj.xml run.VerifyCertificate
CTRDRBG
CTRDRBG128
CTRDRBG192
CTRDRBG256
HASHDRBG
HASHDRBG128
HASHDRBG192
HASHDRBG256
HMACDRBG
HMACDRBG128
HMACDRBG192
HMACDRBG256
12 Binary Installation for Android
RSA BSAFE Cert-J 6.2.4 Installation Guide
Binary Installation for Android
This section describes how to install the Cert-J binary toolkit on your Android
development environment.
Before you begin:
Ensure that the system you are installing onto has 900 MB of free disk space.
Install JDK 7.0 or above, and set the
JAVA_HOME environment variable
appropriately. The RSA BSAFE Cert-J Release Notes lists the supported
platforms.
Install Android SDK r24 or newer, or Android Studio 1.3.2 or newer, and set the
ANDROID_HOME environment variable appropriately.
Ensure an Android device running a supported version of Android is available to
run Cert-J. A hardware device or an emulator can be used for this.
Install a supported Android platform. This can be done using the Android
SDK Manager included with the SDK or Android Studio.
Install Gradle 2.4 or newer.
Add
<android-sdk>/platform-tools, <android-sdk>/tools and
<gradle-home>/bin to the path environment variable to allow the Android
commands to be called from the Cert-J build scripts.
Read these installation instructions.
Steps to install Cert-J:
The following steps summarize the complete installation process which is detailed
below:
1. Install Cert-J.
2. Build an Application to Run the Cert-J Samples.
Binary Installation for Android 13
RSA BSAFE Cert-J 6.2.4 Installation Guide
Install Cert-J
The following describes the binary distribution directory structure of the unpacked
Cert-J distribution package.
To install Cert-J:
1. Copy the Cert-J binary distribution directory structure into a suitable location on
the target system.
There is a single Cert-J toolkit which contains the Cert-J API. The toolkit operates
differently, depending on the toolkit variants of Crypto-J on the class path and the
availability of native cryptographic shared libraries.
The following table lists the Cert-J configurations and the corresponding Cert-J
and Crypto-J jar files.
Directory Content
<root>/
Cert-J_6.2.4_InstallGuide.pdf
RSA BSAFE Cert-J Installation Guide
Cert-J_6.2.4_ReleaseNotes.pdf
RSA BSAFE Cert-J Release Notes Guide
license_bsafe.pdf
Product specific license
readme.txt
certj/
android/
Files for use on the Android platform
BsafeAndroidSamples/
Android source sample code
certs/
root and intermediate CA certificates
doc/
Documentation files
cryptoj/
Crypto-J documentation files
DevGuide/
RSA BSAFE Cert-J Developers Guide
javadoc/
Cert-J Javadoc
lib/
Cert-J toolkit jar file
prebuilt/
codebase/
CodeBase jar file and native libraries
cryptocme/
Crypto-C ME native libraries
cryptoj/
Crypto-J toolkit jar files
openldap/
Open LDAP jar file
provider/
Source code for the provider component
sample/
Sample source code
Table 8 Configuration and Required Jar Files
Configuration Jar Files to Add to the Class Path
Pure CertJ
<root>/certj/lib/certj.jar
<root>/certj/prebuilt/cryptoj/cryptoj.jar
OR
1
<root>/certj/lib/certj.jar
<root>/certj/prebuilt/cryptoj/cryptojcommon.jar
<root>/certj/prebuilt/cryptoj/cryptojce.jar
<root>/certj/prebuilt/cryptoj/jcm.jar
14 Binary Installation for Android
RSA BSAFE Cert-J 6.2.4 Installation Guide
2. Select the jar files to use and add them to the specified directories:
To work with non-FIPS 140-2 compliant Cert-J:
Copy all jar files for the selected configuration from Configuration and
Required Jar Files
to the external library file folder in the Android
project, for example, android-project
/libs.
To work with FIPS 140-2 compliant Cert-J:
With the exception of
jcmandroidfips.jar,copy all jar files for the
selected configuration to the external library file folder in the Android
project, for example, android-project
/libs.
Copy the FIPS140 jar,
jcmandroidfips.jar, to the relevant folder
for loading.
To load the FIPS140 jar from the raw resources folder in the Android
project, copy
jcmandroidfips.jar to the raw resources folder,
android-project
/res/raw as jcmandroidfips.raw.
To load the FIPS140 jar from a file, the jar must be available on the
Android device that is running the application as a file, in a location
such as
/sdcard.
For details about how to load the jar file, see the section “Introduction to
Cert-J > Android” in the RSA BSAFE Cert-J Developers Guide.
3. Depending on other features to be used, additional jar
files may be required to be
added to the class path. If required, add the LDAP jar file to the class path:
<root>/certj/prebuilt/openldap/openldap.jar
Native CertJ
<root>/certj/lib/certj.jar
<root>/certj/prebuilt/cryptoj/cryptoj.jar
OR
1
<root>/certj/lib/certj.jar
<root>/certj/prebuilt/cryptoj/cryptojcommon.jar
<root>/certj/prebuilt/cryptoj/cryptojce.jar
<root>/certj/prebuilt/cryptoj/jcm.jar
FIPS CertJ
<root>/certj/lib/certj.jar
<root>/certj/prebuilt/cryptoj/cryptojcommon.jar
<root>/certj/prebuilt/cryptoj/cryptojce.jar
<root>/certj/prebuilt/cryptoj/jcmandroidfips.jar
FIPS Native
CertJ
<root>/certj/lib/certj.jar
<root>/certj/prebuilt/cryptoj/cryptojcommon.jar
<root>/certj/prebuilt/cryptoj/cryptojce.jar
<root>/certj/prebuilt/cryptoj/jcmandroidfips.jar
1
This configuration will yield faster start-up times.
Table 8 Configuration and Required Jar Files (continued)
Configuration Jar Files to Add to the Class Path
Binary Installation for Android 15
RSA BSAFE Cert-J 6.2.4 Installation Guide
4. If you do not wish to use a Native FIPS or Native non-FIPS configuration of
Cert-J, go to Step 6.
To use a Native FIPS or Native non-FIPS configuration of Cert-J, the
Crypto-C ME platform-specific shared libraries must be added to the Java library
path. The following table details the subdirectories in
<root>/certj/prebuilt/cryptocme
that contain the platform-specific
shared libraries.
5. Select the Native shared library
.so files to use and copy them to the specified
directories:
Note: In the following instructions, replace platform with either x86 or
armeabi-v7a as applicable.
To work with Cert-J configured as non-FIPS 140-2 compliant, copy
libncm.so to the platform-specific folder for the shared native library files
in the Android project at
/jniLibs/platform/android-project or
/libs/platform/android-project.
To work with Cert-J configured as FIPS 140-2 compliant:
Copy the following shared libraries to the platform-specific folder for the
shared native library files in the Android project at
/jniLibs/platform/android-project or
/libs/platform/android-project:
Copy the signature file,
libcryptocme.sig, to the
android-project
/assets/platform directory.
For details about how to use Native configurations of Cert-J, see the API-specific
section “Using Native Implementations” in the RSA BSAFE Cert-J Developers
Guide.
6. To use the Crypto-J JsafeJCE API, dynamically register the Crypto-J JCE
provider, JsafeJCE:
a. Add the relevant jar files to the class path.
Table 9 Platform-specific Crypto-C ME Native Shared Library subdirectories
Platform
Subdirectory
Google Android 32-bit
android_x86
Google Android ARM
®
v7
android_armv7
libccme_asym.so libccme_ecc_accel_fips.so
libccme_aux_entropy.so libccme_ecc_accel_non_fips.so
libccme_base.so libccme_ecdrbg.so
libccme_base_non_fips.so libccme_error_info.so
libccme_ecc.so libcryptocme.so
libccme_ecc_non_fips.so libncm_fips140.so
16 Binary Installation for Android
RSA BSAFE Cert-J 6.2.4 Installation Guide
b. Create the provider programmatically using the following Java code:
// Create a Provider object
Provider jsafeProvider = new com.rsa.jsafe.provider.JsafeJCE();
// Add the Crypto-J JsafeJCE Provider to the current
// list of providers available on the system.
Security.insertProviderAt (jsafeProvider, 1);
Note: Unlike standard java, Android doesn't support static
registration of JCE providers, therefore the provider must be loaded
dynamically.
7. If required, set the following properties to configure Cert-J for FIPS 140-2
compliant operation:
For FIPS 140-2 Level 2 Roles, Authentication and Services compliance, the
security properties listed in the following table must be added.
8. Cert-J uses
CTRDRBG128 as the default random algorithm where no other random
algorithm is specified.
Use the security property
com.rsa.crypto.default.random to change this
as required. The following are valid values for this security property:
Table 10 FIPS 140-2 Property Setting
Property Name Value
com.rsa.cryptoj.fips140initialmode
FIPS140_MODE
1
1
The fips140initialmode value can be any of FIPS140_MODE, FIPS140_SSL_MODE or
NON_FIPS140_MODE
.
com.rsa.cryptoj.native.fips140.path
path
2
2
This property is set when using a Native configuration only. The path and filename can be an absolute path.
Table 11 FIPS 140-2 Level 2 Property Settings
Property Name Value
com.rsa.cryptoj.fips140auth LEVEL2
com.rsa.cryptoj.configfile
1
1
This security property is optional. There are APIs to dynamically specify this property.
path and filename
2
2
The path and filename can be an absolute path or a path relative to the user.dir Java system property.
CTRDRBG
CTRDRBG128
CTRDRBG192
CTRDRBG256
HASHDRBG
HASHDRBG128
HASHDRBG192
HASHDRBG256
HMACDRBG
HMACDRBG128
HMACDRBG192
HMACDRBG256
Binary Installation for Android 17
RSA BSAFE Cert-J 6.2.4 Installation Guide
Note: Services created by JCE providers do not follow the non-Android
priority order. In a non-Android system, a
SecureRandom created with
no defined algorithm would normally use the algorithm with the highest
priority set in the security properties. On Android, a different algorithm
could be used each time. RSA recommends that on Android an algorithm
is always specified when creating a
SecureRandom or when using any
JCE component that has an option to use a default SecureRandom.
The installation of
Cert-J is complete. For information on how to run the sample
code, see Build an Application to Run the Cert-J Samples.
Note: For details about how to run ProGuard with Cert-J jar files, see the
section “Introduction to Cert-J > ProGuard and Cert-J Jar Files” in the
RSA BSAFE Cert-J Developers Guide.
18 Binary Installation for Android
RSA BSAFE Cert-J 6.2.4 Installation Guide
Build an Application to Run the Cert-J Samples
An Android samples application to run the Cert-J samples can be built from the
command line and Android Studio. Instructions are provided to:
Build the Android Application from the Command Line
Install the Android Samples Application from Android Studio.
Gradle scripts to build the application are included in this release at
<root>/certj/android/BsafeAndroidSamples.
Android samples are available in four build variants:
certj - non-FIPS 140-2 mode with the Pure Java implementation
certjFips - FIPS 140-2 mode with the Pure Java implementation
certjNative - non-FIPS 140-2 mode with the Native implementation
certjNativeFips - FIPS 140-2 mode with the Native implementation.
Build the Android Application from the Command Line
Before you Begin:
Ensure that your execution path will allow the gradle command to be executed.
Attach the relevant Android device.
To build the sample code:
1. Navigate to the Android samples directory.
cd <root>/certj/android/BsafeAndroidSamples.
2. Run the Gradle wrapper task in the BsafeAndroidSamples project to create
the Gradle wrapper:
gradle wrapper --gradle-version=version
[--gradle-distribution-url=url]
Where:
version is the installed version of Gradle.
url is optional, provided where Gradle is already downloaded, in the format
file://full_path/gradle-distribution-zipfile.
If not specified, the wrapper task downloads a new Gradle distribution.
3. Install and run the Android samples application on the attached device:
For systems running a Windows operating system:
./gradlew.bat installvariantSamplesRelease
For systems running a Unix operating system:
./gradlew installvariantSamplesRelease
where variant is one of the build variants listed above.
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
/