Dell BSAFE Cert-J User guide

  • Hello! I am an AI chatbot trained to assist you with the Dell BSAFE Cert-J User guide. I’ve already reviewed the document and can help you find the information you need or explain it in simple terms. Just ask your questions, and providing more details will help me assist you more effectively!
31 July 2018 Copyright © 2018 Dell Inc. or its subsidiaries. All rights reserved. 1
Troubleshooting Guide
11.07.18
RSA BSAFE
®
Cert-J 6.2.4 Troubleshooting Guide
This document provides information and instructions for troubleshooting common
issues for RSA BSAFE Cert-J 6.2.4 (Cert-J) on all released platforms.
Contents:
Install JCE Unlimited Strength Jurisdiction Policy Files .............................. 2
Use Cert-J in FIPS-140 Mode in Compliance with FIPS 140-2
Requirements ................................................................................................... 3
Decrease the Time Taken for Cryptographic Operations ........................... 3
Convert Oracle JKS Keystore to PKCS #12 format .................................... 4
Errors when Running a Java Web Start Application ................................... 4
Customization Using the System and Security Properties ......................... 5
2 Install JCE Unlimited Strength Jurisdiction Policy Files
RSA BSAFE Cert-J 6.2.4 Troubleshooting Guide
Install JCE Unlimited Strength Jurisdiction Policy Files
The JCE framework requires that Unlimited Strength Jurisdiction Policy Files are
downloaded and installed in order to use some algorithms and key strengths using the
JCE API.
The following algorithms require these policy files:
AES with key sizes greater than 128 bits
RC2 with key sizes greater than 128 bits
RC4 with key sizes greater than 128 bits
RC5 with key sizes greater than 128 bits
RSA Encryption.
To successfully use the relevant algorithms and run all of the samples, the Unlimited
Jurisdiction Policy Files must be downloaded and installed. The JDK version installed
determines the Jurisdiction Policy File to download.
For Oracle JDK 9, follow the instructions in the README.txt located in the
<jdk9_install_dir>/conf/security/policy directory of the JDK
download.
For all other JDK versions, obtain the applicable Jurisdiction Policy File from the
following download locations:
JCE Unlimited Strength Jurisdiction Policy Files 6 for Oracle JRockit
®
JDK 6.0
JCE Unlimited Strength Jurisdiction Policy Files 7 for:
Oracle JDK 7.0
HP JDK 7.0.
JCE Unlimited Strength Jurisdiction Policy Files 8 for:
Oracle JDK 8.0
HP JDK 8.0.
IBM Unrestricted JCE Policy Files for IBM
®
JDK 7.0 and 8.0.
To install the unlimited Jurisdiction Policy Files:
1. Extract the local_policy.jar and US_export_policy.jar files from the
downloaded zip file.
2. Copy
local_policy.jar and US_export_policy.jar to the
<jdk_install_dir>/jre/lib/security directory, overwriting the existing
policy files.
Use Cert-J in FIPS-140 Mode in Compliance with FIPS 140-2 Requirements 3
RSA BSAFE Cert-J 6.2.4 Troubleshooting Guide
Use Cert-J in FIPS-140 Mode in Compliance with FIPS
140-2 Requirements
To ensure that Cert-J is used in the FIPS 140 mode in compliance with FIPS 140-2
requirements, complete the following:
Use the correct jar file:
For non-Android environments, use the
jcmFIPS.jar file
For Android environments, use the
jcmandroidfips.jar file.
Set the initial FIPS-140 mode of operation security property
com.rsa.cryptoj.fips140initialmode to one of:
FIPS140_MODE (default)
FIPS140_SSL_MODE.
For further details, see Customization Using the System and Security Properties.
For more information about using Cert-J on Android in FIPS-140 mode, see
Introduction to Cert-J > Android in the RSA BSAFE Cert-J Developer Guide.
Decrease the Time Taken for Cryptographic Operations
Cert-J relies on the operating system to provide the entropy needed for seeding the
SecureRandom object used for cryptographic operations. These operations can take
an unusually long time if the operating system is unable to provide sufficient entropy.
RSA recommends using a Hardware Security Module with Cert-J for generating the
entropy.
Refer to the “Welcome to the Crypto-J Toolkit > Introduction to Crypto-J >
Hardware Operations” section of the RSA BSAFE Cert-J Developers Guide.
4 Convert Oracle JKS Keystore to PKCS #12 format
RSA BSAFE Cert-J 6.2.4 Troubleshooting Guide
Convert Oracle JKS Keystore to PKCS #12 format
The keytool utility has an importkeystore option, for JDK1.6.x onwards, which
can be used to convert a JKS keystore to PKCS #12 format:
<jdk_install_dir>/bin/keytool
-importkeystore
-srckeystore src_jks_keystore
-destkeystore destination_p12_keystore
-srcstoretype JKS
-deststoretype PKCS12
-srcstorepass src_keystore_password
-deststorepass destination_keystore_password
-srckeypass src_keys_password
-destkeypass destination_keys_password
-noprompt
Note: The ciphers used to encrypt the PKCS #12 keystore are the same used
in the JKS keystore. These may include a Non-FIPS 140 cipher, for example
RC2. To convert these into a FIPS 140 approved cipher, for example
Triple-DES, write a simple java class to import the PKCS #12 file and then
export it back out to a file. By default Cert-J always uses FIPS 140 approved
algorithms when exporting PKCS #12 files. Refer to the Welcome to the
Crypto-J Toolkit -> Learn About the JsafeJCE API -> Key Storage
section of the RSA BSAFE Cert-J Developers Guide for information about
how to load and export PKCS #12 keystores.
Errors when Running a Java Web Start Application
The following errors can occur when running a Java Web Start application on the
client side:
Failed to validate signing of launch file. The signed version
does not match the downloaded version
.
In addition to signing all jar files, the Java Network Launch Protocol (JNLP) file
must be signed. Refer to the following link for more details.
http://docs.oracle.com/javase/7/docs/technotes/guides/web/secur
ity/signedJNLP.html
The application launch for a Java Web Start application is blocked by a security
warning on the client side.
In addition to signing the JNLP file and all jar files using the same trusted
certificate, the application provider must follow the security guidelines from Java
Web Start. Refer to the document provided by Oracle at
http://docs.oracle.com/javase/tutorial/deployment/webstart/index/
html.
Customization Using the System and Security Properties 5
RSA BSAFE Cert-J 6.2.4 Troubleshooting Guide
Customization Using the System and Security Properties
System and security properties in Cert-J are used to statically register the JCE provider
and to configure the toolkit and FIPS-140 mode behavior.
The following list details the main system and security properties according to the
functions in which they are involved:
Set the Default Random Algorithm:
com.rsa.crypto.default.random
Configure OCSP:
ocsp.*
Specify the location of the Cryptographic Module configuration file:
com.rsa.cryptoj.configfile
Set the Event Handler to run at start-up:
com.rsa.cryptoj.eventhandler
Set or change the initial FIPS mode of operation:
com.rsa.cryptoj.fips140initialmode
Set FIPS role authentication:
com.rsa.cryptoj.fips140auth
Set the iteration count to be used for PBKDF2 algorithms:
com.rsa.cryptoj.jce.pkcs15.iterationcount
Set the algorithm to use to encrypt the keystore, when exporting PKCS #12 files.
com.rsa.cryptoj.pkcs12.defaultpbe
Set a MAC to be output when saving a PKCS #12 key store to disk.
com.rsa.cryptoj.pkcs12.outputmac
Activate CRLDP checking during certificate path validation:
com.sun.security.enableCRLDP OR
com.ibm.security.enableCRLDP
Activate debug for security operations:
java.security.debug
Set an event listener for logging crypto object creation:
com.rsa.crypto.logger
For further detail, see the Welcome to the Cert-J Toolkit -> Introduction To Cert-J
-> System and Security Properties section of the RSA BSAFE Cert-J Developers
Guide.
The following property is no longer required:
com.rsa.cryptoj.jce.kat.strategy
/