Ajs 4 c
- 1. Collaborate
Knowledge Byte
• In this lesson you will learn about:
• Security Tools
• keytool
• jarsigner
• policytool
©NIIT Collaborate Lesson 2B / Slide 1 of 23
- 2. Collaborate
Security Tools
• The Java 2 SDK provides various security tools to prevent malicious applets
from performing hazardous operations, such as reading files from or writing
files to a local computer.
• The Java 2 SDK provides three different tools for ensuring security while
running applets in a network:
• keytool
• jarsigner
• policytool
©NIIT Collaborate Lesson 2B / Slide 2 of 23
- 3. Collaborate
Security Tools (Contd.)
• The keytool Security Tool
• The keytool security tool is used to manage a keystore of private keys and
the associated certificates that are used for authenticating the
corresponding public keys.
• An end user can administer their own public/private key pairs and
certificates associated with them for self-authentication.
• Public key is mainly used for enciphering the message and is distributed to
a user requesting for it.
• The private key is used for deciphering the message encrypted using
public key but is kept secure.
• A keystore is implemented as a file that stores the keys and their
corresponding certificates.
• A keystore guards the private keys by using a password.
• A certificate represents a digitally signed statement that indicates the
specified value of a public key.
©NIIT Collaborate Lesson 2B / Slide 3 of 23
- 4. Collaborate
Security Tools (Contd.)
• The keytool Security Tool (contd.)
• The various roles of a keytool are:
• Generates public/private key pairs.
• Issues certificate requests in order to send them to a Certification
Authority.
• Imports certificate response retrieved from the Certification
Authority.
• Designates public keys that belong to other trusted parties.
• A keystore file contains two different types of entries:
• Key entry: Stores sensitive data about the private keys in an
encrypted format in order to prevent the unauthorized access from
malicious end users.
• Trusted certificate entry: Holds a public key certificate, also called
trusted certificate that belongs to another end user.
©NIIT Collaborate Lesson 2B / Slide 4 of 23
- 5. Collaborate
Security Tools (Contd.)
• The keytool Security Tool (contd.)
• An entry in a keystore is accessed using unique aliases.
• You can use the genkey command to generate a public/private key pair.
• You need to use the import command to add a certificate in the list of
trusted certificates.
• You can use the following command to generate a new public/private key
pair with a self-signed certificate that uses don as an alias:
keytool –genkey –alias don –keypass donpassword
• You can also change the private key password associated with the
specified alias by using the following command:
keytool –keypasswd –alias don –keypass donpassword –new
newpassword
• You create a keystore by using the –keystore option in the keytool
command or by using the –genkey and -import commands.
©NIIT Collaborate Lesson 2B / Slide 5 of 23
- 6. Collaborate
Security Tools (Contd.)
• The keytool Security Tool (contd.)
• The following table lists the options used with the keytool command:
Option Description
-genkey Generates a public/private key pair.
-import Reads the specified certificate and stores it in the
keystore.
-export Exports the required certificate associated with the
specified alias.
-list Displays the content of the whole keystore.
©NIIT Collaborate Lesson 2B / Slide 6 of 23
- 7. Collaborate
Security Tools (Contd.)
• The keytool Security Tool (contd.)
Option Description
-storepasswd Modifies the required password that guards the
integrity of the keystore.
-keypasswd Modifies the required password that protects a key
associated with the specified alias
-delete Deletes the content of the specified keystore
©NIIT Collaborate Lesson 2B / Slide 7 of 23
- 8. Collaborate
Security Tools (Contd.)
• The jarsigner Security Tool
• The jarsigner tool is used to generate and verify digital signatures for Java
ARchive (JAR) files by using certificates from a keystore.
• A digital signature of a message is a set of numeric values that are
dependent on the value of a private key known only to the generator of
the signature.
• The jarsigner tool generates digital signatures for JAR files by using the
private key and certificate information from a keystore, which is managed
by the keytool.
• The jarsigner verifies the digital signature of a signed JAR file by using the
certificate. The following syntax shows how to sign a JAR file:
jarsigner <filename.jar> <username>
• You can use the following command to sign a JAR file:
jarsigner myFile.jar mary
©NIIT Collaborate Lesson 2B / Slide 8 of 23
- 9. Collaborate
Security Tools (Contd.)
• The jarsigner Security Tool (contd.)
• The following table lists the options used with the jarsigner tool
Option Description
-storepass Indicates the required password for accessing the
keystore.
-keypass Indicates the required password for protecting the
private key of an alias entry of a keystore.
©NIIT Collaborate Lesson 2B / Slide 9 of 23
- 10. Collaborate
Security Tools (Contd.)
• The jarsigner Security Tool (contd.)
Option Description
-signedjar Indicates the required name for signing the JAR file.
-verify Verifies the JAR file.
-verbose Provides additional information required for signing
and verifying the JAR file.
-certs Provides certificate information about the signer of
the jar file. The –certs option is used in conjunction
with –verify and -verbose options for signing and
verifying the JAR file.
©NIIT Collaborate Lesson 2B / Slide 10 of 23
- 11. Collaborate
Security Tools (Contd.)
• The jarsigner Security Tool (contd.)
• You can use the required keystore by specifying the URL of the keystore
with the –keystore option in the jarsigner command.
• The jarsigner tool signs a JAR file using the Digital Signature Algorithm
(DSA) with the SHA-1 digest algorithm, if the public and private keys
are DSA keys.
• The output produced on signing the JAR file using the jarsigner tool is
exactly same as the input JAR file.
• However, the output contains two additional files, signature file and
signature block file in the META-INF directory.
• A signature file contains an .SF extension and a signature block
contains a .DSA extension.
• The .SF file contains the information, such as filename, name of digest
algorithm used, and the digest value.
• The .DSA file contains the signatures in encoded form and certificate
from the keystore to authenticate the public key.
©NIIT Collaborate Lesson 2B / Slide 11 of 23
- 12. Collaborate
Security Tools (Contd.)
• The jarsigner Security Tool (contd.)
• The verification of a JAR file includes the following steps:
1. Verify the signature of the .SF file by ensuring that the signature
stored in a .DSA file is generated by using the private key. This
private key needs to correspond with the public key of the
certificate that appears in the .DSA file.
2. Verify the entries for digest mentioned in the .SF file with the
corresponding entry in the manifest file. The verification process
matches the hash entry made in the header of .SF file with the
manifest file.
3. Read all the files, which contain an entry in the .SF file of the JAR
file. While reading the files, the file digest needs to be computed
and compare the results with the manifest file. The verification
fails, if the digests do not match.
©NIIT Collaborate Lesson 2B / Slide 12 of 23
- 13. Collaborate
Security Tools (Contd.)
• The policytool Security Tool
• The Java runtime environment provides various policies that specify the
different permissions required for accessing code by different users.
• The information regarding the policy implementation is available in the
static policy configuration files.
• A user policy file is stored in the home directory of user by the name
.java.policy.
• You can create a policy file by typing the required commands in a text
editor or by using the GUI-based policytool utility.
• You can also edit and remove the settings applied in a policy file, such
as policy entry, Principals, and permissions.
©NIIT Collaborate Lesson 2B / Slide 13 of 23
- 14. Collaborate
From the Expert’s Desk
In this section, you will learn:
• Best Practice on:
• Advantages of Using MDB over JMS in J2EE Applications
• Tips and Tricks on:
• Working with Java Security Infrastructure
• FAQs on Cryptography
©NIIT Collaborate Lesson 2B / Slide 14 of 23
- 15. Collaborate
Best Practices
Advantages of Using MDB over JMS in J2EE
Applications
• JMS API introduces a middle layer in between the JMS producer
and JMS consumer that helps in asynchronous messaging.
• The middle layer in the JMS API enables you to send the messages
to multiple JMS consumer.
• Using the JMS API, a number of JMS consumers can receive
messages from a single JMS producer.
©NIIT Collaborate Lesson 2B / Slide 15 of 23
- 16. Collaborate
Best Practices (Contd.)
Advantages of Using MDB over JMS in J2EE
Applications (Contd.)
• A single JMS consumer can also receive messages from multiple JMS
producers.
• MDB enables you to consume and process messages concurrently.
• You use MDB to manage resources, transactions, and security in a
multithreaded environment.
©NIIT Collaborate Lesson 2B / Slide 16 of 23
- 17. Collaborate
Tips
Working With Java Security Infrastructure
• The various tips for implementing security in Java applications are:
• Execute the Java programs within the security manager. AppletViewer
and Java-enabled browsers contain a default security manager attached
to them. You can install a security manager by including the flag,
Djava.security.manager at the command prompt while starting the
Java.
• Use a digital certificate to sign a .jar file, to setup a SSL server, or to
perform encryption of messages to be transmitted.
• Use the Java plug-in tool to support the Java 2 security model
environment for the browsers that do not support this model.
©NIIT Collaborate Lesson 2B / Slide 17 of 23
- 18. Collaborate
Tips (Contd.)
Working With Java Security Infrastructure (Contd.)
• Install the security extensions for providing Java security infrastructure, such
as JCE, JSSE, and JAAS. Java Cryptography Extension (JCE) is used in
applications that require strong encryption. Java Secure Sockets Extension
(JSSE) is used to provide a Java interface to SSL. Java Authentication and
Authorization Service (JAAS) is used to authenticate and authorize end
users.
• Verify SSL server names while installing the JSSE security extension.
• Customize the implementations according to an enterprise by defining the
implementation of various Java classes.
• Use the correct parameters while encrypting data using algorithms in JCE
API, such as DES and Blowfish.
©NIIT Collaborate Lesson 2B / Slide 18 of 23
- 19. Collaborate
FAQs
• How is cryptography applied?
Cryptography is applied using keys. Cryptography is categorized into
symmetric cryptography and asymmetric cryptography. The technique that
uses the same key for both encryption and decryption of data is called
symmetric cryptography. Asymmetric cryptography is a technique that uses
public/private key pairs for encryption and decryption of data.
©NIIT Collaborate Lesson 2B / Slide 19 of 23
- 20. Collaborate
FAQs (Contd.)
• What is the importance of cryptography?
Cryptography is used in a variety of applications. The various applications of
Cryptography are:
• Used for storing passwords, as the passwords need to be stored in an
encrypted form.
• Guards the data stored in a computer against malicious attacks by
encrypting the complete files.
• Used in electronic commerce (e-commerce) for encrypting data to be
transmitted over the whole network.
• Controls access to satellite and cable TV by encrypting the signals to
be transmitted to multiple receivers.
• Used in telephones by encrypting voice at sender end and decrypting
the voice back at receiver end.
©NIIT Collaborate Lesson 2B / Slide 20 of 23
- 21. Collaborate
FAQs (Contd.)
• How many standard time zones exist?
There are 25 standard time zones. An extra time zone for UTC+12 hours
and UTC-12 hours also exist.
• What is the use of locale?
A Locale object provides information about the specified cultural and
geographical region.
©NIIT Collaborate Lesson 2B / Slide 21 of 23
- 22. Collaborate
Challenge
• You can have any number of Principals associated with a Subject.
(True/False)
• The ________ method of JMS must be called to receive messages
synchronously.
• JMS supports _________ and ________ messaging models.
• Which of the following represents a set of numeric values that are dependent
on the value of a private key and is known only to the generator of the
signature?
a) Public key
b) Digital signature
c) Digital certificate
d) Algorithm
5. An untrusted applet enables you to perform operations, such as reading and
writing data to a local computer. (True/False)
©NIIT Collaborate Lesson 2B / Slide 22 of 23