RSA BSAFE® Crypto-J 6.2.
Copyright and Trademark Legal Notices Copyright © 2019 Dell Inc. or its subsidiaries. All rights reserved. Dell Inc. believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS”.
Installation Guide
29.07.19

RSA BSAFE Crypto-J 6.2.5 Installation Guide

This document provides instructions for installing RSA BSAFE Crypto-J 6.2.5 (Crypto-J) on all released platforms. Instructions are provided for binary installations, including installation on Google® Android™ and the Java™ Web Start application, and source installations of Crypto-J, including installation on Google Android.

About the Crypto-J Toolkit

Crypto-J provides Java™ developers with a state-of-the-art implementation of the most important privacy, authentication, and data integrity algorithms. The Crypto-J toolkit contains both the Java Cryptography Extension (JCE) API and Jsafe API.

The Crypto-J distribution media contains the following:
• Binary toolkit:
  – Toolkit Java archive (jar) files.
• Source toolkit:
  – Java source code and build and test systems.
• Related product documentation:
  – The RSA BSAFE Crypto-C Micro Edition Security Policies, Level 1 and Level 2, in PDF, which describe how the Crypto-C ME Cryptographic Module meets the Level 1 security requirements of FIPS 140-2, the Level 2 security requirements of FIPS 140-2 for Roles, Authentication and Services, Level 3 security requirements for Design Assurance, and how to securely operate it.

Binary Installation

This section describes how to install the Crypto-J binary toolkit on your development environment. These instructions assume the Crypto-J encrypted package file has been downloaded and unpacked.

Note: For instructions to install the Crypto-J binary toolkit on an Android development environment, go to Binary Installation for Android.

Install JCE Unlimited Strength Jurisdiction Policy Files

The JCE requires the presence of Unlimited Strength Jurisdiction Policy Files in order to use some algorithms and key strengths, and the samples that use these.

Install Crypto-J

The following describes the binary distribution directory structure of the unpacked Crypto-J distribution package:

Directory   Content
root/       Crypto-J_6.2.5_InstallGuide.pdf
            Crypto-J_6.2.5_ReleaseNotes.pdf
            license_bsafe.pdf
            readme.

1 This configuration will yield faster start-up times.
2 Native configuration requires access to Crypto-C ME shared libraries. For more details, see Step 4 on page 7.

3. Depending on other features to be used, additional jar files might need to be added to the class path. The following table lists these features and the corresponding jar files to be added to the class path.

Table 4 Platform-specific Native Shared Libraries for Crypto-C ME (continued)

Platform-specific Native Shared Libraries   Subdirectory¹
Oracle Solaris Sparc v8+ 32-bit             solspv8p
Oracle Solaris Sparc v9 64-bit              solspv9
Red Hat® Enterprise Server 32-bit           linux_x86_lsb30
Red Hat Enterprise Server 64-bit            linux_x64_lsb30

¹ Short Platform Name.

For example, for systems running a 32-bit Windows operating system:
    copy root\cryptoj\prebuilt\cryptocme\win32vc8\*.

b. Create the provider programmatically using the following Java code:

    import java.security.Provider;
    import java.security.Security;

    // Create a Provider object
    Provider jsafeProvider = new com.rsa.jsafe.provider.JsafeJCE();
    // Add the Crypto-J JsafeJCE Provider to the current
    // list of providers available on the system.
    Security.insertProviderAt(jsafeProvider, 1);

6. The Crypto-J FIPS 140-2 toolkit may be configured to perform specific operations at start-up (load).

Build and Run the Samples

The following procedure for running the sample code is applicable only for the binary toolkit.

Sample source code is available for each API:
• The JSAFE and ASN.1 samples are in root/cryptoj/sample/src/jsafe
• The JsafeJCE samples are in root/cryptoj/sample/src/jce
• The Tools samples are in root/cryptoj/sample/src/tools.

To build and run the sample code when using a Native configuration:

Note: Step 4 on page 7 has the full list of the platforms and details of how to configure a Native implementation.

1. Navigate to the cryptoj directory.
    cd root/cryptoj
2. Build and run the samples:
   To run all of the JCE API samples:
    ant -f build-jce.xml run.native.all -Djvm.arg=" -Dcom.rsa.cryptoj.native.fips140.path=root/cryptoj/prebuilt/cryptocme/platform -Djava.library.

Binary Installation for Android

This section describes how to install the Crypto-J binary toolkit on your Android development environment. These instructions assume the Crypto-J encrypted package file has been downloaded and unpacked.

Before you begin:
• Ensure that the system you are installing onto has 400 MB of free disk space.
• Install JDK 7.0 or newer, and set the JAVA_HOME environment variable appropriately.

Install Crypto-J

The following describes the binary distribution directory structure of the unpacked Crypto-J distribution package:

Directory   Content
root/       Crypto-J_6.2.5_InstallGuide.pdf
            Crypto-J_6.2.5_ReleaseNotes.pdf
            license_bsafe.pdf
            readme.

1 This configuration will yield faster start-up times.
2 Native configuration requires access to Crypto-C ME shared libraries. For more details, see step 5 on page 15.

3. Copy the jar files to the specified directories:
  – To work with non-FIPS 140-2 compliant Crypto-J, copy cryptoj-6.2.5.jar to the library file folder in the Android project, for example, android-project/libs, located at root/cryptoj/android/BsafeAndroidSamples/cryptoj/src, .

5. If you do not wish to use a Native FIPS or Native non-FIPS configuration of Crypto-J, go to Step 7.
   To use a Native FIPS or Native non-FIPS configuration of Crypto-J, the platform-specific Crypto-C ME shared libraries must be added to the Java library path. The following table details the subdirectories in root/cryptoj/prebuilt/cryptocme that contain the platform-specific shared libraries.

b. Create the provider programmatically using the following Java code:

    import java.security.Provider;
    import java.security.Security;

    // Create a Provider object
    Provider jsafeProvider = new com.rsa.jsafe.provider.JsafeJCE();
    // Add the Crypto-J JsafeJCE Provider to the current
    // list of providers available on the system.
    Security.insertProviderAt(jsafeProvider, 1);

Note: Unlike standard Java, Android doesn't support static registration of JCE providers, therefore the provider must be loaded dynamically.

8.

Note: Services created by JCE providers do not follow the non-Android priority order. In a non-Android system, a SecureRandom created with no defined algorithm would normally use the algorithm with the highest priority set in the security properties. On Android, a different algorithm could be used each time.
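
Because an unqualified SecureRandom is not predictable on Android, the following added example (not code from this guide or from the Crypto-J distribution) registers the provider dynamically as in step b and then requests a SecureRandom by explicit algorithm and provider. The class name PinnedProviderCheck and the command-line algorithm argument are assumptions for illustration; the algorithm name is chosen from what the provider itself advertises, not from this guide.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical helper class (not part of Crypto-J).
public class PinnedProviderCheck {
    // Provider class name as given in this guide.
    static final String PROVIDER_CLASS = "com.rsa.jsafe.provider.JsafeJCE";

    // Dynamic registration at position 1; reflection only so this compiles without the jar.
    static Provider register() throws ReflectiveOperationException {
        Provider p = (Provider) Class.forName(PROVIDER_CLASS)
                .getDeclaredConstructor().newInstance();
        // Returns -1 if a provider of this name is already installed; either
        // way, hand back the instance the JVM actually has registered.
        Security.insertProviderAt(p, 1);
        return Security.getProvider(p.getName());
    }

    // SecureRandom algorithm names the provider itself advertises, sorted.
    static Set<String> secureRandomAlgorithms(Provider p) {
        Set<String> names = new TreeSet<String>();
        for (Provider.Service s : p.getServices()) {
            if ("SecureRandom".equals(s.getType())) names.add(s.getAlgorithm());
        }
        return names;
    }

    // Ask for a named algorithm from a specific provider instead of relying
    // on provider priority order; fail closed if anything else comes back.
    static SecureRandom pinned(String algorithm, Provider p)
            throws NoSuchAlgorithmException {
        SecureRandom sr = SecureRandom.getInstance(algorithm, p);
        if (!p.getName().equals(sr.getProvider().getName())) {
            throw new IllegalStateException("SecureRandom came from "
                    + sr.getProvider().getName());
        }
        return sr;
    }

    public static void main(String[] args) throws Exception {
        Provider p;
        try {
            p = register();
        } catch (ClassNotFoundException e) {
            System.err.println(PROVIDER_CLASS + " is not on the class path");
            return;
        }
        // What an unpinned request resolves to here (the case the Note describes).
        SecureRandom dflt = new SecureRandom();
        System.out.println("default:  " + dflt.getAlgorithm()
                + " from " + dflt.getProvider().getName());
        System.out.println(p.getName() + " offers: " + secureRandomAlgorithms(p));
        if (args.length == 1) {  // algorithm name chosen from the list above
            SecureRandom sr = pinned(args[0], p);
            System.out.println("pinned:   " + sr.getAlgorithm()
                    + " from " + sr.getProvider().getName());
        }
    }
}
```

On Android, call register() and pinned() from application code rather than through main.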

Build an Application to Run the System Tests

A samples application to run the Crypto-J system tests can be built from the command line or Android Studio. Instructions are provided to:
• Build an Application from the Command Line
• Install a Samples Application from Android Studio.

Gradle scripts to build the application are included in this release at root/cryptoj/android/BsafeAndroidSamples.

For a system running a Windows operating system:
    gradlew.bat installvariantSamplesRelease
where variant is one of the build variants listed above.

The samples application is installed on the attached device.

To run the samples:
1. On the attached device, start the Crypto-J samples application. A list of all the samples is displayed on the device.
2. Select and run individual samples from the list displayed.

Binary Installation for Java Web Start

This section describes how to install the Crypto-J binary toolkit on your Java Web Start development environment. These instructions assume the Crypto-J encrypted package file has been downloaded and unpacked.

Before you begin:
• Ensure that the system you are installing onto has 400 MB of free disk space.
• Install JDK 7.0 or above, and set the JAVA_HOME environment variable appropriately.

Install JCE Jurisdiction Policy Files

The JCE requires the presence of Unlimited Strength Jurisdiction Policy Files in order to use some algorithms and key strengths. The following algorithms require these policy files:
• AES with key sizes greater than 128 bits
• RC2 with key sizes greater than 128 bits
• RC4 with key sizes greater than 128 bits
• RC5 with key sizes greater than 128 bits
• RSA Encryption.

how to install the unlimited Jurisdiction Policy Files on the client side is outside of the scope of this document. Please follow the instructions provided by the JDK vendor.

Install Crypto-J

The following describes the binary distribution directory structure of the unpacked Crypto-J distribution package:

Directory
root/       Crypto-J_6.2.5_InstallGuide.pdf
            Crypto-J_6.2.5_ReleaseNotes.pdf
            license_bsafe.pdf
            readme.

To install Crypto-J:
1. Copy the Crypto-J directory structure into a suitable location on the target system.
2. Select the Crypto-J jar files to use and add them to the class path. The following table lists the Crypto-J APIs and the corresponding jar files.

Table 12 Available APIs and Required jar Files

Available APIs        Jar Files to Add to the Class Path
Non-FIPS JSAFE¹, ²    cryptojcommon-6.2.5.jar
                      jcm-6.2.5.jar
FIPS JSAFE            cryptojcommon-6.2.5.jar
                      jcmFIPS-6.2.5.

6. Create a Java Network Launch Protocol (JNLP) file including all jars. For JNLP File Syntax, please refer to the Oracle tutorial at http://docs.oracle.com/javase/8/docs/technotes/guides/javaws/developersguide/syntax.html.
   The following is an example of a non-FIPS140 JNLP file:

For FIPS 140-2 Level 2 Roles, Authentication and Services compliance, the security properties listed in the following table must be added.

Table 15 FIPS 140-2 Level 2 Property Settings

Property Name                  Value
com.rsa.cryptoj.fips140auth    LEVEL2
com.rsa.cryptoj.configfile¹    path and filename²

¹ This security property is optional. There are APIs to dynamically specify this property.
² The path and filename can be an absolute path or a path relative to the user.

Build and Run the Java Web Start Sample

The following procedure for running the sample code is applicable only for the binary toolkit. Sample source code is available for Java Web Start in root/cryptoj/sample/webstart/src. Build scripts to build and run the sample are included in this release of Crypto-J at root/cryptoj. Use Apache Ant to build and run the sample for Crypto-J. Ensure that your execution path will allow the ant command to be executed.

Source Installation

This section describes how to install and build the Crypto-J toolkit on your development environment. These instructions assume the Crypto-J encrypted package file has been downloaded and unpacked.

Note: For instructions to install the Crypto-J source toolkit on an Android development environment, go to Source Installation for Android.

Before you begin:
• Ensure that the system you are installing onto has 400 MB of free disk space.

Install the JCE Jurisdiction Policy File

The JCE requires the presence of Unlimited Strength Jurisdiction Policy Files in order to use some algorithms and key strengths, and the samples that use these. The following algorithms require these policy files:
• AES with key sizes greater than 128 bits
• RC2 with key sizes greater than 128 bits
• RC4 with key sizes greater than 128 bits
• RC5 with key sizes greater than 128 bits
• RSA Encryption.

Install the JCE Code Signing Certificate

A JCE Code Signing Certificate is used in the process of signing your jar file. A JCE Code Signing Certificate must be obtained from Oracle Corporation and installed onto your platform. It might take up to five days to receive the certificate. Complete installation instructions are on the Oracle web site at https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html.

c. Create a Certificate Signing Request (CSR) using the keytool utility.

    keytool -certreq -alias keypairname \
      -sigalg SHA256WithDSA \
      -file csr_file_name \
      -keystore keystore_file_name \
      -storepass keystore_password -keypass private_key_password

Where:
• ‘\’ is a line extension character if the command line prompt buffer is not big enough for the whole command line
• keypairname is the name used in Step b on page 29
• csr_file_name is the file name which s

2. Install the JCE Code Signing Certificate.
a. Use the keytool utility to import the CA Certificate.

    keytool -import -alias alias_for_the_CA_cert \
      -file CA_cert_file_name \
      -keystore keystore_file_name \
      -storepass keystore_password

Where:
• alias_for_the_CA_cert is the name you have chosen for the CA
• CA_cert_file_name is the name of the attachment containing the CA certificate sent with the email
• keystore_file_name is the name used in Step b on page

Install the Toolkit Files

The following describes the source distribution directory structure of the unpacked Crypto-J distribution package:

Directory
root/       Crypto-J_6.2.5_InstallGuide.pdf
            Crypto-J_6.2.5_ReleaseNotes.pdf
            license_bsafe.pdf
            readme.

b. Edit the password.properties file located at root/cryptoj/cryptoj-src/build/config/keystore to update the keystorepass and the keypass properties with your passwords. The section of the password.properties file to be updated is shown below.

    # JCE code signing passwords
    keystorepass=insert_password_here
    keypass=insert_password_here

Installation is now complete.

Table 16 Third-party Software Download Details (continued)

Software Tool: BCEL 5.2
  Download Location: https://archive.apache.org/dist/commons/bcel/binaries/
  Download File: bcel-5.2.zip
  Required jars: bcel-5.2.jar. Copy to tools/bcel/

Software Tool: Byte Buddy 1.6.11
  Download Location: https://mvnrepository.com/artifact/net.bytebuddy/byte-buddy/1.6.11
  Download File: byte-buddy-1.6.11.jar

Software Tool: Byte Buddy java Agent 1.6.11
  Download Location: https://mvnrepository.com/artifact/net.bytebuddy/byte-buddy-agent/1.6.11
  Download File: byte-buddy-agent-1.

Table 16 Third-party Software Download Details (continued)

Software Tool: Proguard 4.8
  Download Location: http://sourceforge.net/projects/proguard/files/proguard/4.8
  Download File: proguard-4.8.zip
  Required jars: proguard.jar. Copy to tools/proguard/

Software Tool: Velocity 1.5
  Download Location: http://archive.apache.org/dist/velocity/engine/1.5
  Download File: velocity-1.5.zip
  Required jars: commons-collections-3.1.jar
                 commons-lang-2.1.jar
                 jdom-1.0.jar
                 oro-2.0.8.jar
                 velocity-1.5.jar
                 werken-xpath-0.9.4.

1 Android

3. View root/cryptoj/cryptoj-src/gen/reports/index.html to verify the results of each test.

Run the System Tests

The following steps summarize the process to run the system tests:
1. Run a Confidence Build.
2. Run the System Tests.
3. Run the Performance Tests.

Run a Confidence Build

The confidence build script builds and tests the Crypto-J toolkit.

To run a Confidence Build:
1. Navigate to the cryptoj directory:
    cd root/cryptoj
2.

Run the Performance Tests

In some environments the system performance is a high priority. To assist in the task of measuring system performance, Crypto-J provides a test script. The individual tests run against each toolkit configuration can be modified by editing the appropriate properties file located in root/cryptoj/cryptoj-src/src/test/data/com/rsa/test/data/performance.

Source Installation for Android

This section describes how to install and build the Crypto-J toolkit on your development environment. These instructions assume the Crypto-J encrypted package file has been downloaded and unpacked.

Before you begin:
• Ensure that the system you are installing onto has 900 MB of free disk space.
• Install Oracle® JDK 8.0 and set the JAVA_HOME environment variable appropriately.

Install the JCE Code Signing Certificate

A JCE Code Signing Certificate is used in the process of signing your jar file. A JCE Code Signing Certificate must be obtained from Oracle Corporation and installed onto your platform. (It may take up to five days to receive the certificate.) Complete installation instructions are on the Oracle web site at https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html.

c. Create a Certificate Signing Request (CSR) using the keytool utility.

    keytool -certreq -alias keypairname \
      -sigalg SHA256WithDSA \
      -file csr_file_name \
      -keystore keystore_file_name \
      -storepass keystore_password -keypass private_key_password

Where:
• ‘\’ is a line extension character if the command line prompt buffer is not big enough for the whole command line
• keypairname is the name used in Step b on page 39
• csr_file_name is the file name which s

2. Install the JCE Code Signing Certificate.
a. Use the keytool utility to import the CA Certificate.

    keytool -import -alias alias_for_the_CA_cert \
      -file CA_cert_file_name \
      -keystore keystore_file_name \
      -storepass keystore_password

Where:
• alias_for_the_CA_cert is the name you have chosen for the CA
• CA_cert_file_name is the name of the attachment containing the CA certificate sent with the email
• keystore_file_name is the name used in Step b on page

Install the Toolkit Files

The following describes the source distribution directory structure of the unpacked Crypto-J distribution package:

Directory
root/       Crypto-J_6.2.5_InstallGuide.pdf
            Crypto-J_6.2.5_ReleaseNotes.pdf
            license_bsafe.pdf
            readme.

b. Edit the file root/cryptoj/cryptoj-src/build/config/keystore/password.properties to update the keystorepass and the keypass properties with your passwords. The section of the password.properties file to be updated is shown below.

    # JCE code signing passwords
    keystorepass=insert_password_here
    keypass=insert_password_here

Installation is now complete.

Table 17 Third-party Software Download Details (continued)

Software Tool: BCEL 5.2
  Download Location: https://archive.apache.org/dist/commons/bcel/binaries/
  Download File: bcel-5.2.zip
  Required jars: bcel-5.2.jar. Copy to tools/bcel/

Software Tool: Byte Buddy 1.6.11
  Download Location: https://mvnrepository.com/artifact/net.bytebuddy/byte-buddy/1.6.11
  Download File: byte-buddy-1.6.11.jar

Software Tool: Byte Buddy java Agent 1.6.11
  Download Location: https://mvnrepository.com/artifact/net.bytebuddy/byte-buddy-agent/1.6.11
  Download File: byte-buddy-agent-1.

Table 17 Third-party Software Download Details (continued)

Software Tool: Objenesis 2.5
  Download Location: https://mvnrepository.com/artifact/org.objenesis/objenesis/2.5
  Download File: objenesis-2.5.jar
  Required jars: objenesis-2.5.jar. Copy to tools/mockito/

Software Tool: Proguard 4.8
  Download Location: http://sourceforge.net/projects/proguard/files/proguard/4.8
  Download File: proguard-4.8.zip
  Required jars: proguard.jar. Copy to tools/proguard/

Software Tool: Velocity 1.
  Download Location: http://archive.apache.org/dist/velocity/engine/1.5
  Download File: velocity-1.5.zip

1 Android

Build an Application to Run the System Tests

A samples application to run the Crypto-J system tests can be built from the command line or Android Studio. Instructions are provided to:
• Run System Tests from the Command line
• Run System Tests from Android Studio.

Gradle scripts to build and run the samples application are available at root/cryptoj/android/BsafeAndroid.

Run System Tests from Android Studio

Before you Begin:
1. In the development environment, launch Android Studio.
2. Open the Android test project, BsafeAndroid. This downloads the Gradle zip file and initializes Gradle to use the Gradle wrapper. The process may take from 10 to 20 minutes.

To run the system tests on the attached device:
1. In Android Studio open the Gradle tool window from the View menu.
2. Expand BsafeAndroidSamples:cryptoj:Tasks:release.
3.

System and Security Properties

The system and security properties in Crypto-J are used to statically register the JsafeJCE provider, and to configure the toolkit and FIPS-140 mode behavior. For further detail, see the Introduction To Crypto-J -> System and Security Properties section of the RSA BSAFE Crypto-J Developers Guide.