Getting started with RSA BSAFE® Share For JAVA⢠Platform - EMC ...
Getting started with RSA BSAFE® Share For JAVA⢠Platform - EMC ...
Getting started with RSA BSAFE® Share For JAVA⢠Platform - EMC ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>RSA</strong> BSAFE ® <strong>Share</strong> for Java <strong>Platform</strong> 1.1<br />
Upgrading<br />
<strong>RSA</strong>, The Security Division of <strong>EMC</strong>,<br />
July 16, 2009<br />
Version 1.0, July 16, 2009
Introduction to Presentation<br />
This presentation describes how to upgrade an application<br />
to and from using <strong>RSA</strong> BSAFE ® <strong>Share</strong> for Java TM<br />
<strong>Platform</strong> (<strong>Share</strong> for Java).<br />
2
Objective<br />
As a result of this presentation you will be able to upgrade:<br />
– Sun’s JRE 6.0 to <strong>Share</strong> for Java<br />
– <strong>Share</strong> for Java to <strong>RSA</strong> BSAFE® Crypto-J and <strong>RSA</strong> BSAFE®<br />
SSL-J.<br />
3
Agenda<br />
Upgrading from Sun’s JRE 6.0<br />
Upgrading to <strong>RSA</strong> BSAFE® Crypto-J and <strong>RSA</strong> BSAFE®<br />
SSL-J<br />
4
Upgrading<br />
Sun’s JRE 6.0 to <strong>Share</strong> for Java<br />
5
Upgrading: Sun’s JRE 6.0 to <strong>Share</strong> for Java<br />
Agenda<br />
Agenda<br />
– Class path and provider registration<br />
– Algorithm support<br />
– Key stores<br />
– Recommended code changes<br />
6
Upgrading: Sun’s JRE 6.0 to <strong>Share</strong> for Java<br />
Class Path and Provider Registration<br />
shareCrypto.jar and shareTLS.jar must be added directly or<br />
indirectly to the class path.<br />
– If static registration is to be used:<br />
• shareCrypto.jar and shareTLS.jar files must be copied to the<br />
jre/lib/ext directory.<br />
• If LDAP is to be used, openldap.jar must be copied to the<br />
jre/lib/ext directory.<br />
• com.rsa.jsafe.provider.JsafeJCE and<br />
com.rsa.jsse.JsseProvider must be added to the provider list in<br />
the jre/lib/security/java.security file.<br />
– If dynamic registration is to be used:<br />
• shareCrypto.jar and shareTLS.jar files must be copied to the<br />
jre/lib/ext directory or added to the class path.<br />
• If LDAP is to be used, openldap.jar must be copied to the<br />
jre/lib/ext directory or added to the class path.<br />
7
Upgrading: Sun’s JRE 6.0 to <strong>Share</strong> for Java<br />
Algorithm Support<br />
Applications which rely on algorithms not supported by<br />
<strong>Share</strong> for Java need to be modified to use alternative<br />
algorithms.<br />
8
Upgrading: Sun’s JRE 6.0 to <strong>Share</strong> for Java<br />
Algorithm Support: JKS KeyStores<br />
JKS format java.security.KeyStore objects are not<br />
supported by <strong>Share</strong> for Java.<br />
– Upgrade Path: Copy all private keys and certificate chains out of<br />
the JKS KeyStore and put them into a PKCS #12 KeyStore.<br />
• Using Sun JRE 6.0...<br />
• Statically register com.rsa.jsafe.provider.JsafeJCE from<br />
shareCrypto.jar in first position.<br />
• Execute the command line:<br />
keytool -importkeystore –v<br />
-srckeystore .jks -srcstoretype JKS -srcstorepass <br />
-destkeystore .p12 -deststoretype P12 -deststorepass <br />
where is the file to be converted and is the password.<br />
9
Upgrading: Sun’s JRE 6.0 to <strong>Share</strong> for Java<br />
Recommended Code Changes<br />
The following slides list some small code changes which<br />
will improve the security of your system. The changes fall<br />
into the categories:<br />
– Use of java.security.SecureRandom<br />
– Use of javax.net.ssl.SSLContext<br />
– Use of javax.net.ssl.SSLServerSocket and<br />
javax.net.ssl.SSLSocket<br />
10
Upgrading: Sun’s JRE 6.0 to <strong>Share</strong> for Java<br />
Recommended Code Changes: SecureRandom<br />
Issue:<br />
– No strong PRNG algorithms are available in Sun JRE 6.0. If a<br />
SecureRandom is being explicitly created, it won’t be using a<br />
strong algorithm.<br />
Review calls to java.security.SecureRandom.getInstance<br />
methods.<br />
Change the algorithm used to ECDRBG or HMACDRBG.<br />
– ECDRBG provides the best long term security.<br />
– HMACDRBG provides better performance than ECDRBG whilst still<br />
providing good security.<br />
11
Upgrading: Sun’s JRE 6.0 to <strong>Share</strong> for Java<br />
Recommended Code Changes: SSLContext<br />
Issue:<br />
– SecureRandom parameters are sometimes passed to<br />
SSLContext.init. Sometimes this makes sense (for performance<br />
reasons, or because a special HSM SecureRandom object is<br />
being used), but usually, it is better to use the default.<br />
Review calls to the<br />
javax.net.ssl.SSLContext.init(KeyManager[] km,<br />
TrustManager[] tm, SecureRandom random) method.<br />
Passing null for the random parameter to the init method<br />
allows the JSSE provider to choose the best SecureRandom<br />
implementation.<br />
12
Upgrading: Sun’s JRE 6.0 to <strong>Share</strong> for Java<br />
Recommended Code Changes: SSL Sockets<br />
Issue:<br />
– The TLS protocol version to support can be specified for a socket.<br />
Some applications may use this to limit protocol support to TLSv1,<br />
or maybe SSLv3 and TLSv1. This prevents applications from<br />
connecting <strong>with</strong> SSLv2. However, this also prevents <strong>Share</strong> for<br />
Java from using TLSv1.1 and TLSv1.2.<br />
Review calls to<br />
javax.net.ssl.SSLServerSocket.setEnabledProtocols<br />
and javax.net.ssl.SSLSocket.setEnabledProtocols<br />
Either remove these calls or add the values<br />
com.rsa.jsse.JsseProvider.TLS_V11 and<br />
com.rsa.jsse.JsseProvider.TLS_V12 to the array of<br />
algorithms supplied to the setEnabledProtocols method.<br />
13
Upgrading: Sun’s JRE 6.0 to <strong>Share</strong> for Java<br />
Recommended Code Changes: SSL Sockets<br />
Issue:<br />
– The cipher suites to use can be specified for a socket. Some<br />
applications may use this to limit which cipher suites to use. This<br />
prevents an application from using cipher suites which do not<br />
provide good security. However, this also prevents <strong>Share</strong> for<br />
Java from using more advanced cipher suites.<br />
Review calls to<br />
javax.net.ssl.SSLServerSocket.setEnabledCipherSuites<br />
and javax.net.ssl.SSLSocket.setEnabledCipherSuites<br />
Either remove these calls or look at the release notes to<br />
determine which cipher suites to add.<br />
14
Upgrading<br />
<strong>Share</strong> for Java to Crypto-J/Cert-J/SSL-J<br />
15
Upgrading: <strong>Share</strong> to Crypto-J/Cert-J/SSL-J<br />
Agenda<br />
Agenda<br />
– Introduction<br />
– Class path and provider registration<br />
– FIPS 140<br />
– Native crypto<br />
– PKCS #11<br />
– Feature support:<br />
• Entropy from Hardware Security Module (HSM)<br />
16
Upgrading: <strong>Share</strong> to Crypto-J/Cert-J/SSL-J<br />
Introduction<br />
sslj.jar<br />
<strong>RSA</strong> BSAFE ® SSL-J 5.1<br />
<strong>RSA</strong> BSAFE ® <strong>Share</strong><br />
for Java TM <strong>Platform</strong><br />
shareTLS.jar<br />
SSLJ API<br />
JSSE API<br />
JSSE API<br />
<strong>RSA</strong> BSAFE ® Cert-J 3.1<br />
certj.jar<br />
CERTJ API<br />
<strong>RSA</strong> BSAFE ® Crypto-J 4.1<br />
cryptoj.jar, cryptojFIPS.jar<br />
shareCrypto.jar<br />
JSAFE API<br />
JCE API<br />
JCE API<br />
17
Upgrading: Sun’s JRE 6.0 to <strong>Share</strong> for Java<br />
Class Path and Provider Registration<br />
shareCrypto.jar and shareTLS.jar must be replaced <strong>with</strong><br />
cryptoj.jar or cryptojFIPS.jar, and sslj.jar.<br />
– If shareCrypto.jar and shareTLS.jar are in the jre/lib/ext<br />
directory, they must be removed and replaced <strong>with</strong> cryptoj.jar or<br />
cryptojFIPS.jar and sslj.jar.<br />
– If shareCrypto.jar and shareTLS.jar are in the class path, they<br />
must be removed and replaced <strong>with</strong> cryptoj.jar or<br />
cryptojFIPS.jar and sslj.jar.<br />
18
Upgrading: <strong>Share</strong> to Crypto-J/Cert-J/SSL-J<br />
FIPS 140<br />
<strong>For</strong> an application to be FIPS 140 compliant, it must:<br />
– Use cryptojFIPS.jar<br />
– Have the com.rsa.cryptoj.kat.strategy property set to<br />
on.load in the jre/lib/security/java.security file.<br />
– Not use non-FIPS 140 algorithms directly or indirectly.<br />
• Cipher Suites: Either don’t set cipher suites explicitly or only use<br />
cipher suites which use only FIPS 140 algorithms.<br />
• Key Stores: Convert PKCS #12 key stores to Crypto-J 4.1 / <strong>Share</strong><br />
for Java 1.0 format so that only FIPS 140 algorithms are used.<br />
19
Upgrading: <strong>Share</strong> to Crypto-J/Cert-J/SSL-J<br />
Native Crypto<br />
To use Native Crypto:<br />
– Ensure the platform specific shared library is in the Java library<br />
path or the system library path.<br />
– On Windows:<br />
• Copy cryptoj\prebuilt\cryptoc\win32\lib\jsafe.dll to<br />
C:\WINDOWS\system32<br />
– Native algorithms will be used if they are available.<br />
20
Upgrading: <strong>Share</strong> to Crypto-J/Cert-J/SSL-J<br />
PKCS #11<br />
To use PKCS #11 Crypto:<br />
– Ensure the platform specific shared libraries are in the Java library<br />
path or the system library path, and that the PKCS #11 driver is in<br />
the system library path.<br />
– On Windows:<br />
• Copy cryptoj\prebuilt\cryptoc\win32\lib\jsafe.dll<br />
and<br />
cryptoj\prebuilt\cryptoc\win32\lib\jsafepkcs11.dll<br />
to C:\WINDOWS\system32<br />
– Use PKCS #11 algorithms names:<br />
• KeyPairGenerator: DSAWithPKCS11, <strong>RSA</strong>WithPKCS11.<br />
• Cipher: <strong>RSA</strong>WithPKCS11.<br />
• Signature: SHA1<strong>with</strong><strong>RSA</strong>andPKCS11, NONE<strong>with</strong><strong>RSA</strong>andPKCS11,<br />
SHA1<strong>with</strong>DSAandPKCS11.<br />
21
Upgrading: <strong>Share</strong> to Crypto-J/Cert-J/SSL-J<br />
Entropy from a Hardware Security Module<br />
Entropy can be supplied to Crypto-J from an external<br />
source, such as an HSM:<br />
– Ensure the HSM specific JCE provider is available.<br />
– Use com.rsa.jsafe.crypto.CryptoJ’s<br />
setSeeder(SecureRandom, boolean) method.<br />
– See the javadoc for more details.<br />
22
Thank you!