Installation Guide
28 May 2015
Copyright and Trademark
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and
may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice
above. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Third-party licenses
This product may include software developed by parties other than EMC. The text of the license agreements applicable to
third-party software in this product may be viewed in the file Crypto-J_6.2.0.1_Third-partyLicenses.pdf.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Disclaimer
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES
NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Distribution
Limit distribution of this document to trusted personnel.
Part Number
21.05.15
This document provides instructions for installing RSA BSAFE Crypto-J 6.2.0.1
(Crypto-J) on all released platforms. Instructions are provided for binary installations
and source installations of Crypto-J. Instructions are also provided for binary
installations on Google® Android™ and the Java™ Web Start application.
Binary installations are suitable where the compiled version of Crypto-J matches your
installation platform, and where there is no intention to alter the product. Source
installations are suitable where there is a requirement to build Crypto-J for a specific
platform.
Contents:
• About the Crypto-J Toolkit
• Binary Installation
– Install JCE Jurisdiction Policy Files
– Decrypt the Toolkit Files
– Install Crypto-J
– Build and Run the Samples
• Binary Installation for Android
– Decrypt the Toolkit Files
– Install Crypto-J
– Build and Run the Android Samples
• Binary Installation for Java Web Start
– Install JCE Jurisdiction Policy Files
– Decrypt the Toolkit Files
– Install Crypto-J
– Build and Run the Java Web Start Sample
• Source Installation
– Install the JCE Jurisdiction Policy File
– Install the JCE Code Signing Certificate
– Decrypt the Toolkit Files
– Install the Toolkit Files
– Build and Test the Source Code
• System and Security Properties
• Uninstallation Instructions
28 May 2015 Copyright © 2015 EMC Corporation. All rights reserved. Published in the USA. 1
RSA BSAFE Crypto-J 6.2.0.1 Installation Guide
Toolkit Configuration
The following table lists the eight toolkit configurations included in the Crypto-J
toolkit.
FIPS Native JCE and JSAFE Pure Java and Native Yes¹ Yes
¹ Not applicable to Crypto-J on Android.
Binary Installation
This section describes how to install the Crypto-J binary toolkit on your development
environment.
Decryption utilities are available for the Windows®, UNIX®, Linux® and Solaris®
operating systems. Go to Information > Utilities on the RSA download server to
access the decryption utility for your system.
To install Crypto-J:
The following steps summarize the complete installation process which is detailed
below:
1. Install JCE Jurisdiction Policy Files
2. Decrypt the Toolkit Files
3. Distribution Directory Structure
4. Build and Run the Samples.
Some of the samples use the restricted algorithms that require the policy files.
To successfully use the relevant algorithms and run all of the samples, the Unlimited
Jurisdiction Policy Files must be downloaded and installed.
The JDK vendor and version determine the Jurisdiction Policy File to download.
Obtain the applicable JDK versions from the following download locations:
• JCE Unlimited Strength Jurisdiction Policy Files 6 for:
– Oracle® JDK 6.0
– Oracle JRockit® JDK 6.0
– HP JDK 6.0.
• JCE Unlimited Strength Jurisdiction Policy Files 7 for:
– Oracle JDK 7.0
– HP JDK 7.0.
• JCE Unlimited Strength Jurisdiction Policy Files 8 for Oracle JDK 8.0.
• IBM Unrestricted JCE Policy Files for IBM® JDK 6.0 and 7.0.
The following procedure describes the steps to copy and decrypt the toolkit files on
platforms that support the source distribution of Crypto-J. For this release these are the
AIX, HP-UX, Linux, Solaris, and Windows operating systems.
Install Crypto-J
To install Crypto-J:
1. Copy the Crypto-J binary distribution directory structure into a suitable location
on the target system.
2. Select the Crypto-J jar files to use and add them to the class path. The following
table lists the Crypto-J APIs and the corresponding jar files.
Table 2 Available APIs and Required jar Files
3. Depending on other features to be used, additional jar files might need to be added
to the class path. The following table lists these features and the corresponding jar
files to be added to the class path.
Table 3 Features and Required jar Files
LDAP <root>/cryptoj/prebuilt/openldap/openldap.jar
For details about how to use Native configurations of Crypto-J, see the
API-specific section “Using Native Implementations” in the RSA BSAFE
Crypto-J Developers Guide.
5. To use the Crypto-J JsafeJCE API, register the Crypto-J JCE provider, JsafeJCE,
either statically or dynamically.
To statically register the JsafeJCE provider:
a. Copy the relevant jar files to the
<jdk install directory>/jre/lib/ext directory.
b. Edit the <jdk install directory>/jre/lib/security/
java.security file to add the JsafeJCE Provider:
security.provider.<n>=com.rsa.jsafe.provider.JsafeJCE
To set the JsafeJCE Provider as the default provider, set <n> to 1.
Change the <n> values for any other providers listed in java.security so
that each provider has a unique number. For example:
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=sun.security.provider.Sun
To dynamically register the JsafeJCE provider:
a. Add the relevant jar files to the class path.
b. Create the provider programmatically using the following Java code:
import java.security.Provider;
import java.security.Security;

// Create a Provider object
Provider jsafeProvider = new com.rsa.jsafe.provider.JsafeJCE();
// Add the Crypto-J JsafeJCE Provider to the current
// list of providers available on the system.
Security.insertProviderAt(jsafeProvider, 1);
6. The Crypto-J FIPS 140-2 toolkit may be configured to perform specific operations
at start-up (load). Configure these operations by editing
<jdk install directory>/jre/lib/security/java.security.
The following table lists the property that must be set for FIPS 140-2 compliant
operation.
Table 5 FIPS 140-2 Property Setting
com.rsa.cryptoj.fips140initialmode FIPS140_MODE¹
¹ The fips140initialmode value can be any of FIPS140_MODE, FIPS140_SSL_MODE, FIPS140_ECC_MODE,
FIPS140_SSL_ECC_MODE or NON_FIPS140_MODE.
For FIPS 140-2 Level 2 Roles, Authentication and Services compliance, the
security properties listed in the following table must be added.
Table 6 FIPS 140-2 Level 2 Property Settings
com.rsa.cryptoj.fips140auth LEVEL2
¹ The use of this algorithm is deprecated until December 31, 2015, and disallowed after 2015.
Refer to “Random Number Generation” in SP800-131A.
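Steps 5 and 6 above both depend on hand edits to java.security. The following check is an added example, not part of the RSA guide or the Crypto-J toolkit: it flags duplicate or non-contiguous security.provider.<n> entries, a missing JsafeJCE registration, and fips140initialmode or fips140auth values that differ from the tables above. The function names and the sample file contents are constructed for illustration.

```python
import re

# Start-up modes the guide lists for com.rsa.cryptoj.fips140initialmode.
FIPS_MODES = {"FIPS140_MODE", "FIPS140_SSL_MODE", "FIPS140_ECC_MODE",
              "FIPS140_SSL_ECC_MODE", "NON_FIPS140_MODE"}
JSAFE_CLASS = "com.rsa.jsafe.provider.JsafeJCE"
PROVIDER_KEY = re.compile(r"security\.provider\.(\d+)$")


def parse_properties(text):
    """Return (key, value) pairs in file order, duplicates included."""
    pairs, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # continuation: join with next line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs


def audit_java_security(text, require_default=True, require_level2=False):
    """Check java.security text against the guide's settings.

    Returns a list of findings; an empty list means nothing to fix.
    """
    findings, providers, props = [], {}, {}
    for key, value in parse_properties(text):
        m = PROVIDER_KEY.match(key)
        if not m:
            props[key] = value
            continue
        n = int(m.group(1))
        if n in providers:
            # java.util.Properties keeps only the last value for a key, so
            # the earlier provider on this number is silently dropped.
            findings.append(f"security.provider.{n} is defined more than once")
        providers[n] = value
    numbers = sorted(providers)
    if numbers != list(range(1, len(numbers) + 1)):
        # The JDK reads security.provider.1, .2, ... and stops at the first gap.
        findings.append(f"provider numbers are not contiguous from 1: {numbers}")

    jsafe = [n for n, cls in providers.items() if cls == JSAFE_CLASS]
    if not jsafe:
        findings.append("JsafeJCE is not registered")
    elif require_default and jsafe[0] != 1:
        findings.append(f"JsafeJCE is provider {jsafe[0]}, not the default")

    mode = props.get("com.rsa.cryptoj.fips140initialmode")
    if mode is None:
        findings.append("com.rsa.cryptoj.fips140initialmode is not set")
    elif mode not in FIPS_MODES:
        findings.append(f"fips140initialmode has unknown value {mode!r}")
    if require_level2 and props.get("com.rsa.cryptoj.fips140auth") != "LEVEL2":
        findings.append("com.rsa.cryptoj.fips140auth is not LEVEL2")
    return findings


# Constructed sample inputs (not taken from a real installation).
SAMPLE_GOOD = """\
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=sun.security.provider.Sun
com.rsa.cryptoj.fips140initialmode=FIPS140_MODE
com.rsa.cryptoj.fips140auth=LEVEL2
"""
SAMPLE_BAD = """\
# provider 1 is reused, 2 is missing, and the mode name is misspelled
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.1=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
com.rsa.cryptoj.fips140initialmode=FIPS_MODE
"""

if __name__ == "__main__":
    for finding in audit_java_security(SAMPLE_BAD):
        print("FINDING:", finding)
```

In SAMPLE_BAD the reused number 1 means the JsafeJCE line is overwritten by the Sun provider, so the toolkit provider is never loaded even though its line is present in the file.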
There are two ways to build and run the samples for Crypto-J:
• Use IDE project files
The project files to build and run the samples have been included in this release of
Crypto-J for the following development environments:
– JetBrains IntelliJ 9.0 IDE
– Eclipse 3.3 IDE.
These project files are located at <root>/cryptoj.
• Use Apache Ant build scripts
Build scripts to build and run the samples are included in this release of Crypto-J
at <root>/cryptoj. Ensure that your execution path will allow the ant
command to be executed.
Note: The following instructions are based on the use of Apache Ant.
To build and run the sample code when using a Pure Java configuration:
1. Navigate to the cryptoj directory.
cd <root>/cryptoj
2. Build and run the samples:
a. To run all of the samples:
ant -f build-<api_name>.xml run.all
b. To run a specific sample, specify the sample name. For example:
ant -f build-<api_name>.xml run.ECIESwithAES
To build and run the sample code when using a Native configuration:
Note: Step 4 on page 9 has the full list of the platforms and details of how to
configure a Native implementation.
Binary Installation for Android
Decryption utilities are available for the Windows®, UNIX®, Linux® and Solaris®
operating systems. Go to Information > Utilities on the RSA download server to
access the decryption utility for your system.
To install Crypto-J:
The following steps summarize the complete installation process which is detailed
below:
1. Decrypt the Toolkit Files
2. Distribution Directory Structure
3. Build and Run the Android Samples.
The following procedure describes the steps to copy and decrypt the toolkit files on
platforms that support the source distribution of Crypto-J. For this release these are the
AIX, HP-UX, Linux, Solaris, and Windows operating systems.
Install Crypto-J
To install Crypto-J:
1. Copy the Crypto-J binary distribution directory structure into a suitable location
on the target system.
2. Select the Crypto-J jar files to use and add them to the class path. The following
table lists the Crypto-J APIs and the corresponding jar files.
Table 7 Available APIs and Required jar Files
LDAP <root>/cryptoj/prebuilt/openldap/openldap.jar
6. Select the Native shared library jar files to use and copy them to the specified
directories:
– To work with Crypto-J configured as non-FIPS 140-2 compliant, copy
libncm.so to the <android-project>/libs/<platform> directory.
– To work with Crypto-J configured as FIPS 140-2 compliant:
• Copy the following shared libraries to the
<android-project>/libs/<platform> directory:
libncm_fips140.so
libccme_asym.so
libccme_aux_entropy.so
libccme_base.so
libccme_base_non_fips.so
libccme_ecc.so
libccme_ecc_accel_fips.so
libccme_ecc_accel_non_fips.so
libccme_ecc_non_fips.so
libccme_ecdrbg.so
libccme_error_info.so
libcryptocme.so
• Copy the signature file, libcryptocme.sig, to the
<android-project>/assets directory.
For details about how to use Native configurations of Crypto-J, see the
API-specific section “Using Native Implementations” in the RSA BSAFE
Crypto-J Developers Guide.
7. To use the Crypto-J JsafeJCE API, dynamically register the Crypto-J JCE
provider, JsafeJCE:
a. Add the relevant jar files to the class path.
b. Create the provider programmatically using the following Java code:
import java.security.Provider;
import java.security.Security;

// Create a Provider object
Provider jsafeProvider = new com.rsa.jsafe.provider.JsafeJCE();
// Add the Crypto-J JsafeJCE Provider to the current
// list of providers available on the system.
Security.insertProviderAt(jsafeProvider, 1);
com.rsa.cryptoj.fips140initialmode FIPS140_MODE¹
com.rsa.cryptoj.native.fips140.path <path>
¹ The fips140initialmode value can be any of FIPS140_MODE, FIPS140_SSL_MODE, FIPS140_ECC_MODE,
FIPS140_SSL_ECC_MODE or NON_FIPS140_MODE.
For FIPS 140-2 Level 2 Roles, Authentication and Services compliance, the
security properties listed in the following table must be added.
Table 11 FIPS 140-2 Level 2 Property Settings
com.rsa.cryptoj.fips140auth LEVEL2
² The use of this algorithm is deprecated until December 31, 2015, and disallowed after 2015.
Refer to “Random Number Generation” in SP800-131A.
Note: The samples can be run in either FIPS 140-2 Level 1 or Level 2 mode,
per installation. To re-run the samples in the alternate mode, they must first
be un-installed and then re-installed.
Build scripts to build and run the samples are included in this release of Crypto-J at
<root>/cryptoj/sample/android/Samples
<root>/cryptoj/sample/android/FipsSamples
<root>/cryptoj/sample/android/NativeSamples
<root>/cryptoj/sample/android/NativeFipsSamples.
Ensure that your execution path will allow the ant command to be executed.
6. To run the samples in FIPS 140-2 mode with the Native implementation:
ant -f build-android.xml -Dandroid.target=<target>
-Dandroid.project.name=NativeFipsSamples
-Dapp.abi=<platform> run
Where:
• target is the identifier of one of the available targets.
• platform is the target Android device platform identifier.
Some of these samples will take several minutes to complete while running on an
emulator or older hardware.
Binary Installation for Java Web Start
Decryption utilities are available for the Windows®, UNIX®, Linux® and Solaris®
operating systems. Go to Information > Utilities on the RSA download server to
access the decryption utility for your system.
To install Crypto-J:
The following steps summarize the complete installation process which is detailed
below:
1. Install JCE Jurisdiction Policy Files
2. Decrypt the Toolkit Files
3. Distribution Directory Structure
4. Build and Run the Java Web Start Sample.
These algorithms are used by some PKCS #12 KeyStore files. Some of the samples
use the restricted algorithms that require the policy files.
To successfully use the relevant algorithms and run all of the samples, the Unlimited
Jurisdiction Policy Files must be downloaded and installed. The JDK vendor and
version determine the Jurisdiction Policy File to download. Obtain the applicable
JDK versions from the following download locations:
• JCE Unlimited Strength Jurisdiction Policy Files 6 for:
– Oracle® JDK 6.0
– Oracle JRockit® JDK 6.0
– HP JDK 6.0.
• JCE Unlimited Strength Jurisdiction Policy Files 7 for:
– Oracle JDK 7.0
– HP JDK 7.0.
• JCE Unlimited Strength Jurisdiction Policy Files 8 for Oracle JDK 8.0.
• IBM Unrestricted JCE Policy Files for IBM® JDK 6.0 and 7.0.
The following procedure describes the steps to copy and decrypt the toolkit files on
platforms that support the source distribution of Crypto-J. For this release these are the
AIX, HP-UX, Linux, Solaris, and Windows operating systems.
Install Crypto-J
To install Crypto-J:
1. Copy the Crypto-J binary distribution directory structure into a suitable location
on the target system.
2. Select the Crypto-J jar files to use and add them to the class path. The following
table lists the Crypto-J APIs and the corresponding jar files.
Table 12 Available APIs and Required jar Files
3. Depending on other features to be used, additional jar files might need to be added
to the class path. The following table lists these features and the corresponding jar
files to be added to the class path.
Table 13 Features and Required jar Files
LDAP <root>/cryptoj/prebuilt/openldap/openldap.jar
4. To use the Crypto-J JsafeJCE API, register the Crypto-J JCE provider, JsafeJCE,
dynamically in the Java Web Start application. To dynamically register the
JsafeJCE provider:
a. Add the relevant jar files to the class path.
b. Create the provider programmatically using the following Java code:
import java.security.Provider;
import java.security.Security;

// Create a Provider object
Provider jsafeProvider = new com.rsa.jsafe.provider.JsafeJCE();
// Add the Crypto-J JsafeJCE Provider to the current
// list of providers available on the system.
Security.insertProviderAt(jsafeProvider, 1);
5. Sign all jar files with a trusted certificate. Binary released cryptoj.jar and
cryptojce.jar have already been signed with a SHA-256 digest algorithm and
they can be re-signed using the same SHA-256 digest algorithm.
6. Create a Java Network Launch Protocol (JNLP) file including all jars.
For JNLP File Syntax, please refer to the Oracle tutorial at
http://docs.oracle.com/javase/8/docs/technotes/guides/javaws/developersguide/syntax.html.
The following is an example of a non-FIPS140 JNLP file:
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="6.0+" codebase="https://<codebase_url>" href="<filename>.jnlp">
  <information>
    <title>Your Java Web Start title</title>
    <vendor>Company Name</vendor>
    <description>Some descriptions about application</description>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.7+"/>
    <jar href="<path_to_library>/any.jar"/>
    ...
    <jar href="<path_to_library>/cryptojcommon.jar"/>
    <jar href="<path_to_library>/cryptojce.jar"/>
7. The Crypto-J FIPS 140-2 toolkit may be configured to perform specific operations
at start-up (load). Configure these operations by editing
<jdk install directory>/jre/lib/security/java.security.
The following table lists the property that must be set for FIPS 140-2 compliant
operation.
Table 14 FIPS 140-2 Property Setting
com.rsa.cryptoj.fips140initialmode FIPS140_MODE¹
¹ The fips140initialmode value can be any of FIPS140_MODE, FIPS140_SSL_MODE, FIPS140_ECC_MODE,
FIPS140_SSL_ECC_MODE or NON_FIPS140_MODE.
For FIPS 140-2 Level 2 Roles, Authentication and Services compliance, the
security properties listed in the following table must be added.
Table 15 FIPS 140-2 Level 2 Property Settings
com.rsa.cryptoj.fips140auth LEVEL2
³ The use of this algorithm is deprecated until December 31, 2015, and disallowed after 2015.
Refer to “Random Number Generation” in SP800-131A.
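Step 5 above requires every jar in the Java Web Start application to be signed, and states that the released jars use a SHA-256 digest. The following check is an added example, not part of the RSA guide or the Crypto-J toolkit: it reads the META-INF signature files of a jar and reports jars that are unsigned, lack a signature block file, or declare a digest other than SHA-256. The function names are hypothetical, and the sample jars are constructed in memory with placeholder digests and signature blocks.

```python
import io
import zipfile

BLOCK_EXTS = (".RSA", ".DSA", ".EC")   # signature block file extensions


def sf_digest_algorithms(sf_text):
    """Digest algorithms named by the *-Digest* attributes of a .SF file."""
    # Long manifest lines are wrapped; continuation lines start with a space.
    text = sf_text.replace("\r\n", "\n").replace("\n ", "")
    algs = set()
    for line in text.split("\n"):
        attr = line.split(":", 1)[0]
        if "-Digest" in attr:
            algs.add(attr.split("-Digest", 1)[0].upper())
    return algs


def check_jar_signature(jar_bytes, required="SHA-256"):
    """Return findings for a jar whose signature files must use `required`.

    Only the declared digest algorithms are inspected; the signature
    itself is not verified here.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = {n.upper(): n for n in jar.namelist()}
        sf_files = [n for u, n in names.items()
                    if u.startswith("META-INF/") and u.endswith(".SF")
                    and u.count("/") == 1]
        if not sf_files:
            return ["jar is unsigned: no META-INF/*.SF signature file"]
        for name in sorted(sf_files):
            stem = name.upper()[:-3]
            if not any(stem + ext in names for ext in BLOCK_EXTS):
                findings.append(f"{name} has no signature block file")
            text = jar.read(name).decode("utf-8", "replace")
            algs = sf_digest_algorithms(text)
            if algs != {required}:
                findings.append(
                    f"{name} uses {sorted(algs)}, expected only {required}")
    return findings


def build_jar(files):
    """Build an in-memory jar from a {entry name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for entry, data in files.items():
            z.writestr(entry, data)
    return buf.getvalue()


# Constructed samples: digest values and signature blocks are placeholders.
MANIFEST = "Manifest-Version: 1.0\r\n\r\n"
SF_SHA256 = ("Signature-Version: 1.0\r\n"
             "SHA-256-Digest-Manifest: placeholder\r\n\r\n"
             "Name: com/example/A.class\r\n"
             "SHA-256-Digest: placeholder\r\n\r\n")
SF_SHA1 = SF_SHA256.replace("SHA-256", "SHA1")

GOOD_JAR = build_jar({"META-INF/MANIFEST.MF": MANIFEST,
                      "META-INF/SIGNER.SF": SF_SHA256,
                      "META-INF/SIGNER.RSA": b"placeholder"})
SHA1_JAR = build_jar({"META-INF/MANIFEST.MF": MANIFEST,
                      "META-INF/SIGNER.SF": SF_SHA1,
                      "META-INF/SIGNER.RSA": b"placeholder"})
UNSIGNED_JAR = build_jar({"META-INF/MANIFEST.MF": MANIFEST})
NO_BLOCK_JAR = build_jar({"META-INF/MANIFEST.MF": MANIFEST,
                          "META-INF/SIGNER.SF": SF_SHA256})

if __name__ == "__main__":
    for label, jar in [("good", GOOD_JAR), ("sha1", SHA1_JAR),
                       ("unsigned", UNSIGNED_JAR), ("no block", NO_BLOCK_JAR)]:
        print(label, check_jar_signature(jar))
```

Cryptographic verification of the signature remains a separate step, for example with jarsigner -verify from the JDK.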
Build scripts to build and run the sample are included in this release of Crypto-J at
<root>/cryptoj. Use Apache Ant to build and run the sample for Crypto-J. Ensure
that your execution path will allow the ant command to be executed.
The sample can be run in FIPS 140-2 mode or non-FIPS 140-2 mode, for either JCE or
Jsafe. In the following instructions, replace <api_name> with either jsafe or jce
as required.
Source Installation
This section describes how to decrypt, install and build the Crypto-J toolkit on your
development environment.
Decryption utilities are available for the Windows®, UNIX®, Linux® and Solaris®
operating systems. Go to Information > Utilities on the RSA download server to
access the decryption utility for your system.
To install Crypto-J:
The following steps summarize the installation process which is detailed below:
1. Install the JCE Jurisdiction Policy File
2. Install the JCE Code Signing Certificate
3. Decrypt the Toolkit Files
4. Install the Toolkit Files
5. Build and Test the Source Code.
The JCE requires the presence of Unlimited Strength Jurisdiction Policy Files in order
to use some algorithms and key strengths.
To successfully build and test the Crypto-J toolkit jar files, the Unlimited Jurisdiction
Policy Files must be downloaded and installed.
The JDK version installed determines the Jurisdiction Policy File to download. Obtain
the Oracle JDK 6.0 and Oracle JDK 7.0 versions from the Oracle download location:
Oracle Java SE Downloads.
The following is a brief summary of the steps involved. If in any doubt about these
steps, see the Oracle web site.
1. Obtain a JCE Code Signing Certificate from Oracle Corporation.
a. Download the keytool utility required to generate a DSA key pair.
• For a Windows operating system:
http://download.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html.
b. Generate a DSA key pair for JCE Code Signing using the keytool utility.
keytool -genkeypair \
-alias <keypairname> \
-keyalg DSA \
-keysize 1024 \
-dname "cn=<Company Name>, \
ou=Java Software Code Signing, \
o=Sun Microsystems Inc" \
-keystore <keystore file name> \
-storepass <keystore password>
Where:
• ‘\’ is a line extension character if the command line prompt buffer is not
big enough for the whole command line.
• <keypairname> is the newly generated keystore entry for future use.
• <Company Name> is your company name.
• <keystore file name> is the name of the key store to be used. If this
does not exist it will be created.
• <keystore password> is the password to enable access to the keys
once created.
The following procedure describes the steps to copy and decrypt the toolkit files on
platforms that support the source distribution of Crypto-J. For this release these are the
AIX, HP-UX, Linux, Solaris, and Windows operating systems.
Software Tool / Download Location / Download File / Required jars
• Android framework¹ (http://developer.android.com/sdk)
– Download File: Android SDK
– Required jars: <android-sdk>/platforms/android-<n>/android.jar
– Copy to <tools>/android/
• Download File: ant-junit.jar
– Required jars: ant-junit.jar
– Copy to <tools>/ant/
• Download File: aspectj-1.5.3.jar
– Required jars: aspectjlib.jar, aspectjrt.jar, aspectjtools.jar, aspectjweaver.jar
– Copy to <tools>/aspectj/
• Download File: bcel-5.2.zip
– Required jars: bcel-5.2.jar
– Copy to <tools>/bcel/
• Download File: checkstyle-4.4.zip
– Required jars: antlr.jar, checkstyle-all-4.4.jar, commons-beanutils.jar, commons-logging.jar
– Copy to <tools>/checkstyle/
• Download File: cobertura-1.9.4.1-bin.zip
– Required jars: asm-30.jar, asm-tree-3.0.jar, cobertura.jar, log4j-1.2.9.jar
– Copy to <tools>/cobertura/
• Download File: google-gson-1.7.1-release.zip
– Required jars: gson-1.7.1.jar
– Copy to <tools>/google-gson/
• Download File: junit4.8.2.jar
– Required jars: junit.jar
– Copy to <tools>/junit/
• Download File: mockito-1.9.5.jar
– Required jars: mockito-1.9.5.jar
– Copy to <tools>/mockito/
• Download File: proguard4.8.zip
– Required jars: proguard.jar
– Copy to <tools>/proguard/
• Download File: qdox-1.6.1.jar
– Required jars: qdox-1.6.1.jar
– Copy to <tools>/qdox/
• Download File: velocity-1.5.zip
– Required jars: commons-collections-3.1.jar, commons-lang-2.1.jar, jdom-1.0.jar, oro-2.0.8.jar, velocity-1.5.jar, werken-xpath-0.9.4.jar
– Copy to <tools>/velocity/
¹ Android framework is optional. It is only required if Android needs to be supported.
The individual tests run against each toolkit configuration can be modified by editing
the appropriate properties file located in
<root>/cryptoj/cryptoj-src/src/test/data/com/rsa/test/data/performance.
View the results of the performance tests in the csv files located in
<root>/cryptoj/cryptoj-src/gen/reports/performance.
To run a complete set of tests on all jar files and the Oracle provider:
1. Run the ant test script:
ant test.performance
2. View the output of these tests in cryptoj.marketing.report.csv located in
<root>/cryptoj/cryptoj-src/gen/reports/performance.
Note: These tests will run for several hours on newer hardware, but will
take up to a few days on older hardware or an emulator.
For further detail, see the Introduction To Crypto-J -> System and Security
Properties section of the RSA BSAFE Crypto-J Developers Guide, and the RSA
BSAFE Crypto-J Troubleshooting Guide.
Uninstallation Instructions
To uninstall Crypto-J on all platforms, remove all files and directories created
during the installation process, and remove the relevant environment variables.