Last Updated February 09, 2007
A: The UltraSPARC T1 processor (a.k.a. Niagara) present in CoolThreads servers has a specialized Modular Arithmetic Unit in each core. These units accelerate the computationally expensive operations found in public key cryptographic algorithms such as RSA and DSA. If your Java application uses the Java SE 5 platform or later, then you don't need to do a thing. The PKCS11 JCE provider automatically detects the presence of cryptographic accelerator hardware and uses it. Access is transparent and no changes are required to your Java application.
For example, use the Java keytool(1) command-line tool to generate 10 RSA keypairs in a temporary keystore. Run the Solaris kstat(1) command-line tool before and after to display the kernel-level counters and confirm that RSA operations are being performed in hardware:
# kstat -n ncp0 | grep rsa
% foreach i ( 0 1 2 3 4 5 6 7 8 9 )
? keytool -genkeypair -dname "cn=test$i,dc=example,dc=com" -keyalg RSA \
    -alias test$i -keystore /tmp/mystore -storepass changeme \
    -keypass changeme
? end
# kstat -n ncp0 | grep rsa
February 09, 2007
Q: Can I share cryptographic keys and public key certificates between Java applications and native applications on the Solaris OS?
A: Yes. Solaris 10 provides a keystore for keys and certificates which is easily accessible from both Java applications and Solaris native applications. The keystore is a security token implemented in software which supports the PKCS#11 cryptographic standard. By default, each user has the token located under their home directory:
$HOME/.sunw/pkcs11_softtoken/
Use the Solaris pktool(1) command-line tool to confirm that the default PKCS#11 keystore is present:
% pktool tokens
Token Label                       Manuf ID           Serial No    PIN State
Sun Software PKCS#11 softtoken    Sun Microsystem                 default
%
Java applications can access the default PKCS#11 keystore by means of the PKCS11 JCE provider. For example, use the Java keytool(1) command-line tool to generate a Triple-DES secret key in the keystore:
% keytool -genseckey -keyalg DESede -alias my3DESkey -storetype PKCS11 -storepass changeme
Then confirm that the secret key is present in the keystore:
% keytool -v -list -storetype PKCS11 -storepass changeme
-or-
% pktool list objtype=key
February 09, 2007
Q: How do I sign a JAR file using a keypair from the default PKCS#11 keystore in the Solaris OS?
A: Use a keypair and associated public-key certificate already present in the keystore or create a new one. For example, use the Java keytool(1) command-line utility to generate an RSA keypair and a self-signed public key certificate:
% keytool -genkeypair -dname "cn=bob,dc=example,dc=com" -keyalg RSA -sigalg SHA1withRSA -alias bob -storetype PKCS11 -storepass changeme
Use the Java jarsigner(1) command-line tool to sign a JAR file with the RSA keypair named 'bob':
% jarsigner -keystore NONE -storetype PKCS11 -storepass changeme bob.jar bob
Confirm that the JAR file is signed:
% jarsigner -verify -verbose -certs -keystore NONE -storetype PKCS11 \
    -storepass changeme bob.jar
132 Fri Dec 16 14:02:38 GMT 2007 META-INF/MANIFEST.MF
253 Fri Dec 16 14:04:46 GMT 2007 META-INF/BOB.SF
779 Fri Dec 16 14:04:46 GMT 2007 META-INF/BOB.RSA
0 Thu May 15 16:03:52 GMT 2006 META-INF/
sm 1002 Thu May 15 16:03:22 GMT 2006 A.class
sm 1493 Thu May 15 16:03:22 GMT 2006 B.class
sm 21002 Thu May 15 16:03:22 GMT 2006 C.class
X.509, CN=bob, DC=sun, DC=com (bob)
[certificate will expire on 4/01/07 12:00 PM]
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
Warning:
This jar contains entries whose signer certificate will expire within
six months.
February 09, 2007
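The answers above state that Java applications reach the default PKCS#11 keystore through the PKCS11 JCE provider. The following is an added example, not code from the original FAQ, showing that access from application code: it opens the token, lists its objects, and signs and verifies a constructed message with the 'bob' keypair. The class name SoftTokenDemo is hypothetical, and the PIN prompt assumes Java SE 6 or later (java.io.Console).

```java
import java.io.Console;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;

public class SoftTokenDemo {                       // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Assumption: the alias was created with the keytool command shown above.
        String alias = args.length > 0 ? args[0] : "bob";

        // Read the token PIN interactively so it never appears in the
        // process list or shell history, unlike -storepass on a command line.
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no console available to read the PIN");
        }
        char[] pin = console.readPassword("PKCS#11 token PIN: ");

        // A PKCS11 keystore has no backing file, so the stream argument is null.
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, pin);
        Arrays.fill(pin, '\0');                    // wipe the PIN once the token is open

        // Objects created by native tools and by keytool show up side by side.
        for (String a : Collections.list(ks.aliases())) {
            System.out.println(a + (ks.isKeyEntry(a) ? " (key)" : " (certificate)"));
        }

        // The token was unlocked by load(); no per-key password is needed.
        Key key = ks.getKey(alias, null);
        Certificate cert = ks.getCertificate(alias);
        if (!(key instanceof PrivateKey) || cert == null) {
            throw new IllegalStateException("no private key and certificate for " + alias);
        }
        byte[] message = "constructed sample message".getBytes("UTF-8");

        // Sign through the keystore's own provider: the private key is used via the token.
        Signature signer = Signature.getInstance("SHA1withRSA", ks.getProvider());
        signer.initSign((PrivateKey) key);
        signer.update(message);
        byte[] sig = signer.sign();

        // Verify with the public key taken from the matching certificate.
        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(message);
        System.out.println("signature valid: " + verifier.verify(sig));
    }
}
```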