Академический Документы
Профессиональный Документы
Культура Документы
JCE Provider
This document is subject to change without notice. The user is responsible for complying with all applicable copyright laws. No
part of this document may be reproduced or transmitted in any form or by any means (electronic or otherwise) for any purpose
without the express written permission of Ingrian Networks.
Ingrian Networks may have copyrights, trademarks, and other intellectual property rights in and to the contents of this
document. This document grants no License to such copyrights, trademarks and other intellectual property rights.
Trademark Information
DataSecure, EdgeSecure, i10, i100, i110, i116, i140, i210, i211, i215, i220, i221, i225, i311, i315, i321, i325, i411, i416, i421,
i426 Ingrian, the Ingrian Logo, Ingrian Networks, Network-Attached Encryption, and SiteSecure are trademarks and/or
registered trademarks of Ingrian Networks, Inc.
BEA is a registered trademark of BEA Systems, Inc. Cryptix is a trademark of The Cryptix Foundation Limited. HP-UX is a
trademark of the Hewlett-Packard Company. AIX, DB2, and IBM are registered trademarks of International Business
Machines, Inc. DOS, Microsoft, Microsoft Internet Explorer, Microsoft SQL Server, MSCAPI, .NET, Windows, Windows 2000
Server, Windows 2000 Advanced Server, and Windows Server 2003 are trademarks of Microsoft Corporation. XML is a
trademark of MIT and a product of the World Wide Web Consortium (W3C). Firefox and Mozilla are trademarks of The Mozilla
Foundation. Netscape is a registered trademark of Netscape Communications Corporation. UNIX is a registered trademark of
The Open Group. Oracle, Oracle 8i, Oracle 9i, and Oracle 10g are trademarks of the Oracle Corporation. Red Hat Enterprise,
Red Hat Enterprise Linux, and Red Hat Linux are trademarks of Red Hat, Inc. RC4 and RSA are trademarks or registered
trademarks of RSA Security, Inc. JAR, Java, JCE, JDBC, JDK, JVM, Solaris, and Sun are trademarks or registered
trademarks of Sun Microsystems, Inc. Sybase is a registered trademark of Sybase, Inc. Linux is a registered trademark of
Linus Torvalds. Trustix is a trademark of Trustix AS.
Other product and company names used in this document may be the trademarks of their respective owners.
License Notices
This product contains software that is subject to various public licenses. The source code form of such software and all
derivative forms thereof can be copied from the following website: https://iwsc.ingrian.com/sourcecode.php
Table of Contents
ABOUT THIS GUIDE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Using This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Notes and Cautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Contacting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
CHAPTER 1 OVERVIEW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
General System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Hardware and Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Ingrian Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Supported Cryptographic Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Supported Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Alternate Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Extremely High Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
INDEX99
Organization 2
Documentation Conventions 3
Organization
This user guide is divided into the chapters described below:
Chapter 1, “Overview”
Presents high-level information about the Ingrian JCE Provider.
Chapter 2, “Installing the Ingrian JCE Provider”
Details the installation process.
Chapter 3, “Configuring the Ingrian Client”
Explains how to configure the Ingrian JCE Provider.
Chapter 4, “Setting up SSL”
Discusses how to configure SSL for your DataSecure Platform.
Chapter 5, “Using the JCE Provider”
Describes the classes delivered with the Ingrian software.
Chapter 6, “Using the Sample Applications”
Provides brief examples of how to use the Ingrian JCE Provider to perform basic
connection tasks, work with keys, perform cryptographic operations, and work
with files. The chapter also discusses the sample Tomcat Servlet.
Documentation Conventions
This section describes the formatting conventions used in this manual to explain special
notes and cautions.
Overview
This document describes how to integrate the Ingrian JCE Provider with your back-end
application servers and it gives code samples that illustrate how you might customize the
Ingrian JCE Provider as your application requires. This chapter provides a description of
the high-level architecture of the Ingrian DataSecure Platform and covers the following
topics:
General System Architecture 6
Supported Content 8
Alternate Configurations 8
6 OVERVIEW
The Ingrian JCE Provider is installed on all the back-end servers that might be making
requests for cryptographic operations. All applications, servlets, or scripts see a
conventional JCE interface and issue simple Java–based (JCE) commands to the NAE
Server to perform cryptographic operations. Instead of bogging down back-end server
applications with cryptographic operations, the NAE Server performs all such operations.
The performance impact from doing cryptographic operations over a secure connection is
not as significant as you might think because the Ingrian JCE Provider uses a non-
blocking, multi-threaded connection management architecture, long–lived and
configurable SSL sessions, and a JVM–wide global connection resource pool. Because of
this, the communication channel between the Ingrian JCE Provider and the NAE Server is
extremely lightweight. As a result, very low latencies and high throughputs can be
achieved.
Ingrian Equipment
• Ingrian DataSecure Platform: This is available in various hardware configurations and
comes standard with two 10/100 Ethernet interfaces for connecting to the back-end
servers. Options are available for redundant power supplies, redundant fans, and
copper and fiber Gigabit Ethernet versions.
• Ingrian JCE Provider: This is provided in the form of a jar file (IngrianNAE.jar)
signed by Ingrian Networks.
System Requirements
The Ingrian JCE Provider runs on a Java Virtual Machine (JVM) that has installed support
for SSL and Java Cryptographic Extensions (JCE). It is not dependent on the underlying
back-end server.
Table 1.1
Supported Cryptographic Operations
Security Provided Algorithm Functions Supported
Data Privacy and Confidentiality AES, DESede, DES, • Encrypt
(Symmetric) RC4 • Decrypt
Data Privacy and Confidentiality RSA • Encrypt
(Asymmetric) • Decrypt
Data Integrity HmacSHA1 • MAC
• MAC Verify
Data Signatures RSA • Sign
• Sign Verify
Supported Content
There are no restrictions on the type of data and content that the NAE Server can secure.
Whether it is a 10 byte string of data, a 10K image, a 1 MB text file, a 10MB pdf file, a
financial spreadsheet, or a line of code, the NAE Server can perform all desired
cryptographic operations. In short, the NAE Server can handle any type of data or content.
Note: For files, the Ingrian JCE Provider can be used with the CipherOutputStream
streaming JCE mechanisms, which allow for medium to large files to be protected in an
efficient manner.
Alternate Configurations
This document does not go into the details of how to set up an NAE Server’s IP address
and other basic network settings. This configuration is very straightforward and is detailed
in the IngrianOS User Guide. This document assumes that you are have successfully
configured the System and Network sections on your NAE Servers. This document
provides the configuration information that is pertinent to the standard deployment of the
Ingrian JCE Provider. Please note that there are several alternate configurations that you
might want to deploy, depending on your requirements. Two of these configurations,
high–availability and extremely high load, are described below.
High Availability
The Ingrian DataSecure Platform supports an active–passive configuration. In case of
failure of the active device, the passive device automatically takes over in a VRRP–like
fashion. Of course, the two devices must be configured in exactly the same manner. When
the Ingrian DataSecure Platform is deployed in High Availability mode, the Ingrian
Cryptographic Provider or Database Connector continues processing requests as normal
on the newly active device (since the change is transparent to the provider).
Please see Chapter 12, “Network Configuration” in the IngrianOS User Guide for more
information.
For example,
460-IngrianJCE-4.6.0-003.zip
Important! Our Customer Support web site also includes an md5 signature for each
software download. After downloading the software, you can run the md5sum program to
verify the signature.
You can unzip the archive using any standard archive utility in Windows or Linux/UNIX.
One option for UNIX and Linux environments is Info–Zip, available at http://www.info-
zip.org. Once the utility is set up, extract the files using the following command:
unzip <zip_file>
In both Windows and Linux/UNIX environments, extracting the archive creates the
following directory structure:
/IngrianJCE
/bin
/documentation
/javadoc
/lib
/ext
/samples
/cryptotool
/tomcat_servlet
The IngrianJCE/lib/ext directory contains the Java archives (.jar files) and the
IngrianNAE.properties file. The jar files are described in the following table.
Filename Description
cryptix-jce-api.jar The Cryptix JCE API (mandatory for DB2 deployments and optional for SSL).
IngrianNAE.jar The Java components of the Ingrian JCE Provider.
jaxp.jar Sun’s Java API for XML parsing.
jce1_2_2.jar The Sun JCE Framework.
jcert.jar, jnet.jar, Files required to establish SSL connections in JDK 1.3.x environments.
jsse.jar Note: Do not use jsse.jar with the IBM JDK. Use ibmjsse.jar instead.
log4j-1.2.9.jar The log4j logging application.
parser.jar Sun’s XML parser implementation.
To use the Ingrian JCE Provider with J2SE/J2EE version 1.4.x or 1.5.x, you must install
the following jar files in the <jre-home>/lib/ext directory:
• IngrianNAE.jar – to access the Ingrian Java components.
• log4j-1.2.9.jar – to enable logging.
To use the Ingrian JCE Provider with J2SE/J2EE version 1.3.x, you must install the
following jar files in the <jre-home>/lib/ext directory:
• IngrianNAE.jar – to access the Ingrian Java components.
• log4j-1.2.9.jar – to enable logging.
• jce1_2_2.jar – to access the Sun JCE Framework.
• parser.jar and jaxp.jar – to enable Sun’s XML parser.
• jcert.jar, jnet.jar, and jsse.jar – to establish SSL connections.
The files above are required; the file below is required if you are using IBM JDK 1.3.x and
want to use SSL between the Ingrian JCE Provider and the NAE Server. We do not
distribute this file; you must obtain it from IBM.
• ibmjsse.jar
As part of the SSL handshake, the Ingrian JCE Provider must be able to generate random
bytes. To do this, the Ingrian JCE Provider first looks for the Cryptix JCE Provider; if it
cannot find the Cryptix JCE Provider, it uses the Sun JCE Provider. The Cryptix JCE
Provider is more efficient and offers better performance than the Sun JCE Provider. For
this reason, it is recommended, though not required, that you copy the cryptix-jce-
api.jar file to <jre-home>/lib/ext .
To manually add the Ingrian JCE Provider to the list of approved providers:
1 Open the java.security file in a text editor. The file is located in the <jre-
home>/lib/security directory.
Where the number n identifies the Ingrian Provider as the last entry on the list. For
example, if there are two providers already listed, you would add the following line:
security.provider.3=com.ingrian.security.nae.IngrianProvider
Important! The Ingrian JCE Provider should follow the other providers in the
java.security file; you might encounter errors otherwise.
To manually add the Ingrian JCE Provider to the list of approved providers when using
Sun J2SE/J2EE:
1 Open the java.security file in a text editor. The file is located in the <jre-
home>/lib/security directory.
2 Add the following lines to the end of the list of providers. The first line adds the
SunJSSE Provider. The second line adds the Ingrian JCE Provider.
security.provider.n=com.sun.net.ssl.internal.ssl.Provider
security.provider.n+1=com.ingrian.security.nae.IngrianProvider
Where the numbers n and n+1 identify the providers as the last entries on the list. For
example, if there are two providers already listed, you would add the following lines:
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.ingrian.security.nae.IngrianProvider
You would use this option when you are setting the Ingrian properties programmatically.
To add the Ingrian JCE Provider to the list of approved providers programmatically at
runtime:
1 Make any calls to System.setProperty() in your application.
2 Add the following line to your application:
java.security.Security.addProvider(new IngrianProvider());
The Cryptix JCE Provider is used by the Ingrian Database Connector for DB2, and it can
also be used to improve SSL performance. If you plan to use the Ingrian Database
Connector for DB2, or if you want to realize performance improvements when doing SSL,
you must add the Cryptix JCE Provider to the java.security file.
To add the Cryptix JCE Provider to the list of approved providers:
1 Open the java.security file in a text editor. The file is located in the <jre-
home>/lib/security directory.
Where the number n identifies the Cryptix Provider as the last entry on the list. For
example, if there are three providers already listed, you would add the following line:
security.provider.4=cryptix.jce.provider.CryptixCrypto
Important! The Cryptix Provider should be listed after the Ingrian JCE Provider.
3 Save and close the file.
2 Use an addProvider() statement in your application. This will store your new settings.
java.security.Security.addProvider(new IngrianProvider());
When you launch the Ingrian JCE Provider, it looks for the IngrianNAE.properties
file in the directory that contains the IngrianNAE.jar. The Provider stores these
parameters. Any parameters passed at runtime override the values contained in the
IngrianNAE.properties file.
You can also set the parameters programmatically at runtime without configuring the
IngrianNAE.properties file. You may opt for this setup if your environment does not
allow you to store a properties file locally.
To configure the parameters programmatically:
1 Include the appropriate calls to the System.setProperty() method for each Ingrian
system property that you want to set in your application.
Warning! The calls to System.setProperty() must occur before any calls that
require the JCE providers. The Ingrian Provider cannot be instantiated properly if
the system properties have not been set.
System.setProperty("com.ingrian.security.nae.NAE_IP.1", "10.20.1.9");
System.setProperty("com.ingrian.security.nae.NAE_Port","9000");
System.setProperty("com.ingrian.security.nae.Protocol","tcp");
2 Set the Ingrian Provider entry in the java.security file. This statement must occur after
the System.setProperty() calls.
java.security.Security.addProvider(new IngrianProvider());
Network Configuration 24
Connection Configuration 26
SSL/TLS Configuration 31
Logging Configuration 33
Use_Persistent_Connections=yes
Size_of_Connection_Pool=300
Load_Balancing_Algorithm=round-robin
Connection_Timeout=0
Connection_Read_Timeout=7000
Connection_Idle_Timeout=600000
Connection_Retry_Interval=600000
Unreachable_Server_Retry_Period=-1
Maximum_Server_Retry_Period=0
EdgeSecure_Name=
Client_Cert_Alias=
Client_Cert_Passphrase=
Key_Store_Location=
Key_Store_Password=
Symmetric_Key_Cache_Enabled=no
Symmetric_Key_Cache_Expiry=43200
Local_Crypto_Provider=
CA_File=
Cert_File=
Key_File=
Passphrase=
Log_Level=LOW
Log_File=
Log_Rotation=Daily
Log_Size_Limit=100k
Log_Config_Advanced=
Note: Version indicates the version of the properties file and should not be modified.
To maintain your existing configuration, the upgrade process does not overwrite your
existing properties file. If you are upgrading, you must manually add any new parameters.
For example, this release includes four new parameters: Symmetric_Key_Cache_
Enabled, Symmetric_Key_Cache_Expiry, Local_Crypto_Provider, and
Read the “Local Encryption Configuration” and “Logging Configuration” sections for
information on these parameters.
When the client is launched, it checks for the presence of the properties file in the <java-
home>\lib\ext directory; if it finds the properties file, it stores those values and uses
them throughout the session. If the client does not find the properties file, it assumes that
the properties will be set programmatically at runtime. Values set programmatically at
runtime override any existing values in the properties file.
To set the properties at runtime, simply call the setProperty() method of the System
class. For each property, you must make a separate call. You must make these calls before
establishing a connection with the NAE Server. An example is shown below:
System.setProperty(“com.ingrian.security.nae.NAE_IP”, “192.168.1.9”)
2 Include the appropriate calls to the System.setProperty() method for each Ingrian
system property you want to set in your application.
3 Set the Ingrian Provider entry programmatically in the java.security file after you
have set all other properties. To set the Ingrian Provider at runtime, call the
insertProviderAt() method of the Security class, as shown below:
Provider prvdr = new com.ingrian.security.nae.IngrianProvider();
java.security.Security.insertProviderAt(prvdr, n);
where n establishes the Ingrian Provider as the last entry in the list.
Important! Set the system properties before the provider is declared. The Ingrian
Provider cannot be instantiated properly if the system properties have not been
set.
Network Configuration
The Network Configuration settings include the following parameters:
• NAE Server IP and Port
• Protocol
Protocol
There are two valid values for the Protocol parameter: tcp and ssl. The protocol
specified here is the protocol used to communicate between the client and the NAE
Servers. The SSL option uses TLSv1 as the protocol. By default, TLSv1 is enabled on all
NAE Servers. If you have disabled the use of TLSv1 on your servers, then you cannot
establish SSL connections with between your NAE clients and servers.
Important! Clients and servers must use the same protocol. If your NAE Servers are
listening for SSL requests, and your clients aren’t sending SSL requests, you will
inevitably run into problems.
Tip: Though SSL is the recommended protocol for your production environment, we
recommend that you gradually increase security after confirming connectivity between the
client and the NAE Server. Once you have established a TCP connection between the
client and server, it is safe to move on to SSL. Initially configuring a client under the most
stringent security constraints can complicate troubleshooting.
In a load balancing group, the following parameters will be identical for each NAE Server:
• NAE_Port • Protocol • Connection Configuration
• Client Certificate Configuration • SSL/TLS Configuration • Logging Configuration
If the NAE Servers in your load balancing group are also members of the same cluster, the
consistency of the port and protocol settings are assured.
Important! All members of a load balancing group must be either FIPS-compliant or
non-FIPS. You cannot mix FIPS-compliant and non-FIPS servers.
We recommend that you set the Load Balancing Algorithm parameter to round-robin. For
more information, see “Load Balancing” on page 27
To vary the values by tier, add the suffix .n to the parameter name, where n is the tier
number. You can opt to apply one value to all tiers by omitting the .n suffix.
For example, to set up the port for tiers 1 and 2 and 3, you could set the following:
Port.1=9000
Port.2=9000
Port.3=7000
Port=9000
Port.3=7000
Because tiers 1 and 2 do not have their own settings, they would use the Port value. Tier
3 would use the Port.3 value.
You could not set the following:
Port.2=9000
Port.3=7000
This configuration is useful when testing your Multi-Tier Load Balancing setup.
Connection Configuration
The Connection Configuration settings include the following parameters:
• Persistent Connection
• Connection Pooling
• Load Balancing
• Connection Timeout
• Connection Read Timeout
• Connection Idle Timeout
• Connection Retry
• Unreachable Server Retry
• Maximum Server Retry
Persistent Connection
The Use_Persistent_Connections parameter enables the persistent connections
functionality.
Possible settings are:
• yes (default) - Enables the feature. The client establishes persistent connections with
the NAE Servers.
• no - Disables the feature. A new connection is made for each connection request. The
connection is closed as soon as the client receives the server response.
Connection Pooling
The Size_of_Connection_Pool parameter is the total number of client-server
connections that your configuration could possibly allow. (Not what actually exists at a
given moment.) Connections in the pool can be active or waiting, tcp or ssl. A connection
is created as needed, and the pool scales as needed. So, your pool automatically starts at
size 0, and can grow to whatever value you set here. Once the pool is full, additional
connection requests must wait for an existing connection to close.
Connection pooling is configured on a per-client basis. The size of the pool applies to each
client, it is not a total value for an NAE Server or for a load balancing group. If there are
multiple clients running on the same machine, separate connection pools are maintained
for each client.
Possible settings are:
• Any positive integer. The default is 300.
Load Balancing
The Ingrian JCE Providersupports one load balancing algorithm: round–robin. As such,
there are two possible values for this setting: none and round-robin. Load Balancing is
enabled when you specify multiple IP addresses in the NAE_IP field and a load balancing
algorithm in the Load_Balancing_Algorithm field. The Round Robin load balancing
algorithm keeps load distribution even across all NAE Servers. All servers in a load
balancing group are treated equally by the client. If there are five servers in a load
balancing group, the first request for a cryptographic operation is sent to server 1, the
second request is sent to server 2, and so on, until all five servers have received one
request. The sixth request is then sent to server 1 and the cycle starts again.
If an NAE Server goes down, an exception is thrown for each connection, all open
connections on that server are closed, the operation fails, and the event is logged (if
logging is enabled). It is unlikely that an NAE Server will go down; however, if a server
does go down, it cannot off-load client requests to another NAE Server in the load
balancing group. As such, it is important that your client applications have some provision
for catching exceptions thrown when an NAE Server goes down.
If an NAE Server is unable to fulfill a request, the client takes that server out of the
rotation and sends subsequent requests to the other servers in the load balancing group.
The client waits the time period specified in the Connection_Retry_Interval field
before putting that server back into the rotation. If the server is still unreachable, the client
again marks the server down and takes it out of the rotation.
Connection Timeout
The Connection_Timeout parameter specifies how long the client waits for the TCP
connect() function before timing out. It is recommended that you use the default value of
0, which means that the client waits as long as the operating system’s TCP stack normally
waits on a connect() call.
If your application is time-sensitive, then setting this parameter to a few hundred
milliseconds less than your operating system’s connection timeout parameter makes
connections to a down server fail more quickly, in which case failover happens sooner. If a
connection cannot be established before the timeout expires, then the server is marked as
down and taken out of the rotation.
If you want the client to wait indefinitely until the NAE Server can be reached, set this
value to 0. When this value is set to 0, requests remain outstanding until the request is
successfully satisfied by the NAE Server.
Connection Retry
The Connection_Retry_Interval parameter determines how long the client waits
before trying to reconnect to a disabled server. If one of the NAE servers in a load
balanced configuration is not reachable, the client assumes that the server is down, and
then waits for the specified number of milliseconds before trying to connect to it again.
Setting this value to 0 is equivalent to an infinite retry interval (meaning the disabled
server will never be brought back into use). This value is expressed in milliseconds. It
must be greater than or equal to zero. The default value is 600000 (10 minutes).
key is found, the provider downloads the key from the Ingrian device to the key cache and
performs the crypto. The key is stored in the cache for a limited time.
• Symmetric Key Cache
• Symmetric Key Cache Expiration
• Local Crypto Provider
SSL/TLS Configuration
The parameters listed below affect how SSL connections are established. These properties
only need to be set if you are configuring the Ingrian JCE Provider as part of a DB2
Database Connector installation; otherwise, they are ignored. Additionally, you You can
disregard these sections if you are not using SSL as the protocol between clients and
servers.
Client Certificate
In addition to using SSL connections between the NAE clients and servers, you can
further require clients to provide a client certificate to authenticate to the servers. The
sections immediately below are used to establish client certificate authentication.
The Client Certificate Configuration section determines which client certificate the client
application provides to the NAE Server when client certificate authentication is required.
The value you supply for the Cert_File parameter should be a path to a valid client
certificate recognized by the NAE Servers. The path to the certificate you specify can be
absolute or relative to the application. Unless otherwise noted, when prompted for a file,
you should specify both a path and file name.
Important! Client certificates must be PEM encoded. There is a line at the top of all
certificates that includes five dashes, the words BEGIN CERTIFICATE, and five more
dashes followed by a carriage return. Likewise, at the end of the certificate, there is a line
that includes five dashes, the words END CERTIFICATE, and five more dashes followed
by a carriage return. If these lines are not a part of the client certificate specified in the
Cert_File section, the certificate cannot be recognized by the Ingrian device. These
same issues pertain to the private key as well. The lines look like the following:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Logging Configuration
The Logging Configuration section allows you to enable logging on the client machine. If
you experience a situation where you do not understand the error returned by the
application, you should check the log file. It might be the case that the events logged by
the NAE Servers will help you understand the condition that caused the error.
The Logging Configuration section allows you to enable logging on the client machine.
This logging is performed by the Database Connector and records information returned by
the crypto library running inside the database provider. You should not confuse this log
file with the DB Log File, which records data from the Ingrian Bulk Loader.
These properties only need to be set if you are configuring the Ingrian JCE Provider as
part of a DB2 Database Connector installation; otherwise, they are ignored.
The settings that fall into the Logging Configuration section include:
• Log Level
• Log File
• Log Rotation
• Log Size
• Additional log4j Properties
Log Level
The Log_Level parameter determines the level of logging that to be performed by the
client.
Valid values for this parameter are:
• NONE – disables client logging. It is recommended that you not disable logging.
• LOW – only essential events are logged.
• MEDIUM – the client logs error messages and one entry per request.
• HIGH – the client logs error messages and at least three entries per request. Setting
this parameter to high generates a very large number of log entries. This level of
logging is usually reserved for debugging purposes.
Important! The user running your client application must have permission to write to the
log file, and to create new files in the directory where the log file(s) are created.
Log File
The Log_File parameter specifies a name (and possibly a path) for the log file. If you
specify only a name, the log file is created in the directory where the client was installed.
If you specify a path, it can be absolute or relative to the application.
You can create separate log files for each client application by setting the
INGRIAN_LOGFILE_SUFFIX environment variable to a unique value for each
application. When the variable is set, its value is appended to the value set in the
Log_File parameter. For example, if your Log_File parameter is set to /foo/bar/
Logfile. and your application’s INGRIAN_LOGFILE_SUFFIX is set to app1, then that
client’s log file will be written to /foo/bar/Logfile.app1. Likewise, if you set
Log Rotation
The Log_Rotation parameter specifies whether logs are rotated daily or once they reach
a certain size. By default, logs are rotated daily. If you want them to be rotated once they
reach a certain size, you must specify “SIZE” for this parameter, and then specify a size in
the Log_Size_Limit parameter.
If you specify MaxBackupIndex in your log4j configuration file, that parameter can
override the Log_Rotation and Log_Size_Limit settings. For example, if you rotate
your logs when they reach 10Kb, 100Kb of data would result in 10 log files at 10Kb each.
But, if you also configure MaxBackupIndex to hold 6 files, the same 100Kb of data would
yield only 6 files - the other log files would not be saved.
Log Size
If you want to rotate logs based on the size of the log file, specify a value for the
Log_Size_Limit parameter. This parameter is disregarded if the Log_Rotation is set
to anything other than “SIZE.” Unless you specify otherwise, the log size limit is
expressed in bytes. As such, you can simply enter a number with no units, such as 10000.
Alternatively, you can specify the size in kilobytes (using a number and a unit designator
of “k” or “K”, such as “10k”), or megabytes (using a number and a unit designator of “m”
or “M”, such as “1M”).
log4jIngrian.appender.ingrian.logfileAppender.MaxBackupIndex=n
where n is one greater than the maximum number of log files stored on the client file
system.
For information on log4j configuration and functionality, review the log4j documentation.
Only when this checkbox is selected can the client do the following:
• create, delete and import keys.
• create, delete, and modify users and groups*
* This last ability is only available to users who also have administration permission. The
NAE User Administration Permission field is found on the NAE User & Group
Configuration page. (From the Management Console, navigate to Security >> Local Users
& Groups >> Local NAE Users.)
To export keys you must select the Allow Key Export field, which is also on the
Management Console’s NAE Server page. Once enabled, the client can export
‘exportable’ keys. (Exportable keys are keys that have the Exportable option selected.)
Fig. 3.3 Exportable Key
By default, the NAE User Administration Permission and Allow Key Export fields are
disabled on all new Ingrian devices.
Setting up SSL
This chapter provides an overview of our SSL and SSL with Client Certificate
Authentication features, and provides a walkthrough of both configuration procedures.
This chapter contains the following topics:
SSL Overview 40
SSL Overview
Standard SSL communication requires a certificate that identifies the server. This
certificate is signed by a certificate authority (CA) known to both the server and the client.
During the SSL handshake, the server certificate is passed to the client. The client uses a
copy of the CA certificate to validate the server certificate, thus authenticating the server.
While the CA can be a third-party CA or your corporate CA, you will most likely use a
local CA on the Ingrian device. If you are not using a local CA, consult your CA
documentation for instructions on signing requests and exporting certificates.
Tip: We recommend that you increase security only after confirming network
connectivity. You should establish a TCP connection before enabling SSL. Otherwise, an
unrelated network connection mistake could interfere with your SSL setup and complicate
the troubleshooting process.
To use an SSL connection when communicating with the Ingrian device, you must
configure both the server and the client.
To configure the server, you must:
• Create a server certificate. (If you’re using a cluster, each member must have its own,
unique certificate.)
This may involve the following steps:
• Creating a Local CA.
• Creating a Server Certificate Request on the Management Console.
• Signing a Server Certificate Request with a Local CA.
• Update the NAE Server settings on the Management Console (Device, NAE Server,
NAE Server).
You’ll need to check Use SSL and select your server certificate in the Server
Certificate field.
To configure the client, you must:
• Place a copy of the CA certificate on your client.
This may involve the following steps:
• Downloading the Local CA Certificate.
• Adding the CA Certificate to the Java Keystore.
• Update the SSL-related parameters on the client, using one of the following
procedures:
Note: When using JDK 1.3.x you must also download and install the Java Secure Socket
Extension (JSSE) 1.0.3 package from Sun. For more information on downloading and
installing this software, see “Files Needed for J2SE/J2EE Version 1.3.x” on page 14.
Creating a Local CA
To create a local CA:
1 Log on to the Management Console as an administrator with Certificate Authorities
access control.
2 Navigate to the Create Local Certificate Authority section on the Certificate and CA
Configuration page (Security, Certificates & CAs, Local CAs).
3 Modify the fields as needed.
4 Select either Self-signed Root CA or Intermediate CA Request as the Certificate
Authority Type.
5 Click Create.
Note: Only a local CA can sign certificate requests on the Ingrian device. If you are using
a CA that does not reside on the Ingrian device you cannot use the Management Console
to sign certificate requests.
11 Paste the actual certificate in the Certificate Response text box. Click Save. The
Management Console returns you to the Certificate List section. The section will now
show that the Certificate Purpose is Server and that the Certificate Status is Active.
The certificate can now be used as the server certificate for the NAE Server.
3 Enter the keystore password when prompted. By default, the password is “changeit”.
4 Indicate that the CA is trusted, when prompted.
The utility will then issue a message confirming that the certificate has been added to the
keystore. For information about the keytool utility, please refer to Sun’s documentation at:
http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html
There are a few different ways that you could configure SSL. For example, you can use a
CA that does not reside on the Ingrian device or you can create a new one. This
walkthrough makes such decisions for you. By following these instructions, you will:
• Create a Local CA.
• Create a Certificate Request.
• Create a Server Certificate by signing the Certificate Request with the Local CA.
• Download the Local CA to the client.
• Import the Local CA to the cacerts keystore.
Once you have completed and understood this walkthrough, you might decide to alter
some of the steps to better fit your organization’s policies.
To configure SSL:
1 Log in to the Management Console as an administrator with Certificates, Certificate
Authorities, and NAE Server access controls.
2 Navigate to the Create Local Certificate Authority section (Security, Certificates &
CAs, Local CAs). Enter the values shown below to create a new local CA. Click
Create.
Fig. 4.4
Create Local Certificate Authority
3 Navigate to the Create Certificate Request section (Security, Certificates & CAs,
Certificates). Enter the values shown below to create a request. Click Create
Certificate Request.
Fig. 4.5
Create Certificate Request
4 Select your new certificate request from the Certificate List section (right above the
Create Certificate Request section). Click Properties. Copy the actual request
(highlighted below). Include the header and footer.
Fig. 4.6
Certificate Request Information
5 Navigate back to the Local Certificate Authority List section (Security, Certificates &
CAs, Local CAs). Select your new local CA and click Sign Request.
6 Select Certificate Purpose Server and paste the certificate request into the
Certificate Request field, as shown below.
Fig. 4.7
Sign Certificate Request
7 Click Sign Request. This will take you to the CA Certificate Information section.
8 Copy the actual certificate (highlighted below). Include the header and footer.
Fig. 4.8
CA Certificate Information
9 Navigate back to the Certificate List section (Security, Certificates & CAs,
Certificates). Select your certificate request and click Properties.
10 Click Install Certificate.
Fig. 4.9
Certificate Installation
The Certificate List section will now indicate that NewServerCert is an active
certificate.
12 Navigate to the NAE Server Settings section (Device, NAE Server, NAE Server).
Click Edit.
13 Check Use SSL and select your new server certificate in the Server Certificate field.
Click Save.
14 Navigate back to the Local Certificate Authority List section (Security, Certificates &
CAs, Local CAs). Select your new CA and click Download. Place the CA certificate
on your client.
15 Move the certificate from the download location to <Java_Home>\lib\security.
17 Install the CA certificate into the cacerts keystore using the command below. Follow
the prompts as shown.
keytool -keystore cacerts -import -alias NewLocalCA -file NewLo-
calCA.crt.cer
Enter keystore password: changeit
...
Trust this certificate?[no]: yes
Certificate was added to keystore
Note: The value for the -file option must reflect your actual filename. The
keystore password must reflect your actual keystore password.
You can test your configuration by running our CryptoTool application, which is described
in Chapter 6, “Using the Sample Applications”.
If your system requires password authentication, use the following command:
java CryptoTool LIST -auth username:password
If your system permits unauthenticated sessions, you can use the following command:
java CryptoTool LIST
For more information about setting up SSL, see “SSL Overview” on page 40.
Tip: We recommend that you increase security only after confirming network
connectivity. You should establish an SSL connection before enabling Client Certificate
Authentication. Otherwise, an SSL configuration mistake could interfere with your Client
Certificate Authentication setup and complicate the troubleshooting process.
To enable SSL with Client Certificate Authentication, you must configure both the client
and the server.
To configure a client, you must:
• Create a client certificate.
This may involve the following steps:
• Generating a Client Certificate Request with Keytool.
• Signing a Certificate Request and Downloading the Certificate.
You can create a certificate request using either Java’s keytool utility or OpenSSL.
You can then sign the request with the local CA on the Ingrian device. Once signed,
the certificate request becomes a valid certificate.
If you are not using a local CA, consult your CA documentation for instructions on
signing requests and exporting certificates.
• Place the client certificate and the CA on the client.
This involves the following step:
• Adding the CA and Client Certificates to the Java Keystore.
Important! Be sure that this keystore contains the CA used to sign the server
certificate as well. This will be true if you used the same CA to sign both the client
and server certificates, or you use the same keystore that you used to configure
SSL.
• Update the SSL-related parameters on the client, using one of the following
procedures:
• Update IngrianNAE.properties file as follows:
• Key_Store_Location=<path and name of keystore that contains
a copy of the server’s local CA, the client certificate,
and the CA that signed the client certificate.>
• Key_Store_Password=<keystore password>
• Client_Cert_Alias=<client certificate alias>
• Client_Cert_Password=<client certificate password, if
used>
The key generation process will then request the following data:
• A keystore password.
• The distinguished name.
The distinguished name is a series of fields whose values are incorporated into the
certificate request. These fields include country name, state or province name, city
or locality name, organization name, organizational unit name, and the users first
and last name.
• The key password.
The certificate password must be the same as the keystore password. You can
simply press Return to set the password. You need not retype the keystore
password.
3 Create the certificate request by issuing the command below. Reference the Key Pair
Alias you created above.
keytool -certreq -alias <KeyPairAlias>
-file <CertReqFileName> -keystore <KeystoreName>
3 Import the signed client certificate using the following command. Reference the key
pair alias you used to create the certificate request. When prompted, enter the keystore
password.
keytool -keystore <KeystoreName> -alias <KeyPairAlias>
-import -file <CertFileName.crt>
4 Verify that the client certificate was properly imported by executing the following
command. Reference the key pair alias you used above. The system should display the
certificate.
keytool -keystore <KeystoreName> -alias <KeyPairAlias>
-list -v
Important! To enable Client Certificate Authentication, your keystore must have a copy
of the CA certificate that signed the server certificate. If you used one CA to sign both the
server and client certificates, you’ve already accomplished this in step 2. If not, repeat step
2 for the CA certificate that signed the server certificate. (You may have already done this
when configuring SSL.)
Once you have completed and understood this walkthrough, you might decide to alter
some of the steps to better fit your organization’s policies.
To configure client certificate authentication:
1 Open a command prompt on your client and navigate to
<Java_Home>\lib\security.
4 Open the client certificate request file and copy the actual request (highlighted below).
Include the header and footer.
Fig. 4.10
ccert.csr
8 Click Sign Request. This will take you to the CA Certificate Information section.
9 Click Download to download your new client certificate (signed.crt) to your client.
10 Return to the Local Certificate Authority List section (click Back on the CA
Certificate Information section).
11 Select NewLocalCA and click Download.
15 On the client, move the client certificate and the CA certificate from the download
location to <Java_Home>\lib\security.
16 Open a command prompt on your client and navigate to
<Java_Home>\lib\security.
17 Import the CA certificate (NewLocalCA) into the client keystore. For example,
$ keytool -keystore clientcerts -import -alias NewLocalCA
-file NewLocalCA.crt
Enter keystore password: changeit
Owner:
Issuer:
Serial number: 0
Valid from: mm/dd/yy hh:mm until: mm/dd/yy hh:mm
Certificate fingerprints:
MD5: F0:2D:2F:ED:55:31:6F:F0:A6:E4:AA:37:1F:83:E7:FA
SHA1:8A:08:61:AB:73:32:E2:18:0E:B7:8D:69:2E:91:A6:24:BC:65:C4:DE
Trust this certificate? [no]: yes
Certificate was added to keystore
18 Import the signed client certificate into the client keystore file.
$ keytool -keystore clientcerts -import -alias ccert -file signed.crt
Enter keystore password: changeit
Certificate reply was installed in keystore
19 Verify that the certificates are correctly installed. You will need to see a certificate
chain length of 2, and two certificates: the client certificate and the CA.
Important! The CA used to sign the client certificate must be a member of the
Trusted CA List Profile.
You can test your configuration by running our CryptoTool application, which is described
in Chapter 6, “Using the Sample Applications”.
If your system permits unauthenticated sessions, you can use the following command:
java CryptoTool LIST
Creating an NAESession 64
Creating an NAESession 64
Using Keys 67
Chaining Operations 84
64 USING THE JCE PROVIDER
Creating an NAESession
At the start of each session, the client can authenticate by passing an NAE username and
password to the server.
An authenticated user:
• Has access to all global keys, all keys owned by the user, and all keys accessible to
groups to which the user belongs.
• Can create keys owned by the user, but cannot create global keys.
Depending on your NAE Server settings, you may not need to pass a username and
password. In this scenario, you are accessing the NAE Server as a global user.
An unauthenticated user, a.k.a. a global user:
• Has access to global keys only.
• Can create global keys only.
The decisions you make regarding authentication must be consistent with the NAE Server
settings. If your client attempts to connect with the NAE Server using an unsupported
method, the session will be terminated. For example, if your client attempts to create a
global session, but global sessions are disabled, the server closes the connection
immediately. Review the NAE Server settings before using the Ingrian JCE Provider.
The NAE Server can be configured to allow clients to:
• Create a global session.
* The Ingrian device enables you to configure SSL using a server certificate or a server
certificate and a client certificate. Using a server certificate does not affect how the session
is created, only your keystore settings, as explained in Chapter 4, “Setting up SSL”. If you
use client certificates you have a few options when creating a session. These options are
explained below.
This section describes the following procedures:
• Creating a Global Session
• Creating a Global Session Using SSL with Client Certificates
• Creating an Authenticated Session Using an NAE Username and Password
• Creating an Authenticated Session Using SSL with Client Certificates
Important! To create a global session by sending the NAE Server a client certificate,
Client Certificate Authentication must be enabled on the server and set to “Used for SSL
session only.”
1 Create an NAEClientCertificate object, which includes the alias and password for the
client certificate you want to send to the NAE Server.
2 Create a session object. Pass the NAEClientCertificate object, username and password
as parameters.
For example:
/ "user1" is a valid user and "password1" is the valid password for that
user. "Cert2" is a valid client cert and "Cert2Password" is the password
associated with that certificate. */
NAEClientCertificate clientCert = new NAEClientCertificate ("Cert2",
"Cert2Password");
NAESession session = NAESession.getSession("user1", "password1", cli-
entCert);
Important! To create an authenticate session by send the NAE Server a client certificate,
Client Certificate Authentication must be enabled on the server and set to “Used for SSL
session and NAE username.”
Using Keys
The NAE Server allows you to perform key operations through the Ingrian JCE Provider;
such operations include creating, deleting, importing and exporting keys.
Important! In order to create, delete, import, and export keys from your client, you must
enable the Allow Key and Policy Configuration Operations checkbox on the NAE
Server page. If this option is not enabled, these operation requests will fail.
In addition, you can use the Ingrian JCE Provider to get information about keys that reside
on the NAE Server. When creating keys, the Ingrian JCE Provider requires that you
specify a name for the key; beyond that, you have the option to specify the key length,
whether the key is exportable or deletable, an NAE session object (in case you want to
assign the key an owner), and permissions for the key. If you do not specify a key size, the
NAE Server uses the default key size for the key type.
Note: If a global key is marked as exportable or deletable during generation, then all
users have permission to export or delete that key. If a non-global key is marked as
exportable or deletable, then only the key owner can later export or delete that key.
This section describes the following procedures:
• Creating a Global Key
• Creating a Key Owned by an NAE User
To create a global key that is exportable and deletable, you must pass those boolean values
to the NAEParameterSpec object. For example:
NAEParameterSpec spec = new NAEParameterSpec("mykey", true, true);
To create a global key that is exportable, non-deletable, and 256 bits in length, you would
call NAEParameterSpec as follows:
NAEParameterSpec spec = new NAEParameterSpec("mykey", true, false, 256);
When the bit length is not specified, the default key size is used.
The following code sample gives encryption permission to Group1 and assigns those
permissions to a new AES key named foo. Note that the permissions are configured first
and then assigned when the key is created.
NAEPermission[] permissions = new NAEPermission[1];
NAEPermission permission_group1 = new NAEPermission("Group1");
permission_group1.setEncrypt(true);
permissions[0] = permission_group1;
NAESession session = NAESession.getSession("user1", "password1");
NAEParameterSpec spec = new NAEParameterSpec("foo", "session", true,
true, 256, permissions);
KeyGenerator keygen = KeyGenerator.getInstance("AES", "IngrianProvid-
er");
keygen.init(spec);
SecretKey aesKey = keygen.generateKey();
The following code sample gives encryption permission to Group1 and encryption and
decryption permission to Group2. Notice the size of the NAEPermission array, the
additional NAEPermission object, and the calls to the setEncrypt and setDecrypt methods.
NAEPermission[] permissions = new NAEPermission[2];
NAEPermission permission_group1 = new NAEPermission("Group1");
NAEPermission permission_group2 = new NAEPermission("Group2");
permission_group1.setEncrypt(true);
permission_group2.setEncrypt(true);
permission_group2.setDecrypt(true);
permissions[0] = permission_group1;
permissions[1] = permission_group2;
Note: getKeys() returns key handles, not key bytes. To access key bytes, use the export()
method.
Note: getKeys() returns key handles, not key bytes. To access key bytes, use the export()
method.
This feature can improve performance, specifically if network latency is high, encryption
sizes are small, and local CPU cycles are available. Once keys are cached, the client’s
cryptographic operations can continue without accessing the NAE Server.
Keys cached on the client are stored in process memory only, they are not stored on disk.
Warning! Your client and its connection to the Ingrian device must be secure.
Downloading keys over this connection and storing them on your client exposes them to
possible attack. When using the symmetric key caching feature, be sure that you are using
a secure method of download and that your client’s operating system is secure.
The following sections explain how to configure and use this feature. It contains the
following sections:
• Eligible Keys
• Client Properties
• API Support
• Logging
Eligible Keys
Only symmetric keys (AES, DES, DESede, SEED, RC4) that have been marked
Exportable may be cached. In addition, the NAE User must have export privileges for the
key. Thus, the NAE User must be the key owner or the key must be global. The NAE User
automatically has full encryption and decryption privileges for all keys in the client cache;
while in the cache, key permissions and authorization policies are ignored.
Client Properties
To cache keys, you must set the Symmetric_Key_Cache_Enabled and
Symmetric_Key_Cache_Expiry parameters on the client. Both are located in the
IngrianNAE.properties file.
When setting the Symmetric_Key_Cache_Enabled parameter, you can enable the
feature over SSL or TCP. Selecting yes enables key caching over an SSL connection, so
you must also configure SSL. Selecting tcp_ok enables key caching over both TCP and
SSL connections.
Warning! TCP is not a secure communication protocol. We recommend that you use
SSL.
You can predetermine the minimum length of time a key will remain in the client cache
using the Symmetric_Key_Cache_Expiry parameter. Because the key cache is purged
only when it is called, keys may stay in the cache longer than the expiration period if there
are no calls to the Ingrian library.
API Support
Key caching is supported by the following APIs:
• Cipher.init()
• Cipher.update()
• Cipher.doFinal()
All other APIs run remotely (occur on the Ingrian device) regardless of your key caching
configuration.
Logging
The Client log will indicate when key caching has been enabled whenever client logging is
enabled.
When Log_Level is set to HIGH, the client log will record the following key caching-
related actions:
• Key export from the Ingrian device.
• Cryptographic operations that use cached keys.
• Deletion of a key from the client cache.
The server log will likewise record when keys have been downloaded.
• Encrypting a File
Generating a Random IV
When encrypting with symmetric algorithms in ECB mode, a random IV provides a high
level of security.
To generate a random IV:
1 Call the getInstance method of the SecureRandom class. Pass the random number
generator and the JCE Provider as arguments. To use the local RNG, pass SHA1PRNG
for the algorithm name and SUN (or IBM) as the provider. To use the RNG on the
Ingrian device, pass IngrianRNG and IngrianProvider as arguments.
2 Create a byte array, sized for your key. An AES key needs a 16 byte array, a DES or
DESede key needs an 8 byte array.
3 Call the nextBytes method of SecureRandom object. Pass the byte array as an
argument.
The following code sample generates a 16 byte random IV.
SecureRandom sr = SecureRandom.getInstance("IngrianRNG",
"IngrianProvider");
byte[] iv = new byte[16];
sr.nextBytes(iv);
Important! You cannot decrypt your data without the random IV. Save and secure this
value.
If the NAE Server requires password authentication, then you must circumvent the JCE
framework when generating a random IV. This is because the JCE framework does not
allow you to pass in the NAESession object that contains the authentication information.
To generate a random IV when the NAE Server requires password authentication:
1 Create an NAESession object. Pass the NAE username and password as arguments.
2 Create an NAESecureRandom object. Pass the NAESession object as an argument.
The following code sample generates a 16 byte random IV in an authenticated session.
Important! You cannot decrypt your data without the random IV. Save and secure this
value.
4 Obtain an instance of the key you want to use for the encryption operation.
5 Initialize the Cipher object to encrypt mode. If necessary, create a new
IvParameterSpec object and set it to the value contained in the IV byte array.
6 Create and open a file to which the encrypted data can be written.
7 Specify that the Cipher object is used to write to the file.
8 Invoke getBytes to write the plaintext to the CipherOutputStream.
9 Close the cipher stream.
NAESession session = NAESession.getSession("user1", "password1");
byte[] iv = ... /* set iv byte array to 16 byte value of the IV */
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding", "IngrianPro-
vider");
SecretKey key = NAEKey.getSecretKey("user1key", session);
cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
OutputStream fos = new FileOutputStream("hello.enc");
OutputStream cos = new CipherOutputStream(fos, cipher);
cos.write("Hello World!".getBytes());
cos.close();
fos.close();
Encrypting a File
The Ingrian JCE Provider interfaces with the standard JCE streaming interface, which
allows for easy cryptographic protection of all types of files: sensitive documents,
financial spreadsheets, images, or any other type of file. The steps below demonstrate how
the Ingrian JCE Provider uses the streaming mechanism.
To encrypt a file:
1 Create an NAESession object. Pass the NAE username and password as arguments.
2 Set the IV.
3 Get an instance of the cipher object, passing as an argument the algorithm, mode, and
padding you want for that Cipher object.
4 Obtain an instance of the key you want to use for the encryption operation. The
example below uses “user1key”.
5 Initialize the Cipher object to encrypt mode.
6 Create a new buffer of 2048 bytes and declare the ciphertext byte array, which is used
later.
11 Pass the buffer to the update method of the cipher object. This is where the actual
encryption is done. The file is read 2048 bytes at a time; however, unless the file size
is a multiple of 2048 bytes, on its last pass, the read method reads some number of
bytes less than 2048. To prevent passing garbage characters (left over from the
previous read operation) to the update method, it's necessary to specify how many
bytes were read, which is why the len variable was included.
Because some block algorithms require a certain number of bytes to perform an
Encrypt operation, it might be the case that cipher.update returns null.
12 Check that cipher.update has not returned a null value.
13 Call the doFinal method and write out the encrypted text to the output file.
message (in this example: “Hello World!”). In the first part of the Sign Verify operation,
the NAE Server applies a hash function (using the same algorithm as was used in the
original Sign operation) to the message text that needs to be verified. This produces the
first hash. In the second part of the Sign Verify operation, the NAE Server decrypts the
message digest using the sender’s public key. This produces the second hash. The NAE
Server then compares the two hashes: if they are identical, the signature is valid; if the
hashes are not identical, then the signature is not valid.
To verify signed text:
1 Get an instance of a Signature object, passing as an argument the SHA1withRSA
algorithm.
2 Obtain an instance of the key you want to use for the Sign Verify operation using the
getPublicKey method of the NAEKey class.
3 Initialize the Signature object with the key.
4 Specify the text string that you want to verify and convert it to a byte array.
5 Perform the verify operation, passing as an argument the previously calculated
signature. At this point, the NAE Server generates a hash from the text string and
decrypts the previously calculated signature, which produces a second hash. The NAE
Server compares the two hashes and returns true if the they are identical and false if
they are not.
byte[] signature = ... /* get previously calculated signature*/
Signature sig = Signature.getInstance("SHA1withRSA", "IngrianProvid-
er");
PublicKey key = NAEKey.getPublicKey("rsakey");
sig.initVerify(key);
sig.update("Hello World".getBytes());
boolean verified = sig.verify(signature);
Ingrian JCE Provider. The hashed password is then stored in a database or other server.
The next time Irwin logs in, he provides his password as part of the request. The Ingrian
JCE Provider is sent the password from Irwin and the hashed password stored in the
database. The Ingrian device once again applies the keyed hash function to the password
submitted from Irwin and compares that value to the hash value stored in the database. For
this operation, the NAE Server returns only one byte: 1 if the two hash values match; 0 if
they do not.
This section describes the following procedures:
• Generating a MAC
• Verifying a MAC
Generating a MAC
To generate a MAC:
1 Get an instance of a Mac object. Pass the algorithm as an argument.
2 Obtain an instance of the key.
3 Initialize the Mac object.
4 Convert the plaintext to a byte array and invoke the doFinal method of the Mac object
to create the MAC.
The following code sample uses the HmacSHA1 algorithm to create a MAC of the string
“password”.
Mac mac = Mac.getInstance("HmacSHA1", "IngrianProvider");
SecretKey key = NAEKey.getSecretKey("mackey");
mac.init(key);
byte[] mactext = mac.doFinal("password".getBytes());
Verifying a MAC
To verify a MAC:
1 Obtain a previously calculated MAC value. Put that value in a byte array.
2 Get an instance of a Mac object. Pass the algorithm as an argument.
3 Obtain an instance of the key that was used to create the MAC.
4 Initialize the Mac object and pass the previously calculated MAC value by
encapsulating the byte array in a MACValue object.
5 Convert the original plaintext to a byte array and invoke the doFinal method of the
Mac object to verify the previously calculated MAC.
The following code sample compares the value of prevMac with a newly calculated MAC
of the string “password”.
byte[] prevMac = ... /* get previously calculated MAC */
Mac mac = Mac.getInstance("HmacSHA1Verify", "IngrianProvider");
SecretKey key = NAEKey.getSecretKey("mackey");
mac.init(key, new MACValue(prevMac));
byte[] result = mac.doFinal("password".getBytes());
boolean verified = (result[0] == 1);
Chaining Operations
Using the ChainedOperations object, you can perform multiple operations on data - each
subsequent operation using the output of the previous operation.
The legal combinations of chained operations are listed below:
• encrypt / decrypt
• decrypt / encrypt
• mac / encrypt
• sign / encrypt
6 Call the cipher.doFinal method, passing the bytes of data you want to encrypt and
MAC.
Cipher cipher = Cipher.getInstance("ChainedCipher", "IngrianProvider");
ChainedOperations ops = new ChainedOperations();
ops.addEncrypt(NAEKey.getSecretKey("mykey"), "AES/CBC/ PKCS5Padding",
iv);
ops.addSend();
ops.addMAC(NAEKey.getSecretKey("mackey"), "HmacSHA1");
ops.seal();
cipher.init(Cipher.ENCRYPT_MODE, ops);
byte[] ciphertext = cipher.doFinal("Hello World!".getBytes());
Examples of CryptoTool 91
You can access the help for the sample application by running the same command above,
only this time add the -help option.
java CryptoTool -help
Tip: Before invoking the CryptoTool, make sure that the values specified in the
IngrianNAE.properties file are correct.
Usage
The syntax for the JCE sample application is as follows:
java CryptoTool OPERATION options
Operations
The CryptoTool provides support for all cryptographic operations supported by the Ingrian
JCE Provider and some key management operations.
You can use standard input from the command line (e.g. text that is manually typed on the
command line) as input for any of the cryptographic operations; however, the more
practical application of the CryptoTool is to use a file as input. This is because the output
from an ENCRYPT operation, for example, generates binary output. To decrypt that
string, you would have to copy the binary output from the ENCRYPT operation and pass it
in as input for the DECRYPT operation. It is most likely that the binary data would be
misrepresented, causing the DECRYPT operation to throw a Java exception
Supported cryptographic operations:
• ENCRYPT – encrypt a file or string
• DECRYPT – decrypt a file or string
• MAC – generate a MAC on a string or file
• MACV – verify a MAC
• SIGN – generate a signature on a file or string
• SIGNV – verify a signature
Important! You must use all capital letters when specifying an operation, and you can
specify only one operation at a time. Chain operations are not supported.
Options
This section describes options that can be used in conjunction with the operations above.
Options can be specified in any order, but they must be specified after the operation. In the
following table, the option is listed in the Flag column, and the expected input is
immediately after the option in italics. For example, the -in option requires that you
specify a file to be used as input for the cryptographic operation. If the input file is not in
your present working directory, you must specify the path to the file.
Table 6.1
Sample Application Usage Options
Flag Expected Input Description
–in filename specifies an input file to use for a cryptographic operation. If you are
not using a file, then you must type the data that you want to use for
the cryptographic operation on the command line.
–out filename specifies a file that receives the output of the cryptographic operation.
If you do not specify a file, the output appears on the screen.
–key filename specifies a key name for either a key management or cryptographic
operation.
–alg algorithm_name specifies a cryptographic algorithm. The parameter for this option
must be a valid algorithm name, as specified in Appendix A,
“Supported Algorithms.” Such algorithms include DES, DESede,
AES, RSA, HMAC, or RC4.
–iv value this option specifies an IV. The IV must be hex ASCII encoded. An
IV is only required when using either DES, DESede, or AES in CBC
mode; in ECB mode, the IV is not allowed.
–sig value allows you to specify on the command line a signature value that you
want to verify. The signature value must be hex ASCII encoded.
Alternatively, you can specify a file that contains the hex ASCII
encoded signature value by using the –sigfile option instead of the
–sig option. That option is described immediately below.
–sigfile filename an alternative to the –sig option above. It allows you to specify a file
that contains the hex ASCII encoded signature value for verification.
–mac value allows you to specify on the command line a MAC value for
verification. The MAC value must be hex ASCII encoded.
Alternatively, you can specify a file that contains the hex ASCII
encoded MAC value by using the –macfile option instead of the –mac
option. That option is described immediately below.
–macfile filename an alternative to the –mac option above. It allows you to specify a file
that contains the hex ASCII encoded MAC value for verification.
–auth username:password allows you to specify an NAE username and password to use for
authentication.
–keysize size specifies the size of the key to be created.
–exportable when used with the GENERATE operation, this option allows you to
create an exportable key.
–deletable when used with the GENERATE operation, this option allows you to
create a deletable key.
Examples of CryptoTool
The examples below demonstrate how to use the operations and options available in the
Ingrian JCE sample application. When using the JCE sample application, remember that
you must specify the operation before any options, and that options can be specified in any
order.
Important! All of the examples below include the use of the -auth flag; this is not
required. It might be the case that you have configured the NAE Server to not require
password authentication, in which case it would not be necessary to include an NAE user
name and password in the requests you send to the NAE Server from CryptoTool. By not
including a user name and password, you are essentially creating an unauthenticated
session with the NAE Server; all keys created during an unauthenticated session are global
keys, meaning that they can be used without restriction by any NAE user.
The command below generates an AES key named “mykey” and owned by User1.
Use the command below to make sure that the key was created on the correct NAE Server.
java CryptoTool LIST -auth User1:pwd
The command below creates a 256–bit AES key named “my256key”, owned by User1.
java CryptoTool GENERATE -auth User1:pwd -key mykey256 -alg AES -keysize 256
The command below creates an HMAC key named “hmackey”, owned by NAE_User1.
java CryptoTool GENERATE -auth User1:pwd -key hmackey -alg HmacSHA1
The command below generates an RSA key named “rsakey”, owned by User1.
java CryptoTool GENERATE -auth User1:pwd -key rsakey -alg RSA
The command below creates a global AES key named globalAESkey. Notice that the
username and password are omitted in this example. Remember that you can only create
global keys if the NAE Server is configured to allow unauthenticated sessions.
java CryptoTool GENERATE -key globalAES -alg AES
You can include the -exportable and/or -deletable flags in any request to generate a key.
The command below creates an exportable and deletable DESede key called DESkey27.
java CryptoTool GENERATE -auth User1:pwd -key DESkey27 -alg DESede -exportable -
deletable
Note: The exportable and deletable options specify no arguments. You should also notice
that the -alg option came before the -key option. This is to illustrate the point that you
can list options in any order.
Export a Key
The example below exports AESkey27, created immediately above. Make sure that you
do not discard the key text; it is used again later.
java CryptoTool EXPORT -auth User1:password -key AESkey27
Notice that you only have to specify the key name to export a key; you do not have to
specify the algorithm. The authentication information was included because the mykey2 is
owned by nae_user.
Delete a Key
Import a Key
Once you execute the command above, you must provide the key that you want to import.
You can copy the key text that was displayed when you exported mykey2 above. When
you have entered the key text, press Return, then press Ctrl+d (Linux) or Ctrl+z
(Windows). You should see a message confirming that the key was imported.
Cryptographic Operations
Encrypt a String
This example is included for illustrative purposes only. Because you cannot decrypt the
ciphtertext printed to the screen after the encrypt operation, there is little use in encrypting
a string.
In this example we encrypt the string “Hello World!” with the AES key created above.
After you execute the command below, you must type in the text you want to encrypt.
When you are done entering the text, press Return, then press Ctrl+d (Linux/Unix) or
Ctrl+z (Windows). The system prints the ciphertext to the console.
java CryptoTool ENCRYPT -auth User1:pwd -key mykey -alg AES
Encrypt a File
While it is possible to supply text for cryptographic operations from the command line, it
is more convenient and less error–prone to perform cryptographic operations on files. The
example below uses the -in and -out options to encrypt a file called test.txt and write the
ciphertext to a file called test.txt.enc.
java CryptoTool ENCRYPT -auth User1:password -key mykey -alg AES -in /jcetest/
test.txt -out /jcetest/test.txt.enc
Decrypt a File
The example below decrypts the output file that was created in the encrypt example above.
Again, the -in option is used to specify what file the DECRYPT operation is performed
on, and the -out option specifies the file to which the decrypted text is written.
java CryptoTool DECRYPT -auth User1:password -key mykey -alg AES -in /jcetest/
test.txt.enc -out /jcetest/test.txt.dec
Open the output file (test.txt.dec) and verify that the text of the file matches the text of the
input file (text.txt).
Create a MAC
The example below creates a MAC using the same test.txt file as was used in the examples
above. This example uses the HMAC key created above.
java CryptoTool MAC -auth User1:password -key hmackey -alg HmacSHA1 -in /jcetest/
test.txt -out /jcetest/test.mac
To verify a MAC, you have to provide the NAE Server with the previously–calculated
MAC and the text the MAC was created from. In this example, you use the -macfile option
to specify the MAC, and you use the -in option to provide the original text.
java CryptoTool MACV -auth User1:password -key hmackey -alg HmacSHA1 -in /jcetest/
test.txt -macfile /jcetest/test.mac
Create a Signature
This example creates a signature using the file test.txt and the RSA key created above.
java CryptoTool SIGN -auth User1:password -key rsakey -alg SHA1withRSA -in /jcet-
est/test.txt -out /jcetest/test.sig
Verify a Signature
To verify a signature, you must provide the NAE Server with the previously–calculated
signature value and the text that the signature was created from. In this example, you use
the -sigfile option to specify the signature, and you use the -in option to provide the text.
java CryptoTool SIGNV -auth User1:password -key rsakey -alg SHA1withRSA -in /
jcetest/test.txt -sigfile /jcetest/test.sig
3 Update the ingrian.home property with the location of the IngrianNAE.jar, log4j-
1.2.9.jar, and IngrianNAE.properties files.
<property name="ingrian.home" value="C:\Java\jre1.6.0_03\lib\ext"/>
6 Run ant dist to build the war file. This will create the dist directory and copy the
sample.war file.
Note: If you are rebuilding the war file after a previous test, you may need to restart
Tomcat prior to running ant dist if your environment was somehow corrupted.
2 Test your server by visiting http://localhost:8080. You should see the standard Apache
Tomcat page.
3 Run ant install to deploy the sample servlet. The servlet will be available at
http://localhost:8080/sample/Hello.
Fig. 6.1
Sample Application Servlet: Query section
4 Enter the name and password of a previously defined NAE User on the Ingrian device.
5 Enter the name of a previously defined key on the Ingrian device.
6 Click Submit Query. The servlet will now use the username/password combination to
connect to the Ingrian device. It will then call on the device to encrypt the string
‘Hello servlet’. The string will then be decrypted and the servlet will list the available
JCE providers. All results are shown in the web browser.
Fig. 6.2
Sample Application Servlet: Results section
Index K
keystore 44, 55
L
load balancing
C configuration 27
CA certificate Load_Balancing_Algorithm
installing on server 56 IngrianNAE.properties file 27
CA certificates logging
clustering 32 configuration 33
ssl configuration 32
client certificate authentication 32 N
clustering NAE device
CA certificates 32 content restrictions 8
connection pooling
configuration 27 P
Connection Read Timeout Configuration 28
parameters
content restrictions, NAE device 8
Size_of_Connection_Pool 27
cryptographic operations
performance
asymmetric encryption 7
connection read timeout 28
digital signatures 7
connection timeout 28
MAC 7
timeout configuration 28
MAC Verify 7
persistent connection configuration 27
random number generation 7
protocol configuration 24
symmetric encryption 7
R
D
requirements
data restrictions, NAE device 8
hardware and software 7
round-robin
H
load balancing algorithm 27
hardware
requirements 7 S
setProperty method 23
I
Size_of_Connection_Pool parameter 27
importing Ingrian Java Package 64 software
Ingrian Data Privacy Solution requirements 7
alternate configurations, extremely high load 8 SSL
alternate configurations, high availability 8 client certificate 32
Ingrian Java Package client certificate authentication 32
importing 64 client private key 33
Ingrian JCE Provider, communication channel with client private key passphrase 33
server 7 protocol configuration 24
IngrianNAE.properties server CA certificate 32
setting system properties 23 System Properties
SSL configuration 31 client certificate authentication 32
IngrianNAE.properties file 9 client certificate private key 33
client private key passphrase 33
J connection pooling 27
java keystore 44, 55 connection read timeout configuration 28
connection retry 29
load balancing 27