Request an Object Signing certificate from SunPKI Store with an Aladdin eToken Pro on Windows OS
Request an Object Signing certificate from SunPKI Store with an Aladdin eToken Pro on Windows OS
Software environment: Windows XP SP2 + eToken PKI Client 5.1 + JDK 1.6
Part 1: select Aladdin eToken Pro as the HSM device
An Object Signing certificate request can only be approved if the request was submitted using an HSM device. A HSM device is a specialized hardware cryptographic component that is used to generate and protect the private keys during any operations that involve that key.For object signing, especially for signing objects in the form of JAR files (using jarsigner), the cryptographic hardware devices of choice are:
(ii) SafeNet/Aladdin eToken (USB connected cryptographic device).
Considering the first one is too expensive (about $1300), we choose the Aladdin eToken Pro 72K (about $60).
Part 2: Prepare the Aladdin eToken Pro
2.1 Install Aladdin eToken PKI Client which could be downloaded from Aladdin web site or just require it from your Aladdin agent.
2.2 Plug the eToken into the USB slot of the system and select the "Initialization" function of the PKI Client to initialize the eToken.
2.3 Input a personal password (referred as <pin> as below) for the eToken.
Part 3: Request an Object Signing Certificate from SunPKI Store
3.1 Create (in current dir) file 'eToken-pkcs11.cfg' with the two lines
library = c:\WINDOWS\system32\eTPKCS11.dll
3.2 Generate the key pair with following command
keytool -genkey -alias <alias> -validity 365 -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>
Unknown: <your object name & version> (e.g. Sun Device Detection Tool)
What is the name of your organizational unit?
Unknown: <whatever> (e.g. Sun Microsystems Inc System)
What is the name of your organization?
Unknown: Sun Microsystems Inc (e.g. Sun Microsystems Inc)
What is the name of your City or Locality?
Unknown: <whatever> (e.g. Menlo Park)
What is the name of your State or Province?
Unknown: <whatever> (e.g. California)
What is the two-letter country code for this unit?
Unknown: US
Is CN=..., OU=..., O="Sun Microsystems Inc", L=..., ST=..., C=US correct?
no: yes
NOTE:
[1] Make sure JDK 1.6 is installed.
[2] In Special Publication SP 800-57 Part 1 [SP800-57], NIST recommends using at least 2048-bit public keys for securing information beyond 2010 (and 3072-bit keys for securing information beyond 2030). So we use the '-keysize 2048' to generate the key pair.
[3] The country code must be "US". Otherwise the next step would fail.
[4] The generated key pair could be checked with following command:
3.3 Generate the CSR with following command
keytool -certreq -alias <alias> -file ./certreq.csr -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>
3.4 Submit CSR
Reference to https://wikis.sun.com/display/SunPKIstore/Corp+Object+Signing
3.5 Receive the certificate
You would receive an email from pkiadm@sun.com containing the certificate chain. The email will contain the certificates in two forms, ASCII/Base64 encoded and a binary PKCS7 attachment. You should import the ASCII/Base64 encoded form (not the PKCS7) because the import of the PKCS7 chain may not work due to bug 6731685 (fixed in JDK 7, but not earlier releases).The ASCII/Base64 encoded form is a paragraph ascii characters embraced with
Copy the ASCII/Base64 encoded form certificate (those ascii characters including the two lines of -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) and paste them into a single text file to save as 'cert.ascii'.
3.6 Import the certificate with following command
keytool -importcert -v -trustcacerts -file cert.ascii -alias <alias> -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>
3.7 Verify the installed certificate chain with following command
keytool -list -v -alias <alias> -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>
3.8 Signed jar files with following command
jarsigner -verbose -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin> <a jarfile name> <alias>
NOTE:
In step 2, 3, 6, 7 and 8, the eToken must be pluged in.
Reference:
PKI Store for Object Signing certificatesPKI Store FAQs
Posted at 03:42PM Jan 12, 2010 by Ye Julia Li in Sun | Comments[0]
Rescue openSUSE grub
NOTE: The solution has tested on openSUSE 1.2 and openSUSE 11.1.
I installed openSUSE 11.1 and Windows 7 on a single hard disk. When the Windows 7 was out of gear, I rescued the Windows 7. The Windows OS works. However, the openSUSE grub was overwritten. I rescued the grub by following steps:
[1] Reboot the system with OpenSUSE 11.1 installation disc.
[2] Select 'Rescue System' and login with root.
[3] Enter grub interface by executing 'grub' in command line.
[4] INPUT: grub> find /boot/grub/stage1
OUTPUT: (hd0, 4)
INPUT: grub> root (hd0, 4)
grub> setup (hd0)
OUTPUT displays that it succeed.
[5] Reboot system. The grub is rescued.
Posted at 12:10PM Dec 16, 2009 by Ye Julia Li in Java | Comments[0]
Is the cacerts file in diablo-JRE 1.6 incorrect?
The size of cacerts file of diablo-JRE 1.6 (JRE on FreeBSD OS) is only 32Bytes. Compare with the 63KB cacerts file of SUN Solaris JRE 1.6, the diablo cacerts is almost an empty file. When I run an java application which transports date with HttpClient with the diablo-JRE 1.6, the transportation fails. After I replaced the diablo cacerts with a cacerts file from Sun Solaris JRE 1.6, the application transports data successfully. Is it the diablo cacerts incorrect?BTW: I sent emails to freebsd java alias to ask this question. But I receive no reply.
Posted at 10:22AM Nov 12, 2009 by Ye Julia Li in Java | Comments[0]
配置FreeBSD图形界面
freebsd 7.1及之前的版本,在安装了Xorg,并执行 Xorg -configure 后,会在/root 目录下自动创建xorg.conf.new
运行#Xorg -config xorg.conf.new 测试新生成的xorg.conf.new配置文件。
如果看到一个黑灰的格子和一个X形的鼠标指针,那么配置就是成功的。如果要退出测试,只要同时键入Ctrl+Alt+Backspace。如果鼠标工作不正常,则需要先配置它。
将配置文件拷贝到公共目录中 #cp xorg.conf.new /etc/X11/xorg.conf
执行#startx,测试X11。如果看到一个黑灰的格子和一个X形的鼠标指针,那么Xorg就配置成功了,同时键入Ctrl+Alt+Backspace退出。
freebsd 7.2中的Xorg已升级,和以前不太一样,官方中文手册还没有更新,请参照英文手册
网址:http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/x-config.html
以下为不同之处:
先要在 /etc/rc.conf 文件中加入:
hald_enable="YES"
dbus_enable="YES"
然后重新启动
进入root,运行 Xorg -configure 生成 xorg.conf.new 文件
运行 Xorg -config xorg.conf.new -retro 进行测试
注意加上 -retro,就会出现灰格子和X形鼠标,Ctrl+Alt+Backspace 退出
接下来是调整 xorg.conf.new 配置文件并作测试。用文本编辑器如 emacs(1) 或 ee(1) 打开这个文件。要做的第一件事是为当前系统的显示器设置刷新率。 这些值包括垂直和水平的同步频率。把它们加到 xorg.conf.new 的 "Monitor" 小节中:
Section "Monitor"
Identifier "Monitor0"
VendorName "Monitor Vendor"
ModelName "Monitor Model"
HorizSync 30-107
VertRefresh 48-120
EndSection
在配置文件中也有可能没有 HorizSync 和 VertRefresh。 如果是这样的话, 就只能手动添加, 并在 HorizSync 和 VertRefresh 后面设置合适的数值了。 在上面的例子中, 给出了相应的显示器的参数。
X 能够使用显示器所支持的 DPMS (能源之星) 功能。 xset(1) 程序可以控制超时时间, 并强制待机、挂起或关机。 如果希望启用显示器的 DPMS 功能,则需要把下面的设置添加到 monitor 节中:
Option "DPMS"
关闭 xorg.conf.new 之前还应该选择默认的分辨率和色深。这是在 "Screen" 小节中定义的:
Section "Screen"
Identifier "Screen0"
Device "Card0"
Monitor "Monitor0"
DefaultDepth 24
SubSection "Display"
Viewport 0 0
Depth 24
Modes "1024x768"
EndSubSection
EndSection
DefaultDepth 关键字描述了要运行的默认色深。 这可以通过 Xorg(1) 的 -depth 命令行开关来替代配置文件中的设置。 Modes 关键字描述了给定颜色深度下屏幕的分辨率。 需要说明的是,目标系统的图形硬件只支持由 VESA 定义的标准模式。 前面的例子中, 默认色深是使用 24位色。在采用这个色深时, 允许的分辨率是 1024x768。
最后就是将配置文件存盘, 并使用前面介绍的测试模式测试一下。
注意: 在发现并解决问题的过程中, 包含了与 X11 服务器相关的各个设备的信息的 X11 日志文件会为您发现和排除问题有所帮助。 Xorg 日志的文件名是 /var/log/Xorg.0.log 这样的格式。 实际的日志文件名可能是 Xorg.0.log 到 Xorg.8.log 等等。
如果一切准备妥当, 就可以把配置文件放到公共的目录中了。 您可以在 Xorg(1) 里面找到具体位置。 这个位置通常是 /etc/X11/xorg.conf 或 /usr/local/etc/X11/xorg.conf。
完成相应配置,如刷新率、分辨率,测试完成之后,运行 #cp xorg.conf.new /etc/X11/xorg.conf即可
完成安装GNOME后,运行 #ee .xinitrc (没有这个文件也这样做)
在这里输入 exec gnome-session
保存退出 (这里就是加gnome的 自动启动,也可直接用命令完成: #echo "exec gnome-session " > ~/.xinitrc )
然后 #startx就可以进入你的X-gonme了(如果你想开机就用图形方式进入X,你可以在/etc/rc.conf中添加 gdm_enable="YES")
好了,看到了X就先行了,下面配置安装其它软件呢什么的呢。ctrl+alt+backspace退回终端。
执行startx
另外,完成安装KDE4之后,运行#ee .xinitrc ,加入 exec /usr/local/kde4/bin/startkde
保存退出,运行startx即可进入KDE。注意startkde 所在目录和KDE3中不同
参考网址:http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/x11-wm.html
Posted at 10:48AM Aug 17, 2009 by Ye Julia Li in Personal | Comments[2]
Device Detection Tool Design Doc has been updated.
The design doc of Device Detection Tool was updated to includes latest content of design. It is available at http://www.opensolaris.org/os/project/ddtool/designdoc/ .
Posted at 02:11PM Feb 27, 2009 by Ye Julia Li in SDDTool | Comments[0]
A new release of Sun Device Detection Tool -- support any platform and provide reports for OpenSolaris 2008.11
Sun Device Detection Tool 2.2 was released a few days ago. Besides the Solaris 10, OpenSolaris, Windows, Linux 2.6 and Mac X OS it supported before, Sun Device Detection Tool 2.2 can also run on FreeBSD 6 system. Now we can say that it runs on any platforms.
The new release provides driver db for the latest OpenSolaris and Solaris 10 OS . It could help you to decide whether OpenSolaris 2008.11 or Solaris 10 10/08 can run on your hardware.
The tool also enable you to submit your system configuration information to Sun for HCL auditing purpose (for Solaris 10 and OpenSolaris users only) or data mining.
Thanks for other's mention.
Posted at 12:36PM Jan 19, 2009 by Ye Julia Li in SDDTool | Comments[2]
How should I do to block garbage comments ?
I am really boring to delete hundreds garbage comments (advertisements, baleful jokes etc.) manually. Who would teach me how to block them?
Posted at 03:27PM Jun 24, 2008 by Ye Julia Li in Java | Comments[2]
Stand-alone version of Sun Device Detection Tool 2.1 is available.
Sun Device Detection Tool is also available as a stand-alone version. The stand-alone version does not require an internet access to run as it includes the built-in driver data. Its features are same as that of the version available on the web site.
Currently, the stand-alone version of Sun Device Detection Tool 2.1 is available at here. Download the binary package; copy it to any Solaris, Linux, Windows or Mac machine even without internet access; unpack it; and execute the corresponding script under ddtool_21_loc directory. You will get the Solaris driver availability report for the machine.
Posted at 03:55PM May 23, 2008 by Ye Julia Li in SDDTool | Comments[0]
Login OpenSolaris 2008.05 as *root* user
When you install the OpenSolaris 2008.05, there is page prompting you to input the root password along with creating a normal user. If you define a normal user at that time, you will find that you are not allowed to login the system with root user.
What should you do? Re-install the system? It is a solution. But there is a much easier one as follows:
Revise the following line in the file of /etc/user_attr
----------------------
root::::type=role;auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no;min_label=admin_low;clearance=admin_high
----------------------
to
----------------------
root::::auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no;min_label=admin_low;clearance=admin_high
----------------------
And then reboot the system. You can login as root again.
*^^*
Posted at 03:24PM May 21, 2008 by Ye Julia Li in Sun | Comments[8]
Sun Device Detection Tool 2.1 source code is available on OpenSolaris.org
Source code of Sun Device Detection Tool 2.1 is open sourced at OpenSolaris.org (http://www.opensolaris.org/os/project/ddtool/ddtool-2.1-src.tar.gz).
The tool is a Java application, and builds a JNI binding for each of the following interfaces to collect device information on mutiple platforms:
| OS |
Interface |
Solution |
| Solaris OS |
libdevinfo |
Looking up PCI nodes in prom tree and reading device data from the nodes |
| Windows OS |
Win32 API |
Reading device data from registry through Win32 API |
| Linux OS |
/proc/bus/pci | Scanning the file of /proc/bus/pci and reading device data from it |
| Mac OS X | IOPCIDevice | Collecting PCI Device Information |
Thanks a lot for Tony Hu's hard work of developing native programs for Solaris, Windows, Linux and Mac platforms to scan PCI devices.
Reference:
| Device Detection Tool product web page: |
http://www.sun.com/bigadmin/hcl/hcts/device_detect.jsp |
| Device Detection Tool open project web page: | http://www.opensolaris.org/os/project/ddtool/ |
| Device Detection Tool developer blog: | http://blogs.sun.com/moonocean/ |
| Device Detection Tool support alias: | device-detect-feedback@sun.com |
Posted at 11:18AM May 14, 2008 by Ye Julia Li in Java | Comments[0]
Help you to determine if OpenSolaris 2008.05 can be installed on your x86/x64 system
Sun Device Detection Tool 2.1 provides driver information for OpenSolaris 2008.05 now. You can check the OpenSolaris 2008.05 driver availability status for the PCI devices on your x86/x64 systems.
http://www.sun.com/bigadmin/hcl/hcts/device_detect.jsp
:-)
Posted at 11:16AM May 14, 2008 by Ye Julia Li in Java | Comments[0]
Sun Device Detection Tool will provide driver information for OpenSolaris 2008.05
OpenSolaris 2008.05 is released. We can expect that much more people want to try it. Providing users the Solaris driver availability information for their devices before downloading the OpenSolaris image would be helpful for many people.
Sun Device Detection Tool will provide driver information for OpenSolaris 2008.05 in few days. The OpenSolaris driver db is coming ...
Posted at 04:32PM May 07, 2008 by Ye Julia Li in SDDTool | Comments[0]
Run a jar file with ant
Ant is a very useful tool. We can use it to compile, package jar files, and run the packaged jar. Following is example to describe how to write the build.xml file to run a packaged jar file with ant.
The jar file's name is ddtool.jar, and the main class of it is com.sun.ddtool.manager.DDToolManager. If the jar file is executed manually in CLI mode, the running command will be as follows:
$ java -classpath ./lib/commons-codec-1.3.jar:./lib/commons-httpclient-3.0.1.jar:./lib/commons-logging-1.1.jar:./ddtool.jar -Djava.library.path=lib com.sun.ddtool.manager.DDToolManager http://129.158.218.41 DriverDB/ dblocation.xml.zip
NOTE: "http://129.158.218.41", "DriverDB/", and "dblocation.xml.zip" are 3 arguments passed to the main class.
In the build.xml, we can describe it like this:
<!--class path-->
<path id="execute-classpath">
<fileset dir="${dist.bin.dir}/">
<include name="ddtool.jar"/>
</fileset>
<fileset dir="${lib.dir}/">
<include name="*.jar"/>
</fileset>
</path>
<!--run-->
<target name="execute" depends="packjar" description="run the project">
<java classname="com.sun.ddtool.manager.DDToolManager" failonerror="true" fork="true">
<classpath refid="execute-classpath"/>
<sysproperty key="java.library.path" value="lib/"/>
<arg value="http://129.158.218.41"/>
<arg value="DriverDB/"/>
<arg value="dblocation.xml.zip"/>
</java>
</target>
Or, if you don't want to define the execute-classpath, the above targets could be replaced by the following one:
<target name="execute" depends="packjar" description="run the project">
<exec executable="java">
<arg line="-classpath ${dist.lib.dir}/commons-httpclient-3.0.1.jar:${dist.lib.dir}/commons-codec-1.3.jar:${dist.lib.dir}/commons-logging-1.1.jar:${dist.bin.dir}/ddtool_21.jar -Djava.library.path=${dist.lib.dir} com.sun.ddtool.manager.DDToolManager http://129.158.218.41 DriverDB/ dblocation.xml.zip"/>
</exec>
</target>
NOTE: "${dist.lib.dir}/commons-httpclient-3.0.1.jar:${dist.lib.dir}/commons-codec-1.3.jar:${dist.lib.dir}/commons-logging-1.1.jar" in the second example cannot be replaced with "${dist.lib.dir}/*.jar".
Posted at 03:25PM May 05, 2008 by Ye Julia Li in Java | Comments[0]
Detect PCI devices on Mac OS X
On Mac OS, PCI device object could be enumerated with the 'IOPCIDevice' service. Then PCI device information could be retrieved from object properties.
To detect PCI devices on Mac OS X, the following interface needs to be imported:
| OS Type | Interface | Purpose |
| Mac OS X | IOPCIDevice | Collecting PCI Device Information |
Posted at 04:15PM Apr 25, 2008 by Ye Julia Li in SDDTool | Comments[0]
Sun Device Detection Tool 2.1 is released.
Sun Device Detection Tool 2.1 has been released since April 18, 2008. It is accessible from http://www.sun.com/bigadmin/hcl/hcts/device_detect.html.
What's new of SDDTool 2.1:
1. Support Mac OS for device detection.
2. Display the device data (vendor id, device id, class code etc.) of each detected PCI device in Solaris driver availability report.
3. Collect add-in patch info, and attached driver name of each detected PCI device automatically along with other system configuration information on Solaris OS.
4. Enable users to save the HCL submission report in HTML format on Solaris OS.
5. Provide the driver db for latest Solaris 10 and Solaris Express Developer Edition release.
Posted at 03:30PM Apr 25, 2008 by Ye Julia Li in SDDTool | Comments[0]