Start of Tutorial > Start of Trail > Start of Lesson |
Search
Feedback Form |
The security-related files that are built into JDK 1.2 are:These built-in files all reside in the JRE security properties directory,
- The
java.security
Security Properties File
- The
java.policy
"System" Policy File
- The
cacerts
Certificates Keystore File
(Note: java.home indicates the directory into which the JRE was installed.)java.home/lib/security/ (Solaris) java.home\lib/security\ (Windows)The security-related files that you may optionally create are:
Each security-related file is described below.
- The
.java.policy
or Other "User" Policy File
- Keystores
The
java.security
Security Properties FileIn thejava.security
security properties file, various security properties are set for use by classes in thejava.security
package.This file specifies
See the file for further details. It is located at
- provider package names, locations, and precedence orders.
- the class to be instantiated as the
Policy
object that will determine which permissions are available for code from various sources.
- URLs for the policy files to be loaded and utilized when making policy decisions (if the Policy object instantiated is one that utilizes policy files).
- whether or not property file expansion should be allowed in policy files, for example, expanding
${java.home}
to the value of the"java.home"
property. (initially true)
- whether or not an additional policy file can be specified on the command line with
-Djava.security.policy=somefile
. (initially true)
- the default keystore type. (initially "jks", the proprietary keystore type created by Sun Microsystems)
(java.home indicates the directory into which the JRE was installed.)java.home/lib/security/java.security (Solaris) java.home\lib/security\java.security (Windows)The
java.policy
"System" Policy FileA policy file specifies which permissions are available for code from various sources.The
java.policy
file is referred to as the "system" policy file meant to grant system-wide code permissions. Thejava.policy
file installed with the JDK grants all permissions to standard extensions, allows anyone to listen on un-privileged ports, and allows any code to read certain "standard" properties, such as the "os.name" and "file.separator" properties.If necessary, the system policy file can be modified, either by a text editor (it's an ASCII text file), or by the
policytool
. The latter doesn't require you to know the policy file format; using it saves typing and reduces errors.The
java.policy
file is by default located at(java.home indicates the directory into which the JRE was installed.)java.home/lib/security/java.policy (Solaris) java.home\lib/security\java.policy (Windows)Policy file locations are actually specified in the security properties file as the values of properties whose names are of the form
where "n" is a number. The default system policy file is defined in the security properties file aspolicy.url.n=URLpolicy.url.1=file:${java.home}/lib/security/java.policyThe
cacerts
Certificates Keystore FileThecacerts
file represents a system-wide keystore with Certification Authority (CA) certificates. CAs are entities (for example, businesses) that are trusted to sign (issue) certificates for other entities.System administrators can configure and manage the
cacerts
file usingkeytool
, specifying "JKS" as the keystore type (a proprietary type defined by Sun Microsystems).At this time, the
cacerts
keystore file ships with five VeriSign root CA certificates.The
cacerts
file is located at(java.home indicates the directory into which the JRE was installed.)java.home/lib/security/cacerts (Solaris) java.home\lib/security\cacerts (Windows)
IMPORTANT: Verify Yourcacerts
File
Since you trust the CAs in thecacerts
file as entities for signing and issuing certificates to other entities, you must manage thecacerts
file carefully. Thecacerts
file should contain only certificates of the CAs you trust. It is your responsibility to verify the trusted root CA certificates bundled in thecacerts
file and make your own trust decisions. To remove an untrusted CA certificate from thecacerts
file, use the delete option of thekeytool
command. You can find thecacerts
file in the JRE installation directory. Contact your system administrator if you do not have permission to edit this file.
The
.java.policy
or Other "User" Policy FilesIf you would like to create one or more policy files for your own use, you may do so, using either a text editor (it's an ASCII text file), or thepolicytool
. The latter doesn't require you to know the policy file format; using it saves typing and reduces errors.The security properties file included with the JDK contains a "placeholder" line specifying a default name and location for one user policy file:
wherepolicy.url.2=file:${user.home}/.java.policy${user.home}
is replaced at runtime by the user's "home" directory, as determined by the value of the"user.home"
system property. On Solaris, the value is simply the user's home directory, such as/home/susanj
. On Windows, given user name uName, the"user.home"
property value defaults toC:\Winnt\Profiles\uName on multi-user Windows NT systems C:\Windows\Profiles\uName on multi-user Windows 95 systems C:\Windows on single-user Windows 95 systemsThus, if the user name is "cathy",
"user.home"
defaults toC:\Winnt\Profiles\cathy on multi-user Windows NT systems C:\Windows\Profiles\cathy on multi-user Windows 95 systems C:\Windows on single-user Windows 95 systemsThe specified file does not have to exist. But if you create a file of that name, in that location, the system will load it and use it when making policy decisions.
If you want to create a user policy file but name or locate it differently, simply edit that line in the security properties file appropriately.
If you want to have additional policy files as well, add a line for each, of the form
where n is 3, 4, 5, and so on, and URL is the URL specification. Note: you can't have any gaps in the numbers, or the ones after the gap will be ignored.policy.url.n=URLKeystores
A keystore is a database of keys. Private keys in a keystore have a certificate chain associated with them, which authenticates the corresponding public key. A keystore also contains certificates from trusted entities. You need a keystore ifUse the
- you want to generate public and private keys for yourself.
- you want to use your private key to digitally sign files.
- you want to export your public key certificate so others can verify digital signatures made using your corresponding private key.
- you want to generate a Certificate Signing Request (CSR) to submit to a Certification Authority (CA). CAs are entities (for example, businesses) that are trusted to sign (issue) certificates for other entities. The CA will authenticate you, the requestor (usually off-line), and then will return a certificate, signed by them, authenticating your public key.
- you want to import others' keys (for example, so you can verify their signatures) or a certificate reply from a CA.
keytool
tool to create and manage your keystore.
Start of Tutorial > Start of Trail > Start of Lesson |
Search
Feedback Form |
Copyright 1995-2005 Sun Microsystems, Inc. All rights reserved.