Summary of Tools for Java^TM Platform Security

Below is a summary of the following security tools, with links to the more detailed documentation: keytool, jar, jarsigner, Policy Tool, kinit, klist, and ktab. All of these tools are command-line tools with the exception of Policy Tool, which has a graphical user interface.

The Tools

keytool (Solaris or Linux) (Windows)

Use keytool to manage your keystore, for example to

• create public/private key pairs
• issue certificate requests (which you send to the appropriate Certification Authority)
• import certificate replies (obtained from the Certification Authority you contacted)
• designate public keys belonging to other parties as trusted
• copy entries between two keystores

Keys and certificates are used to digitally sign your applications and applets (see jarsigner below). A keystore is a protected database that holds keys and certificates for an enterprise. Access to a keystore is guarded by a password (defined at the time the keystore is created, by the person who creates the keystore, and changeable only when providing the current password). In addition, each private key in a keystore can be guarded by its own password.

jar (Solaris or Linux) (Windows)

Use the jar tool to create JAR files.

The Java ARchive (JAR) file format enables you to bundle multiple files into a single archive file. Typically a JAR file will contain the class files and auxiliary resources associated with applets and applications. When you want to "digitally sign" code, you use the jar tool to place it in a JAR file and the jarsigner tool to sign the JAR file (after generating or importing appropriate keys into your keystore using keytool).

jarsigner (Solaris or Linux) (Windows)

Use the jarsigner tool to sign JAR files, or to verify signatures on signed JAR files.

The jarsigner tool accesses a keystore that is created and managed by keytool, when it needs to find the private key and its associated certificate chain to use when signing a JAR file. Since accesses to the keystore and to private keys are protected by passwords, only people who know the passwords will be able to access the key and use it to sign a JAR file. The jarsigner tool prompts for needed passwords.

Policy Tool (Solaris or Linux) (Windows)

Use the Policy Tool (invoked by using the policytool command) to create and modify the external policy configuration files that define your installation's security policy.

The policy is described in the Security Architecture Specification. Further information is provided in Default Policy Implementation and Policy File Syntax.

This tool has a graphical user interface, so you select buttons and other options rather than type in commands as for the other tools. Please read the Policy Tool Users Guide for details.

kinit (Windows)

kinit is used to obtain and cache Kerberos ticket-granting tickets. This tool is similar in functionality to the kinit tool commonly found in other Kerberos implementations, such as SEAM and MIT Reference implementations.

The user must be registered as a principal with the Key Distribution Center (KDC) prior to running kinit.

Solaris - Equivalent functionality is available for Solaris users via the kinit tool that is part of the Solaris operating environment.

Linux - Equivalent functionality is available for Linux users via the kinit tool in any Kerberos 5 installation.

klist (Windows)

klist is a command-line tool that allows the user to view entries in the local credentials cache and key table.

Solaris - Equivalent functionality is available for Solaris users via the klist tool that is part of the Solaris operating environment.

Linux - Equivalent functionality is available for Linux users via the klist tool in any Kerberos 5 installation.

ktab (Windows)

ktab is a command-line tool that allows the user to manage the principal names and service keys stored in a local key table. Principal and key pairs listed in the keytab allow services running on a host to authenticate themselves to the Key Distribution Center (KDC). Before a server can be setup to use Kerberos, the user must setup a keytab on the host running the server. Note that any updates made to the keytab using ktab do not affect the Kerberos database. If you change the keys in the keytab, you must also make the corresponding changes to the Kerberos database. Also note that the command line options are not case-sensitive.

Solaris - Equivalent functionality is available for Solaris users via the ktutil or kadmin tool that is part of Solaris operating environment.

Linux - Equivalent functionality is available for Linux users via the ktutil or kadmin tool in any Kerberos 5 installation.

Examples of Use of the Tools

Examples of the use of several of these security tools can be found in the Java^TM Platform Security trail of the Java Tutorials.