Java(tm) Secure Socket Extension 1.0.3 Installation Instructions ----------------------------------------------------------------------- Installation ----------------------------------------------------------------------- JSSE 1.0.3 is supplied as an extension to the Java 2 platform. JSSE is implemented via a Java Cryptography Architecture (JCA) security provider class called "SunJSSE." Note: (Windows and Solaris use different pathname separators, so please use the appropriate one ("\", "/") for your environment.) refers to the directory where the Java 2 Runtime Environment (JRE) was installed. The Java 2 SDK (aka JDK) contains the JRE, but at a different level in the file hierarchy. For example, if the Java 2 SDK or JRE was installed in /home/user1, would be: /home/user1/jre1.2.x [JRE] /home/user1/jdk1.2.x/jre [SDK] 1) Download JSSE 1.0.3. You can save the downloaded file anywhere on your local disk. Note that JSSE 1.0.3 requires that you have Java(tm) 2 SDK v 1.2.x or 1.3.x already installed. This release will not work on Java(tm) 2 Runtime Environment v 1.4.x or greater. 2) Uncompress and extract the downloaded file. This will create a directory named jsse1.0.3, with two subdirectories named doc and lib. 3) Install the JSSE jar files. The JSSE lib subdirectory contains the extension files jsse.jar, jcert.jar, and jnet.jar. You can either install these files in the JDK/JRE ("installed extension") or bundle them with your applet or application ("bundled extension"). If you wish to install them as an installed extension, place them in the following directory: /lib/ext 4) Register the SunJSSE provider. JSSE 1.0.3 comes standard with a Cryptographic Service Provider, or "provider" for short, named "SunJSSE". Although the "SunJSSE" provider is supplied with every JSSE 1.0.3 installation, it still needs to be configured explicitly, either statically or dynamically, before its services can be accessed. 4a) Static registration of SunJSSE provider. Add the "SunJSSE" provider to your list of approved providers. This is done statically by editing the security properties file: \lib\security\java.security [Win32] /lib/security/java.security [Solaris] One of the types of properties contained in the java.security file is of the following form: security.provider.n=providerClassName This declares a provider, and specifies its preference order "n". The preference order is the order in which providers are searched for requested algorithms (when no specific provider is requested). The order is 1-based; 1 is the most preferred, followed by 2, and so on. Add the above line to java.security, replacing providerClassName with com.sun.net.ssl.internal.ssl.Provider, and substituting n with the priority that you would like to assign to the "SunJSSE" provider. For example, to add the Sun internal SSL provider to the standard provider shipped with the JRE, your entries would look like:
security.provider.1=sun.security.provider.Sun security.provider.2=com.sun.net.ssl.internal.ssl.Provider "SunJSSE" would now be the second preferred provider 4b) Dynamic registration of SunJSSE provider. Instead of registering the provider statically, you can add the provider dynamically at runtime by adding the following lines of code at the beginning of your program: Security.addProvider( new com.sun.net.ssl.internal.ssl.Provider()); Dynamically adding a provider requires that the application have the appropriate permission. 5) Install a JSSE-specific cacerts file, if desired. When creating a default TrustManager, Sun's JSSE implementation will first check for alternate cacert files before falling back on the standard cacerts file, so that you can provide a JSSE-specific set of trusted root certificates separate from ones that might be present in cacerts for code signing purposes. The search order for locating the default trustStore file is: 1) The file specified by javax.net.ssl.trustStore, see 5a) below, then 2) /lib/security/jssecacerts, then 3) /lib/security/cacerts. The first element to be found will be used as the trust store, and successive elements will not be consulted. 5a) Overriding the KeyManager/TrustManager keystore default locations. In this JSSE implementation, the default keystore locations can be overriden by specifying the appropriate system properties: javax.net.ssl.keyStore specifies the location of where to find key material for the default KeyManager. There is no default location. javax.net.ssl.keyStoreType specifies the KeyStore file type for key material for the default KeyManager. The default is the default keystore type. (e.g. KeyStore.getDefaultType()) javax.net.ssl.keyStorePassword specifies the password to be used with this KeyStore. javax.net.ssl.trustStore specifies the location of where to find key material for the default TrustManager. If specified, this overrides jssecacerts and cacerts. javax.net.ssl.trustStoreType specifies the KeyStore file type for key material for the default TrustManager. The default is the default KeyStore type. (e.g. KeyStore.getDefaultType()) javax.net.ssl.trustStorePassword specifies the password to be used with this KeyStore. Note: javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword are not removed from the System properties after the default SSLContext and default TrustManagerFactory are initialized. You should remove these properties when you no longer need them so that they are not available. 6) HTTPS Support The JSSE reference implementation contains a URL handler for the "https" URL protocol type. In order to use this handler, you must add the handler's implementation package name to the list of packages which are searched by the java URL class. This is configured via the "java.protocol.handler.pkgs" system property. See the java.net.URL class documentation for details. System properties can be set via the command line or at runtime through the java.lang.System class. For example, you can set this property on the command line via: java -Djava.protocol.handler.pkgs=\ com.sun.net.ssl.internal.www.protocol When accessing HTTPS servers through a web proxy, you must set the "https.proxyHost" and "https.proxyPort" system properties to the correct host name and port number of the web proxy. For example, to set this property on the command line to access HTTPS servers through the proxy host "webproxy" running at port 8080 you would use: java -Dhttps.proxyHost=webproxy -Dhttps.proxyPort=8080 7) Debugging JSSE By setting the System property "javax.net.debug", this JSSE implementation can provide very useful and detailed debug information for the various phases of SSL/TLS handshaking. For a list of the current options, please run: java -Djavax.net.debug=help MyApp MyApp will exit after printing the debug help information. EXAMPLE: java -Djavax.net.debug=ssl,handshake,data,trustmanager MyApp This option is currently unsupported, and is provided for your convenience only.