How to Configure Java JDK to Use the eToken
- Download the JDK from Oracle.com.
Note: Even if you are using a 64-bit version of Windows, the 32-bit JDK is required. - Open a text editor (such as Notepad) and do the following:
- Copy and paste the following 2 lines into the text (Notepad) document:
name=eToken
library=c:\WINDOWS\system32\eTPKCS11.dll - Save this file as eToken.cfg in the appropriate directory for your version of the JDK, for example:
- JDK 1.8
C:\Program Files (x86)\Java\jdk1.8.0_20\bin
- JDK 1.8
- Copy and paste the following 2 lines into the text (Notepad) document:
- Run WordPad (Start > Accessories > WordPad), open the java.security file from your Java Runtime Environment (JRE) installation (e.g. C:\Program Files\Java\jdk1.8_20\jre\lib\security), and then do the following:
- Search the file (Ctrl + F) for the following line:
security.provider.10=sun.security.mscapi.SunMSCAPI - If the following line isn't already present in the file, add it right after the line above:Note: ./etoken.cfg is the path to the etoken.cfg file, and cannot contain a drive letter (i.e., it must be on the same drive as the JDK installation).
security.provider.11=sun.security.pkcs11.SunPKCS11 ./etoken.cfg - When WordPad asks if you want to save the file as a text-only document, select yes.
- Search the file (Ctrl + F) for the following line:
- Open Windows explorer and go to the JDK installation folder (i.e. C:\Program Files\Java\jdk1.8_20\).
- Hold shift down and right-click on the bin folder and select Open command window here.
- Run the following command to find out in which token slot your certificate is stored:Note: This command displays a lot of information.
keytool -keystore NONE -storetype PKCS11 -list -J-Djava.security.debug=sunpkcs11 - Go to the top of the information display where the information starts, and search for a line similar to this:Where # is a number such as 0 or 2.
Slots with tokens:#
If the slot used is "0", skip to Step 9.
- Remove the eToken device from the USB drive for a few seconds and then plug it back since it only allows you to run one keytool command at a time.
- Open the file etoken.cfg you created in Step 2, and change the value after slot= to match the slot from the previous keytool command then save the file.Note: 0 is the default slot. If you have added additional certificates to the token or re-keyed/re-issued your certificate, you may have a different number than the default.
name=eToken
library=c:\WINDOWS\system32\eTPKCS11.dll
slot=0
How To Sign .jar Files Using the CLI Command Jarsigner
- In Windows Explorer, navigate to the JDK folder.
- In the JDK folder, push and hold Shift, right-click on the bin folder, and select Open command window here.
- To view the Code Signing Certificate and the certificate alias on the token:
- Plug in your token.
- Run the following command from the command prompt:
keytool -list -keystore NONE -storetype PKCS11 -J-Djava.security.debug=sunpkcs11
Enter keystore password: [enter password] - Sample output:
Keystore type: PKCS11
Keystore provider: SunPKCS11-eToken
Your keystore contains 1 entry
le-a66a-21c4-b862-3c4345271551, PrivateKeyEntry,
Certificate fingerprint (SHA2):
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX - In this example, le-a66a-21c4-b862-3c4345271551 is the certificate alias that you use to sign .jar files.
- To use the code signing certificate on the token to sign file.jar, run the following command from the command prompt:
jarsigner -verbose -keystore NONE -storetype PKCS11 -J-Djava.security.debug=sunpkcs11 "C:\path\to\file.jar" "le-a66a-21c4-b862-3c4345271551" - If the command executed successfully, you should see something similar to the following output:
Sample output:Enter Passphrase for keystore:
adding: META-INF/7800FA4C.SF
jar signed.
No comments:
Post a Comment