The Luna JSP is part of an application program interface (API) that allows Java applications to make use of certain Luna products.
As with other APIs, some existing Java-based applications might have generic requirements and calls that can already work with Luna products. In other cases, it might be necessary for you or your vendor to create an application or to adapt one, using the JSP API.
You have the choice of:
•using a previously integrated third-party application, known to work with this Luna product
•performing your own integration with a Java-based application supplied by you or a third party, or
•developing your own application using our Java API.
Develop your own Java apps using our included Software Development Kit, which includes Luna Java API usage notes for developers, as well as development support by SafeNet. A standard Java development environment is required, in addition to the API provided by SafeNet.
Please refer to the current-version Luna Customer Release Notes (CRN) for the most up-to-date list of supported platforms and APIs.
We formally test Luna HSMs and our Java provider with SUN JDK for all platforms except AIX, and with IBM JDK for the AIX platform. We have not had problems with OpenJDK, although it has not been part of our formal test suite. The Luna JCE provider is compliant with the JCE specification, and should work with any JVM that implements the Java language specification.
Occasional problems have been encountered with respect to IBM JSSE.
GNU JDK shipped with most Linux systems has historically been incomplete and not suitable.
To use the Luna JSP service providers, four main components are needed.
First, acquire and install the Java SDK or RTE (available from the Java site, not included with the Luna software). Java must be installed before the Luna software, as some of the Java files must be manipulated as described in the JSP portions of the Getting Started section of this Help. Note that the JVM 1.6.x_xx or JVM 1.7.x is part of the Java SDK.
If you intend to generate large key sizes, you will need two cryptographic JCE Policy files v 1.6.x or v 1.7.x (available from the Java web site). The Getting Started section of this Help has instructions on what to do with the two files (local_policy.jar and US_export_policy.jar).
If you see errors like "Invalid Key size", that is usually an indication that the JCE is not properly installed.
Follow the installation procedure for the Luna Client as described in the Installation Guide.
When installing the Luna Client software, also choose the option to install Luna JSP. Instructions are provided in the platform-specific pages, including instructions for installing Luna JSP for each operating system (files to copy/replace, editing to perform, etc.) so that Luna SA and Luna JSP can work with the JRE.
The Luna provider provides an option to make newly created secret keys extractable from the HSM, via the LunaSlotManager.setSecretKeysExtractable() method.
Some situations exist in which keys should be extractable but this method cannot be used (for example, when the Luna provider is performing crypto operations for a …). We now provide a configuration option to enable this behavior. To make secret keys extractable, add the following line to java.security:
com.safenetinc.luna.provider.createExtractableKeys=true
This value is read by the Luna provider on startup; to change the setting after the application has started, use the LunaSlotManager.setSecretKeysExtractable() method. Calling that method overrides the java.security setting for that application only; it does not change the file.
When Java, the Luna Client and Luna JSP are installed as directed, you may then perform any integration required for your own, or third-party Java application.
If you are using Luna JCE/JCA with the 64-bit libraries for Luna SA, you must include the "-d64" switch in the Java command-line.
For example: java -d64 -jar jMultitoken.jar
Most 64-bit platforms are supported in 64-bit mode. Some 64-bit platforms also offer the option of running in 32-bit mode, as a backward-compatibility feature.
If you use the 64-bit installation and omit the "-d64" switch from your Java command lines, the JVM attempts (by default) to load the 32-bit library, which is not installed because you installed the 64-bit version in this example, and the result is an error message complaining about the kernel model.
For optimal Java performance when using Elliptic Curve keys to perform TLS with Java 7, where those keys reside in the HSM, you must configure the SunEC security provider (sun.security.ec.SunEC) to be below the LunaProvider in your java.security file.
We suggest that you not attempt to resolve a performance issue by making the LunaProvider the default (first) provider, because symmetric-key operations would then also be sent to the HSM, which is not optimal for performance.
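The provider order in java.security is easy to get wrong and hard to see at runtime, so the following added example (not part of the original Help page or of the Luna JSP itself) lists the effective order, checks that LunaProvider sits above SunEC without being the default provider, and shows which provider would actually service an EC signature and an AES cipher request. It assumes the Luna provider registers under the name "LunaProvider" (the class is com.safenetinc.luna.provider.LunaProvider) and that SunEC is present, as it is in Java 7; the slot number N in the comment is hypothetical.

```java
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import javax.crypto.Cipher;

public class ProviderOrderCheck {
    // Provider names as registered in the JVM. "LunaProvider" is an assumption about
    // the name used by com.safenetinc.luna.provider.LunaProvider; "SunEC" is the JDK's.
    static final String LUNA = "LunaProvider";
    static final String SUNEC = "SunEC";

    /** 1-based position of a provider in the preference order, or -1 if it is absent. */
    static int position(String name) {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            if (providers[i].getName().equals(name)) {
                return i + 1;
            }
        }
        return -1;
    }

    /** True when LunaProvider is present and listed above SunEC, so EC work reaches the HSM. */
    static boolean lunaAboveSunEC() {
        int luna = position(LUNA);
        int sunec = position(SUNEC);
        return luna != -1 && (sunec == -1 || luna < sunec);
    }

    /** True when LunaProvider is the default (first) provider, which the note above advises against. */
    static boolean lunaIsDefault() {
        return position(LUNA) == 1;
    }

    public static void main(String[] args) throws Exception {
        // The java.security ordering this check expects (N is hypothetical; keep the JDK's
        // SUN, SunRsaSign and SunJSSE entries above both of these lines):
        //   security.provider.N=com.safenetinc.luna.provider.LunaProvider
        //   security.provider.N+1=sun.security.ec.SunEC
        for (Provider p : Security.getProviders()) {
            System.out.println(position(p.getName()) + ". " + p.getName());
        }
        System.out.println("LunaProvider above SunEC : " + lunaAboveSunEC());
        System.out.println("LunaProvider is default  : " + lunaIsDefault());

        // Which provider would actually service the TLS-relevant requests? EC signing
        // should resolve to LunaProvider when HSM keys are in play; AES should stay in software.
        System.out.println("SHA256withECDSA -> "
            + Signature.getInstance("SHA256withECDSA").getProvider().getName());
        System.out.println("AES/CBC         -> "
            + Cipher.getInstance("AES/CBC/PKCS5Padding").getProvider().getName());
    }
}
```

Run it with the same JVM and java.security file your application uses; if "LunaProvider is default" prints true, move the Luna entry down the list so that only the services you actually want in the HSM resolve to it.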
The Luna JSP is a Java API that is intended to be used as an interface between customer-written or third-party Java applications and the Luna HSM. Managing security issues associated with the overall operational environment in which the application is running, including the user interface, is the responsibility of the application.
A common example would be input and capture of user name and password. The application, or a set of organizational procedures, is responsible for making the access control decision regarding whether the user has the necessary permissions (at the organizational level) to access the HSM's services and then must provide protection for the password as it is entered, and erasure from memory after the operation is completed. The Luna JSP will control access to the HSM based on the correct password being input from the application via the Login method, but security outside the HSM is your responsibility.
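The following added example (not code from the original Help page or from SafeNet) puts the two preceding points together: the extractable-keys setting from java.security and its process-local override through LunaSlotManager.setSecretKeysExtractable(), and the application-side handling of the partition password (authorization decision made before the prompt, password read into a char[] without echo, wiped after the Login call). It assumes that com.safenetinc.luna.provider.LunaProvider registers as "LunaProvider", that LunaSlotManager exposes a getInstance() accessor, a login(String) method for the default slot and a logout() method, and that Security.getProperty() can read the Luna property from java.security; the operator allow-list is a constructed placeholder.

```java
import java.io.Console;
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import com.safenetinc.luna.LunaSlotManager;
import com.safenetinc.luna.provider.LunaProvider;

public class HsmSession {
    static final String EXTRACTABLE_PROP = "com.safenetinc.luna.provider.createExtractableKeys";

    // Constructed placeholder for the organisation's own access-control rule:
    // only these OS accounts may open an HSM session from this application.
    static final Set<String> HSM_OPERATORS = new HashSet<String>(Arrays.asList("hsm-operator"));

    /** The application, not the HSM, decides whether this caller may reach the partition at all. */
    static boolean callerIsAuthorized() {
        return HSM_OPERATORS.contains(System.getProperty("user.name"));
    }

    public static void main(String[] args) throws Exception {
        // Register the provider if java.security does not already list it
        // (assumption: it registers under the name "LunaProvider").
        if (Security.getProvider("LunaProvider") == null) {
            Security.addProvider(new LunaProvider());
        }
        // Startup value of the extractability switch, as read from java.security.
        System.out.println(EXTRACTABLE_PROP + " = " + Security.getProperty(EXTRACTABLE_PROP));

        if (!callerIsAuthorized()) {
            throw new SecurityException("caller is not authorized to use the HSM partition");
        }

        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no interactive console; refusing to read the password from stdin");
        }
        LunaSlotManager manager = LunaSlotManager.getInstance(); // assumption: singleton accessor

        char[] password = console.readPassword("Partition password: "); // no echo, wipeable buffer
        try {
            // assumption: login(String) authenticates to the default slot. The String copy
            // cannot be wiped, so it is created only for this one call and never stored.
            manager.login(new String(password));
        } finally {
            Arrays.fill(password, '\0'); // erase the char[] whether or not the login succeeded
        }

        try {
            // Process-local override of the java.security value; the file itself is untouched.
            manager.setSecretKeysExtractable(false);
            KeyGenerator kg = KeyGenerator.getInstance("AES", "LunaProvider");
            kg.init(256);
            SecretKey key = kg.generateKey();
            System.out.println("generated " + key.getAlgorithm() + " key in the HSM as non-extractable");
        } finally {
            manager.logout(); // assumption: logout() closes the session
        }
    }
}
```

The pattern to keep is the try/finally around the Login call: the password buffer is cleared on every path, and the extractability override is made explicitly in code so that a later change to java.security cannot silently turn it back on for this application.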
The Luna provider maps the "ECDSA" signature algorithm to "NONEwithECDSA". The Java convention is to map it to "SHA1withECDSA". This is noted here in case you wish to use it in provider inter-operability testing. This mapping is noted in the Javadoc as well.
For comparison, "RSA" maps to "NONEwithRSA" while "DSA" maps to "SHA1withDSA".
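Because the two conventions disagree only on what "ECDSA" means, the safest interoperability test is to sign under one name and verify under the other. The following added example (not from the Help page or the Luna JSP) does that: it pre-hashes the message with SHA-1 and signs the digest under the Luna-style name, then verifies the raw message with SunEC's "SHA1withECDSA", which succeeds because both sides operate on the same digest; it then shows that passing the raw message to the Luna-style name produces a signature that "SHA1withECDSA" rejects. Run with "LunaProvider" as the first argument to generate the key pair and sign on the HSM; with no argument the JDK's own "NONEwithECDSA" stands in for Luna's "ECDSA" so the example runs on a plain JDK. The provider name "LunaProvider", the ability to generate an EC key pair through KeyPairGenerator.getInstance("EC", "LunaProvider"), and SunEC's acceptance of the HSM public key for verification are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public class EcdsaNameMapping {

    static Signature get(String alg, String provider) throws GeneralSecurityException {
        return provider == null ? Signature.getInstance(alg) : Signature.getInstance(alg, provider);
    }

    /** Signs 'input' under algorithm name 'alg' on 'provider' (null = JVM preference order). */
    static byte[] sign(String alg, String provider, PrivateKey key, byte[] input)
            throws GeneralSecurityException {
        Signature s = get(alg, provider);
        s.initSign(key);
        s.update(input);
        return s.sign();
    }

    /** Verifies 'sig' over 'input' under algorithm name 'alg' on 'provider'. */
    static boolean verify(String alg, String provider, PublicKey key, byte[] input, byte[] sig)
            throws GeneralSecurityException {
        Signature s = get(alg, provider);
        s.initVerify(key);
        s.update(input);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // "LunaProvider" as first argument: sign on the HSM, where "ECDSA" == NONEwithECDSA.
        // No argument: the JDK's NONEwithECDSA emulates that mapping (assumption-free path).
        String hsm = args.length > 0 ? args[0] : null;
        String hsmEcdsaName = hsm == null ? "NONEwithECDSA" : "ECDSA";

        KeyPairGenerator kpg = hsm == null
            ? KeyPairGenerator.getInstance("EC")
            : KeyPairGenerator.getInstance("EC", hsm); // assumption: key pair generated in the HSM
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();

        byte[] msg = "provider interop test".getBytes(StandardCharsets.UTF_8); // constructed input
        byte[] sha1 = MessageDigest.getInstance("SHA-1").digest(msg);

        // Luna-style "ECDSA": the caller supplies the digest, the provider signs it as-is.
        byte[] sigOverDigest = sign(hsmEcdsaName, hsm, kp.getPrivate(), sha1);
        // JDK-style "ECDSA" (= SHA1withECDSA): the provider hashes the raw message itself.
        // Both sides end up on the same SHA-1 digest, so this verification passes.
        boolean digestPathOk = verify("SHA1withECDSA", "SunEC", kp.getPublic(), msg, sigOverDigest);

        // Feeding the raw message to the Luna-style name signs the message bytes as if they
        // were already a digest; SHA1withECDSA on the other side hashes first and rejects it.
        byte[] sigOverRaw = sign(hsmEcdsaName, hsm, kp.getPrivate(), msg);
        boolean rawPathOk = verify("SHA1withECDSA", "SunEC", kp.getPublic(), msg, sigOverRaw);

        System.out.println("digest signed under Luna-style ECDSA verifies with SHA1withECDSA: " + digestPathOk);
        System.out.println("raw message signed under Luna-style ECDSA verifies:               " + rawPathOk);
    }
}
```

When code has to work against both the Luna provider and a JDK provider, request the fully qualified name ("SHA1withECDSA", "SHA256withECDSA", or "NONEwithECDSA" with your own digest) rather than the bare "ECDSA", so that the meaning does not depend on which provider is first in line.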