keytool

You can use either the Oracle keytool utility or the IBM keytool utility to read and edit an nShield KeyStore. These utilities are shipped with the Oracle and IBM JVMs.

You must specify the correct nCipher.sworld KeyStore type when you run the keytool utility, and you must specify the correct package and class name for the Oracle or IBM keytool utility.
To generate a new key in an OCS-protected KeyStore with the Oracle or IBM keytool utility, run the appropriate command:

- Sun Microsystems keytool utility:

  For Java 11 and Java 17, use the following command:

    java --module-path /opt/nfast/java/classes sun.security.tools.keytool.Main -genkey -storetype nCipher.sworld -keyalg RSA -sigalg SHA1withRSA -storepass <KeyStore_passphrase> -keystore <KeyStore_path>

  For Java 8, use the following command:

    java sun.security.tools.keytool.Main -genkey -storetype nCipher.sworld -keyalg RSA -sigalg SHA1withRSA -storepass <KeyStore_passphrase> -keystore <KeyStore_path>

- IBM keytool utility:

    java com.ibm.crypto.tools.KeyTool -genkey -storetype nCipher.sworld -keyalg RSA -sigalg SHA1withRSA -storepass <KeyStore_passphrase> -keystore <KeyStore_path>

In these example commands, <KeyStore_passphrase> is the passphrase for the OCS that protects the KeyStore and <KeyStore_path> is the path to that KeyStore.
To generate a new key in a module-protected KeyStore with the Oracle or IBM keytool utility, run the appropriate command:

- Sun Microsystems keytool utility:

  For Java 11 and Java 17, use the following command:

    java --module-path /opt/nfast/java/classes -Dprotect=module -DignorePassphrase=true sun.security.tools.keytool.Main -genkey -storetype nCipher.sworld -keyalg RSA -sigalg SHA1withRSA -keystore <KeyStore_path>

  For Java 8, use the following command:

    java -Dprotect=module -DignorePassphrase=true sun.security.tools.keytool.Main -genkey -storetype nCipher.sworld -keyalg RSA -sigalg SHA1withRSA -keystore <KeyStore_path>

- IBM keytool utility:

    java -Dprotect=module -DignorePassphrase=true com.ibm.crypto.tools.KeyTool -genkey -storetype nCipher.sworld -keyalg RSA -sigalg SHA1withRSA -keystore <KeyStore_path>

In these example commands, <KeyStore_path> is the path to the KeyStore. Because a module-protected KeyStore has no passphrase, the commands set -Dprotect=module and -DignorePassphrase=true instead of passing -storepass.
By default, the keytool utilities use the MD5withRSA signature algorithm to sign certificates used with a KeyStore. This signature mechanism is unavailable on modules with firmware version 2.33.60 or later, which is why the example commands above select the signature algorithm explicitly with -sigalg.
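As an added example (not from the nShield documentation), the following POSIX shell wrapper assembles the Oracle keytool invocation from the protection type and Java version described above, so the module-protection system properties, the OCS -storepass and the Java 11/17 --module-path cannot be mixed up. It assumes the nShield classes live under /opt/nfast/java/classes as on this page; the -list verification step after -genkey and the script name in the usage comment are assumptions that go beyond what the page shows.

```shell
#!/bin/sh
# Added example, not from the nShield documentation. Builds the Oracle
# keytool command line for an nCipher.sworld KeyStore from the protection
# type and Java version. Assumes the nShield classes are under
# /opt/nfast/java/classes (as on the page) and java is on PATH.

NFAST_CLASSES=/opt/nfast/java/classes
KEYTOOL_MAIN=sun.security.tools.keytool.Main

# build_cmd ACTION PROTECT JAVA_MAJOR KEYSTORE [PASSPHRASE]
#   ACTION      -genkey (as on the page) or -list (to verify the result)
#   PROTECT     ocs | module
#   JAVA_MAJOR  8, 11 or 17
# Prints the command line; the caller runs it with eval or copies it.
build_cmd() {
    action=$1; protect=$2; java_major=$3; keystore=$4; passphrase=${5-}
    cmd=java
    # Java 11 and 17 need the nShield provider on the module path;
    # Java 8 takes no extra option.
    [ "$java_major" -ge 11 ] && cmd="$cmd --module-path $NFAST_CLASSES"
    case $protect in
        module)
            # Module protection: there is no passphrase, so tell the
            # provider to ignore it and never pass -storepass.
            cmd="$cmd -Dprotect=module -DignorePassphrase=true $KEYTOOL_MAIN $action" ;;
        ocs)
            # OCS protection: the OCS passphrase travels in -storepass.
            [ -n "$passphrase" ] || { echo "ocs protection needs a passphrase" >&2; return 1; }
            cmd="$cmd $KEYTOOL_MAIN $action -storepass '$passphrase'" ;;
        *)
            echo "unknown protection type: $protect" >&2; return 1 ;;
    esac
    cmd="$cmd -storetype nCipher.sworld"
    # -sigalg is always explicit: the MD5withRSA default is unavailable
    # on firmware 2.33.60 and later.
    if [ "$action" = -genkey ]; then
        cmd="$cmd -keyalg RSA -sigalg SHA1withRSA"
    fi
    echo "$cmd -keystore $keystore"
}

# Usage (assumed script name; skipped when run without arguments):
#   ./nshield-keytool.sh module 17 /path/to/keystore
#   ./nshield-keytool.sh ocs 11 /path/to/keystore 'ocs-passphrase'
if [ "$#" -ge 3 ]; then
    eval "$(build_cmd -genkey "$@")"
    # Re-open the KeyStore and list it to confirm the entry was created.
    eval "$(build_cmd -list "$@")"
fi
```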