keytool

You can use either the Oracle keytool utility or the IBM keytool utility to read and edit an nShield KeyStore. These utilities are shipped with the Oracle and IBM JVMs. You must specify the correct nCipher.sworld KeyStore type when you run the keytool utility, and you must specify the correct package name for the Oracle or IBM keytool utility.

To generate a new key in an OCS-protected KeyStore with the Oracle or IBM keytool utility, run the appropriate command:

  • Sun Microsystems keytool utility:

    For Java 11 and Java 17, use the following command:

    java --module-path /opt/nfast/java/classes sun.security.tools.keytool.Main -genkey -storetype nCipher.sworld -keyalg RSA -sigalg SHA1withRSA -storepass <KeyStore_passphrase> -keystore <KeyStore_path>

    For Java 8, use the following command:

    java sun.security.tools.keytool.Main -genkey -storetype nCipher.sworld -keyalg RSA -sigalg SHA1withRSA -storepass <KeyStore_passphrase> -keystore <KeyStore_path>

  • IBM keytool utility:

    java com.ibm.crypto.tools.KeyTool -genkey -storetype nCipher.sworld -keyalg RSA -
sigalg SHA1withRSA -storepass <KeyStore_passphrase> -keystore <KeyStore_path>

In these example commands, <KeyStore_passphrase> is the passphrase for the OCS that protects the KeyStore and <KeyStore_path> is the path to that KeyStore.

To generate a new key in a module-protected KeyStore with the Oracle or IBM keytool utility, run the appropriate command:

  • Sun Microsystems keytool utility:

    For Java 11 and Java 17, use the following command:

    java --module-path /opt/nfast/java/classes -Dprotect=module -DignorePassphrase=true sun.security.tools.keytool.Main -genkey -storetype nCipher.sworld -keyalg RSA -sigalg SHA1withRSA -keystore <KeyStore_path>

    For Java 8, use the following command:

    java -Dprotect=module -DignorePassphrase=true sun.security.tools.KeyTool -genkey -storetype nCipher.sworld -keyalg RSA -sigalg SHA1withRSA -keystore <KeyStore_path>

  • IBM keytool utility:

    java -Dprotect=module -DignorePassphrase=true com.ibm.crypto.tools.KeyTool -genkey -storetype nCipher.sworld -keyalg RSA -sigalg SHA1withRSA -keystore <KeyStore_path>

In these example commands, <KeyStore_path> is the path to the KeyStore.

By default, the keytool utilities use the MD5withRSA signature algorithm to sign certificates used with a KeyStore. This signature mechanism is unavailable on modules with firmware version 2.33.60 or later.