StrongAuth, Inc.'s StrongKey
Symmetric Key Management System software
--------------------------------------------------------
Release Candidate 1.4 - April 16, 2009
------------------------------------------------
This release, available for download from
http://sourceforge.net/projects/strongkey/., implements a two new features.
- It is now possible to use a different password for the private-keys of digital certificates in JKS keystores, from the password of the keystore itself. In previous releases, StrongKey assumes that the password of the JKS keystore and all cryptographic keys inside the keystore were identical. Now, they can be separated. Use of this feature requires changing the following properties:
'symkey.skcl.config.jceprovider.skcl.keystore.samepasswordforcert'
'symkey.skcl.config.jceprovider.xwss.keystore.samepasswordforcert'
'symkey.sks.config.jceprovider.sks.keystore.samepasswordforcert'
'symkey.sks.config.jceprovider.xwss.keystore.samepasswordforcert'
'symkey.skcl.config.jceprovider.skcl.certificateDNPassword'
'symkey.skcl.config.jceprovider.xwss.certificateDNPassword'
'symkey.sks.config.jceprovider.sks.certificateDNPassword'
'symkey.sks.config.jceprovider.xwss.certificateDNPassword'
The default value for all '*samepasswordforcert' properties is 'true', indicating that the password for the keystore and the appropriate private-key is the same (note that the XWSS entries are used by the underlying WSS layer for message-level security, while the non-XWSS entries are used by StrongKey directly. It is possible to have unique keys/certificates for each of these 4 entries, unlike the samples included in StrongKey that share keys/certificates between XWSS and StrongKey).
To use a different password for the XWSS private-key on the client, change the setting from 'true' to 'false for the property: 'symkey.skcl.config.jceprovider.xwss.keystore.samepasswordforcert' and set the new private-key password for the property entry: 'symkey.skcl.config.jceprovider.xwss.certificateDNPassword'. It is necessary to restart the server at that point so that the software reloads the new values. - The xenc utility implements key-rotation and shows how this is accomplished using StrongKey. While key-rotation was always possible with StrongKey even in 1.0, the xenc utility did not explicitly show how it could be accomplished. The source code for xenc now shows key-rotation for file, directories and for database-columns. With StrongKey, a key-rotation utility can rotate keys even while the primary application continues to run.
NOTE: This release has been tested with the 32-bit JDK1.5.0_15 on RHEL 5.2, t.3, CentOS 5.2 and Fedora 9. It does NOT work with JDK 1.5.0_17 since the Sun Application server does not work with the 1.5.0_17 release of JDK. If you're having trouble installing JWSDP 2.0, you'll find the answer here:
http://forums.sun.com/thread.jspa?threadID=527889&start=10&tstart=345BUG-ID: 3
SUMMARY: Printing of keystore password in logs
DESCRIPTION: The SecurityEnvironmentHandler.java had a logging entry that was printing the password to the JKS keystore after acquiring it. This entry has now been suppressed.
Cryptographic hashes for the distribution are as follows:
SHA1 Message-digests
-----------------------------
5bab33eff560d73ebfe90400abaa38170c3323dc strongkey-rc1.4-build-208.zip
96a6ee2d1dd5ad7af0d9196f91781d2490d6f194 strongkey-src-rc1.4-build-208.zip
SHA256 Message-digests
--------------------------------
e2222f49717dfa8f9115707eec2849259b86540f4ebd6a84075fe204efdb5f4d strongkey-rc1.4-build-208.zip
8ad6e045a2f78ee663644e97cc5a155d5a7f87805433942fe74e1f179095e8b0 strongkey-src-rc1.4-build-208.zip
As always, support on the distribution is available to registered users on this forum.
September 09, 2010, 06:34:06 AM
Author
