站内搜索: 请输入搜索关键词
当前页面: 在线文档首页 > Java Tutorial 5.0 英文版

Security-related Files Summary - Java Tutorial 5.0 英文版

The JavaTM Tutorial
Previous Page Lesson Contents Next Page Start of Tutorial > Start of Trail > Start of Lesson Search
Feedback Form

Trail: Security in Java 2 SDK 1.2
Lesson: Summaries

Security-related Files Summary

The security-related files that are built into JDK 1.2 are:
These built-in files all reside in the JRE security properties directory, 
java.home/lib/security/    (Solaris)
java.home\lib/security\    (Windows)
(Note: java.home indicates the directory into which the JRE was installed.)

The security-related files that you may optionally create are:

Each security-related file is described below.

The java.security Security Properties File

In the java.security security properties file, various security properties are set for use by classes in the java.security package.

This file specifies

  • provider package names, locations, and precedence orders.

  • the class to be instantiated as the Policy object that will determine which permissions are available for code from various sources.

  • URLs for the policy files to be loaded and utilized when making policy decisions (if the Policy object instantiated is one that utilizes policy files).

  • whether or not property file expansion should be allowed in policy files, for example, expanding ${java.home} to the value of the "java.home" property. (initially true)

  • whether or not an additional policy file can be specified on the command line with -Djava.security.policy=somefile. (initially true)

  • the default keystore type. (initially "jks", the proprietary keystore type created by Sun Microsystems)

See the file for further details. It is located at 
java.home/lib/security/java.security    (Solaris)
java.home\lib/security\java.security    (Windows)
(java.home indicates the directory into which the JRE was installed.)

The java.policy "System" Policy File

A policy file specifies which permissions are available for code from various sources.

The java.policy file is referred to as the "system" policy file meant to grant system-wide code permissions. The java.policy file installed with the JDK grants all permissions to standard extensions, allows anyone to listen on un-privileged ports, and allows any code to read certain "standard" properties, such as the "os.name" and "file.separator" properties.

If necessary, the system policy file can be modified, either by a text editor (it's an ASCII text file), or by the policytool. The latter doesn't require you to know the policy file format; using it saves typing and reduces errors.

The java.policy file is by default located at 

java.home/lib/security/java.policy	(Solaris)
java.home\lib/security\java.policy	(Windows)
(java.home indicates the directory into which the JRE was installed.)

Policy file locations are actually specified in the security properties file as the values of properties whose names are of the form 

policy.url.n=URL
where "n" is a number. The default system policy file is defined in the security properties file as 
policy.url.1=file:${java.home}/lib/security/java.policy

The cacerts Certificates Keystore File

The cacerts file represents a system-wide keystore with Certification Authority (CA) certificates. CAs are entities (for example, businesses) that are trusted to sign (issue) certificates for other entities.

System administrators can configure and manage the cacerts file using keytool, specifying "JKS" as the keystore type (a proprietary type defined by Sun Microsystems).

At this time, the cacerts keystore file ships with five VeriSign root CA certificates.

The cacerts file is located at 

java.home/lib/security/cacerts (Solaris)
java.home\lib/security\cacerts (Windows)
(java.home indicates the directory into which the JRE was installed.)
IMPORTANT: Verify Your cacerts File
Since you trust the CAs in the cacerts file as entities for signing and issuing certificates to other entities, you must manage the cacerts file carefully. The cacerts file should contain only certificates of the CAs you trust. It is your responsibility to verify the trusted root CA certificates bundled in the cacerts file and make your own trust decisions. To remove an untrusted CA certificate from the cacerts file, use the delete option of the keytool command. You can find the cacerts file in the JRE installation directory. Contact your system administrator if you do not have permission to edit this file.

The .java.policy or Other "User" Policy Files

If you would like to create one or more policy files for your own use, you may do so, using either a text editor (it's an ASCII text file), or the policytool. The latter doesn't require you to know the policy file format; using it saves typing and reduces errors.

The security properties file included with the JDK contains a "placeholder" line specifying a default name and location for one user policy file: 

policy.url.2=file:${user.home}/.java.policy
where ${user.home} is replaced at runtime by the user's "home" directory, as determined by the value of the "user.home" system property. On Solaris, the value is simply the user's home directory, such as /home/susanj. On Windows, given user name uName, the "user.home" property value defaults to 
C:\Winnt\Profiles\uName on multi-user Windows NT systems
C:\Windows\Profiles\uName on multi-user Windows 95 systems
C:\Windows on single-user Windows 95 systems

Thus, if the user name is "cathy", "user.home" defaults to 

C:\Winnt\Profiles\cathy on multi-user Windows NT systems
C:\Windows\Profiles\cathy on multi-user Windows 95 systems
C:\Windows on single-user Windows 95 systems

The specified file does not have to exist. But if you create a file of that name, in that location, the system will load it and use it when making policy decisions.

If you want to create a user policy file but name or locate it differently, simply edit that line in the security properties file appropriately.

If you want to have additional policy files as well, add a line for each, of the form 

policy.url.n=URL
where n is 3, 4, 5, and so on, and URL is the URL specification. Note: you can't have any gaps in the numbers, or the ones after the gap will be ignored.

Keystores

A keystore is a database of keys. Private keys in a keystore have a certificate chain associated with them, which authenticates the corresponding public key. A keystore also contains certificates from trusted entities. You need a keystore if
  • you want to generate public and private keys for yourself.

  • you want to use your private key to digitally sign files.

  • you want to export your public key certificate so others can verify digital signatures made using your corresponding private key.

  • you want to generate a Certificate Signing Request (CSR) to submit to a Certification Authority (CA). CAs are entities (for example, businesses) that are trusted to sign (issue) certificates for other entities. The CA will authenticate you, the requestor (usually off-line), and then will return a certificate, signed by them, authenticating your public key.

  • you want to import others' keys (for example, so you can verify their signatures) or a certificate reply from a CA.
Use the keytool tool to create and manage your keystore.

Previous Page Lesson Contents Next Page Start of Tutorial > Start of Trail > Start of Lesson Search
Feedback Form

Copyright 1995-2005 Sun Microsystems, Inc. All rights reserved.