Sun Java logo     Previous      Contents      Index      Next     

Sun logo
Sun ONE Directory Server Resource Kit 5.2 Tools Reference 

Chapter 30
Network Security Services

The Network Security Services are a set of open source libraries and tools used to implement and deploy applications for Internet security based on open standards. The security tools help to perform diagnostics, manage certificates, keys and cryptography modules, and debug SSL- and TLS-based applications. This chapter provides information on the tools. It contains the following sections:


Network Security Services (NSS), which is built on the same code base as the original Netscape Security Services, is available from as open source software. The NSS tools are introduced in this chapter. Each tool is briefly described, and followed by a URL from which you can access more complete documentation. The DSRK includes the NSS in the DSRK_base/lib/nss/ directory.


If you are unfamiliar with the concepts of Internet security, you should start with this overview at:

In addition to libraries and APIs, NSS provides security tools required for debugging, diagnostics, certificate and key management, cryptography module management, and other development tasks. The security tools are located in the DSRK_base/lib/nss/bin directory. In order to run them, you will need to add the following library locations to your LD_LIBRARY_PATH environment variable:


Security Standards

This section describes the security standards implemented by the NSS libraries and tools. More information and links to the official standards documents may be found on the Mozilla web site.

SSL v2 and v3    

The Secure Sockets Layer (SSL) protocol allows mutual authentication between a client and server and the establishment of an authenticated and encrypted connection.

TLS v1 (RFC 2246)    

The Transport Layer Security (TLS) protocol from the IETF (Internet Engineering Task Force) will eventually supersede SSL while remaining backward-compatible with SSL implementations.

PKCS (Public-Key Cryptography System) #1    

PKCS #1 is an RSA standard that governs implementation of public-key cryptography based on the RSA algorithm (invented by Rivest, Shamir, Aldeman). This algorithm is the basis for all other PKCS standards.

PKCS #3    

PKCS #3 is an RSA standard that governs implementation of the Diffie-Hellman key agreement.

PKCS #5    

PKCS #5 is an RSA standard that governs password-based cryptography. For example, it can be used to encrypt private keys for storage.

PKCS #7    

PKCS #7 is an RSA standard that governs the application of cryptography to data, such as for digital signatures.

PKCS #8    

PKCS #8 is an RSA standard that governs the storage and encryption of private keys.

PKCS #9    

PKCS #9 is an RSA standard that governs selected attribute types, including those used with PKCS #7, PKCS #8, and PKCS #10.

PKCS #10    

PKCS #10 is an RSA standard that governs the syntax for certificate requests.

PKCS #11    

PKCS #11 is an RSA standard that governs communication with cryptographic tokens (such as hardware accelerators and smart cards) and permits application independence from specific algorithms and implementations.

PKCS #12    

PKCS #12 is an RSA standard that governs the format used to store or transport private keys, certificates, and other secret material.

S/MIME (RFC 2311 and RFC 2633)    

S/MIME (Secure/Multipurpose Internet Mail Extensions) is an IETF message specification based on the popular MIME standard. It provides a consistent way to send and receive signed and encrypted MIME data.

X.509 v3    

This is an International Telecommunication Union (ITU) standard that governs the format of certificates used for authentication in public-key cryptography.

OCSP (RFC 2560)    

The Online Certificate Status Protocol (OCSP) governs real-time confirmation of certificate validity.

PKIX Certificate and CRL Profile (RFC 2459)    

The first part of the four-part standard under development by the Public-Key Infrastructure (X.509) working group of the IETF (known as PKIX) for a public-key infrastructure for the Internet.

AES, RSA, DSA, Triple DES, DES, Diffie-Hellman, RC2, RC4, SHA-1, MD2, MD5    

These are common cryptographic algorithms used in public-key and symmetric-key cryptography.

Managing Certificates and Keys

The tools described in this section store, retrieve and protect the keys and certificates on which encryption and identification rely. Understanding Certificates, a chapter from the documentation for Sun Microsystem’s discontinued Certificate Management System, provides information on how keys and certificates are used to protect data and identity in secure communication.


The Certificate Database Tool, certutil, is a command-line utility that can create and modify the cert7.db and key3.db database files. The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database. More information on certutil can be found at:


The cmsutil command-line utility uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages. It performs basic certificate management operations such as encrypting, decrypting, and signing messages. More information on cmsutil can be found at:


The Security Module Database Tool, modutil, is a command-line utility for managing the database of PKCS #11 modules (secmod.db files). You can use the tool to add and delete PKCS #11 modules, change passwords, set defaults, list module contents, enable or disable slots, enable or disable FIPS-140-1 compliance, and assign default providers for cryptographic operations. More information on modutil can be found at:


The pk12util command-line utility imports and exports both keys and certificates, defined by the PKCS #12 standard, to and from their respective database and file formats. More information on pk12util can be found at:


The signtool command creates signed jar archives containing files, code, or both. This command is fully documented in the documentation for Sun Microsystem’s discontinued Certificate Management System. This can be found at:


The signver tool verifies signatures on digitally-signed objects, such as jar files signed with signtool. This command is fully documented in the documentation for Sun Microsystem’s discontinued Certificate Management System. This can be found at:


The SSL Debugging Tool, ssltap, is an SSL-aware command-line proxy. It can proxy requests for an SSL server and display the contents of the messages exchanged between the client and server. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking. More information can be found at either of the following URLs:

Format Conversion Commands

The following are format conversion commands. More information can be found in the Sun ONE Certificate Server 4.7 Command-Line Tools Guide and by invoking the command without any arguments on the command-line.


atob converts ASCII base-64 encoded data to binary base-64 encoded data. It reads an encoded file, strips off any leading and trailing lines added by mailers, and recreates a copy of the original file on the standard output.


btoa converts binary base-64 encoded data to ASCII base-64 encoded data. It is a filter that reads anything from standard input, and encodes it into printable ASCII on the standard output. It also attaches a header and checksum information used by the reverse filter atob to find the start of the data and to check integrity.

Other Utilities

This section lists the remaining commands provided in the DSRK_base/lib/nss/bin directory. Minimal documentation detailing each tool’s options is available by invoking the command without any arguments. The tools are:

Previous      Contents      Index      Next     

Copyright 2004 Sun Microsystems, Inc. All rights reserved.