Chapter 30 Network Security Services

The Network Security Services are a set of open source libraries and tools used to implement and deploy applications for Internet security based on open standards. The security tools help to perform diagnostics, manage certificates, keys and cryptography modules, and debug SSL- and TLS-based applications. This chapter provides information on the tools. It contains the following sections:

Overview

Network Security Services (NSS), which is built on the same code base as the original Netscape Security Services, is available from mozilla.org as open source software. The NSS tools are introduced in this chapter. Each tool is briefly described, and followed by a URL from which you can access more complete documentation. The DSRK includes the NSS in the DSRK_base/lib/nss/ directory.



Note	If you are unfamiliar with the concepts of Internet security, you should start with this overview at: http://www.mozilla.org/projects/security/pki/nss/overview.html

In addition to libraries and APIs, NSS provides security tools required for debugging, diagnostics, certificate and key management, cryptography module management, and other development tasks. The security tools are located in the DSRK_base/lib/nss/bin directory. In order to run them, you will need to add the following library locations to your LD_LIBRARY_PATH environment variable:

Security Standards

This section describes the security standards implemented by the NSS libraries and tools. More information and links to the official standards documents may be found on the Mozilla web site.

The Secure Sockets Layer (SSL) protocol allows mutual authentication between a client and server and the establishment of an authenticated and encrypted connection.

The Transport Layer Security (TLS) protocol from the IETF (Internet Engineering Task Force) will eventually supersede SSL while remaining backward-compatible with SSL implementations.

PKCS #1 is an RSA standard that governs implementation of public-key cryptography based on the RSA algorithm (invented by Rivest, Shamir, Aldeman). This algorithm is the basis for all other PKCS standards.

PKCS #3 is an RSA standard that governs implementation of the Diffie-Hellman key agreement.

PKCS #5 is an RSA standard that governs password-based cryptography. For example, it can be used to encrypt private keys for storage.

PKCS #7 is an RSA standard that governs the application of cryptography to data, such as for digital signatures.

PKCS #8 is an RSA standard that governs the storage and encryption of private keys.

PKCS #9 is an RSA standard that governs selected attribute types, including those used with PKCS #7, PKCS #8, and PKCS #10.

PKCS #11 is an RSA standard that governs communication with cryptographic tokens (such as hardware accelerators and smart cards) and permits application independence from specific algorithms and implementations.

PKCS #12 is an RSA standard that governs the format used to store or transport private keys, certificates, and other secret material.

S/MIME (Secure/Multipurpose Internet Mail Extensions) is an IETF message specification based on the popular MIME standard. It provides a consistent way to send and receive signed and encrypted MIME data.

This is an International Telecommunication Union (ITU) standard that governs the format of certificates used for authentication in public-key cryptography.

The Online Certificate Status Protocol (OCSP) governs real-time confirmation of certificate validity.

The first part of the four-part standard under development by the Public-Key Infrastructure (X.509) working group of the IETF (known as PKIX) for a public-key infrastructure for the Internet.

These are common cryptographic algorithms used in public-key and symmetric-key cryptography.

Managing Certificates and Keys

The tools described in this section store, retrieve and protect the keys and certificates on which encryption and identification rely. Understanding Certificates, a chapter from the documentation for Sun Microsystem’s discontinued Certificate Management System, provides information on how keys and certificates are used to protect data and identity in secure communication.

certutil

The Certificate Database Tool, certutil, is a command-line utility that can create and modify the cert7.db and key3.db database files. The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database. More information on certutil can be found at:

cmsutil

The cmsutil command-line utility uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages. It performs basic certificate management operations such as encrypting, decrypting, and signing messages. More information on cmsutil can be found at:

modutil

The Security Module Database Tool, modutil, is a command-line utility for managing the database of PKCS #11 modules (secmod.db files). You can use the tool to add and delete PKCS #11 modules, change passwords, set defaults, list module contents, enable or disable slots, enable or disable FIPS-140-1 compliance, and assign default providers for cryptographic operations. More information on modutil can be found at:

pk12util

The pk12util command-line utility imports and exports both keys and certificates, defined by the PKCS #12 standard, to and from their respective database and file formats. More information on pk12util can be found at:

signtool

The signtool command creates signed jar archives containing files, code, or both. This command is fully documented in the documentation for Sun Microsystem’s discontinued Certificate Management System. This can be found at:

signver

The signver tool verifies signatures on digitally-signed objects, such as jar files signed with signtool. This command is fully documented in the documentation for Sun Microsystem’s discontinued Certificate Management System. This can be found at:

ssltap

The SSL Debugging Tool, ssltap, is an SSL-aware command-line proxy. It can proxy requests for an SSL server and display the contents of the messages exchanged between the client and server. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking. More information can be found at either of the following URLs:

Format Conversion Commands

atob

atob converts ASCII base-64 encoded data to binary base-64 encoded data. It reads an encoded file, strips off any leading and trailing lines added by mailers, and recreates a copy of the original file on the standard output.

btoa

btoa converts binary base-64 encoded data to ASCII base-64 encoded data. It is a filter that reads anything from standard input, and encodes it into printable ASCII on the standard output. It also attaches a header and checksum information used by the reverse filter atob to find the start of the data and to check integrity.

Other Utilities

This section lists the remaining commands provided in the DSRK_base/lib/nss/bin directory. Minimal documentation detailing each tool’s options is available by invoking the command without any arguments. The tools are:

bltest

makepqg

certcgi

newuser

rsaperf

checkcert

ocspclnt

sdrtest

client

oidcalc

selfserv

crlutil

p7content

strsclnt

derdump

p7env

tstclnt

digest

p7sign

instinit

p7verify

Previous Contents Index Next
Sun ONE Directory Server Resource Kit 5.2 Tools Reference