| Previous Contents Index Next |
| iPlanet Directory Server Resource Kit 5.1 Tools Reference |
Chapter 27 Security Tools
The Netscape Security Services (NSS) are a set of open source libraries and tools for implementing and deploying applications based on open standards for Internet security. The security tools help you perform diagnostics, manage certificates and keys, manage cryptography modules, and debug SSL- and TLS-based applications.The NSS security tools are only introduced in this chapter. Each tool is given a brief description followed by a URL to more complete documentation on the Mozilla or iPlanet web sites. If you are unfamiliar with the concepts of Internet security, you should start with the overview of the NSS project at the following URL:
The iPlanet Certificate Management System product relies on NSS to provide "a highly scalable, easily deployable certificate infrastructure for supporting encryption, authentication, tamper detection, and digital signatures in networked communications." You can use Certificate Management System to set up and manage your own public-key infrastructure or to deploy a public certification authority. For more information, see the following URLs:
- http://www.mozilla.org/projects/security/pki/nss/overview.html
This chapter contains the following sections:
- www.iplanet.com/products/iplanet_certificate/home_2_1_1ad.html
- docs.iplanet.com/docs/manuals/cms/42/adm_gide/contents.htm
Overview of Security Standards
Overview of Security Standards
This section gives an overview of all of the security standards implemented by the NSS libraries and tools. The following list is copied from the Mozilla web site (http://www.mozilla.org/projects/security/pki/nss/overview.html), and further links to the official standard documents may be found at the same location.
SSL v2 and v3 - The Secure Sockets Layer (SSL) protocol allows mutual authentication between a client and server and the establishment of an authenticated and encrypted connection.
TLS v1 (RFC 2246) - The Transport Layer Security (TLS) protocol from the IETF (Internet Engineering Task Force) will eventually supersede SSL while remaining backward-compatible with SSL implementations.
PKCS #1 - RSA standard that governs implementation of public-key cryptography based on the RSA algorithm (invented by Rivest, Shamir, Aldeman). This algorithm is the basis for all PKCS (Public-Key Cryptography System) standards.
PKCS #3 - RSA standard that governs implementation of Diffie-Hellman key agreement.
PKCS #5 - RSA standard that governs password-based cryptography, for example to encrypt private keys for storage.
PKCS #7 - RSA standard that governs the application of cryptography to data, such as for digital signatures.
PKCS #8 - RSA standard that governs the storage and encryption of private keys.
PKCS #9 - RSA standard that governs selected attribute types, including those used with PKCS #7, PKCS #8, and PKCS #10.
PKCS #10 - RSA standard that governs the syntax for certificate requests.
PKCS #11 - RSA standard that governs communication with cryptographic tokens (such as hardware accelerators and smart cards) and permits application independence from specific algorithms and implementations.
PKCS #12 - RSA standard that governs the format used to store or transport private keys, certificates, and other secret material.
S/MIME (RFC 2311 and RFC 2633) - IETF message specification based on the popular Multipurpose Internet Mail Extensions (MIME) standard and that provides a consistent way to send and receive signed and encrypted MIME data.
X.509 v3 - International Telecommunication Union (ITU) standard that governs the format of certificates used for authentication in public-key cryptography.
OCSP (RFC 2560) - The Online Certificate Status Protocol (OCSP) governs real-time confirmation of certificate validity.
PKIX Certificate and CRL Profile (RFC 2459) - The first part of the four-part standard under development by the Public-Key Infrastructure (X.509) working group of the IETF (known as PKIX) for a public-key infrastructure for the Internet.
AES, RSA, DSA, Triple DES, DES, Diffie-Hellman, RC2, RC4, SHA-1, MD2, MD5 - Common cryptographic algorithms used in public-key and symmetric-key cryptography.
Managing Certificates and Keys
The tools in this section store, retrieve and protect the keys and certificates on which encryption and identification rely. The following URL provides documentation about how keys and certificates are used to protect data and identity in secure communication:
The security tools are located in installDir /lib/nss/bin of your iPlanet DSRK installation. In order to run them, you will need to add the following library locations to your LD_LIBRARY_PATH environment variable:
- docs.iplanet.com/docs/manuals/security.html
- installDir /lib/nss/lib:installDir /lib
certutil
The certutil command manages certificate and key databases (cert7.db and key3.db files).See the following web site for more information:
- www.mozilla.org/projects/security/pki/nss/tools/certutil.html
cmsutil
The cmsutil command performs basic certificate management operations such as encrypting, decrypting, and signing messages.See the following web site for more information:
- www.mozilla.org/projects/security/pki/nss/tools/cmsutil.html
modutil
The modutil command manages the database of PKCS #11 modules (secmod.db files). It allows you to add new cryptography modules or modify the properties of existing modules, such as whether a module is the default provider of some cryptography service.See the following web site for more information:
- www.mozilla.org/projects/security/pki/nss/tools/modutil.html
pk12util
The pk12util command imports and exports both keys and certificates to and from their respective database and file formats defined by the PKCS #12 standard.See the following web site for more information:
- www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
signtool
The signtool command creates signed jar archives containing files, code, or both. This command is fully documented in the Certificate Management System.See the following web sites for more information:
- docs.iplanet.com/docs/manuals/cms/42/adm_gide/app_sign.htm
signver
The signver tool verifies signatures on digitally-signed objects, such as the jar files signed with signtool.See the following web site for more information:
- docs.iplanet.com/docs/manuals/security/signver/signver.htm
ssltap
The ssltap tool can proxy requests for an SSL server and display the contents of the messages exchanged between the client and server. The tool does not decrypt data, but it shows the type of SSL message, for example clientHello or serverHello, and connection data such as the protocol version and cipher suite. The ssltap tool is used for debugging SSL messages in the Certificate Management System.
- www.mozilla.org/projects/security/pki/nss/tools/ssltap.html
docs.iplanet.com/docs/manuals/cms/42/adm_gide/app_ssld.htm
Other Utilities
This section list the remaining, mostly undocumented commands provided with the iPlanet DSRK in the installDir /lib/nss/bin directory.The following format conversion commands are documented in docs.iplanet.com/docs/manuals/cms/42/adm_gide/app_tool.htm:
atob - Converts ASCII base-64 encoded data to binary base-64 encoded data.
The remaining tools have only command-line documentation available by invoking the command without any arguments:btoa - Converts binary base-64 encoded data to ASCII base-64 encoded data.
bltest
makepqg
pp
certcgi
newuser
rsaperf
checkcert
ocspclnt
sdrtest
client
oidcalc
selfserv
crlutil
p7content
strsclnt
derdump
p7env
tstclnt
digest
p7sign
instinit
p7verify
Previous Contents Index Next
Copyright 2002 Sun Microsystems, Inc.. All rights reserved.Last Updated April 15, 2002