The JavaTM Tutorial
Previous Page Lesson Contents Next Page Start of Tutorial > Start of Trail > Start of Lesson Search
Feedback Form

Trail: Security in Java 2 SDK 1.2
Lesson: Summaries

Security-related Files Summary

The security-related files that are built into JDK 1.2 are:
These built-in files all reside in the JRE security properties directory,
java.home/lib/security/    (Solaris)
java.home\lib/security\    (Windows)
(Note: java.home indicates the directory into which the JRE was installed.)

The security-related files that you may optionally create are:

Each security-related file is described below.

The java.security Security Properties File

In the java.security security properties file, various security properties are set for use by classes in the java.security package.

This file specifies

See the file for further details. It is located at
java.home/lib/security/java.security    (Solaris)
java.home\lib/security\java.security    (Windows)
(java.home indicates the directory into which the JRE was installed.)

The java.policy "System" Policy File

A policy file specifies which permissions are available for code from various sources.

The java.policy file is referred to as the "system" policy file meant to grant system-wide code permissions. The java.policy file installed with the JDK grants all permissions to standard extensions, allows anyone to listen on un-privileged ports, and allows any code to read certain "standard" properties, such as the "os.name" and "file.separator" properties.

If necessary, the system policy file can be modified, either by a text editor (it's an ASCII text file), or by the policytool. The latter doesn't require you to know the policy file format; using it saves typing and reduces errors.

The java.policy file is by default located at

java.home/lib/security/java.policy	(Solaris)
java.home\lib/security\java.policy	(Windows)
(java.home indicates the directory into which the JRE was installed.)

Policy file locations are actually specified in the security properties file as the values of properties whose names are of the form

policy.url.n=URL
where "n" is a number. The default system policy file is defined in the security properties file as
policy.url.1=file:${java.home}/lib/security/java.policy

The cacerts Certificates Keystore File

The cacerts file represents a system-wide keystore with Certification Authority (CA) certificates. CAs are entities (for example, businesses) that are trusted to sign (issue) certificates for other entities.

System administrators can configure and manage the cacerts file using keytool, specifying "JKS" as the keystore type (a proprietary type defined by Sun Microsystems).

At this time, the cacerts keystore file ships with five VeriSign root CA certificates.

The cacerts file is located at

java.home/lib/security/cacerts (Solaris)
java.home\lib/security\cacerts (Windows)
(java.home indicates the directory into which the JRE was installed.)

IMPORTANT: Verify Your cacerts File
Since you trust the CAs in the cacerts file as entities for signing and issuing certificates to other entities, you must manage the cacerts file carefully. The cacerts file should contain only certificates of the CAs you trust. It is your responsibility to verify the trusted root CA certificates bundled in the cacerts file and make your own trust decisions. To remove an untrusted CA certificate from the cacerts file, use the delete option of the keytool command. You can find the cacerts file in the JRE installation directory. Contact your system administrator if you do not have permission to edit this file.

The .java.policy or Other "User" Policy Files

If you would like to create one or more policy files for your own use, you may do so, using either a text editor (it's an ASCII text file), or the policytool. The latter doesn't require you to know the policy file format; using it saves typing and reduces errors.

The security properties file included with the JDK contains a "placeholder" line specifying a default name and location for one user policy file:

policy.url.2=file:${user.home}/.java.policy
where ${user.home} is replaced at runtime by the user's "home" directory, as determined by the value of the "user.home" system property. On Solaris, the value is simply the user's home directory, such as /home/susanj. On Windows, given user name uName, the "user.home" property value defaults to
C:\Winnt\Profiles\uName on multi-user Windows NT systems
C:\Windows\Profiles\uName on multi-user Windows 95 systems
C:\Windows on single-user Windows 95 systems

Thus, if the user name is "cathy", "user.home" defaults to

C:\Winnt\Profiles\cathy on multi-user Windows NT systems
C:\Windows\Profiles\cathy on multi-user Windows 95 systems
C:\Windows on single-user Windows 95 systems

The specified file does not have to exist. But if you create a file of that name, in that location, the system will load it and use it when making policy decisions.

If you want to create a user policy file but name or locate it differently, simply edit that line in the security properties file appropriately.

If you want to have additional policy files as well, add a line for each, of the form

policy.url.n=URL 
where n is 3, 4, 5, and so on, and URL is the URL specification. Note: you can't have any gaps in the numbers, or the ones after the gap will be ignored.

Keystores

A keystore is a database of keys. Private keys in a keystore have a certificate chain associated with them, which authenticates the corresponding public key. A keystore also contains certificates from trusted entities. You need a keystore if Use the keytool tool to create and manage your keystore.

Previous Page Lesson Contents Next Page Start of Tutorial > Start of Trail > Start of Lesson Search
Feedback Form

Copyright 1995-2002 Sun Microsystems, Inc. All rights reserved.