Showing posts with label configuration. Show all posts

2011/09/18

Using Smart Card as Keystore in Java, setup

Using a smart card as a key store promises stronger security compared to storing keys or certificates on a disk. This can be further improved by using a card reader with a PIN pad, an effective counter-measure against key loggers.

This article provides basic information on how to use a smart card as a key store for Java applications. You do not need an expensive card for this; a cheaper, specialized crypto-card will do. The installation instructions focus on Linux, as it is my preferred platform and the setup is a bit more complicated there than on Windows.

The stack

                 application
                      |
           java.security.Keystore
                      |
                     JVM
                      |
                PKCS11 provider
                      |
              PC/SC middleware
                      |
                    CCID
                      |
            USB smart card reader
                      |
                 smart card 

Installing Software
  1. Download a driver for your smart card reader from the manufacturer's page and install it.
  2. Download and install the PC/SC middleware, PCSC-Lite. It does not require any configuration if you use a USB reader.
  3. Get a PKCS11 provider for your card. You can use the open-source one (OpenSC) or the manufacturer's implementation, depending on which works better with Java.

Setting up the PKCS11 Token for Java

First you have to configure the PKCS11 provider for Java. Open $JAVA_HOME/jre/lib/security/java.security and look for the registered security providers: the lines starting with security.provider. Register a new provider by adding the line security.provider.9=sun.security.pkcs11.SunPKCS11 /etc/pkcs11_java.cfg . The Sun PKCS#11 provider integrates PKCS11 tokens with the Java platform by interfacing with a native library, usually delivered by the token manufacturer.

The configuration file named after the provider's fully qualified class name may contain various PKCS11 settings. Usually it contains only the three lines we can see in this setting for OpenSC:

name = OpenSC-PKCS11
description = SunPKCS11 via OpenSC
library = /usr/lib/opensc-pkcs11.so

The name entry serves as the name of the PKCS11 provider; description is, as far as I know, optional. The most important one is the library property: it contains the path to the PKCS11 implementation (the native library) we want to use.

Depending on the environment in which the application will run, you may also need to create a custom security policy. Note that the provider name is prefixed with "SunPKCS11-":

grant {
    permission java.security.SecurityPermission
        "authProvider.SunPKCS11-OpenSC-PKCS11";
};


In the second part we will see how to create key and certificate, load them into the card and use the key on card to sign and verify.
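As an added example (not part of the original post), the following Java program checks the setup described above: it confirms that the registered provider is visible to the JVM, logs in to the card, and lists the key entries, verifying that the private key material cannot be read out of the token. It assumes the provider name derived from the configuration file above and a reader without a PIN pad (the PIN is typed at the console).

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

public class SmartCardKeyStoreCheck {

    // "SunPKCS11-" + the "name" entry of /etc/pkcs11_java.cfg, as registered in java.security
    static final String PROVIDER_NAME = "SunPKCS11-OpenSC-PKCS11";

    public static void main(String[] args) throws Exception {
        Provider provider = Security.getProvider(PROVIDER_NAME);
        if (provider == null) {
            System.err.println(PROVIDER_NAME + " is not registered; check the security.provider.N line");
            System.exit(1);
        }

        // Read the PIN from the terminal instead of hard-coding it. With a PIN-pad reader the
        // middleware prompts on the pad instead and a null password is passed (assumption: the
        // token advertises a protected authentication path).
        Console console = System.console();
        char[] pin = (console != null) ? console.readPassword("Card PIN: ") : null;

        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        try {
            ks.load(null, pin);   // no file: the "keystore" is the token in the reader
        } finally {
            if (pin != null) Arrays.fill(pin, '\0');   // wipe the PIN once the token is logged in
        }

        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate only");
                continue;
            }
            // The password argument is ignored by SunPKCS11; the token login above covers it.
            PrivateKey key = (PrivateKey) ks.getKey(alias, null);
            // For a key generated on the card getEncoded() returns null: the private key material
            // never leaves the token, which is the point of using a smart card as the key store.
            boolean extractable = key.getEncoded() != null;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + ": " + key.getAlgorithm() + " key, extractable=" + extractable
                    + (cert == null ? "" : ", subject=" + cert.getSubjectX500Principal()
                                           + ", expires " + cert.getNotAfter()));
        }
    }
}
```

If every key entry reports extractable=false, signing with that key will happen on the card; an entry reporting true was imported as an extractable object and gives no advantage over a key file on disk.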

2011/09/13

Setting Firefox Preferences via Selenium 2 (WebDriver API)

I wanted to run Firefox from WebDriver with custom preferences. So I looked into the well-known about:config for the name of the option and, just to be sure, consulted the About:config entries section of the Mozilla Wiki.


With the name of the desired config option to change, the rest is a piece of cake:

import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxProfile;

FirefoxProfile profile = new FirefoxProfile();
profile.setPreference("dom.event.contextmenu.enabled", false); // same key as shown in about:config
WebDriver webDriver = new FirefoxDriver(profile);              // the browser starts with the modified profile

2010/02/10

Apache-Tomcat Communication via mod_jk

Ever wondered why to use mod_jk and how to set it up? The reason is simple: the Tomcat developers recommend it as the more mature option.

It certainly has better logging than mod_proxy_ajp, which helps a lot during troubleshooting or performance tuning. The ability to set the maximum packet size above 8 kB is also a plus for some deployments. As for performance, some tests showed a slight advantage of mod_jk over mod_proxy_ajp, but the main factor seemed to be the use of Tomcat's native module, regardless of which AJP module was used.

LoadModule jk_module /usr/lib/httpd/modules/mod_jk.so

# points to a file that provides a mapping between a worker name and a valid worker type
JkWorkersFile /etc/httpd/conf/worker.properties
JkLogFile /var/log/httpd/mod_jk.log

# allows log levels: debug, info, error
JkLogLevel   info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkRequestLogFormat      "%w %V %T"

# JkOptions - see http://tomcat.apache.org/connectors-doc/reference/apache.html

<Location /jkstatus/>
 JkMount status
 # The commented lines restrict the status worker to the local machine;
 # "Allow from all" as used below exposes it to every client.
 # Order deny,allow
 # Deny from all
 # Allow from 127.0.0.1
 Allow from all
</Location>

<VirtualHost *:80>
  # which URI contexts are sent to an ASF Tomcat worker - exact, context or suffix match
  JkMount /* tomcat1
</VirtualHost>

Note: JkMount must be defined in VirtualHost to work.

worker.properties:

worker.list=tomcat1
worker.tomcat1.type=ajp13
worker.tomcat1.host=localhost
worker.tomcat1.port=8009

## when using mpm prefork, the pool_size should be set to "1"
worker.tomcat1.connection_pool_size=1
worker.tomcat1.connection_pool_timeout=600
worker.tomcat1.socket_keepalive=1

# max_packet_size is a per-worker property; a bare max_packet_size line is not applied.
# Tomcat's AJP connector must use the same value (packetSize="65536" in server.xml).
worker.tomcat1.max_packet_size=65536


The JkWorkerProperty directive allows the content of the worker.properties file to be moved into the Apache configuration.