Java Code Signer Integration Guide

This guide shows administrators how to sign Java artifacts using a signing key generated on an HSM.

Java code signing is used to sign Java desktop applications, to digitally sign .jar files, and for Netscape Object signing recognized by the Java Runtime Environment (JRE). In Java, setting up your Code Signing Certificate consists of creating a keystore and a Certificate Signing Request (CSR), and then installing your code signing certificate file to the keystore where the CSR was generated.

The Java platform lets you digitally sign .jar files. The signer signs the .jar file using a private key. The corresponding public key is placed in the .jar file with its certificate, so that it is available for use by anyone who needs it to verify the signature. When the .jar file is signed, the user can timestamp the signature.
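The layout described above can be checked structurally. The following is an added example, not part of the original guide: it confirms that a .jar carries a signature file (.SF) and a signature block file, and that every entry matches the SHA-256 digest recorded in the manifest. The sample archive, the entry names and the `SIGNER` alias are constructed, and the check does not validate the signature or certificate itself, which `jarsigner -verify` does.

```python
import base64, hashlib, io, zipfile

BLOCK_EXTS = (".RSA", ".DSA", ".EC")  # signature block files: signature plus certificate

def parse_manifest(text):
    """Return {entry name: base64 SHA-256 digest} from the per-entry manifest sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    digests = {}
    for section in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in section.split("\n") if ": " in line)
        if "Name" in attrs:
            digests[attrs["Name"]] = attrs.get("SHA-256-Digest")
    return digests

def is_sig_file(name):
    """Manifest, .SF and block files directly under META-INF are not themselves digested."""
    u = name.upper()
    return u.startswith("META-INF/") and u.count("/") == 1 and (
        u == "META-INF/MANIFEST.MF" or u.endswith(".SF") or u.endswith(BLOCK_EXTS))

def audit_jar(data):
    """Report whether signature files exist and which entries the manifest does not cover."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        sf = [n for n in names if is_sig_file(n) and n.upper().endswith(".SF")]
        blocks = [n for n in names if is_sig_file(n) and n.upper().endswith(BLOCK_EXTS)]
        digests = {}
        if "META-INF/MANIFEST.MF" in names:
            digests = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        uncovered = []
        for n in names:
            if is_sig_file(n):
                continue
            actual = base64.b64encode(hashlib.sha256(jar.read(n)).digest()).decode()
            if digests.get(n) != actual:  # modified after signing, or never listed
                uncovered.append(n)
    return {"signed": bool(sf and blocks), "uncovered": sorted(uncovered)}

def build_sample(tamper=False):
    """Constructed sample .jar: one class entry plus placeholder signature files."""
    body = b"constructed class bytes"
    digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                f"Name: com/example/App.class\r\nSHA-256-Digest: {digest}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
        jar.writestr("META-INF/SIGNER.RSA", b"placeholder, not a real PKCS#7 block")
        jar.writestr("com/example/App.class", body + (b"!" if tamper else b""))
        if tamper:
            jar.writestr("com/example/Extra.class", b"added after signing")
    return buf.getvalue()
```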

This guide demonstrates how to complete Java code signing using a signing key generated on an HSM on Demand Service.

Using an HSM on Demand service to generate the RSA keys for Java code signing provides the following benefits:

- Secure generation, storage, and protection of the signing private keys on FIPS 140-2 Level 3 validated hardware.
- Full life cycle management of the keys.
- Improved performance by off-loading cryptographic operations from the signing servers.

This document contains the following sections:

- Preparing for the Integration
- Integrating Java Code Signing with an HSM on Demand Service

Third Party Application Details

This integration guide uses the following third-party applications:

- Java JDK 8

Supported Platforms

The following platforms are tested with SafeNet Data Protection On Demand:

| Platform | Java Version |
|---|---|
| RHEL 64-bit | JDK 8 |
| Windows Server 2016 | JDK 8 |