Previous | Next | Trail Map | Security in JDK 1.2  | Summaries

Tools Summary

Below is a brief summary of the security tools, with links to the more detailed documentation.

The keytool, jar, jarsigner, and policytool tools are available in JDK 1.2 to facilitate various security-related operations. (Note: the jar tool was also available in JDK 1.1.)

The keytool and jarsigner tools replace javakey, which was an interim tool introduced in JDK 1.1. These new tools provide more features than javakey, including the ability to protect the keystore and private keys with passwords, and the ability to verify signed JAR files in addition to generating them. The new keystore architecture replaces the identity database that javakey created and managed. It is possible to import the information from an identity database into a keystore, via a keytool command.

Key and Certificate Management Tool (keytool)

Use the Key and Certificate Management Tool (invoked by using the keytool command) to create public/private key pairs, issue certificate requests (which you send to the appropriate Certification Authority), import certificate replies (obtained from the Certification Authority you contacted), designate public keys belonging to other parties as trusted, and to manage your keystore.

Keys and certificates are used to digitally sign your applications and applets (see jarsigner below). A keystore is a protected database that holds keys and certificates for an enterprise. Access to a keystore is guarded by a password (defined at the time the keystore is created, by the person who creates the keystore, and changeable only when providing the current password). In addition, each private key in a keystore can be guarded by its own password.

The basic format of the command for invoking keytool is:

keytool command options
Sample commands are: Each command has a number of options, some of which are required, and some of which have default values if not specified.

There are three options that may appear for all commands operating on a keystore:

Other sample options are:

Examples of the use of keytool are shown in the Signing Code and Granting It Permissions(in the Java Security 1.2 trail) and Exchanging Files(in the Java Security 1.2 trail) lessons.

Java Archive Tool (jar)

Use the Java Archive Tool (invoked by using the jar command) to create JAR files.

The Java Archive (JAR) file format enables you to bundle multiple files into a single archive file. Typically a JAR file will contain the class files and auxiliary resources associated with applets and applications. When you want to "digitally sign" code, you use the jar tool to place it in a JAR file and the jarsigner tool to sign the JAR file (after generating or importing appropriate keys into your keystore using keytool).

The basic format of the command for creating a JAR file is:

jar cf jar-file input-file(s)
Let's look at the options and arguments used in this command:

The c and f options can appear in either order, but there must not be any space between them.

You can add a number of additional options to the cf options of the basic command. One we'll use in our lessons is the v option:

See the The Java Archive (JAR) File Format(in the Learning the Java Language trail) trail for more information about JAR files and the jar tool. Also see the Signing Code and Granting It Permissions(in the Java Security 1.2 trail) and Exchanging Files(in the Java Security 1.2 trail) lessons for examples of the use of the jar tool.

JAR Signing and Verification Tool (jarsigner)

Use the JAR Signing and Verification Tool (invoked by using the jarsigner command) to sign JAR files, or to verify signatures on signed JAR files.

The jarsigner tool accesses a keystore that is created and managed by keytool, when it needs to find the private key and its associated certificate chain to use when signing a JAR file. Since accesses to the keystore and to private keys are protected by passwords, only people who know the passwords will be able to access a key and use it to sign a JAR file. The jarsigner tool prompts for needed passwords.

The basic form of the command for signing a JAR file is

jarsigner options jar-file alias
In this command:

The jarsigner tool will prompt you for the passwords for the keystore and for the private key whose keystore entry is referenced by the alias.

This basic form of the command assumes that the keystore to be used is in a file named .keystore in your home directory. It will overwrite the original JAR file with the signed JAR file.

In practice, you may want to use this command in conjunction with one or more of the following options, which must precede the jar-file pathname:

See the Signing and Verifying JAR Files(in the Learning the Java Language trail) lesson of the Java Archive (JAR) File Format trail for more information about the JAR Signing and Verification Tool. Also see the Exchanging Files(in the Java Security 1.2 trail) lessons for examples of the use of the jarsigner tool.

Policy Tool (policytool) GUI tool

Use the Policy Tool (invoked by using the policytool command) to create and modify the external policy configuration files that define your installation's security policy.

This tool has a Graphical User Interface, so you select buttons and other options rather than type in commands as for the other tools. See the Quick Tour of Controlling Applets(in the Java Security 1.2 trail) , Quick Tour of Controlling Applications(in the Java Security 1.2 trail) , and Signing Code and Granting It Permissions(in the Java Security 1.2 trail) lessons for examples of the use of the policytool.

Online Tools Documentation

Complete documentation for the security tools is available on the public java.sun.com web site:


Previous | Next | Trail Map | Security in JDK 1.2  | Summaries