Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Intended Audience
• Documentation Accessibility
• Related Documents
• Conventions

What's New in Oracle Security Developer Tools?

• New Features for Release 11g (11.1.1)
• Oracle SAML Changes

1 Introduction to Oracle Security Developer Tools

• 1.1 Cryptography
  • 1.1.1 Types of Cryptographic Algorithms
    • 1.1.1.1 Symmetric Cryptographic Algorithms
    • 1.1.1.2 Asymmetric Cryptographic Algorithms
    • 1.1.1.3 Hash Functions
  • 1.1.2 Additional Cryptography Resources
• 1.2 Public Key Infrastructure (PKI)
  • 1.2.1 Key Pairs
  • 1.2.2 Certificate Authority
  • 1.2.3 Digital Certificates
  • 1.2.4 Related PKI Standards
  • 1.2.5 Benefits of PKI
• 1.3 Web Services Security
• 1.4 SAML
  • 1.4.1 SAML Assertions
  • 1.4.2 SAML Requests and Responses
    • 1.4.2.1 SAML Request and Response Cycle
    • 1.4.2.2 SAML Protocol Bindings and Profiles
    • 1.4.2.3 SAML and XML Security
• 1.5 Federation
• 1.6 Overview of Oracle Security Developer Tools
  • 1.6.1 Toolkit Architecture
  • 1.6.2 Supported Standards
  • 1.6.3 Oracle Crypto
  • 1.6.4 Oracle Security Engine
  • 1.6.5 Oracle CMS
  • 1.6.6 Oracle S/MIME
  • 1.6.7 Oracle PKI SDK
    • 1.6.7.1 Oracle PKI LDAP SDK
    • 1.6.7.2 Oracle PKI TSP SDK
    • 1.6.7.3 Oracle PKI OCSP SDK
    • 1.6.7.4 Oracle PKI CMP SDK
  • 1.6.8 Oracle XML Security
  • 1.6.9 Oracle SAML
  • 1.6.10 Oracle Web Services Security
  • 1.6.11 Oracle Liberty SDK
  • 1.6.12 Oracle XKMS

2 Migrating to the JCE Framework

• 2.1 The JCE Framework
• 2.2 JCE Keys
  • 2.2.1 Converting an Existing Key Object to a JCE Key Object
• 2.3 JCE Certificates
  • 2.3.1 Switching to a JCE Certificate
• 2.4 JCE Certificate Revocation Lists (CRLs)
• 2.5 JCE Keystores
  • 2.5.1 Working with standard KeyStore-type Wallets
  • 2.5.2 Working with PKCS12 and PKCS8 Wallets

3 Oracle Crypto

• 3.1 Oracle Crypto Features and Benefits
  • 3.1.1 Oracle Crypto Packages
• 3.2 Setting Up Your Oracle Crypto Environment
  • 3.2.1 System Requirements for Oracle Crypto
  • 3.2.2 Setting the CLASSPATH Environment Variable
    • 3.2.2.1 Setting the CLASSPATH on Windows
    • 3.2.2.2 Setting the CLASSPATH on UNIX
• 3.3 Core Classes and Interfaces
  • 3.3.1 Keys
    • 3.3.1.1 The oracle.security.crypto.core.Key Interface
    • 3.3.1.2 The oracle.security.crypto.core.PrivateKey Interface
    • 3.3.1.3 The oracle.security.crypto.core.PublicKey Interface
    • 3.3.1.4 The oracle.security.crypto.core.SymmetricKey Class
  • 3.3.2 Key Generation
    • 3.3.2.1 The oracle.security.crypto.core.KeyPairGenerator Class
    • 3.3.2.2 The oracle.security.crypto.core.SymmetricKeyGenerator Class
  • 3.3.3 Ciphers
    • 3.3.3.1 Symmetric Ciphers
    • 3.3.3.2 The RSA Cipher
    • 3.3.3.3 Password Based Encryption
  • 3.3.4 Signatures
  • 3.3.5 Message Digests
    • 3.3.5.1 The oracle.security.crypto.core.MessageDigest Class
    • 3.3.5.2 The oracle.security.crypto.core.MAC Class
  • 3.3.6 Key Agreement
  • 3.3.7 Pseudo-Random Number Generators
    • 3.3.7.1 The oracle.security.crypto.core.RandomBitsSource class
    • 3.3.7.2 The oracle.security.crypto.core.EntropySource class
• 3.4 The Oracle Crypto Java API Reference
• 3.5 Example Programs

4 Oracle Security Engine

• 4.1 Oracle Security Engine Features and Benefits
  • 4.1.1 Oracle Security Engine Packages
• 4.2 Setting Up Your Oracle Security Engine Environment
  • 4.2.1 System Requirements for Oracle Security Engine
  • 4.2.2 Setting the CLASSPATH Environment Variable
    • 4.2.2.1 Setting the CLASSPATH on Windows
    • 4.2.2.2 Setting the CLASSPATH on UNIX
• 4.3 Core Classes and Interfaces
  • 4.3.1 The oracle.security.crypto.cert.X500RDN Class
  • 4.3.2 The oracle.security.crypto.cert.X500Name Class
  • 4.3.3 The oracle.security.crypto.cert.CertificateRequest Class
  • 4.3.4 The java.security.cert.X509Certificate Class
• 4.4 The Oracle Security Engine Java API Reference
• 4.5 Example Programs

5 Oracle CMS

• 5.1 Oracle CMS Features and Benefits
  • 5.1.1 Content Types
  • 5.1.2 Differences Between Oracle CMS Implementation and RFCs
• 5.2 Setting Up Your Oracle CMS Environment
  • 5.2.1 System Requirements
  • 5.2.2 Setting the CLASSPATH Environment Variable
    • 5.2.2.1 Setting the CLASSPATH on Windows
    • 5.2.2.2 Setting the CLASSPATH on UNIX
• 5.3 Developing Applications with Oracle CMS
  • 5.3.1 CMS Object Types
  • 5.3.2 Constructing CMS Objects using the CMS***ContentInfo Classes
    • 5.3.2.1 Abstract Base Class CMSContentInfo
    • 5.3.2.2 The CMSDataContentInfo Class
    • 5.3.2.3 The ESSReceipt Class
    • 5.3.2.4 The CMSDigestedDataContentInfo Class
    • 5.3.2.5 The CMSSignedDataContentInfo Class
    • 5.3.2.6 The CMSEncryptedDataContentInfo Class
    • 5.3.2.7 The CMSEnvelopedDataContentInfo Class
    • 5.3.2.8 The CMSAuthenticatedDataContentInfo Class
    • 5.3.2.9 Wrapped (Triple or more) CMSContentInfo Objects
  • 5.3.3 Constructing CMS Objects using the CMS***Stream and CMS***Connector Classes
    • 5.3.3.1 Limitations of the CMS***Stream and CMS***Connector Classes
    • 5.3.3.2 Difference between CMS***Stream and CMS***Connector Classes
    • 5.3.3.3 Using the CMS***OutputStream and CMS***InputStream Classes
    • 5.3.3.4 Wrapping (Triple or more) CMS***Connector Objects
• 5.4 The Oracle CMS Java API Reference
• 5.5 Example Programs

6 Oracle S/MIME

• 6.1 Oracle S/MIME Features and Benefits
• 6.2 Setting Up Your Oracle S/MIME Environment
  • 6.2.1 System Requirements for Oracle S/MIME
  • 6.2.2 Setting the CLASSPATH Environment Variable
    • 6.2.2.1 Setting the CLASSPATH on Windows
    • 6.2.2.2 Setting the CLASSPATH on UNIX
• 6.3 Developing Applications with Oracle S/MIME
  • 6.3.1 Core Classes and Interfaces
    • 6.3.1.1 The oracle.security.crypto.smime.SmimeObject Interface
    • 6.3.1.2 The oracle.security.crypto.smime.SmimeSignedObject Interface
    • 6.3.1.3 The oracle.security.crypto.smime.SmimeSigned Class
    • 6.3.1.4 The oracle.security.crypto.smime.SmimeEnveloped Class
    • 6.3.1.5 The oracle.security.crypto.smime.SmimeMultipartSigned Class
    • 6.3.1.6 The oracle.security.crypto.smime.SmimeSignedReceipt Class
    • 6.3.1.7 The oracle.security.crypto.smime.SmimeCompressed Class
  • 6.3.2 Supporting Classes and Interfaces
    • 6.3.2.1 The oracle.security.crypto.smime.Smime Interface
    • 6.3.2.2 The oracle.security.crypto.smime.SmimeUtils Class
    • 6.3.2.3 The oracle.security.crypto.smime.MailTrustPolicy Class
    • 6.3.2.4 The oracle.security.crypto.smime.SmimeCapabilities Class
    • 6.3.2.5 The oracle.security.crypto.smime.SmimeDataContentHandler Class
    • 6.3.2.6 The oracle.security.crypto.smime.ess Package
  • 6.3.3 Using the Oracle S/MIME Classes
    • 6.3.3.1 Using the Abstract Class SmimeObject
    • 6.3.3.2 Signing Messages
    • 6.3.3.3 Creating "Multipart/Signed" Entities
    • 6.3.3.4 Creating Digital Envelopes
    • 6.3.3.5 Creating "Certificates-Only" Messages
    • 6.3.3.6 Reading Messages
    • 6.3.3.7 Authenticating Signed Messages
    • 6.3.3.8 Opening Digital Envelopes (Encrypted Messages)
    • 6.3.3.9 Adding Enhanced Security Services (ESS)
    • 6.3.3.10 Processing Enhanced Security Services (ESS)
• 6.4 The Oracle S/MIME Java API Reference
• 6.5 Example Programs

7 Oracle PKI SDK

• 7.1 Oracle PKI CMP SDK
  • 7.1.1 Oracle PKI CMP SDK Features and Benefits
    • 7.1.1.1 Package Overview for Oracle PKI CMP SDK
  • 7.1.2 Setting Up Your Oracle PKI CMP SDK Environment
    • 7.1.2.1 System Requirements for Oracle PKI CMP SDK
    • 7.1.2.2 Setting the CLASSPATH Environment Variable
  • 7.1.3 The Oracle PKI CMP SDK Java API Reference
  • 7.1.4 Example Programs
• 7.2 Oracle PKI OCSP SDK
  • 7.2.1 Oracle PKI OCSP SDK Features and Benefits
  • 7.2.2 Setting Up Your Oracle PKI OCSP SDK Environment
    • 7.2.2.1 System Requirements for Oracle PKI OCSP SDK
    • 7.2.2.2 Setting the CLASSPATH Environment Variable
  • 7.2.3 The Oracle PKI OCSP SDK Java API Reference
  • 7.2.4 Example Programs
• 7.3 Oracle PKI TSP SDK
  • 7.3.1 Oracle PKI TSP SDK Features and Benefits
    • 7.3.1.1 Class and Interface Overview for Oracle PKI TSP SDK
  • 7.3.2 Setting Up Your Oracle PKI TSP SDK Environment
    • 7.3.2.1 System Requirements for Oracle PKI TSP SDK
    • 7.3.2.2 Setting the CLASSPATH Environment Variable
  • 7.3.3 The Oracle PKI TSP SDK Java API Reference
  • 7.3.4 Example Programs
• 7.4 Oracle PKI LDAP SDK
  • 7.4.1 Oracle PKI LDAP SDK Features and Benefits
    • 7.4.1.1 Class Overview for Oracle PKI LDAP SDK
  • 7.4.2 Setting Up Your Oracle PKI LDAP SDK Environment
    • 7.4.2.1 System Requirements for Oracle PKI LDAP SDK
    • 7.4.2.2 Setting the CLASSPATH Environment Variable
  • 7.4.3 The Oracle PKI LDAP SDK Java API Reference
  • 7.4.4 Example Programs

8 Oracle XML Security

• 8.1 Oracle XML Security Features and Benefits
  • 8.1.1 Supported Algorithms
  • 8.1.2 Oracle XML Security API
• 8.2 Setting Up Your Oracle XML Security Environment
• 8.3 How Data is Signed
  • 8.3.1 Identify What to Sign
    • 8.3.1.1 Determine the Signature Envelope
    • 8.3.1.2 Decide How to Sign Binary Data
    • 8.3.1.3 Sign Multiple XML Fragments with a Signature
    • 8.3.1.4 Exclude Elements from a Signature
  • 8.3.2 Decide on a Signing Key
    • 8.3.2.1 Set Up Key Exchange
    • 8.3.2.2 Provide a Receiver Hint
• 8.4 How Data is Verified
• 8.5 How Data is Encrypted
  • 8.5.1 Identify what to Encrypt
    • 8.5.1.1 The Content Only Encryption Mode
    • 8.5.1.2 Encrypting Binary Data
  • 8.5.2 Decide on the Encryption Key
• 8.6 How Data is Decrypted
• 8.7 About Element Wrappers in the Oracle Security Developer Tools XML APIs
  • 8.7.1 Construct the Wrapper Object
  • 8.7.2 Obtain the DOM Element from the Wrapper Object
  • 8.7.3 Parse Complex Elements
  • 8.7.4 Construct Complex Elements
• 8.8 How to Sign Data with the Oracle XML Security API
  • 8.8.1 Basic Procedure to Create a Detached Signature
  • 8.8.2 Variations on the Basic Signing Procedure
    • 8.8.2.1 Multiple References
    • 8.8.2.2 Enveloped Signature
    • 8.8.2.3 XPath Expression
    • 8.8.2.4 Certificate Hint
    • 8.8.2.5 Sign with HMAC Key
• 8.9 How to Verify Signatures with the Oracle XML Security API
  • 8.9.1 Basic Procedure to Check What is Signed
  • 8.9.2 Set Up Callbacks
  • 8.9.3 Write a Custom Key Retriever
  • 8.9.4 Check What is Signed
  • 8.9.5 Verify the Signature
    • 8.9.5.1 If Callbacks are Set Up
    • 8.9.5.2 If Callbacks are Not Set Up
    • 8.9.5.3 Debugging Verification
• 8.10 How to Encrypt Data with the Oracle XML Security API
  • 8.10.1 Encrypt with a Shared Symmetric Key
  • 8.10.2 Encrypt with a Random Symmetric Key
• 8.11 How to Decrypt Data with the Oracle XML Security API
  • 8.11.1 Decrypt with a Shared Symmetric Key
  • 8.11.2 Decrypt with a Random Symmetric Key
• 8.12 Supporting Classes and Interfaces
  • 8.12.1 The oracle.security.xmlsec.util.XMLURI Interface
  • 8.12.2 The oracle.security.xmlsec.util.XMLUtils class
• 8.13 Common XML Security Questions
• 8.14 Best Practices
• 8.15 The Oracle XML Security Java API Reference
• 8.16 Example Programs

9 Oracle SAML

• 9.1 Oracle SAML Features and Benefits
• 9.2 Oracle SAML 1.0/1.1
  • 9.2.1 Oracle SAML 1.0/1.1 Packages
  • 9.2.2 Setting Up Your Oracle SAML 1.0/1.1 Environment
    • 9.2.2.1 System Requirements for Oracle SAML 1.0/1.1
    • 9.2.2.2 Setting the CLASSPATH Environment Variable
  • 9.2.3 Classes and Interfaces
    • 9.2.3.1 Core Classes
    • 9.2.3.2 Supporting Classes and Interfaces
  • 9.2.4 The Oracle SAML 1.0/1.1 Java API Reference
  • 9.2.5 Example Programs
• 9.3 Oracle SAML 2.0
  • 9.3.1 Oracle SAML 2.0 Packages
  • 9.3.2 Setting Up Your Oracle SAML 2.0 Environment
    • 9.3.2.1 System Requirements for Oracle SAML 2.0
    • 9.3.2.2 Setting the CLASSPATH Environment Variable
  • 9.3.3 Classes and Interfaces
    • 9.3.3.1 Core Classes
    • 9.3.3.2 Supporting Classes and Interfaces
  • 9.3.4 The Oracle SAML 2.0 Java API Reference
  • 9.3.5 Example Programs

10 Oracle Web Services Security

• 10.1 Setting Up Your Oracle Web Services Security Environment
• 10.2 Classes and Interfaces
  • 10.2.1 Element Wrappers
  • 10.2.2 The <wsse:Security> header
    • 10.2.2.1 Outgoing Messages
    • 10.2.2.2 Incoming Messages
  • 10.2.3 Security Tokens (ST)
    • 10.2.3.1 Creating a Username Token
    • 10.2.3.2 Creating an X509 Token
    • 10.2.3.3 Creating a Kerberos Token
    • 10.2.3.4 Creating a SAML Assertion Token
  • 10.2.4 Security Token References (STR)
    • 10.2.4.1 Creating a direct reference STR
    • 10.2.4.2 Creating a Reference STR for a username token
    • 10.2.4.3 Creating a Reference STR for a X509 Token
    • 10.2.4.4 Creating a Reference STR for Kerberos Token
    • 10.2.4.5 Creating a Reference STR for a SAML Assertion token
    • 10.2.4.6 Creating a Reference STR for an EncryptedKey
    • 10.2.4.7 Creating a Reference STR for a generic token
    • 10.2.4.8 Creating a Key Identifier STR
    • 10.2.4.9 Creating a KeyIdentifier STR for an X509 Token
    • 10.2.4.10 Creating a KeyIdentifier STR for a Kerberos Token
    • 10.2.4.11 Creating a KeyIdentifier STR for a SAML Assertion Token
    • 10.2.4.12 Creating a KeyIdentifier STR for an EncryptedKey
    • 10.2.4.13 Adding an STRTransform
  • 10.2.5 Signing and Verifying
    • 10.2.5.1 Signing SOAP Messages
    • 10.2.5.2 Verifying SOAP Messages
    • 10.2.5.3 Confirming Signatures
  • 10.2.6 Encrypting and Decrypting
    • 10.2.6.1 Encrypting SOAP messages with EncryptedKey
    • 10.2.6.2 Encrypting SOAP messages without EncryptedKey
    • 10.2.6.3 Encrypting SOAP Headers into an EncryptedHeader
    • 10.2.6.4 Decrypting SOAP messages with EncryptedKey
    • 10.2.6.5 Decrypting SOAP messages without EncryptedKey
• 10.3 The Oracle Web Services Security Java API Reference
• 10.4 Example Programs

11 Oracle Liberty SDK

• 11.1 Oracle Liberty SDK Features and Benefits
• 11.2 Oracle Liberty 1.1
  • 11.2.1 Setting Up Your Oracle Liberty 1.1 Environment
    • 11.2.1.1 System Requirements for Oracle Liberty 1.1
    • 11.2.1.2 Setting the CLASSPATH Environment Variable
  • 11.2.2 Overview of Oracle Liberty 1.1 Classes and Interfaces
    • 11.2.2.1 Core Classes and Interfaces
    • 11.2.2.2 Supporting Classes and Interfaces
  • 11.2.3 The Oracle Liberty SDK 1.1 API Reference
  • 11.2.4 Example Programs
• 11.3 Oracle Liberty 1.2
  • 11.3.1 Setting Up Your Oracle Liberty 1.2 Environment
    • 11.3.1.1 System Requirements for Oracle Liberty 1.2
    • 11.3.1.2 Setting the CLASSPATH Environment Variable
  • 11.3.2 Overview of Oracle Liberty 1.2 Classes and Interfaces
    • 11.3.2.1 Core Classes and Interfaces
    • 11.3.2.2 Supporting Classes and Interfaces
  • 11.3.3 The Oracle Liberty SDK 1.2 API Reference
  • 11.3.4 Example Programs

12 Oracle XKMS

• 12.1 Oracle XKMS Features and Benefits
  • 12.1.1 Oracle XKMS Packages
• 12.2 Setting Up Your Oracle XKMS Environment
  • 12.2.1 System Requirements for Oracle XKMS
  • 12.2.2 Setting the CLASSPATH Environment Variable
    • 12.2.2.1 Setting the CLASSPATH on Windows
    • 12.2.2.2 Setting the CLASSPATH on UNIX
• 12.3 Core Classes and Interfaces
  • 12.3.1 oracle.security.xmlsec.xkms.xkiss.LocateRequest
  • 12.3.2 oracle.security.xmlsec.xkms.xkiss.LocateResult
  • 12.3.3 oracle.security.xmlsec.xkms.xkiss.ValidateRequest
  • 12.3.4 oracle.security.xmlsec.xkms.xkiss.ValidateResult
  • 12.3.5 oracle.security.xmlsec.xkms.xkrss.RecoverRequest
  • 12.3.6 oracle.security.xmlsec.xkms.xkrss.RecoverResult
• 12.4 The Oracle XKMS Java API Reference
• 12.5 Example Programs

A References

Glossary

Index