This tutorial will enable you to write Trusted Computing enabled software in Java by using and testing JSR321, based on IAIK's reference implementation. Specifically, it will guide you to
This guide is written for Windows Vista and later, and for derivatives of Debian Linux.
In this section we provide an overview of the system architecture of the reference implementation. The following components are needed.
We will now walk you through all layers and show you how to configure your system for JSR321. Please follow all steps in the given order, as each component depends on its predecessor.
Install a Java Runtime Environment or, even better, a Java Development Kit, version 1.5 or higher. Make sure that you can call java from your command console; otherwise add the JRE's bin directory to your PATH. The jTSS core service requires a 64-bit JRE on 64-bit Windows.
To make full use of the cryptographic capabilities of the JCE, the Unlimited Strength Jurisdiction Policy Files may need to be installed. jTSS needs them to be able to handle some TPM RSA keys. If you experience errors like "Illegal key size or default parameters" or permission problems when initializing a JCE provider, chances are high that these policy files are not (or not correctly) installed. Note that JSR321 itself does not require the unlimited strength policies, but some Java configurations might still need this workaround.
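The following check is an added example, not part of the original tutorial or of jTSS: it tells you whether the limited JCE policy is active before you ever touch the TPM. It relies only on the standard javax.crypto API (Cipher.getMaxAllowedKeyLength returns Integer.MAX_VALUE under the unlimited policy) and reproduces the "Illegal key size" error by trying to initialise an AES cipher with a 256-bit key; the zero key and IV are constructed test data with no cryptographic purpose.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Diagnoses whether the Unlimited Strength Jurisdiction Policy Files are
 * active in the JRE that will later run jTSS / JSR321 code.
 * Added example; not part of jTSS or the JSR321 reference implementation.
 */
public class JcePolicyCheck {

    /** True when the JCE imposes no limit on AES key lengths (unlimited policy). */
    public static boolean isUnlimitedStrength() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    /**
     * Tries to initialise AES with a 256-bit key. Under the limited policy
     * this throws InvalidKeyException("Illegal key size or default parameters"),
     * the same message the tutorial mentions. Returns the error text, or null
     * when the key size is accepted.
     */
    public static String probeStrongKey() throws Exception {
        byte[] constructedKey = new byte[32];  // constructed all-zero test key, 256 bit
        byte[] constructedIv = new byte[16];   // constructed all-zero test IV
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(constructedKey, "AES"),
                    new IvParameterSpec(constructedIv));
            return null;
        } catch (InvalidKeyException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length: "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        String error = probeStrongKey();
        if (error == null) {
            System.out.println("256-bit AES accepted: unlimited strength policy is active.");
        } else {
            System.out.println("256-bit AES rejected: " + error);
            System.out.println("Install the Unlimited Strength Jurisdiction Policy Files "
                    + "into the lib/security directory of the JRE that runs jTSS.");
        }
    }
}
```

Run it with the same java binary you intend to use for jTSS, since each installed JRE carries its own policy files; on Java 8u161 and later the unlimited policy is the default and the probe simply reports success.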
First you need to turn on the TPM, as it usually ships deactivated. Computer manufacturers and Microsoft provide detailed how-to instructions for enabling and using the TPM. In general, you need to boot into the BIOS and enable the TPM chip there; it is sometimes also called "Security Device".
Modern Linux distributions and Microsoft Windows should now detect the TPM hardware and load the driver. In Windows, a "Trusted Platform Module 1.2" device shows up in the Device Manager. In Linux, ls /dev/tpm* should list at least one block device, which may be accessed by the user root.
Download the latest version of jTSS (at least 0.7) from trustedJava. Extract the archive and launch the installer for your operating system.
For Windows, launch setup.exe in the windows folder and follow the instructions. The test program should start automatically at the end of setup.
On Linux, jTSS provides a Debian package in the deb folder. Debian installation packages are supported on several popular Linux distributions, including Ubuntu. On Ubuntu the package dependencies are jsvc and libcommons-daemon-java, which should be installed first; the jTSS package itself is then installed by $ sudo dpkg -i jtss_*_all.deb. For other Linux derivatives, or if you encounter any problems, you may need to follow the manual installation guidelines found in the TrustedJava jTSS Documentation.
We can now test the jTSS installation with the simple GUI tool started at the end of setup. On Linux, launch /usr/share/jtss/tests/run_tests_simple.sh manually; on Windows, run C:\Program Files\JTSS\tests\run_tests_simple.cmd (java.exe needs to be on the PATH).
A successful test looks like the picture on the right.
We will now take ownership of the TPM.
Linux users should download the latest version (0.7 or higher) of IAIK jTpmTools (jTT) and install it on their system (a Debian package is provided). For Windows, extract the *.tar.gz file using your favorite (de-)compression tool, like WinRAR, to a directory of your choice.
jTT also requires the IAIK JCE provider to be placed in its ext_libs folder. You can download an evaluation version from Stiftung SIC.
First, test the installation and learn the version of your TPM.
Then choose an ownership password that is used to identify the owner of the platform, and execute the following command. It creates a Storage Root Key protected with TSS_WELL_KNOWN_SECRET (20 bytes of zero) and injects the owner passphrase into the TPM.
jtt take_owner -o YourOwnerPassphrase
Windows users can either use jTT analogously (manual installation required) or simply follow the Windows Trusted Platform Module Management Step-by-Step Guide to initialize the TPM and take ownership. Note that the default configuration of Windows blocks some TPM commands at driver level, among them the commands for quoting and PCR access. You have to use the Group Policy Editor to unblock these functions: run gpedit.msc | Computer Configuration | Administrative Templates | System | Trusted Platform Module Services | Ignore the default list of blocked TPM commands = Enabled.
If taking ownership succeeded, your TPM can now be accessed by Java applications, provided they use the right set of libraries.
Depending on your project or application, a number of configuration settings need to be made in your Java environment.
Any Java application or project using the jTSS TSP requires the following libraries on its classpath. jTSS provides all these files in its /lib and /ext_libs folders. See the jTSS documentation for more information and detailed license terms.
iaik_jtss_tsp.jar iaik_jtss_tsp_soap.jar activation.jar axis-ant.jar axis.jar commons-discovery-0.2.jar commons-logging-1.0.4.jar jaxrpc.jar log4j-1.2.8.jar mail.jar saaj.jar wsdl4j-1.5.1.jar xerces.jar hsqldbmin.jar
Get the API definition from http://jsr321.java.net. The archive also includes Javadoc which guides you through the API.
Get IAIK's JSR321 reference implementation and unzip the archive.
Add the JAR to your classpath. It is advisable to set the jsr321.tpmcontextimpl system property to the class name of your TPMContext implementation, for example:
java -cp YourClasspath -Djsr321.tpmcontextimpl=iaik.tc.jsr321.tpm.TPMContextImpl YourJavaApplication
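As an added example (not code from the tutorial, from jTSS or from the JSR321 reference implementation), the program below is the smallest JSR321 client that exercises the configuration above: it refuses to start if jsr321.tpmcontextimpl is unset, obtains the TPMContext through the API's factory, connects to the local TSS and reads the first PCR values. The class names TPMContext and TPM in javax.trustedcomputing.tpm and the methods getInstance(), connect(String), getTPM(), getPCRValue(int) and close() are taken from my reading of the JSR321 API and should be checked against the Javadoc shipped in the JSR321 archive; everything else is plain Java.

```java
import javax.trustedcomputing.tpm.TPM;
import javax.trustedcomputing.tpm.TPMContext;

/**
 * Minimal JSR321 client (added example, not part of jTSS or JSR321).
 *
 * Run with the jTSS TSP JARs and the JSR321 reference implementation on the
 * classpath, e.g.
 *   java -cp YourClasspath -Djsr321.tpmcontextimpl=iaik.tc.jsr321.tpm.TPMContextImpl PcrReader
 */
public class PcrReader {

    /** Number of PCRs to display; every TPM 1.2 has at least 16. */
    static final int PCRS_TO_SHOW = 8;

    /** Hex-encodes a PCR digest (20 bytes for a TPM 1.2) for display. */
    static String toHex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /**
     * Returns the configured TPMContext implementation class name, or null.
     * TPMContext.getInstance() reads this property, so checking it first gives
     * a clearer error than a failed factory call.
     */
    static String configuredImplementation() {
        return System.getProperty("jsr321.tpmcontextimpl");
    }

    public static void main(String[] args) {
        if (configuredImplementation() == null) {
            System.err.println("jsr321.tpmcontextimpl is not set; "
                    + "start with -Djsr321.tpmcontextimpl=<TPMContext implementation>.");
            System.exit(1);
        }

        TPMContext ctx = null;
        try {
            // Factory method of the API: instantiates the class named above
            // (assumed JSR321 method name, verify against the Javadoc).
            ctx = TPMContext.getInstance();
            // null host: connect to the TSS core service on this machine
            // (assumed JSR321 method name, verify against the Javadoc).
            ctx.connect(null);
            TPM tpm = ctx.getTPM();
            for (int i = 0; i < PCRS_TO_SHOW; i++) {
                System.out.printf("PCR[%02d] = %s%n", i, toHex(tpm.getPCRValue(i)));
            }
        } catch (Exception e) {
            // Typical causes: jTSS core service not running, ownership not
            // taken, or (Windows) PCR access still blocked by the default
            // TPM command block list described in the ownership section.
            System.err.println("TPM access failed: " + e);
        } finally {
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (Exception ignored) {
                    // nothing more to do on shutdown
                }
            }
        }
    }
}
```

If the program prints a ClassNotFoundException for the value of jsr321.tpmcontextimpl, the JSR321 reference JAR is missing from the classpath; if the PCR loop fails on Windows while the context connects fine, revisit the group policy setting for blocked TPM commands.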
Examples and code here!