Thales IoT Developer Community
Tutorial, June 4, 2015 - 8:26am, 5915 views
To protect your device and make sure that no third party or modified JAVA MIDLET is installed signing the MIDlet is recommended. This is described in the Cinterion Java Users Guide in details.
Intention of this article is to break it down to the essential steps without using all other security mechanisms such as SSL verification etc.
Steps to do:
- Generate keystore, keys and certificates
- Install/load certificate onto the module
- sign the midlet
- install midlet as usual
Step by step:
1)Generate keystore, keys and certificates
1.1) open a shell and go to the "bin" directory of your JDK installation. e.g. cd c:\Program Files (x86)\Java\jdk1.7.0_25\bin>
1.2)use the keytool.exe to create a J2SE keystore and private key, example below
c:\Program Files (x86)\Java\jdk1.7.0_25\bin>keytool -genkey -alias mykey -keypass mykeypass -keystore c:\temp\my_se_customer.ks -storepass mykeystorepass -sigalg SHA1withRSA -keyalg RSA -keysize 2048 What is your first and last name? [Unknown]: Markus Enck What is the name of your organizational unit? [Unknown]: Technical Sales What is the name of your organization? [Unknown]: Gemalto M2M What is the name of your City or Locality? [Unknown]: Berlin What is the name of your State or Province? [Unknown]: Berlin What is the two-letter country code for this unit? [Unknown]: DE Is CN=Markus Enck, OU=Technical Sales, O=Gemalto M2M, L=Berlin, ST=Berlin, C=DE correct? [no]: yes
I use the c:/temp folder of my computer to store all generated certificates, stores etc.
1.3) generate a module keystore using mekeytool from the Cinterion CMTK. You typically find this here C:\Program Files (x86)\Cinterion\CMTK\EHS5\WTK\bin>
C:\Program Files (x86)\Cinterion\CMTK\EHS5\WTK\bin>mekeytool -import -MEkeystore c:\temp\my_me_customer.ks -alias mykey -domain operator -keystore c:\temp\my_se_customer.ks -storepass mykeystorepass
Hint: -domain operator is defined by the CINTERION implementation other paths, names and passwords are subject to change
1.4) create the install certificate for the module using jseccmd.jar from the CINTERION CMTK
C:\Program Files (x86)\Cinterion\CMTK\EHS5\WTK\bin>java -jar jseccmd.jar -cmd SetCustomerKeystore -imei 004401080940188 -alias mykey -keypass mykeypass -keystore c:\temp\my_se_customer.ks -storepass mykeystorepass -filename c:\temp\my_me_customer.ks > c:\temp\SetCustomerKeystore.bin
Hint: IMEI of the module can ge read by at command AT+GSN
1.5)create the deinstall command/**** for the module using jseccmd.jar from the CINTERION CMTK
C:\Program Files (x86)\Cinterion\CMTK\EHS5\WTK\bin>java -jar jseccmd.jar -cmd DelCustomerKeystore -imei 004401080940188 -alias mykey -keypass mykeypass -keystore c:\temp\my_se_customer.ks -storepass mykeystorepass > c:\temp\DelCustomerKeystore.txt
2)Install/load certificate onto the module
This is done by MES and AT command AT^SMSEC
Copy the SetCustomerKeystore.bin generated in step 1.4 to the modules FFS into the root
Execute on a AT command interface: at^sjmsec="file","SetCustomerKeystore.bin"
Now only signed MIDlets can be installed
Already installed midlets are not influenced and can be executed and deinstalled
3)sign the midlet
How to do this in the shell is described in the CINTERION JAVA USERS GUIDE using the jadtool which is part of the CMTK.
Using Eclipse or Netbeans is much more convenient. Below how to set up ECLIPSE.
First select in the menue bar Window - Preferences - Java ME - Signing -> select the J2SE keystore, not the J2ME, enter the keystorepass, press OK and close the windows
Then open the Application Description in the root of the project and go to register card signing. Select sign generated packages and select the key alias. Save and close
4) install & run signed MIDlet as usual, not signed MIDlets can't be installed anymore
5) Remove the certificate if you want to open the module for unsigned MIDlets again
Execute on a AT command interface: at^sjmsec="cmd","content of the DelCustomerKeystore.txt file generated in step 1.5"