Gemalto is now part of the Thales Group, find out more.

You are here

Signing MIDlets

Tutorial, June 4, 2015 - 8:26am, 3584 views

To protect your device and make sure that no third party or modified JAVA MIDLET is installed signing the MIDlet is recommended. This is described in the Cinterion Java Users Guide in details.

Intention of this article is to break it down to the essential steps without using all other security mechanisms such as SSL verification etc.

Steps to do:

  1. Generate keystore, keys and certificates
  2. Install/load certificate onto the module
  3. sign the midlet
  4. install midlet as usual

Step by step:

1)Generate keystore, keys and certificates

1.1) open a shell and go to the "bin" directory of your JDK installation. e.g. cd c:\Program Files (x86)\Java\jdk1.7.0_25\bin>

1.2)use the keytool.exe to create a J2SE keystore and private key, example below 

 c:\Program Files (x86)\Java\jdk1.7.0_25\bin>keytool -genkey -alias mykey -keypass mykeypass -keystore c:\temp\my_se_customer.ks -storepass mykeystorepass -sigalg SHA1withRSA -keyalg RSA -keysize 2048

   What is your first and last name?

     [Unknown]:  Markus Enck

   What is the name of your organizational unit?

     [Unknown]:  Technical Sales

   What is the name of your organization?

     [Unknown]:  Gemalto M2M

   What is the name of your City or Locality?

     [Unknown]:  Berlin

   What is the name of your State or Province?

     [Unknown]:  Berlin

   What is the two-letter country code for this unit?

     [Unknown]:  DE

   Is CN=Markus Enck, OU=Technical Sales, O=Gemalto M2M, L=Berlin, ST=Berlin, C=DE

   correct?

     [no]:  yes 

I use the c:/temp folder of my computer to store all generated certificates, stores etc.

1.3) generate a module keystore using mekeytool from the Cinterion CMTK. You typically find this here C:\Program Files (x86)\Cinterion\CMTK\EHS5\WTK\bin>

    C:\Program Files (x86)\Cinterion\CMTK\EHS5\WTK\bin>mekeytool -import -MEkeystore c:\temp\my_me_customer.ks -alias mykey -domain operator -keystore c:\temp\my_se_customer.ks -storepass mykeystorepass 

   Hint: -domain operator is defined by the CINTERION implementation other paths, names and passwords are subject to change

1.4) create the install certificate for the module using jseccmd.jar from the CINTERION CMTK

 C:\Program Files (x86)\Cinterion\CMTK\EHS5\WTK\bin>java -jar jseccmd.jar -cmd SetCustomerKeystore -imei 004401080940188 -alias mykey -keypass mykeypass -keystore c:\temp\my_se_customer.ks -storepass mykeystorepass -filename c:\temp\my_me_customer.ks > c:\temp\SetCustomerKeystore.bin 

   Hint: IMEI of the module can ge read by at command AT+GSN

1.5)create the deinstall command/hash for the module using jseccmd.jar from the CINTERION CMTK

 C:\Program Files (x86)\Cinterion\CMTK\EHS5\WTK\bin>java -jar jseccmd.jar -cmd DelCustomerKeystore -imei 004401080940188 -alias mykey -keypass mykeypass -keystore c:\temp\my_se_customer.ks -storepass mykeystorepass > c:\temp\DelCustomerKeystore.txt 

2)Install/load certificate onto the module

  This is done by MES and AT command AT^SMSEC

  Copy the SetCustomerKeystore.bin generated in step 1.4 to the modules FFS into the root

  Execute on a AT command interface: at^sjmsec="file","SetCustomerKeystore.bin"

  Now only signed MIDlets can be installed

  Already installed midlets are not influenced and can be executed and deinstalled

3)sign the midlet

  How to do this in the shell is described in the CINTERION JAVA USERS GUIDE using the jadtool which is part of the CMTK.

  Using Eclipse or Netbeans is much more convenient. Below how to set up ECLIPSE.

 First select in the menue bar Window - Preferences - Java ME - Signing -> select the J2SE keystore, not the J2ME, enter the keystorepass, press OK and close the windows

Then  open the Application Description in the root of the project and go to register card signing. Select sign generated packages and select the key alias. Save and close

4) install & run signed MIDlet as usual, not signed MIDlets can't be installed anymore

5) Remove the certificate if you want to open the module for unsigned MIDlets again

  Execute on a AT command interface: at^sjmsec="cmd","content of the DelCustomerKeystore.txt file generated in step 1.5"

  
antero.markkula@enkom.fi's picture
antero.markkula...

Very good!
This is useful information, as most new applications today require more security.
Using signed MIDlets also via OTAP makes the end application much safer.
Passwords, secure http (https / SSL / encryption), signed MIDlets w/certificates, MES off, tied to a certain IMEI and module makes a mission critical or money transfer much safer than the old text based CSD transfers :)

Antero Markkula
Communication and Mechatronics

Enkom Active Oy – www.enkom-active.fi
Upseerinkatu 3 A, 02600 Espoo, Finland
Mobile: +358 400 411368
Office: +358 10 204 0000
Fax: +358 10 204 0010
E-mail: antero.markkula@enkom-active.fi

robin.stridh's picture
robin.stridh

Great tutorial!

I really like this kind of short hands-on tutorials without too much theory so you can test and get a feeling that it will work before reading all the background documentation.

I'm trying to do the same thing in a Linux environment, but realise some of the needed tools are windows binaries. mekeytool.exe is only used once for creating the keystore so this can possibly be done on a Windows machine and transfered, but jadtool.exe is needed every time a midlet needs to be signed.

Are there any Cinterion magic in those tools, or would it be possible to find similar tools for Linux?

/Robin

Markus