Configure KMES for code signing and verification of JAR files

Perform the following tasks to configure the KMES Series 3 to provide all functionality that Java Jarsigner needs for code signing and verification of JAR files:

Enable Host API commands.
Create a Jarsigner role with the required permissions.
Create a Jarsigner identity with the correct assigned roles.
Create a signing approval group and give it appropriate permissions.
Create a Jarsigner code signing certificate.
Apply an issuance policy to the Jarsigner code signing certificate.

The following sections show you how to complete these tasks.

Enable the commands

Perform the following steps to enable the required Host API commands:

Go to Administration > Configuration > Host API Options.

Enable the following commands:

Command	Description
ECHO	Communication Test/Retrieve Version
RAFA	Enumerate issuance policies
RAGA	Retrieve issuance policy details
RAGO	Retrieve Request (Hash Signing)
RAUO	Upload Request (Hash Signing)
RKCP	Get Command Permissions
RKLN	Lookup Objects
RKLO	Login User
RKRK	Retrieve Generated Keys
TIME	Set Time

Select [ Save ] to finish.

Create a Jarsigner role

Perform the following steps to create a Jarsigner role with the required permissions:

Go to Identity Management > Roles, and select [ Add ] at the bottom of the page.

Select Application as the role Type, specify a name for the role, and set the Logins Required to 1.

On the Permissions tab, ensure that you select only the following permissions:

Permission	Additional sub permissions (if applicable)
Certificate Authority	Export, Upload
Keys	Top-level permission only

On the Advanced tab, select only Host API for Allowed Ports.

Select [ OK ] to save and create the role.

Create a Jarsigner identity

Perform the following steps to create a Jarsigner identity with the correct assigned roles:

Go to Identity Management > Identities, right-click the background, and select Add > Client Application.

On the Info tab, select Application for the storage type and specify a name for the identity.

On the Assigned Roles tab, select the role you created in the previous section.

On the Authentication tab, remove the API Key mechanism, add the password mechanism, and set a password.

Select [ OK ] to save and create the identity.

Create a signing approval group

Perform the following steps to create a signing approval group and give it appropriate permissions:

Go to PKI > Signing Workflow and select [ Add Approval Group ] at the bottom of the page.

Set a name for the Approval Group, such as Jarsigner, and select [ OK ] to save.

Right-click the Jarsigner Approval Group and select [ Permission ].

Select the Show all roles and permissions checkbox, and grant the Jarsigner role the Use permission. Select [ OK ] to save and finish.

Create a code signing certificate

This section describes using a CA on the KMES to issue a Jarsigner code signing certificate:

Go to PKI > Certificate Authorities, and select [ Add CA ] at the bottom of the page.

In the Certificate Authority window, enter a name for the Certificate Container, such as Jarsigner. Set the owner of the field to the Jarsigner role and select [ OK ].

The new certificate container now displays in the Certificate Authorities menu.

Right-click the Jarsigner certificate container and select Add Certificate > New Certificate.

On the Subject DN tab, set a Common Name for the certificate, such as Code Signing.

Go to the V3 Extensions tab, select the Code Signing Certificate profile, and select [ OK ].

The code signing certificate now displays under the Root CA certificate inside of the Jarsigner certificate container.

Apply an issuance policy

Perform the following steps to apply an issuance policy to the Jarsigner code signing certificate:

Go to PKI > Certificate Authorities.

Right-click the Code Signing certificate and select Issuance Policy > Add.

On the Basic Info tab, set Approvals to 0 to allow anonymous singing. Select SHA-384 as an allowed hash. You do not need to specify an Alias.

On the X.509 tab, set the Default approval group to Jarsigner.

On the Object Signing tab, select the Allow object signing checkbox.

Select [ OK ] to apply the issuance policy to the Jarsigner code signing certificate.

​Enable the commands

​Create a Jarsigner role

​Create a Jarsigner identity

​Create a signing approval group

​Create a code signing certificate

​Apply an issuance policy

Enable the commands

Create a Jarsigner role

Create a Jarsigner identity

Create a signing approval group

Create a code signing certificate

Apply an issuance policy