INSTALL[for load] command without Security Domain AID

Hello all,
I have a question for the INSTALL[for load] command.
The Security Domain AID is an optional field, so I'm wondering if I didn't specify the AID, then which Security Domain performs the INSTALL[for load] command?
Thanks,
Julie.

Whichever one you are sending your APDU commands to. Which SD did you select? Usually, the default applet is the ISD, so the commands are going to that applet.

Similar Messages

  • How to calc load parameters field for INSTALL for LOAD command

    Hi everyone ,
    I'll appreciate it if anyone could help me to find out how to calculate load parameters field for Install for Load Command .
    (which tags and parameters I should use to make this field )
    Best Regards,
    SHKas

    SHKas wrote:
    > I'll appreciate it if anyone could help me to find out how to calculate load parameters field for Install for Load Command .
    > (which tags and parameters I should use to make this field )
    Hi SHKas,
    The field is defined in the GP card spec 2.1.1 under 9.5.2.3.6 INSTALL [for load] and INSTALL [for install] Parameters. The section of text explains what each field is and the tag to use to encode. Each value is a two byte short.
    Cheers,
    Shane

  • Install for load

    Hello,
    I work with GemXpresso pro R3 and I want to upload my applet on the card.
    I begin to write a script but I have a problem with the install for load command.
    According to the gp specifications, the data field must contain the applet aid length, the applet aid, the security domain aid length and the security domain aid.
    Is it right or anything more?

    If we are reading on the same spec, then you would have seen this,
    Mandatory 1 Length of Load File AID
    Mandatory 5-16 Load File AID
    Mandatory 1 Length of Security Domain AID
    Conditional 0-16 Security Domain AID
    Mandatory 1 Length of Load File Data Block Hash
    Conditional 0-n Load File Data Block Hash
    Mandatory 1 Length of Load Parameters field
    Conditional 0-n Load Parameters field
    Mandatory 1 Length of Load Token
    Conditional 0-n Load Token
    Above is the data field in install for load command.

  • How to install an applet on a Security Domain

    Dear all,
    I have installed a new SD on my card but I can't install my applet on it! I don't know what is the problem and I haven't found any related reference! I was wondering that maybe I am doing something wrong with my SD and applet installation, here is what I have done:
    1.Select ISD
    2.Authenticate with ISD keys
    3.Install a new instance of ISD with Security Domain privilege
    4.Select new SD
    5.Authenticate with default keys
    6.Put key command
    7.Authenticate with new keys
    8.install for load my applet ----> (6A86) failed!
    Thanks for your helps!

    That means associating an application (applet instance) with another security domain than the ISD.
    An SSD is basically a keystore application, even if its AID can be selected to open a secure channel with the keys it contains.
    The main use is to make GPSystem.getSecureChannel() refer to the other (SSD) keys. This way, a card owner can install an applet and delegate secure channel services to the SSD, using dedicated keys.
    You can also open a secure channel with the SSD (using its own keys) and use INSTALL FOR PERSONALIZATION / STORE DATA.
    This way you don't have to give the ISD keys to an applet provider for him to be able to personalize its own applet.
    The owner of the ISD keys manages the card contents (install for install / delete) and the applet provider manages the personalization.
    Note that normal SSD are able to manage channels, but generally are not allowed to load/install/delete applets.
    DAP requires the applet owner to sign its CAP file and to verify the signature on the card. The card manager loads the CAP, the signature ensures the CAP file provided by the applet provider was not tampered.
    With DM, the applet provider runs the card management commands, but the card requires these commands to be signed by the card manager. The card manager can choose which commands are allowed.

  • Installing a Loopback adapter without a Domain Name

    I'm trying to install the microsoft loopback adapter for the oracle 10g database. In one of the steps I was supposed to configure the "hosts" file within the driver directory of the windows folder.
    Below is the precise directions... I don't have a domain name, I just have an internet service that gives me a dynamic IP address... what do I do?
    Add a line to the SYSTEM_DRIVE:\WINDOWS\system32\drivers\etc\hosts file with the following format, after the localhost line:
    IP_address hostname.domainname hostname
    where:
    IP_address is the non-routable IP address you entered in step 16.
    hostname is the name of the computer.
    domainname is the name of the domain.
    For example:
    10.10.10.10 mycomputer.mydomain.com mycomputer

    Make one up.
    Or not.
    The domain name in the /etc/hosts is optional.
    Since you use /etc/hosts, you are not using a DNS server for that specific interpretation. Therefore you can use whatever you want. I'd use something like 'glomph.tst' just so I can have the joy of typing that in the browser URL box.

  • How to manage ApplicationDomain for loaded SWFs across different domains?

    I've been getting this following error -- when I'm loading a subsidiary SWF into a main one. The sub swf contains the overlays. OverlayOne is a subclass of Overlay.
    TypeError: Error #1034: Type Coercion failed: cannot convert OverlayOne@18684f89 to Overlay.
         at HSRawVideoPlayer/setCurrentOverLay()
         at HSRawVideoPlayer/showOverlay()
         at HSRawVideoPlayer/dotRoll()
    I googled and found that I should probably be setting the applicationDomain of the loader context of the loaded swf to be that of the loading SWF (as per Senocular's article on the subject) -- although I thought that in cases of conflict this would resolve to the loading SWFs ApplicationDomain, so not necessary.
    But I've also read that this won't work across different domains, and that's the situation here -- the client wants the urls of loading and loaded swf's to be fully qualified . Will setting the ApplicationDomain of the loaded SWF to be that of the parent solve the problem above, even if they are in different domains? Can someone show me a short code snippet? Thanks!

    Hi,
    DSS has inbuilt functionalities to compare the transactions against the in built rules. If the transactions take place not in accordance with the in-built rules, it is treated as a "violation" and is reported.
    Virsa is an example of DSS tool. Here you can build rules for access and process; constantly compare the actuals Vs the rules; report the violations.
    In SAP R3 for example, the T/code:pfcg is tailored for access control, while the invoice parking [f-63] is tailored for process control. Using VIRSA, you can address to risks involved both, namely, access and process control. This is an example of how DSS can help in Risk integration.
    In these tools, we have an Engine for building the rules - based on this we build the rules. These rules are stored in a table. When a transaction - for which we have built a rule - takes place, the system compares the rules VS actuals. The inconsistencies if any are reported as violations.
    Hope this helps.
    Regards,
    Ramesh

  • INSTALL [for install] error

    Hi,
    I am currently writing my own cap uploader, but am currently getting in the INSTALL command. My current steps are:
    Authenticate Secure Channel // reply 90 00
    80 E6 02 - Install for Load command // reply 90 00
    80 E8 - Upload data block // all give reply 90 00
    but here:
    80 E6 0C // install for install command - reply is 69 85
    I know the 69 85 error is "Conditions of use not satisfied", but has anyone got any ideas of what I could be doing wrong here, as all my other commands get a response on 90 00?
    Cheers,
    Dan

    Are you sure that the install-method of the applet that you are loading is correct?
    As the install-method of your applet is invoked during the INSTALL [for install] command, an exception might be thrown during the execution of this method, which might be mapped to this common error.
    The Javacard we are using here (JCOP from IBM) throws an ISOException with reasoncode 0x6A80 (WRONG DATA) when an exception is thrown during the execution of the install-method of an applet.

  • Help: Algorithm for Load File Data Block Hash?

    Hi guys
    I would like to understand the algorithm of a field in INSTALL for LOAD command. It is "Load File Data Block Hash". I'm concerning about it in JCOP tool + Eclipse
    (All I want to do is design the new INSTALL for LOAD command, and I want to imitate JCOP tool)
    Can I use DES algorithm for this field?
    Thanks in advance.

    The load file data block hash is described in GP Card Spec v2.1.1 sections 6.7.6.1, 7.7.7 and C.2 all titled Load File Data Block Hash.
    The hash is a SHA-1 hash of the load file data block.
    Cheers,
    Shane
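The data-field layout listed in the "Install for load" thread above, the SHA-1 Load File Data Block Hash from this answer, and the optional Security Domain AID from the opening question, combined in one added example (not code from any poster or from GlobalPlatform). It builds and strictly parses an INSTALL [for load] command; P2 = 00, the absence of secure messaging, the function names and the sample AIDs are assumptions of the example.

```python
import hashlib

# INSTALL [for load] header: 80 E6 02 as quoted on this page; P2 = 00 and
# no secure messaging wrapping are assumptions of this example.
HEADER = bytes([0x80, 0xE6, 0x02, 0x00])
FIELDS = ("load_file_aid", "sd_aid", "hash", "load_params", "load_token")

def _lv(value: bytes) -> bytes:
    """Encode one field as a 1-byte length followed by the value."""
    if len(value) > 0xFF:
        raise ValueError("field longer than 255 bytes")
    return bytes([len(value)]) + value

def build_install_for_load(load_file_aid, sd_aid=b"", load_file_data_block=None,
                           load_params=b"", load_token=b""):
    """Build the APDU; every length byte is mandatory, values may be empty."""
    if not 5 <= len(load_file_aid) <= 16:
        raise ValueError("Load File AID must be 5-16 bytes")
    if sd_aid and not 5 <= len(sd_aid) <= 16:
        raise ValueError("Security Domain AID must be absent or 5-16 bytes")
    # The hash is conditional: SHA-1 over the Load File Data Block if supplied.
    digest = b"" if load_file_data_block is None else hashlib.sha1(load_file_data_block).digest()
    data = b"".join(_lv(v) for v in (load_file_aid, sd_aid, digest, load_params, load_token))
    if len(data) > 0xFF:
        raise ValueError("data field exceeds a short APDU")
    return HEADER + bytes([len(data)]) + data

def parse_install_for_load(apdu: bytes) -> dict:
    """Split an APDU into its five LV fields, rejecting malformed input."""
    if len(apdu) < 5 or apdu[:3] != HEADER[:3]:
        raise ValueError("not an unwrapped INSTALL [for load] command")
    lc = apdu[4]
    data = apdu[5:5 + lc]
    if len(data) != lc:
        raise ValueError("Lc does not match the data present")
    fields, pos = {}, 0
    for name in FIELDS:
        if pos >= len(data):
            raise ValueError(f"length byte for {name} is missing")
        n = data[pos]
        value = data[pos + 1:pos + 1 + n]
        if len(value) != n:
            raise ValueError(f"{name} overruns the data field")
        fields[name] = value
        pos += 1 + n
    if pos != len(data):
        raise ValueError("unexpected bytes after Load Token")
    # Empty SD AID: per the first answer on this page, the command is
    # handled by whichever Security Domain is currently selected.
    fields["uses_selected_sd"] = not fields["sd_aid"]
    return fields

# Constructed sample values (not real AIDs and not a real CAP file).
LOAD_FILE_AID = bytes.fromhex("F0000000010001")
SSD_AID = bytes.fromhex("F0000000015344")
SAMPLE_BLOCK = b"constructed load file data block"

if __name__ == "__main__":
    for sd in (b"", SSD_AID):
        apdu = build_install_for_load(LOAD_FILE_AID, sd, SAMPLE_BLOCK)
        parsed = parse_install_for_load(apdu)
        print(apdu.hex(), "selected SD" if parsed["uses_selected_sd"] else sd.hex())
```

Running the parser over an APDU script before it is sent shows whether each load names its target Security Domain explicitly or relies on whichever one was selected earlier in the session.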

  • Extradition of an AID to a security domain that is in "selectable" state

    following this post: http://forum.java.sun.com/thread.jspa?messageID=10227711
    in following this example (i've found it very helpful), i want to know if it is a requirement that the SSD be personalized instead of in "Selectable" state? if so, that would explain the errors i get when i try to extradite an AID to it from the ISD.
    your example:
    GP 2.1.1, SSD section (concept) and APDU commands Install [for load], [install] and [extradition].
    Example:
    - select ISD
    - open a secure channel
    - Install [for install & make selectable] on a pre-loaded SD package/module --> optionally you need to specify in the install parameters that this SD accepts extradition
    - select SSD
    - open a secure channel (using the default keys)
    - personalize (put secure channel keys)
    - install [for load] an application, specify the SSD to be associated

    Clemson wrote:
    > ... errors i get when i try to extradite an AID to it from the ISD.
    GlobalPlatform Card Specification 2.1.1, 03/25/2003, p. 70
    6.4.3 Content Extradition
    The GlobalPlatform Card Content extradition process is designed to allow the association, to a different Security Domain, of a previously installed Application. The Issuer Security Domain shall verify the extradition request before the OPEN will allow the extradition.
    Runtime Behavior
    The following runtime behavior requirements apply to the OPEN during the Card Content extradition process.
    The OPEN shall:
    ...
    Check that this Security Domain is in a valid Life Cycle State (i.e. PERSONALIZED),
    ...
    Therefore, the SD which should accept the applet has to be in state PERSONALIZED.

  • Who shall create a specific Security Domain compliant to GP 2.1?

    Particularly, in case of the delegated management, the GP card specification 2.1.1 describes as follows:
    "Security Domains authorized by the Card Issuer to perform Card Content changes shall request the OPEN to load, install, extradite, and delete applications."
    I think that the Security Domain is implemented by the Application Provider using GP API. The OPEN is, however, the component of the Card Manager which should be implemented by a GP compliant JCVM provider or a GP component provider.
    My questions are:
    1. How does a Security Domain request the OPEN to load, install.. ? How do they interface with each other? Does the GP compliant JCVM provider have to provide the specific interfaces used to change Card Contents for the Application Providers who implement their own Security Domain?
    2. If the GP compliant JCVM provider is also responsible for implementing a specific Security Domain, what is the role of the Application Provider? only as a provider of his own security policy for the GP compliant JCVM provider? Can't an Application Provider implement his own Security Domain himself (using only GP2.1 public API)?
    I am grateful to you for a kind assistance.

    > I think that the Security Domain is implemented by the Application Provider using GP API. The OPEN is, however, the component of the Card Manager which should be implemented by a GP compliant JCVM provider or a GP component provider.
    Typically and due to the fact that the GP specification is missing the API that would allow a Security Domain to be loaded on the card, Security Domains are developed by the card vendor and present on the card at production. The vendor can decide which features are implemented in the Security Domain e.g. Secure Channel services, DAP Verification, Delegated Management. If, as an Application Provider, you wish to develop your own Security Domain, your vendor may be willing to provide you with details of their proprietary API but this would be specific to this vendor's product.
    > My questions are:
    > 1. How does a Security Domain request the OPEN to load, install.. ? How do they interface with each other? Does the GP compliant JCVM provider have to provide the specific interfaces used to change Card Contents for the Application Providers who implement their own Security Domain?
    Yes.
    > 2. If the GP compliant JCVM provider is also responsible for implementing a specific Security Domain, what is the role of the Application Provider? only as a provider of his own security policy for the GP compliant JCVM provider? Can't a Application Provider implement his own Security Domain himself (using only GP2.1 public API)?
    No.
    > I am grateful to you for a kind assistance.

  • INSTALL [for PERSONALIZATION]

    Hi
    I'm using the JCOP Dev Tools V1.4.0 within Eclipse V3.7.1 to develop a card applet that loads a secret key using the INSTALL [for Personalization] and Store Data commands after instantiation.  The commands I use are:
    INSTALL [for Perso] 80E62000<blah>
    STORE DATA 80E28000<secret blah>
    This works well when loading to the phone but fails when loading to either the simulator or the development Java card I use.  It returns 0x6A86 (Incorrect parameters P1-P2) in response to the INSTALL command and it does this whether I'm using the send command in the JCShell script or my own PC application (again, both of which work with the phone).
    So my questions are:
    1) Am I right in thinking that the error response is being returned simply because neither the card nor the simulator supports the INSTALL [for Perso] command or is there something more that I'm missing?
    2) If it’s not supported then can anyone tell me if there is a card I can select in the simulator that will support it and allow me to test the code in DEBUG mode?  I’ve tried a selection but each one has failed.
    3) I've done this using the send command to send both the INSTALL and STORE DATA commands.  Is there a JCShell command that implements the INSTALL [for Perso]?
    The INSTALL [for Perso] / STORE DATA system has been imposed upon me by the system I'm using so I can’t use alternatives like using the INSTALL’s C9 data to load the key.  In order to continue using the simulator I've had to create a back-door command that allows me to load the key outside of the INSTALL / STORE DATA method.  This is obviously not ideal and so any options the community can give me to get this solution working in the simulator would be much appreciated.
    Thanks in advance

    hi
    processData() is called after you send a GP INSTALL FOR PERSONALIZATION, then send STORE DATA commands. You get the contents of the STORE DATA APDUs after unwrapping by the secure channel.
    The extended process data is the same as this, except that it can also return data. To use it you have to implement the org.globalplatform.Personalization interface.
    All of this is described in:
    GlobalPlatform Card
    Confidential Card Content Management
    Card Specification v 2.2 - Amendment A
    Version 1.0
    Public Release
    October 2007
    Document Reference: GPC_SPE_007
    The document is available on the gp web site.
    Regards
    Sebastien

  • Application set as 'Install for User' but deployed to device collection - what happens ?

    Hi All,
    If i package an application and set it to 'install for User' - if i then deploy that application to a device collection as required will it install for every user each time they log onto the computer.. ???
    Cheers.

    Install for User determines the security context in which it will install. If the logged on user is not an admin, the install will likely fail. And yes, technically the app will be available for all users who log in (to be installed) however if you have your detection method configured properly the app will be installed only once as the detection will determine its already there.
    Someone please correct me if I am wrong.  ;-)

  • Have been running version 4 for a week without problems. Today, downloaded MS live security update, and have had problems since. when I click on a favorite site, it takes 20 to 40 seconds before the page loads and the same if I click a link on the page.

    been running version 4 for a week without problems. Today, downloaded MS live security update, and have had problems since. when I click on a favorite site, it takes 20 to 40 seconds before the page loads.

    http://portableapps.com/apps/internet/firefox_portable/localization#legacy36

  • Loadfile to install a Supplementary Security Domain in GP 2.2?

    Hi all,
    I have Secure Elements with GP 2.2 and would like install Supplementary Security Domains there.
    In my previous GP 2.1 chips that was not a problem, there was a preloaded Loadfile with AID:A0000000035350 (Security Domain)
    For my Supplementary Security Domains I just made an instance of this Loadfile AID:A0000000035350, and I had a Security Domain instance.
    Now, in the new version I have no such Loadfile for a Security Domain. So how can I install Supplementary Security Domain instances in GP 2.2?
    Attached a GET STATUS Response with all Loadfiles and Modules in the new chip.
    Anybody any idea? It would be really helpful.
    br Markus
    GET STATUS:
    e3 42
    4f 09 a00000001884010102 9f70 02 0100 ce 02 01 00
    84 0a a0000000188401010201
    84 0a a0000000188401010202
    84 0a a0000000188401010203
    cc 08 a000000151000000
    e3 1e
    4f 09 a00000001884010101
    9f 70 02 0100
    ce 02 01 00
    cc 08 a000000151000000
    e3 36
    4f 09 a00000001820010108
    9f 70 02 01 00
    ce 02 01 00
    84 0a a0000000182001010801
    84 0a a0000000182001010802
    cc 08 a000000151000000
    e3 42
    4f 09 a00000001820010106
    9f 70 02 01 00
    ce 020100
    84 0a a0000000182001010302
    84 0a a0000000182001010300
    84 0a a0000000182001010301
    cc 08 a0000001510000006310

    You will either need to tell us what card you are using or contact the manufacturer/vendor to get the developer documentation for it.
    - Shane

  • Built in security domains are missing on windows after installing wtk

    hi,
    i am just experimenting a bit with j2me technologies so i have installed the latest wtk on my windows machine from sun. but a problem has raised with built-in security domains.
    if i run emulator.exe -Xquery with my Windows user then the security domains lines are empty.
    example: DefaultColorPhone.security.domains:
    in case i launch this with Administrator it works fine
    example: DefaultColorPhone.security.domains: manufacturer,minimum,identified_third_party,unidentified_third_party,maximum
    everything else (environment etc.) is the same but the user account. my user name is in the form of firstname.lastname so in my opinion this won't be a whitespace issue. i have also tried uninstalling the wtk then installing with my user but it did not help.
    do you have any clue what could go wrong?

    Ron Apra wrote:
    > I installed Leopard on a G5 tower with 2 new 750 GB's seagate drives. Disk Utility shows a total capacity of 698.6 GB's out of 750 GB's so I am missing 50 GB's. Also First Aid hangs up on Verify/repair disk permissions. It looks like I am dealing with an "erase" issue since there must be other files on the new drives that are causing problems, My new thoughts on this are:
    > (1) For MacHD 2, in DU click on the "hard Drive(698.6 GB ST3750640AS)/security option-zero out data/erase
    > (2) For MacHD 1 (Leopard) insert the installation disk/go to option-erase and install/ok
    > Will this work or is there a better way to go about it.
    > Thanks for looking at my Post
    > Ron
    Most drives are listed as unformatted size and take advantage of the "1000" kilo which is really 1024.
    Also a system with folders, &c. takes up space with no actual files.
    Your "loss" of less than 10% is normal and expected.
    For example, the "250GB" HD on this MBP as reported by DU says:
    Total Capacity : 232.9 GB (250,059,350,016 Bytes)
    But I have not lost 17GB.
    Since your drive is 3 times the size of mine, I would expect to see a "loss" of 51 GB (3x17) which is exactly what you are reporting.
