Loadfile to install a Supplementary Security Domain in GP 2.2?

Hi all,
I have Secure Elements with GP 2.2 and would like to install Supplementary Security Domains there.
In my previous GP 2.1 chips that was not a problem; there was a preloaded Loadfile with AID:A0000000035350 (Security Domain).
For my Supplementary Security Domains I just made an instance of this Loadfile AID:A0000000035350, and I had a Security Domain instance.
Now, in the new version I have no such Loadfile for a Security Domain. So how can I install Supplementary Security Domain instances in GP 2.2?
Attached is a GET STATUS response with all Loadfiles and Modules in the new chip.
Does anybody have any idea? It would be really helpful.
br Markus
GET STATUS:
e3 42
4f 09 a00000001884010102
9f70 02 0100
ce 02 0100
84 0a a0000000188401010201
84 0a a0000000188401010202
84 0a a0000000188401010203
cc 08 a000000151000000
e3 1e
4f 09 a00000001884010101
9f70 02 0100
ce 02 0100
cc 08 a000000151000000
e3 36
4f 09 a00000001820010108
9f70 02 0100
ce 02 0100
84 0a a0000000182001010801
84 0a a0000000182001010802
cc 08 a000000151000000
e3 42
4f 09 a00000001820010106
9f70 02 0100
ce 02 0100
84 0a a0000000182001010302
84 0a a0000000182001010300
84 0a a0000000182001010301
cc 08 a000000151000000
63 10

You will either need to tell us what card you are using or contact the manufacturer/vendor to get the developer documentation for it.
- Shane
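
To read the GET STATUS response posted above field by field, here is an added example (not part of the original thread or of any vendor tool) that parses the E3 templates with the tag meanings GP 2.2 defines for GET STATUS response data. The function names are introduced here; it assumes the response ends with SW1 SW2, and the trailing 63 10 is the status word GP defines as "more data available", so the posted listing is only part of the registry.

```python
# Added example: decode a GlobalPlatform GET STATUS response (E3 templates).
# Tag meanings are the ones GP 2.2 gives for GET STATUS response data.
TAG_NAMES = {0x4F: "aid", 0x9F70: "life_cycle", 0xC5: "privileges",
             0xC4: "load_file_aid", 0xCE: "version",
             0x84: "modules", 0xCC: "associated_sd"}

# Response bytes as posted in the thread (whitespace is ignored).
POSTED = """
e342 4f09a00000001884010102 9f70020100 ce020100
     840aa0000000188401010201 840aa0000000188401010202
     840aa0000000188401010203 cc08a000000151000000
e31e 4f09a00000001884010101 9f70020100 ce020100 cc08a000000151000000
e336 4f09a00000001820010108 9f70020100 ce020100
     840aa0000000182001010801 840aa0000000182001010802
     cc08a000000151000000
e342 4f09a00000001820010106 9f70020100 ce020100
     840aa0000000182001010302 840aa0000000182001010300
     840aa0000000182001010301 cc08a000000151000000
6310
"""


def read_tlv(buf, pos):
    """Read one BER-TLV starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:                 # multi-byte tag, e.g. 9F70
        while True:
            tag = (tag << 8) | buf[pos]
            pos += 1
            if not tag & 0x80:             # last tag byte has bit 8 clear
                break
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long form: 81 xx or 82 xx xx
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV at offset %d runs past end of data" % pos)
    return tag, buf[pos:pos + length], pos + length


def parse_get_status(hex_text):
    """Return (entries, status_word); assumes the data ends with SW1 SW2."""
    raw = bytes.fromhex(hex_text)
    body, sw = raw[:-2], raw[-2:].hex().upper()
    entries, pos = [], 0
    while pos < len(body):
        tag, template, pos = read_tlv(body, pos)
        if tag != 0xE3:
            raise ValueError("expected E3 template, got %X" % tag)
        entry, inner = {"modules": []}, 0
        while inner < len(template):
            t, value, inner = read_tlv(template, inner)
            name = TAG_NAMES.get(t, "tag_%X" % t)
            if name == "modules":          # tag 84 may repeat, one per module
                entry["modules"].append(value.hex().upper())
            else:
                entry[name] = value.hex().upper()
        entries.append(entry)
    return entries, sw


def load_files_with_prefix(entries, aid_prefix):
    """Load files whose AID starts with the given hex prefix."""
    return [e for e in entries if e.get("aid", "").startswith(aid_prefix.upper())]


if __name__ == "__main__":
    entries, sw = parse_get_status(POSTED)
    for e in entries:
        print(e["aid"], "modules:", len(e["modules"]), "SD:", e.get("associated_sd"))
    print("SW", sw, "(more data available)" if sw == "6310" else "")
    print("A0000000035350 listed:", bool(load_files_with_prefix(entries, "A0000000035350")))
```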

Similar Messages

  • How to create a Supplementary security domain

    Hi all, I am new to Java Card. I want to create a Supplementary Security Domain, but I have no idea.
    Is it that I need to create an applet that implements SecureChannel, then install the applet with the privileges 0x80 (security domain)?
    Is that right? Does anybody have any suggestions? It would be really helpful.

    I've seen this if the database is down or in a funky state. Try shutting down BPEL, and restart the database, then bring BPEL back up. If you're using Oracle Lite just use the "Stop SOA Suite" GUI from the Start Menu.

  • Applet's associated security domain

    Hi All.
    I have a mobile device with an embedded secure element:
    Global Platform version : 2.1.1
    Global Platform Secure Channel Protocol: 02 option 15
    Java Card version : 2.2
    There is the content of it:
    Card Manager AID : A000000003000000
    Card Manager state : SECURED
    Application: SELECTABLE (--------) "2PAY.SYS.DDF01"
    Application: SELECTABLE (--------) A0000000041010
    Application: SELECTABLE (--------) A0000000041010BB5449435301
    Sec. Domain:PERSONALIZED (S-------) A00000000353504101
    Load File : LOADED (--------) A0000000035350 (Security Domain)
    Module : A000000003535041
    Load File : LOADED (--------) 4D66344D0002
    Module : A0000003964D66344D0002
    Load File : LOADED (--------) "2PAY."
    Module : "2PAY.SYS.DDF01"
    Load File : LOADED (--------) A000000004
    Module : A00000000410100001
    Module : A0000000041010
    The applet with AID A0000000041010BB5449435301 has been extradited to the supplementary security domain with AID A00000000353504101.
    The other applets belong to the ISD.
    Is there any possibility to discover these relations?
    GP GET STATUS command does not have such options in GP Card Spec v2.1.1.
    In v2.2.1 I found optional tag CC (Associated Security Domain's AID) in GET STATUS command description and tag 2F00 (List of Applications belonging to the Security Domain) in GET DATA description.
    But I need to get this info from card 2.1.1.
    Thanks in advance.
    Vasiliy.
    Edited by: 1010453 on Jun 7, 2013 7:00 PM

    I have the same problem in GP2.1.1.
    I think if Applet A is associated with SD A, then when I select ISD, I cannot delete Applet A. But I'm wrong. JCOP also deleted it.

  • INSTALL[for load] command without Security Domain AID

    Hello all,
    I have a question for the INSTALL[for load] command.
    The Security Domain AID is optional field, so I'm wondering if I didn't specify the AID, then which Security Domain performs the INSTALL[for load] command?
    Thanks,
    Julie.

    Which ever one you are sending your APDU commands to. Which SD did you select ? Usually, the default applet is the ISD, so the commands are going to that applet.

  • How to install an applet on a Security Domain

    Dear all,
    I have installed a new SD on my card but I can't install my applet on it! I don't know what the problem is and I haven't found any related reference! I was wondering whether I am doing something wrong with my SD and applet installation. Here is what I have done:
    1. Select ISD
    2. Authenticate with ISD keys
    3. Install a new instance of ISD with Security Domain privilege
    4. Select new SD
    5. Authenticate with default keys
    6. Put key command
    7. Authenticate with new keys
    8. Install for load my applet ----> (6A86) failed!
    Thanks for your helps!

    That means associating an application (applet instance) with another security domain than the ISD.
    An SSD is basically a keystore application, even if its AID can be selected to open a secure channel with the keys it contains.
    The main use is to make GPSystem.getSecureChannel() refer to the other (SSD) keys. This way, a card owner can install an applet and delegate secure channel services to the SSD, using dedicated keys.
    You can also open a secure channel with the SSD (using its own keys) and use INSTALL FOR PERSONALIZATION / STORE DATA.
    This way you don't have to give the ISD keys to an applet provider for him to be able to personalize his own applet.
    The owner of the ISD keys manages the card contents (install for install / delete) and the applet provider manages the personalization.
    Note that normal SSDs are able to manage channels, but generally are not allowed to load/install/delete applets.
    DAP requires the applet owner to sign its CAP file and to verify the signature on the card. The card manager loads the CAP, and the signature ensures the CAP file provided by the applet provider was not tampered with.
    With DM, the applet provider runs the card management commands, but the card requires these commands to be signed by the card manager. The card manager can choose which commands are allowed.

  • Built in security domains are missing on windows after installing wtk

    hi,
    I am just experimenting a bit with J2ME technologies, so I have installed the latest WTK from Sun on my Windows machine, but a problem has arisen with the built-in security domains.
    If I run emulator.exe -Xquery with my Windows user, then the security domains lines are empty.
    example: DefaultColorPhone.security.domains:
    In case I launch this with Administrator it works fine.
    example: DefaultColorPhone.security.domains: manufacturer,minimum,identified_third_party,unidentified_third_party,maximum
    Everything else (environment etc.) is the same but the user account. My user name is in the form of firstname.lastname, so in my opinion this won't be a whitespace issue. I have also tried uninstalling the WTK and then installing it with my user, but it did not help.
    Do you have any clue what could go wrong?

    Ron Apra wrote:
    I installed Leopard on a G5 tower with 2 new 750 GB Seagate drives. Disk Utility shows a total capacity of 698.6 GB out of 750 GB, so I am missing 50 GB. Also First Aid hangs up on Verify/repair disk permissions. It looks like I am dealing with an "erase" issue since there must be other files on the new drives that are causing problems. My new thoughts on this are:
    (1)For MacHD 2, in DU click on the "hard Drive(698.6 GB ST3750640AS)/security option-zero out data/erase
    (2) For MacHD 1 (Leopard) insert the installation disk/go to option-erase and install/ok
    Will this work or is there a better way to go about it.
    Thanks for looking at my Post
    Ron
    Most drives are listed as unformatted size and take advantage of the "1000" kilo which is really 1024.
    Also a system with folders, &c. takes up space with no actual files.
    Your "loss" of less than 10% is normal and expected.
    For example, the "250GB" HD on this MBP as reported by DU says:
    Total Capacity : 232.9 GB (250,059,350,016 Bytes)
    But I have not lost 17GB.
    Since your drive is 3 times the size of mine, I would expect to see a "loss" of 51 GB (3x17) which is exactly what you are reporting.

  • How can I create a new Security Domain ?

    Hi everyone,
    I would like to know how I can create a Security Domain other than the ISD (if my card supports multiple SDs and delegated management).
    I read GlobalPlatform v2.1.1, but I don't know how to create a new SD in practice (how to write its code, how to install it, how to associate an applet with it, ...).
    If there is any document or link that can help me, please let me know.
    I would appreciate it if anyone could explain it to me step by step.
    yours sincerely.
    Orchid.

    You're right, it is not visible looking at your script, but at the APDU log. /card is an internal JCShell script to do the following:
    cm>  /card
    resetCard with timeout: 0 (ms)
    First the card is reset. This is analogous with /atr
    --Waiting for card...
    ATR=3B FA 13 00 00 81 31 FE 45 4A 43 4F 50 34 31 56    ;.....1.EJCOP41V
        32 33 31 97                                        231.
    ATR: T=1, FI=1/DI=3 (93clk/etu), N=0, IFSC=254, BWI=4/CWI=5, Hist="JCOP41V231"
    Then an /identify command is issued.
    => 00 A4 04 00 09 A0 00 00 01 67 41 30 00 FF          .........gA0..
    (163429 nsec)
    <= 09 01 01 29 00 00 00 00 50 48 36 35 30 41 00 00    ...)....PH650A..
        6A 82                                              j.
    Status: File not found
    Now the Issuer Security Domain (ISD) is selected. You can do the same sending the JCShell 'select' command.
    => 00 A4 04 00 07 A0 00 00 00 03 00 00 00             .............
    (650082 nsec)
    <= 6F 65 84 08 A0 00 00 00 03 00 00 00 A5 59 9F 65    oe...........Y.e
        01 FF 9F 6E 06 40 51 70 92 29 00 73 4A 06 07 2A    ...n.@Qp.).sJ..*
        86 48 86 FC 6B 01 60 0C 06 0A 2A 86 48 86 FC 6B    .H..k.`...*.H..k
        02 02 01 01 63 09 06 07 2A 86 48 86 FC 6B 03 64    ....c...*.H..k.d
        0B 06 09 2A 86 48 86 FC 6B 04 02 15 65 0B 06 09    ...*.H..k...e...
        2B 85 10 86 48 64 02 01 03 66 0C 06 0A 2B 06 01    +...Hd...f...+..
        04 01 2A 02 6E 01 02 90 00                         ..*.n....
    Status: No Error
    The answer is the File Control Information (FCI) returned by the ISD. The format is also described in GP.

  • Who shall create a specific Security Domain compliant to GP 2.1?

    Particularly, in case of the delegated management, the GP card specification 2.1.1 describes as follows:
    "Security Domains authorized by the Card Issuer to perform Card Content changes shall request the OPEN to load, install, extradite, and delete applications."
    I think that the Security Domain is implemented by the Application Provider using GP API. The OPEN is ,however, the component of the Card Manager which should be implemented by a GP compliant JCVM provider or a GP component provider.
    My questions are:
    1. How does a Security Domain request the OPEN to load, install.. ? How do they interface with each other? Does the GP compliant JCVM provider have to provide the specific interfaces used to change Card Contents for the Application Providers who implement their own Security Domain?
    2. If the GP compliant JCVM provider is also responsible for implementing a specific Security Domain, what is the role of the Application Provider? only as a provider of his own security policy for the GP compliant JCVM provider? Can't a Application Provider implement his own Security Domain himself (using only GP2.1 public API)?
    I am grateful to you for a kind assistance.

    > I think that the Security Domain is implemented by the Application Provider using GP API. The OPEN is,
    > however, the component of the Card Manager which
    > should be implemented by a GP compliant JCVM provider
    > or a GP component provider.
    Typically and due to the fact that the GP specification is missing the API that would allow a Security Domain to be loaded on the card, Security Domains are developed by the card vendor and present on the card at production. The vendor can decide which features are implemented in the Security Domain e.g. Secure Channel services, DAP Verification, Delegated Management. If, as an Application Provider, you wish to develop your own Security Domain, your vendor may be willing to provide you with details of their proprietary API but this would be specific to this vendor's product.
    > My questions are:
    > 1. How does a Security Domain request the OPEN to
    > load, install.. ? How do they interface with each
    > other? Does the GP compliant JCVM provider have to
    > provide the specific interfaces used to change Card
    > Contents for the Application Providers who implement
    > their own Security Domain?
    Yes.
    > 2. If the GP compliant JCVM provider is also
    > responsible for implementing a specific Security
    > Domain, what is the role of the Application Provider?
    > only as a provider of his own security policy for the
    > GP compliant JCVM provider? Can't a Application
    > Provider implement his own Security Domain himself
    > (using only GP2.1 public API)?
    No.
    > I am grateful to you for a kind assistance.

  • Extradition of an AID to a security domain that is in "selectable" state

    Following this post: http://forum.java.sun.com/thread.jspa?messageID=10227711
    In following this example (I've found it very helpful), I want to know if it is a requirement that the SSD be personalized instead of in "Selectable" state? If so, that would explain the errors I get when I try to extradite an AID to it from the ISD.
    your example:
    GP 2.1.1, SSD section (concept) and APDU commands Install [for load], [install] and [extradition].
    Example:
    - select ISD
    - open a secure channel
    - Install [for install & make selectable] on a pre-loaded SD package/module --> optionally you need to specify in the install parameters that this SD accepts extradition
    - select SSD
    - open a secure channel (using the default keys)
    - personalize (put secure channel keys)
    - install [for load] an application, specify the SSD to be associated

    Clemson wrote:
    > ... errors i get when i try to extradite an AID to it from the ISD.
    GlobalPlatform Card Specification 2.1.1, 03/25/2003, p. 70
    6.4.3 Content Extradition
    The GlobalPlatform Card Content extradition process is designed to allow the association, to a different Security Domain, of a previously installed Application. The Issuer Security Domain shall verify the extradition request before the OPEN will allow the extradition.
    Runtime Behavior
    The following runtime behavior requirements apply to the OPEN during the Card Content extradition process.
    The OPEN shall:
    ...
    Check that this Security Domain is in a valid Life Cycle State (i.e. PERSONALIZED),
    ...
    Therefore, the SD which should accept the applet has to be in state PERSONALIZED.

  • Java Card Security domain

    Hi ,
    According to the Visa Open Platform architecture, each Java Card applet is associated with a Security Domain.
    I am using the GemXpressoRAD211 toolkit for developing Java Card applets.
    In the Gemxpresso211IS card, the default security domain is the Card Manager, whose AID is A0 00 00 00 03 00 00. It is basically the card issuer security domain.
    When I install an applet to the card, the Card Manager is assumed to be the associated security domain.
    My questions are....
    1. How can I associate my applet to an application provider security domain rather than the card issuer security domain? From where do I get this security domain? Do I need to write my own security domain, or does somebody else provide it?

    There's a card issuer, with its ISD.
    Then there's another company who wants to have the ability to install/remove some applets on this card.
    We create another SD for this company and "delegate" some limited capabilities to manage the contents of the card.
    Read about the delegated management in GP.
    regards
    Kuba

  • Help: Fail to retrieve Security Domains. Please try again later.

    Fail to retrieve Security Domains. Please try again later. - [DOM_10072] The master gateway node to the domain is currently not available.
    Can anyone help with this error on the Informatica web admin?

    Please post full details: Informatica version, OS, is this a first install, did you apply hot fixes like 8.6 and P4?
    You could also look at this thread, but we need to understand what you are trying to do, fully:
    Re: BI AP - Informatica 8.6.0 config (linux)
    Thanks

  • Security Domain privileges

    I'm trying to install a security domain using the JCOP simulator with Token Management privileges.
    I've installed the security domain with the available privileges using the INSTALL [for install] command provided by the JCOP shell:
    cm>  install -s -e -b -m -q C90145 -i A000000151535041 A0000001515350 A000000151535041
    => 80 E6 0C 00 21 07 A0 00 00 01 51 53 50 08 A0 00
        00 01 51 53 50 41 08 A0 00 00 01 51 53 50 41 01
        E1 03 C9 01 45 00 00
    (12088 usec)
    <= 00 90 00         
    Status: No Error
    then tried to update the privileges using INSTALL [for registry update] command:
    cm>  send 80E6400011000008A00000015153504103E12000000000
    => 80 E6 40 00 11 00 00 08 A0 00 00 01 51 53 50 41
        03 E1 20 00 00 00 00
    (5642 usec)
    <= 6A 80              
    Status: Wrong data
    Also, I tried to set the privilege bytes while installing the Security Domain, but that failed too:
    cm>  send 80E60C002307A000000151535008A00000015153504108A00000015153504103E1200003C901450000
    => 80 E6 0C 00 23 07 A0 00 00 01 51 53 50 08 A0 00
        00 01 51 53 50 41 08 A0 00 00 01 51 53 50 41 03 
        E1 20 00 03 C9 01 45 00 00
    (7888 usec)
    <= 6A 80             
    Status: Wrong data
    Can anyone help?
    Thanks in advance,
    Khadrawy

    Hi,
    It seems, you are trying to Install Security Domain with Delegated Management Privilege (Privilege Byte 1 - 0xE1) and Token Verification Privilege(Privilege Byte 2 - 0x20).
    According to GP Specification 2.2.1, Token Verification and Receipt generation privilege can not be assigned to Security Domain with Delegated Management privilege.
    Token Verification and Receipt generation privilege may be assigned to security domain with Authorized Management privilege.
    Hope this helps you.
    regards,
    Karthik
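
To see which fields and privilege bits the APDUs in the post above carry, here is an added example (not from the original thread and not JCOP shell code) that splits the two INSTALL [for install] commands into their length-prefixed fields and names the privilege bits using the GP 2.2 coding. The function names are introduced here, one-byte field lengths are assumed as in the posted APDUs, and the `conflicts` check encodes the combination rule exactly as stated in the reply above.

```python
# Added example: split the INSTALL [for install] APDUs from the post into
# fields and name the privilege bits (GP 2.2 coding, bit 8 first).
PRIV_BITS = (
    ("Security Domain", "DAP Verification", "Delegated Management",
     "Card Lock", "Card Terminate", "Card Reset", "CVM Management",
     "Mandated DAP Verification"),                          # privilege byte 1
    ("Trusted Path", "Authorized Management", "Token Verification",
     "Global Delete", "Global Lock", "Global Registry",
     "Final Application", "Global Service"),                # privilege byte 2
    ("Receipt Generation", "Ciphered Load File Data Block",
     "Contactless Activation", "Contactless Self-Activation"),  # byte 3
)
FIELDS = ("load_file_aid", "module_aid", "application_aid",
          "privileges", "install_parameters", "install_token")

# The two INSTALL [for install] commands from the JCOP shell trace above.
APDU_ONE_PRIV_BYTE = ("80E60C0021" "07A0000001515350" "08A000000151535041"
                      "08A000000151535041" "01E1" "03C90145" "00" "00")
APDU_THREE_PRIV_BYTES = ("80E60C0023" "07A0000001515350" "08A000000151535041"
                         "08A000000151535041" "03E12000" "03C90145" "00" "00")


def parse_install(apdu_hex):
    """Split the data field of an INSTALL command into its six LV fields."""
    apdu = bytes.fromhex(apdu_hex)
    if len(apdu) < 5 or apdu[1] != 0xE6:
        raise ValueError("not an INSTALL command (INS E6)")
    lc = apdu[4]
    data = apdu[5:5 + lc]                  # anything after this is Le
    if len(data) != lc:
        raise ValueError("Lc does not match the data length")
    fields, pos = {}, 0
    for name in FIELDS:
        if pos >= len(data):
            raise ValueError("data field ends before " + name)
        n = data[pos]                      # assumption: one-byte lengths
        value = data[pos + 1:pos + 1 + n]
        if len(value) != n:
            raise ValueError(name + " runs past Lc")
        fields[name] = value
        pos += 1 + n
    if pos != len(data):
        raise ValueError("unexpected bytes after the install token")
    return fields


def decode_privileges(priv):
    """Names of the bits set in a 1- or 3-byte privileges field."""
    return [name
            for byte, bit_names in zip(priv, PRIV_BITS)
            for i, name in enumerate(bit_names)
            if byte & (0x80 >> i)]


def conflicts(names):
    """Privileges that the reply above says cannot accompany Delegated Management."""
    if "Delegated Management" not in names:
        return []
    return [n for n in ("Token Verification", "Receipt Generation") if n in names]


if __name__ == "__main__":
    for apdu in (APDU_ONE_PRIV_BYTE, APDU_THREE_PRIV_BYTES):
        names = decode_privileges(parse_install(apdu)["privileges"])
        print(names, "-> conflicts:", conflicts(names))
```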

  • Provider Security Domain applet on JCOP

    Hi all,
    I use the Eclipse plugin JCOP 3.0 tools and am trying to install my own Security Domain applet to OP.
    Does the JCOP card simulator support the Provider Security Domain?
    If not, which real JCOP card can I use to upload & install my Security Domain?
    Thanks in advance!
    Andy Hua.

    MatiGdoc wrote:
    > Hi,
    > I'm a newbie in JCOP programming, so I need help from "masters" ...
    > I'm using JCOP 10 v2.2 GP2.1.1 compliant with SCP02 support. I can successfully compute all necessary session keys / cryptograms needed by initialize update / external authenticate commands.
    > Original JCOP tools uses in external authenticate security mode "NO_SECURITY_LEVEL" - 84 82 00 00, so the load command contains plain Header, Directory, Import etc .cap files.
    > But I want to load .cap in more secure way, using C_DECRYPTION mode. So, my questions are:
    > - Is C_MAC mode mandatory with C_DECRYPTION ? In other way, can I use p1=0x02 instead of 0x03 in External Authenticate command ?
    C_DECRYPTION also mandates C_MAC. You can use for P1: 00, 01 and 03.
    > - Which key must be used for Datafield encryption ? I suppose S_ENC key generated for secure channel, right ?
    Correct.
    > - should datafield for Install_for_load command (80 E6 02) also be encrypted with S_ENC ?
    Yes. Starting with C_MAC your class byte needs to be 84 though.
    > - should the datafield also be padded before calculating the C_MAC ?
    You pad for C_MAC as first step, and then pad the data field as a second step, excluding C_MAC. Check out GP 2.1.1 card spec, figure E-6.

  • Problem with Rescue and Recovery after installing Norton Internet Security 2010

    Hi all.
    It's my first time in this forum.
    I have a problem with Rescue and Recovery after installing Norton Internet Security 2010 on my T43.
    The message I get is:
    "Rescue and Recovery is unable to back up the file 'C:\Documents and settings\all Users\Application Data\ Norton\ 00000082\00000109\000003c1\cltMLS1.bat' Because the file is either corrupted or being used by another application. Please close any application that could be using the file.
    I tried to close Norton but I couldn't find out how.
    Thanks
    Doron71

    Hi and welcome to the forum,
    The reason for this situation is that the antivirus files are protected from being modified.
    This is the reason why this file cannot be backed up. I assume that you would get many more such messages, as there are surely multiple files that are protected like this.
    So the solution is to block folders from being archived. Please start the RnR application and in the configuration set this folder as an excluded one.
    This will skip the backup of this file and will fix your situation.
    Please let me know if you have solved this.
    Cheers

  • How to install Oracle Label Security in Oracle Database 10g EE

    Hello All
    I just want to know how to install Oracle Label Security in Oracle 10g Database EE.
    I read in Oracle Enterprise Manager Grid Control Installation and Basic Configuration that Label Security must be installed before installing Enterprise Manager Grid Control.
    I have Oracle Database 10g Release 1 (10.1.0.1) on my Windows XP System, and I patch it to 10.1.0.3.
    M.
    Sorry about my English.

    One option is to connect to Oracle Policy Manager or use Oracle Internet Directory (OID) to administer Oracle Label Security.
    Find more ways in the Documentation here:
    http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14267/toc.htm
