Certificate chain and Java Web Start

kenshiro2000 - 28 Mar 2007 10:17 GMT
Hi,

I have an application as a JAR file with other JAR libraries. All
these files are signed with a certificate that I have generated with
my own CA (OpenSSL).

The trusted chain is this: rootCA.cer -> subCA1.cer -> jws.cer

jws.cer was generated from a Certificate Signing Request created with
the Java keytool, and then my CA signed this request. After doing
this, I put jws.cer in the same keystore as the request, but to do
this I first needed to put rootCA.cer and subCA1.cer in the
keystore.

The keystore now has three certificates and the key pair of jws.cer.
This certificate works well for signing the JAR files.

Is it all good?

When I call this application with Java Web Start a pop-up always
appears and says "Certificate is valid, etc. etc.". All is good, but
the pop-up is shown anyway.

I have inserted the rootCA and subCA1 certificates in the client Java
Web Start certificate store but the pop-up is always shown.

Why is this?

Is it not enough to install the CA certificate (and then the subCA
certificate) in the JavaWS certificate (client) store to avoid having
the pop-up displayed?

Thanks
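The keystore procedure described in the post above, written out as an added example that is not part of the original thread: an OpenSSL root and sub CA, a keytool-generated key pair and CSR, the signed reply imported after the two CA certificates, and a check of the resulting chain. Subject names, the `app.p12` keystore, the password, the 30-day validity and the extension files are constructed placeholders; when no `keytool` is installed the script falls back to OpenSSL for the signer's CSR so the chain check still runs.

```shell
# Constructed demo: subjects, file names and the password are placeholders.
PASS=changeit

new_csr() {  # new_csr <key-out> <subject> <csr-out>
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -subj "$2" -out "$3" 2>/dev/null
}

sign() {  # sign <csr> <issuer-cert> <issuer-key> <extfile> <out>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -extfile "$4" -days 30 -out "$5" 2>/dev/null
}

build_chain() {  # build_chain <dir>: rootCA.cer -> subCA1.cer -> jws.cer
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=codeSigning\n' > "$d/leaf.ext"
  new_csr "$d/rootCA.key" "/CN=Example Root CA" "$d/rootCA.csr"
  openssl x509 -req -in "$d/rootCA.csr" -signkey "$d/rootCA.key" \
    -extfile "$d/ca.ext" -days 30 -out "$d/rootCA.cer" 2>/dev/null
  new_csr "$d/subCA1.key" "/CN=Example Sub CA 1" "$d/subCA1.csr"
  sign "$d/subCA1.csr" "$d/rootCA.cer" "$d/rootCA.key" "$d/ca.ext" "$d/subCA1.cer"
  if command -v keytool >/dev/null 2>&1; then
    # As in the post: key pair and CSR come from keytool, the CA signs the request.
    keytool -genkeypair -alias jws -keyalg RSA -keysize 2048 -dname "CN=JWS Signer" \
      -keystore "$d/app.p12" -storetype PKCS12 -storepass "$PASS" >/dev/null 2>&1
    keytool -certreq -alias jws -keystore "$d/app.p12" -storepass "$PASS" \
      -file "$d/jws.csr" >/dev/null 2>&1
  else
    new_csr "$d/jws.key" "/CN=JWS Signer" "$d/jws.csr"   # fallback without a JDK
  fi
  sign "$d/jws.csr" "$d/subCA1.cer" "$d/subCA1.key" "$d/leaf.ext" "$d/jws.cer"
  command -v keytool >/dev/null 2>&1 || return 0
  # CA certificates first, then the reply, so keytool can build the chain.
  for a in rootCA subCA1 jws; do
    keytool -importcert -noprompt -alias "$a" -file "$d/$a.cer" \
      -keystore "$d/app.p12" -storepass "$PASS" >/dev/null 2>&1 || return 1
  done
}

chain_ok() {  # chain_ok <dir> [with-intermediate]: 0 if jws.cer validates to the root
  if [ "$2" = with-intermediate ]; then
    openssl verify -CAfile "$1/rootCA.cer" -untrusted "$1/subCA1.cer" "$1/jws.cer" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/rootCA.cer" "$1/jws.cer" >/dev/null 2>&1
  fi
}

d=$(mktemp -d) && build_chain "$d" && chain_ok "$d" with-intermediate && echo "full chain: OK"
chain_ok "$d" || echo "root only, no subCA1: chain does not validate"
```

The second check fails because a verifier that holds only the root cannot link jws.cer to it without subCA1.cer, which is why the signer's keystore entry has to carry the whole chain.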
Andrew Thompson - 28 Mar 2007 12:09 GMT
Noticed your (no reply) post on the JWS forum
a day or so ago, and decided to pass it up as
security is not one of my specialties.
OTOH now that we are here where I can speak more
freely (those Sun forums are v. restrictive) I
thought I'd chime in..

I am not sure what the behaviour of a trusted
key chain is supposed to be, with web start,
though your expectation of 'no prompt' seems
logical to me.

OTOH, I am interested in why you are wanting to
do it this way.  It does not make much sense for
either an individual user (they can approve it
once and be done with it) or general users
'out on the internet', the only place it makes
any sense is for a 'bunch of machines' over
which a SysAdmin or similar needs to install
a particular trusted app.

So, what is the set up you face, that this
makes sense?

Andrew T.
kenshiro2000 - 28 Mar 2007 14:07 GMT
Thanks for your reply (I have noticed that the Sun forums are not very
responsive),

I will try to explain my needs. I have this application in an Intranet
environment. I would like to distribute the rootCA certificate to every
client machine, in the client store of JWS, and eliminate the pop-up
asking to confirm trust in the certificate (JWS) of the application
deployed via JWS. Note that the JAR application on the server has the
entire chain of trust...

I hope it is clearer now :-)

thanks

> Noticed your (no reply) post on the JWS forum
> a day or so ago, and decided to pass it up as
[quoted text clipped - 21 lines]
>
> Andrew T.
Andrew Thompson - 28 Mar 2007 14:32 GMT
> Thanks for your reply

Your lack of future 'top posting' will be
thanks enough.*
<http://www.physci.org/codes/javafaq.html#toppost>

>..(I have noticed that SUN forum are not very
> responsive),

* I would not feel comfortable mentioning
the above, on the Sun forums, because some
'delicate soul' might find it offensive,
and report me.  Here, they can still get
offended, do as they please, and it affects
me not one bit.  ;-)

> I try to explain you my needs. I have this application in an Intranet
> environment.

OK - thanks for confirming.

Now I am not *sure* this will work, I
have not tried it myself, but..

Perhaps you should try doing a 'silent
import' of the application.

As I understand it, the 'import' aspect
gives you the power to install a web start
app. from the command line or script, and
with the added 'silent', it should (AFAIU)
remove those dialogs.

See the docs. for the javaws tool, for
details on using those options.

I'd be interested to hear how it goes..

Andrew T.
kenshiro2000 - 28 Mar 2007 16:13 GMT
> > Thanks for your reply
>
[quoted text clipped - 28 lines]
> with the added 'silent', it should (AFAIU)
> remove those dialogs.

But I wouldn't want a silent installation. JWS should trust the
application's signature because this signature is made with a
certificate trusted by a rootCA certificate (and the subCA) that is in
the client JWS store. I don't understand why the pop-up appears anyway!

If JWS works like a web browser, a rootCA certificate in the browser
certificate store should make the SSL connection trusted, and no pop-up
appears.

So why does the pop-up appear anyway for javaws?

Sorry for TOP POSTING ;-)

thanks

ken

> See the docs. for the javaws tool, for
> details on using those options.
>
> I'd be interested to hear how it goes..
>
> Andrew T.

