With the Java 8 security update, uploading a java application onto a webpage has been a nightmare. Self-signing is no longer a valid option (as it appears to me). I have recently bought a GeoTrust RapidSSL certificate in hopes that the website will be secured enough for Java not to block the application, but hasn't been like that (its been so confusing all-round).
My webhost setup the ssl so its there, website uses https. But the second area needs to be configured (I'm thinking by me), it wants me to choose the 'Web Server Type' which I believe its CPanel & WHM and underneath 'CSR' (image: http://postimg.org/image/jdnjjt6gr/).
Now I use Eclipse, and I installed this Keytool plugin (link: http://marketplace.eclipse.org/content/keytool) which allows me to create a keystore & csr (I really have no idea what a keystore, keytool, csr and jks are; I tried to study them on docs and available websites but its just all confusing). When i tried to create a simple one it gave me a bunch of numbers which Im presuming is encrypted with a Begin and a End on its borders (top and bottom).
I'm really confused on what I need to do, I just want to get my application running - I'm just really annoyed by this security block. What can I do? or What am I supposed to do? & Could anyone briefly explain what keystore, keytool, csr and jks are briefly?
Thanks in advance. If you could simplify things and/or give examples, that would be extremely helpful.
Related
I would really like to know if it is even possible to run a self-signed java applet in Java 8. I have tried everything possible except buying a certificate and I my self-signed applet gets blocked every time. I can only just make it accessible if I add an exception in Java Security Settings but Ive never had to do that for anything else and what user is actually going to go to that much trouble. Im using applets because I want to embed a DosBox on my site... But Im beginning to think that Java 8 just can't do self-signed applets, period.
Can anyone else manage to get their self signed applet through security? I'm about to lose my mind with this to be honest.
Self-signed certificates are not trusted, by definition. You have two choices:
Buy a code signing certificate.
Have the user adjust his Java Security Settings, or trust the publisher via the popup dialog.
This is how the system is designed and intended to work. It's been that way for 20 years.
Java Applet is signed by Comodo and looks fine. It starts as per picture:
I am not allowed to post pictures so I will try to describe it. The Java Applet starts and it says, "the publisher name is verified and the digital signature for this application was generated with a certificate from a trusted authority"
but when I press on "run" the following is popped up straight away:
"The publisher name is unknown. There is no digital signature for this application."
and the security warning as per picture above pops up all the time the applet is accessed / started. I tried cleaning Java cache and browsers' cache but no joy. I also tried re-installing Java completely to make it thoroughly clean "vanilla" but no dice either. The certificates are not expired, their validity is up to March 2016. I even tried importing the certs into Java's keystore but it did not help. Java is version 8 update 45 (build 1.8.0_45-b15) and it's run on Windows 8. Could anybody suggest anything, please as I am completely lost... Many thanks in advance!
In other words in order to get to the applet I have to click through the warning each time the applet is accessed..
I'm deploying an application using JAWS, and it worked until late 2013 when I got a warning, and then this morning Java completely blocked it. The message in French is:
Application bloquée par les paramètres de sécurité
Vos paramètres de sécurité ont bloqué l'exécution d'une application auto-signée avec une version obsolete ou arrivée à expiration de Java.
which would translate roughly as:
Application blocked by the security settings
Your security settings have blocked from running an application that has been self-signed with an obsolete or outdated Java.
The grammar is not that clear, the end of the sentence could be read as either:
...blocked a self-signed application from running with an obsolete or outdated Java [runtime], meaning that the local runtime is too old, but the self-signature is fine
...blocked an application that has been self-signed with an obsolete or outdated Java [compiler], meaning that the Java compiler used is too old
I searched online for the exact same message in English, but I couldn't find it. So the grammar is still unclear. Note that on the message there is no Name: xyz / From: http://url/, there's only the text I typed above, and a blue "i" icon.
Now, I don't really understand the exact meaning of this error message, but I know that there is an issue because my JAR files are all self-signed. I have already faced this on other Windows clients, and it was easy:
I extracted a .cer certificate from my keystore;
Downloaded it on the client machine, open it;
Made the customers install it as a trusted source on their local machine.
It worked like a charm on my test setup and for one customer, but another one still has the issue and cannot run my software.
This is a big issue from me, and I don't know what to do. Should I upgrade my Java compiler, recompile everything, sign every JAR file again and cross fingers? How can I make that Windows box trust my certificate and let the Java application run?
Just Go To *Startmenu >>Java >>Configure Java >> Security >> Edit site list >> copy and paste your Link with problem >> OK
Problem fixed :)*
SERIOUS DISCLAIMER
This solution has a serious security flaw. Please use at your own risk.
Have a look at the comments on this post, and look at all the answers to this question.
OK, I had to go to the customer premises and found a solution. I:
Exported the keystore that holds the signing keys in PKCS #12 format
Opened control panel Java -> Security tab
Clicked Manage certificates
Imported this new keystore as a secure site CA
Then I opened the JAWS application without any warning. This is a little bit cumbersome, but much cheaper than buying a signed certificate!
I was having the same issue. So I went to the Java options through Control Panel. Copied the web address that I was having an issue with to the exceptions and it was fixed.
I had the same problem, but i solved it from Java Control Panel-->Security-->SecurityLevel:MEDIUM.
Just so, no Manage certificates, imports ,exports etc..
I am able to run applets that have signed jar files on Internet Explorer with Java 1.7 Update 45.
I am however not able to run applets with unsigned jar files.
I tried clearing the cache.
I have also changed the security java control panel settings to Medium.
I still get the error JarSigningException.
Is there any way I can proceed here?
Are only signed jar files allowed? This looks like a major limitation.
Is there anyway I can tweak some settings to get unsigned applets to load?
Any help is appreciated.
Is there any way I can proceed here?
Sure. Digitally sign the code with a certificate that links back to a trusted key chain.
Are only signed jar files allowed?
It is progressing towards that, yes.
Is there anyway I can tweak some settings to get unsigned applets to load?
On your own machine? Probably for a little while longer, as Oracle continues to tighten the security along the lines you have discovered.
For the users? No, nothing that is practical beyond 'educate your users as to the advantages of the digitally signed code', and to 'click OK when prompted'.
The best thing you can do if these are your applets is to sign them with a decent signing key. (Or if the applets are solely for your own use, a self-signed certificate will do once you have imported it into your JVM's keystore as trusted.)
If these are applets supplied by someone else, either convince the supplier to sign them (with a good key), or stop using their applets. Period.
The reason that Oracle are moving in this direction is that applets can do a variety of nasty things to your machine by exploiting security holes of various kinds. Disabling unsigned applets helps protect the user from being a victim of malicious applets ... since the "bad guys" are unlikely to sign their code with a certificate that says who they are.
From appearances, Oracle really screwed up. Not only did they break hundreds of thousands of man-hours worth of benign legacy applets... Having to digitally sign applets between local builds undermines new applet production. They seriously need to give some thought to this.
I guess you can always download and use an old version of Java (one that actually works...):
http://www.oldapps.com/java.php
I will never undestand why have the security slider in the Java settings if it does nothing...
After install, restart your browser.
It works like a charm for me.
I have developed an applet. But when my browser fetches it from the webserver it pops a security warring. I don't want this message to come. Meaning applet should run without the end users permession. How can I do that? Do I need to get my applet signed? If yes, from where can i get it signed? What's the cost of geting it signed?
Your description might relate to a number of problems, such as the code trying to do things which require trust. That does not sound like the case in this instance. If your unsigned code tried to do things that required trust, it would not prompt the user at start-up, but either prompt them when the trusted action is attempted (e.g. for cross site access in later JREs) or just fail with an AccessControlException or similar.
It could be that your applet uses multiple Jars and has run into the mixed code restrictions introduced in Java 1.6.0_20. But the symptoms do not sound quite right for that either.
Is your applet publicly available? What is the URL where I/we can visit it?
As an aside, if your applet tries to break out of the security sand-box, it must be trusted. That means the code must be digitally signed, and OK'd by the end user at the prompt. There is no way around it.
But it does not require a code signing certificate issued from a CA. You can roll your own code signing certificate using the tools of the SDK. I have a few small demos. of code projects that compile and build code before signing it.
You need to get yourself a code-signing certificate. Probably by some "well-known" CA if you want to avoid all warnings. The certificate itself costs money, but once you have it, you can use it to sign as many applets as you want (you do the signing yourself).