I have a web application that downloads a jar file from the web server using Java Web Start. The jar is signed using J2SE security tool. However, I get the security warning "The application digital signature cannot be verified. Do you want to run the application?"
Am I missing something that is causing this?
If it is self-signed you also need to add the certificate into the Windows certificate store.
If you use a Certificate Authority such as Verisign then you will not have the problem.
See here for an explanation (from Verisign) on why to sign from them.
I'm trying to set up mutual authentication using Tomcat and Android. I did everything as stated on Created self signed certificates
How do I install these certificates in Tomcat and the Android application and test the connection between them?
The first step is creating the self signed certificates which you did following creating self signed certificates.
Next the certificates need to be set up in Tomcat
The interaction between Tomcat and Android has been answered here.
First I would like to say that the .jar does not contain any malicious software or code. It's not harmful, everything is fine. I signed my .jar and I'm trying to load it into my website using this code:
<applet width="765" height="503" code="Loader.java" archive="HolyDivinity718V1.1.jar" name="Holy Divinity"></applet>
But when I run it I get this error:
Application Blocked. Click for details. Your security settings have blocked a self-signed application from running.
The client is a webclient of a game that I'm running. What's the reason that it's getting blocked?
Since recently all self signed Java applets are blocked. You can do one of the following things:
Buy and sign your applet with an official certificate
Decrease your security slider to medium
Use the exception site list
Sign your app with a self signed certificate and add your certificate to the Java trust store
I've read a lot of articles regarding the import of a cert, but I am still unclear on a couple things.
When connecting to an SSL site from a Java application [in this case, a JBOSS web app], does the client cert need to be explicitly installed on the application server prior?
I can install a client cert manually, but there is an expiration date. So I'll need to manage the expiration dates of all client installed certs on our application server, and take an outage to update each one.
It feels like there should be a better way.
Shouldn't the application automatically accept a valid signed cert? [In this case, it is signed by VeriSign]
We are getting an exception currently when trying to access an https url from the application without explicitly installing the cert.
The API proxy library is swallowing the internal exception, so I don't know the details.
If the cert should be accepted automatically, then there may be a different issue here...
Can a signed certificate be used without importing explicitly?
Yes, it does not need to be installed prior to use. In fact, if you know in advance what to expect, then you can include that information in the application. That has the added benefit of improving the application's security posture.
To avoid importing the certificate, use a custom X509TrustManager and override checkServerTrusted. In checkServerTrusted, ensure the server's public key is expected (i.e., pin the server's certificate or public key); or verify the server's certificate is valid (i.e., is within validity and forms a chain to your trusted root).
When connecting to an SSL site from a Java application [in this case, a JBOSS web app], does the client cert need to be explicitly installed on the application server prior?
In the case of client certificates, the server advertises the issuer whom it relies upon to issue client certificates. So the server will need to know the trust point for issuing client certificates for authenticating clients.
In this case, it is signed by VeriSign
This could be really bad. In this case, you will trust all of your clients signed under the Verisign PKI, and all of Verisign's other clients signed under the Verisign PKI.
In this case, it would probably be better to avoid public CAs and run your own PKI (i.e., be your own CA). In this case, pick up a copy of Network Security with OpenSSL. The book will show you how to accomplish the customary tasks using both the openssl command and programmatically.
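A sketch of the custom X509TrustManager described in the answer above, as an added example that is not part of the original answer. It goes slightly beyond the answer's either/or by doing both checks: it first runs the platform's normal validation (validity period and chain to a trusted root) and then pins the leaf certificate's public key. The class name PinningTrustManager and the pinBase64 parameter are hypothetical, and Java 8 or later is assumed for java.util.Base64.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;

// Added example (hypothetical class): default chain validation plus a public-key pin.
public final class PinningTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;  // platform default validation
    private final byte[] expectedSpkiSha256;  // pin shipped with the application

    public PinningTrustManager(String pinBase64) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);            // null selects the default trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        delegate = found;
        expectedSpkiSha256 = Base64.getDecoder().decode(pinBase64);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        // Step 1: validity period and chain to a trusted root.
        delegate.checkServerTrusted(chain, authType);
        try {
            // Step 2: hash the leaf's DER-encoded SubjectPublicKeyInfo and compare to the pin.
            byte[] spki = chain[0].getPublicKey().getEncoded();
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(spki);
            if (!MessageDigest.isEqual(actual, expectedSpkiSha256))
                throw new CertificateException("server public key does not match the pin");
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Pass the Base64-encoded SHA-256 of the expected server's SubjectPublicKeyInfo as pinBase64, then hand the manager to SSLContext.init(null, new TrustManager[] { tm }, null) and use that context's socket factory for the connection. A mismatch fails the handshake with a CertificateException instead of silently trusting any certificate the default store would accept.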
How can I get the PrivateKey from a Windows-MY (MSCAPI) Certificate (marked as not exportable) to use it for the HTTPS connection to authenticate the client?
Thanks
I ended up having to use Java Web Start to wrap my application. It handles the SSL context stuff including prompting the user for the certificate. I attempted at first to get the private key through SunMSCAPI but the private key became corrupt every time.
Java Web Start was my solution. Your JARs need to be signed to run under JWS. Your application will be launched via a JNLP file. Google JWS JNLP example for an example. It's pretty easy.
I have a Swing application deployed on an HTTP server. Users point the browser to a URL and install the client using Java Web Start. Now I need to enable HTTPS access to my application deployed on the HTTP server. I am using JDK 1.5 as the default JDK supported in the JNLP file. For the time being I use a self signed certificate to sign the jars (by default created using Sun's jarsigner, keytool, etc. utils).
Solution/steps would be much appreciated.
Thanks in advance
Ramesh
As far as I understand your question, you don't need to change anything in the client code. If you only want to give access to the JNLP via HTTPS, you would only need to reconfigure the application server distributing the JNLP, or if you have a webserver in front of the application server (as we do here: user - https -> apache -> AJP -> tomcat), you need to reconfigure the webserver to allow access to the JNLP via HTTPS.
You need to enable HTTPS on the web server. To get the certificate you need to provide credentials and the host name of the server to a certificate authority (CA) like VeriSign or Thawte. They can provide you with a server certificate signed by their root certificate or some intermediate certificate. This certificate must then be imported into the web server to enable HTTPS over SSL. The web clients, like a browser or webstart will then verify the certificate chain when accessing the server.
If you use a self signed jar, all your users will be presented with a warning message about potentially unsafe code. To avoid this you should get a code signing certificate from a CA, which would be somewhat similar to the web server certificate. This CA-provided certificate can be imported into the keystore and used in the same way you use the self signed certificate. The code signing certificate will be signed by the CA so that the certificate chain can be verified by webstart.
What is the feature of https that you are hoping to leverage?
The signing/server authentication is done by code signing, though you are undermining this using a self-signed certificate.
Does your application code contain secrets that must be hidden from eavesdroppers?
As you say you "need to enable" there must be an underlying reason.
I believe that before you "need https" you need a proper code signing certificate. You might want to rephrase your question so that your underlying problem can be solved instead of the very specific question.