
We have an in-house-only app that can be run from both Unix workstations and Windows PCs. Some background of our environment:

  • The Unix system is "live" (read/write) whereas the Windows system is a read-only system of day-old data.
  • The Unix users have the option to run from the command line (using a shell script provided), or via Java Web Start.
  • The Windows users can only run via Java Web Start.
  • The Unix system has no internet access, but the Windows system does.
  • The security setting in the jnlp is set to "all-permissions", which is currently needed.
  • The app is compiled on the Unix system with Java 5, and the jars are self-signed from there. The app is then deployed to the Unix system, and then "sneaker-netted" over to the Windows system.

Problem: With the security updates to Java 7, some users on the PCs are having trouble launching the app, since it's self-signed.

Q1: Sifting through the mountain of documentation, it appears that self-signing will soon be a thing of the past, and that the app won't run at all. Is this an absolute? I can't find a definitive answer that applies to in-house JWS apps that aren't deployed outside of a local, restricted domain.

Q2: Making changes to our code so that it can run as a sandboxed app would not be trivial. Would doing so solve this, or will we still be stuck with the security issues?

Q3: Would distributing/installing/registering/whatever-ing our self-made certificate to the clients solve this?

Any help or suggestions <cough> Andrew Thompson I'm talking to you </cough> is appreciated.

EDIT: We do have the option of signing our jars with a trusted Root CA, but the signing would not be done by us (long story) and would make our deployment rise from a couple of hours to many days, which is why we're wondering if an alternate route is available for in-house apps.

splungebob
  • For Q3: does this mean, that the certificate you used to sign the app has not been imported into the users truststore? I suspect this could resolve most of your pain. see here [Google: java install self signed certificate](http://www.google.com/#q=java+install+self+signed+certificate&safe=off). On a side note: see the possible duplicate I just posted. – mwhs Oct 23 '13 at 20:33
  • possible duplicate of [Java Web Start broken since JDK 1.7](http://stackoverflow.com/questions/9623837/java-web-start-broken-since-jdk-1-7) – mwhs Oct 23 '13 at 20:36
  • @mwhs The SO link you provided looks promising. However, my enthusiasm is curbed by the statement, `Your cert does NOT have to be signed, but unsigned certs will prompt the client with a trust message that they can ignore`. My understanding is that this (the prompting) will not be true in the future. – splungebob Oct 23 '13 at 20:46
  • Then a combination of clearing the temporary internet files and installing your certificate in the users Java VM truststore will do the trick. – mwhs Oct 23 '13 at 20:48
  • Also, the OP's problem in that "possible duplicate" link was due to the app hanging. My app isn't hanging. Java 7 is preventing the end-user from running the app due to an untrusted certificate error (which used to be an option to the user but now is not). – splungebob Oct 23 '13 at 20:51

1 Answer

You need to import your self-created certificate in the keystore/certificate store used by the Java VM that is used to start your WebStart application.

Another option (my choice) would definitely be to spend the few coins and have your certificate signed by a well known Root CA. You can do that for intranet domains too I think.

mwhs
  • See my EDIT regarding why we're trying to avoid signing with a trusted authority. – splungebob Oct 23 '13 at 21:25
  • Oh sorry, I didn't see your edit. If signing with a Root CA is not an option then you have to install your self-created CA in the CA-stores of your users. – mwhs Oct 23 '13 at 21:32
  • I will try this once our systems get updated with the latest Java 7, which may be a while. I'll then check back with an update. Thanks. – splungebob Oct 25 '13 at 18:38
  • UPDATE: I still don't have a newer version of Java 7 installed to experiment with, but I'll mark this as correct since it matches the advice here: [Self-signed certificates for a known community](https://blogs.oracle.com/java-platform-group/entry/self_signed_certificates_for_a) – splungebob Nov 11 '13 at 21:35
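The accepted answer's advice, walked through end to end as an added example (this is not code from the question, the answer, or the linked Oracle post): the Unix build box generates a self-signed signing key, signs the jar, and exports only the public certificate; each client then imports that certificate into the JKS trust store its Java Web Start client consults, and `jarsigner -verify -keystore` shows the signer being accepted. Everything runs in a scratch directory; the alias, password, DN, file names and the scratch trust-store path are assumptions for the demo. The real deployment store path on a Unix client is typically `~/.java/deployment/security/trusted.certs` (on Windows `%APPDATA%\LocalLow\Sun\Java\Deployment\security\trusted.certs`); point `TRUSTSTORE` at it, and check which password your JRE's deployment store actually uses, since the demo password is made up.

```shell
#!/bin/sh
# Added example (not from the original post): the answer's fix, importing the
# self-made signer certificate into the client JVM's trust store, shown with
# keytool/jarsigner in a scratch directory. Names and passwords are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ALIAS="inhouse-app"              # assumed signer alias
STOREPASS="changeit"             # assumed demo password, not a real deployment value
SIGNER_KS="$WORK/signer.jks"     # private signing key: stays on the Unix build box
# Client trust store. Assumption: a scratch file for the demo. On a real client
# this is the JWS deployment store (JKS format), typically
#   Unix:    ~/.java/deployment/security/trusted.certs
#   Windows: %APPDATA%\LocalLow\Sun\Java\Deployment\security\trusted.certs
TRUSTSTORE="${TRUSTSTORE:-$WORK/trusted.certs}"

have_jdk() {
    command -v keytool >/dev/null 2>&1 &&
    command -v jarsigner >/dev/null 2>&1 &&
    command -v jar >/dev/null 2>&1
}

# Build side (Unix box): one-off creation of the self-signed signing key.
make_signing_key() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=In-house app, O=Example Corp" \
        -keystore "$SIGNER_KS" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Build side: package a stand-in for the real app and sign it, as the build does.
build_and_sign_jar() {
    printf 'constructed sample payload\n' > "$WORK/hello.txt"
    (cd "$WORK" && jar cf app.jar hello.txt)
    jarsigner -keystore "$SIGNER_KS" -storepass "$STOREPASS" "$WORK/app.jar" "$ALIAS"
}

# Build side: export only the public certificate. This .cer file travels with
# the jars (sneaker-net included); signer.jks itself never leaves the build box.
export_signer_cert() {
    keytool -exportcert -alias "$ALIAS" -keystore "$SIGNER_KS" \
        -storepass "$STOREPASS" -rfc -file "$WORK/app.cer"
}

# Client side: is our signer already in the trust store? (exit 0 = yes)
cert_installed() {
    keytool -list -alias "$ALIAS" -keystore "$TRUSTSTORE" -storetype JKS \
        -storepass "$STOREPASS" >/dev/null 2>&1
}

# Client side: the fix from the answer. -noprompt skips the "Trust this
# certificate?" question, so it can run from a login script.
install_cert_on_client() {
    keytool -importcert -noprompt -alias "$ALIAS" -file "$WORK/app.cer" \
        -keystore "$TRUSTSTORE" -storetype JKS -storepass "$STOREPASS"
}

# Client side: verify the jar with the client's trust store as the anchor set.
# Without -keystore the signature still checks but the signer is untrusted;
# with it, jarsigner treats our self-signed cert as a trust anchor.
verify_jar_against_truststore() {
    out=$(jarsigner -verify -keystore "$TRUSTSTORE" -storetype JKS \
              -storepass "$STOREPASS" "$WORK/app.jar")
    printf '%s\n' "$out" | grep -q 'jar verified'
}

main() {
    make_signing_key
    build_and_sign_jar
    export_signer_cert
    if cert_installed; then
        echo "signer already trusted by $TRUSTSTORE"
    else
        echo "signer not yet trusted by $TRUSTSTORE (expected before the import)"
    fi
    install_cert_on_client
    cert_installed || { echo "import failed" >&2; exit 1; }
    echo "signer now trusted by $TRUSTSTORE"
    verify_jar_against_truststore || { echo "jar did not verify" >&2; exit 1; }
    echo "app.jar verifies against the client trust store"
}

if have_jdk; then
    main
else
    echo "keytool/jarsigner/jar not found: install a JDK to run this demo" >&2
fi
```

Run it with a JDK on the path and it prints the before/after trust state; set `TRUSTSTORE` to the client's real deployment store (and `STOREPASS` to that store's password) to perform the actual install. The split of functions mirrors the deployment: the three build-side steps run once on the Unix box, the three client-side steps run on every PC that receives the jars.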