
perfsonar-user - Re: [perfsonar-user] Signed NDT and NPAD Applets

Subject: perfSONAR User Q&A and Other Discussion

  • From: "John W. O'Brien" <>
  • To: "Nickless, Bill" <>
  • Cc: "" <>
  • Subject: Re: [perfsonar-user] Signed NDT and NPAD Applets
  • Date: Thu, 8 May 2014 13:40:45 -0400
  • Organization: University of Pennsylvania, Information Systems and Computing

On 4/28/14 3:07 PM, Nickless, Bill wrote:
> Good afternoon,
>
> Please try running http://perfsonar-sef2.labworks.org:7123 (NDT) and
> http://perfsonar-sef2.labworks.org:8000 (NPAD). Their associated
> applets are signed and should work with a stock client installation
> of current Oracle Java with default security settings.

Bill,

Thank you for preparing these notes.

I can confirm that my machine (OS X 10.8.5, Java 7u55 with "High"
security, Firefox 29.0) accepts and runs these apps.

> This took four steps:
>
> 1. Modify the NDT and NPAD source RPMs to incorporate a "Permissions:
> sandbox" line in MANIFEST.MF. (The NPAD tarball in the source RPM
> includes a precompiled DiagClient.jar file so by default it is never
> recompiled; fixing that took another small change to the .spec file
> %prep section.)

I have very little experience mucking about with SRPMS, and even less
with Java, and I was able to make my way through this thanks to your hints.

My solution to the pre-compiled JAR was simply to add MANIFEST.MF as a
dependency in the Makefile.

It would be interesting to hear from those better versed than I,
though, about ways to integrate the signing step into the RPM building
process. Perhaps that's a discussion better suited to another venue.

> 2. Have the resulting .jar files signed by someone at PNNL who went
> through the trouble and expense of securing an Extended Validation
> Java code signing certificate from Entrust.

Is the EV cert intended to meet policy requirements at your
organization, or is there some aspect of the stock client config I
haven't discovered? I obtained a regular code signing cert from
InCommon, and it seems to achieve your stated objective.

Try my staging (read: temporary) node, if you like, at:

http://hulk.perf-hnt.net.isc.upenn.edu:7123/
http://hulk.perf-hnt.net.isc.upenn.edu:8000/

> 3. Copy over /usr/ndt/Tcpbw100.jar and /var/lib/npad/DiagClient.jar
> with the signed .jar files.
>
> 4. Stop and restart the NDT and NPAD services.

And be aware that clearing your browser cache will not be sufficient to
obtain the updated JAR. The JRE maintains its own local cache, from
which I had to manually delete the affected JAR with:

* Java Control Panel
* General tab, Temporary Internet Files, "View..."
* Show: "Resources"
* Select the JAR and click the X (Remove selected resources)

> I'm happy to share the modified NDT and NPAD source RPMs for (e.g.)
> peer review. Just let me know.

I would like to take a look to check my answer, so to speak.

--
John W. O'Brien
Senior Network Engineer
Information Systems and Computing
University of Pennsylvania

215-898-9818
OpenPGP key ID: 0x155016CB

Attachment: signature.asc
Description: OpenPGP digital signature
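
The following is an added example, not part of the original message or of the NDT/NPAD packaging: a pre-deployment check that a rebuilt JAR carries the `Permissions` attribute in the main section of MANIFEST.MF (step 1) and contains signature entries (step 2) before it is copied over the served file (step 3). The sample JAR, its class file and the `SIGNER` entry names are constructed for the demo.

```python
import io
import zipfile

SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")  # signature block files written by JAR signing

def main_attributes(manifest_text):
    """Parse the main section of MANIFEST.MF, joining continuation lines."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line:                       # blank line ends the main section
            break
        if line.startswith(" ") and last:  # wrapped value continues the previous attribute
            attrs[last] += line[1:]
            continue
        name, sep, value = line.partition(": ")
        if sep:
            last = name.lower()            # attribute names are case-insensitive
            attrs[last] = value
    return attrs

def check_jar(jar):
    """Return (Permissions value or None, True if .SF and signature block entries exist)."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        manifest = next((n for n in names if n.upper() == "META-INF/MANIFEST.MF"), None)
        attrs = main_attributes(zf.read(manifest).decode("utf-8")) if manifest else {}
    meta = [n.upper() for n in names
            if n.upper().startswith("META-INF/") and n.count("/") == 1]
    has_sf = any(n.endswith(".SF") for n in meta)
    has_block = any(n.endswith(SIG_BLOCK_EXTS) for n in meta)
    return attrs.get("permissions"), has_sf and has_block

def build_sample_jar(manifest, signed):
    """Constructed in-memory JAR for the demo; the signature entries are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("Tcpbw100.class", b"\xca\xfe\xba\xbe")
        if signed:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/SIGNER.RSA", b"placeholder")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    good = "Manifest-Version: 1.0\r\nPermissions: sandbox\r\n\r\n"
    print(check_jar(build_sample_jar(good, signed=True)))
    print(check_jar(build_sample_jar("Manifest-Version: 1.0\r\n\r\n", signed=False)))
```

This only confirms that the entries exist; `jarsigner -verify` is what validates the signature itself.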



