perfSONAR User Q&A and Other Discussion

["Nickless, Bill" <>]

Good morning John,

I'm not an expert on Java certificate signing requirements; all I know is 
what the local Java experts tell me.  They didn't tell me the EV certificate 
was necessary, only that they had one.  If the non-EV certificate works for 
you then I would guess it would work for anyone.

Very good point about clearing the JVM cache in addition to the browser 
cache; I should have mentioned that in my original post.

I'll send you the Source RPMs under separate cover (no need to spam the whole 
list).

Best regards,

Bill Nickless
Secure Cyber Systems
Pacific Northwest National Laboratory

+1 509 713 2455

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of John W. O'Brien
Sent: Thursday, May 08, 2014 10:41 AM
To: Nickless, Bill
Cc: 

Subject: Re: [perfsonar-user] Signed NDT and NPAD Applets

On 4/28/14 3:07 PM, Nickless, Bill wrote:
> Good afternoon,
> 
> Please try running http://perfsonar-sef2.labworks.org:7123 (NDT) and
> http://perfsonar-sef2.labworks.org:8000 (NPAD).  Their associated 
> applets are signed and should work with a stock client installation of 
> current Oracle Java with default security settings.

Bill,

Thank you for preparing these notes.

I can confirm that my machine (OS X 10.8.5, Java 7u55 with "High"
security, Firefox 29.0) accepts and runs these apps.

> This took four steps:
> 
> 1. Modify the NDT and NPAD source RPMs to incorporate a "Permissions:
> sandbox" line in MANIFEST.MF.  (The NPAD tarball in the source RPM 
> includes a precompiled DiagClient.jar file so by default it is never 
> recompiled; fixing that took another small change to the .spec file 
> %prep section.)

I have very little experience mucking about with SRPMS, and even less with 
Java, and I was able to make my way through this thanks to your hints.

My solution to the pre-compiled JAR was simply to add MANIFEST.MF as a 
dependency in the Makefile.

It would be interesting to hear from those better versed than I, though, 
about ways to integrate the signing step into the RPM building process. 
Perhaps that's a discussion better suited to another venue.

> 2. Have the resulting .jar files signed by someone at PNNL who went 
> through the trouble and expense of securing an Extended Validation 
> Java code signing certificate from Entrust.

Is the EV cert intended to meet policy requirements at your organization, or 
is there some aspect of the stock client config I haven't discovered? I 
obtained a regular code signing cert from InCommon, and it seems to achieve 
your stated objective.

Try my staging (read: temporary) node, if you like, at:

    http://hulk.perf-hnt.net.isc.upenn.edu:7123/
    http://hulk.perf-hnt.net.isc.upenn.edu:8000/

> 3. Copy over /usr/ndt/Tcpbw100.jar and /var/lib/npad/DiagClient.jar 
> with the signed .jar files.
> 
> 4. Stop and restart the NDT and NPAD services.

And be aware that clearing your browser cache will not be sufficient to 
obtain the updated JAR. The JRE maintains its own local cache, from which I 
had to manually deleted the affected JAR with:

    *   Java Control Panel
    *   General tab, Temporary Internet Files, "View..."
    *   Show: "Resources"
    *   Select the JAR and click the X (Remove selected resources)

> I'm happy to share the modified NDT and NPAD source RPMs for (e.g.) 
> peer review.  Just let me know.

I would like to take a look to check my answer, so to speak.

--
John W. O'Brien
Senior Network Engineer
Information Systems and Computing
University of Pennsylvania

 215-898-9818
OpenPGP key ID: 0x155016CB