
perfsonar-user - RE: [perfsonar-user] Signed NDT and NPAD Applets

  • From: "Nickless, Bill" <>
  • To: "'John W. O'Brien'" <>
  • Cc: "" <>
  • Subject: RE: [perfsonar-user] Signed NDT and NPAD Applets
  • Date: Fri, 9 May 2014 16:07:43 +0000
  • Accept-language: en-US

Good morning John,

I'm not an expert on Java certificate signing requirements; all I know is
what the local Java experts tell me. They didn't tell me the EV certificate
was necessary, only that they had one. If the non-EV certificate works for
you then I would guess it would work for anyone.

Very good point about clearing the JVM cache in addition to the browser
cache; I should have mentioned that in my original post.

I'll send you the Source RPMs under separate cover (no need to spam the whole
list).

Best regards,

Bill Nickless
Secure Cyber Systems
Pacific Northwest National Laboratory

+1 509 713 2455

-----Original Message-----
From: [mailto:] On Behalf Of John W. O'Brien
Sent: Thursday, May 08, 2014 10:41 AM
To: Nickless, Bill
Cc:
Subject: Re: [perfsonar-user] Signed NDT and NPAD Applets

On 4/28/14 3:07 PM, Nickless, Bill wrote:
> Good afternoon,
>
> Please try running http://perfsonar-sef2.labworks.org:7123 (NDT) and
> http://perfsonar-sef2.labworks.org:8000 (NPAD). Their associated
> applets are signed and should work with a stock client installation of
> current Oracle Java with default security settings.

Bill,

Thank you for preparing these notes.

I can confirm that my machine (OS X 10.8.5, Java 7u55 with "High"
security, Firefox 29.0) accepts and runs these apps.

> This took four steps:
>
> 1. Modify the NDT and NPAD source RPMs to incorporate a "Permissions:
> sandbox" line in MANIFEST.MF. (The NPAD tarball in the source RPM
> includes a precompiled DiagClient.jar file so by default it is never
> recompiled; fixing that took another small change to the .spec file
> %prep section.)

I have very little experience mucking about with SRPMS, and even less with
Java, and I was able to make my way through this thanks to your hints.

My solution to the pre-compiled JAR was simply to add MANIFEST.MF as a
dependency in the Makefile.

It would be interesting to hear from those better versed than I, though,
about ways to integrate the signing step into the RPM building process.
Perhaps that's a discussion better suited to another venue.

> 2. Have the resulting .jar files signed by someone at PNNL who went
> through the trouble and expense of securing an Extended Validation
> Java code signing certificate from Entrust.

Is the EV cert intended to meet policy requirements at your organization, or
is there some aspect of the stock client config I haven't discovered? I
obtained a regular code signing cert from InCommon, and it seems to achieve
your stated objective.

Try my staging (read: temporary) node, if you like, at:

http://hulk.perf-hnt.net.isc.upenn.edu:7123/
http://hulk.perf-hnt.net.isc.upenn.edu:8000/

> 3. Copy over /usr/ndt/Tcpbw100.jar and /var/lib/npad/DiagClient.jar
> with the signed .jar files.
>
> 4. Stop and restart the NDT and NPAD services.

And be aware that clearing your browser cache will not be sufficient to
obtain the updated JAR. The JRE maintains its own local cache, from which I
had to manually delete the affected JAR with:

* Java Control Panel
* General tab, Temporary Internet Files, "View..."
* Show: "Resources"
* Select the JAR and click the X (Remove selected resources)

> I'm happy to share the modified NDT and NPAD source RPMs for (e.g.)
> peer review. Just let me know.

I would like to take a look to check my answer, so to speak.

--
John W. O'Brien
Senior Network Engineer
Information Systems and Computing
University of Pennsylvania

215-898-9818
OpenPGP key ID: 0x155016CB
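The four steps above (add a Permissions attribute to MANIFEST.MF, sign the JAR, copy it over, restart) leave no quick way to confirm that the file now sitting in /usr/ndt or /var/lib/npad is the one you meant to deploy. The script below is an added example, not code from this thread or from the NDT/NPAD projects: it parses a JAR manifest (including the 72-byte continuation lines that `jar` emits), adds `Permissions: sandbox` to a manifest that lacks it (the step 1 edit), and checks a JAR for both the attribute and the presence of a signature file plus signature block, which is what `jarsigner` adds. The JAR fixtures are constructed in memory so it runs offline; the signature file name `PNNL` and the class bytes are placeholders.

```python
"""Check an applet JAR (e.g. a deployed Tcpbw100.jar or DiagClient.jar) for
the two properties the thread's four steps produce: a 'Permissions'
attribute in META-INF/MANIFEST.MF and a code signature (META-INF/*.SF plus
a *.RSA/*.DSA/*.EC block).

Added example, not code from the thread or the NDT/NPAD projects. JAR
fixtures are constructed in memory; 'PNNL' as the signature base name and
the class contents are placeholders."""
import io
import re
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$")
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$")


def parse_manifest(text):
    """Parse the main section of a JAR manifest into a dict.

    Manifest lines are wrapped at 72 bytes; a continuation line starts with
    a single space and is appended to the previous attribute's value. The
    per-entry sections after the first blank line are ignored here."""
    main = text.replace("\r\n", "\n").split("\n\n", 1)[0]
    attrs, key = {}, None
    for line in main.split("\n"):
        if line.startswith(" ") and key is not None:
            attrs[key] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            key = key.strip()
            # exactly one space follows the colon; keep any trailing space,
            # since a wrapped value may continue on the next line
            attrs[key] = value[1:] if value.startswith(" ") else value
    return attrs


def add_permissions(manifest_text, value="sandbox"):
    """Step 1 of the thread: add 'Permissions: <value>' to the main section
    of a manifest that lacks it; a manifest that already has it is returned
    unchanged."""
    text = manifest_text.replace("\r\n", "\n")
    if "Permissions" in parse_manifest(text):
        return text
    main, _sep, rest = text.partition("\n\n")
    return main.rstrip("\n") + "\nPermissions: %s\n\n" % value + rest


def build_jar(manifest_text, signed):
    """Construct a minimal JAR fixture in memory (not a real applet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, manifest_text)
        zf.writestr("Tcpbw100.class", b"\xca\xfe\xba\xbe")  # class-file magic only
        if signed:
            # What jarsigner adds: a signature file and a PKCS#7 block.
            # Contents are stand-ins; only their presence is checked below.
            zf.writestr("META-INF/PNNL.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/PNNL.RSA", b"\x30\x82\x00\x00")
    return buf.getvalue()


def inspect_jar(data):
    """Return the manifest's Permissions value and whether signature files exist."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        attrs = parse_manifest(zf.read(MANIFEST).decode("utf-8"))
    has_sf = any(SIG_FILE.match(n) for n in names)
    has_block = any(SIG_BLOCK.match(n) for n in names)
    return {"permissions": attrs.get("Permissions"), "signed": has_sf and has_block}


def check_applet_jar(data):
    """List what is still missing for a stock Java 7 client at the 'High'
    security setting: the Permissions attribute and/or a signature.
    An empty list means both are present (the signature chain itself is not
    validated here; use 'jarsigner -verify' for that)."""
    info = inspect_jar(data)
    problems = []
    if info["permissions"] is None:
        problems.append("MANIFEST.MF has no Permissions attribute")
    elif info["permissions"] not in ("sandbox", "all-permissions"):
        problems.append("Permissions value %r is not sandbox/all-permissions"
                        % info["permissions"])
    if not info["signed"]:
        problems.append("no META-INF/*.SF and signature block: JAR is unsigned")
    return problems


if __name__ == "__main__":
    # Constructed manifest as 'jar' would write it, with a wrapped value.
    stock = "Manifest-Version: 1.0\nCreated-By: 1.7.0_55 (Oracle \n Corporation)\n\n"
    print("stock JAR:", check_applet_jar(build_jar(stock, signed=False)) or "ok")
    print("fixed JAR:", check_applet_jar(build_jar(add_permissions(stock), signed=True)) or "ok")
```

Run it against the real files with `inspect_jar(open("/usr/ndt/Tcpbw100.jar", "rb").read())` after step 3. The script only confirms that the manifest attribute and signature files are present; whether the signature actually verifies, and which certificate signed it, is what `jarsigner -verify -verbose -certs Tcpbw100.jar` reports. If the check passes on the server but the client still refuses the applet, the stale copy in the JRE's own cache (the Java Control Panel steps above) is the next thing to rule out.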
