perfsonar-user - Re: [perfsonar-user] Signed NDT and NPAD Applets
Subject: perfSONAR User Q&A and Other Discussion
- From: "Hockett, Roy" <>
- To:
- Cc: "John W. O'Brien" <>, "Nickless, Bill" <>
- Subject: Re: [perfsonar-user] Signed NDT and NPAD Applets
- Date: Thu, 12 Jun 2014 22:40:11 -0400
Don't these JAR files have to be re-signed every time there is an update to
NDT or NPAD rpms?
If so, would it not be easier if the maintainers for each sign the JAR files?
Thanks,
-Roy Hockett
Network Architect,
ITS Communications Systems and Data Centers
University of Michigan
Tel: (734) 763-7325
Fax: (734) 615-1727
email:
On May 9, 2014, at 12:07 PM, Nickless, Bill wrote:
> Good morning John,
>
> I'm not an expert on Java certificate signing requirements; all I know is
> what the local Java experts tell me. They didn't tell me the EV
> certificate was necessary, only that they had one. If the non-EV
> certificate works for you then I would guess it would work for anyone.
>
> Very good point about clearing the JVM cache in addition to the browser
> cache; I should have mentioned that in my original post.
>
> I'll send you the Source RPMs under separate cover (no need to spam the
> whole list).
>
> Best regards,
>
> Bill Nickless
> Secure Cyber Systems
> Pacific Northwest National Laboratory
>
> +1 509 713 2455
>
> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of John W. O'Brien
> Sent: Thursday, May 08, 2014 10:41 AM
> To: Nickless, Bill
> Cc:
>
> Subject: Re: [perfsonar-user] Signed NDT and NPAD Applets
>
> On 4/28/14 3:07 PM, Nickless, Bill wrote:
>> Good afternoon,
>>
>> Please try running http://perfsonar-sef2.labworks.org:7123 (NDT) and
>> http://perfsonar-sef2.labworks.org:8000 (NPAD). Their associated
>> applets are signed and should work with a stock client installation of
>> current Oracle Java with default security settings.
>
> Bill,
>
> Thank you for preparing these notes.
>
> I can confirm that my machine (OS X 10.8.5, Java 7u55 with "High"
> security, Firefox 29.0) accepts and runs these apps.
>
>> This took four steps:
>>
>> 1. Modify the NDT and NPAD source RPMs to incorporate a "Permissions:
>> sandbox" line in MANIFEST.MF. (The NPAD tarball in the source RPM
>> includes a precompiled DiagClient.jar file so by default it is never
>> recompiled; fixing that took another small change to the .spec file
>> %prep section.)
>
> I have very little experience mucking about with SRPMS, and even less with
> Java, and I was able to make my way through this thanks to your hints.
>
> My solution to the pre-compiled JAR was simply to add MANIFEST.MF as a
> dependency in the Makefile.
>
> It would be interesting to hear from those better versed than I, though,
> about ways to integrate the signing step into the RPM building process.
> Perhaps that's a discussion better suited to another venue.
>
>> 2. Have the resulting .jar files signed by someone at PNNL who went
>> through the trouble and expense of securing an Extended Validation
>> Java code signing certificate from Entrust.
>
> Is the EV cert intended to meet policy requirements at your organization,
> or is there some aspect of the stock client config I haven't discovered? I
> obtained a regular code signing cert from InCommon, and it seems to achieve
> your stated objective.
>
> Try my staging (read: temporary) node, if you like, at:
>
> http://hulk.perf-hnt.net.isc.upenn.edu:7123/
> http://hulk.perf-hnt.net.isc.upenn.edu:8000/
>
>> 3. Copy over /usr/ndt/Tcpbw100.jar and /var/lib/npad/DiagClient.jar
>> with the signed .jar files.
>>
>> 4. Stop and restart the NDT and NPAD services.
>
> And be aware that clearing your browser cache will not be sufficient to
> obtain the updated JAR. The JRE maintains its own local cache, from which I
> had to manually delete the affected JAR with:
>
> * Java Control Panel
> * General tab, Temporary Internet Files, "View..."
> * Show: "Resources"
> * Select the JAR and click the X (Remove selected resources)
>
>> I'm happy to share the modified NDT and NPAD source RPMs for (e.g.)
>> peer review. Just let me know.
>
> I would like to take a look to check my answer, so to speak.
>
> --
> John W. O'Brien
> Senior Network Engineer
> Information Systems and Computing
> University of Pennsylvania
>
> 215-898-9818
> OpenPGP key ID: 0x155016CB
>
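
A structural check for the question raised in this thread: whether an NDT or NPAD package update has left a JAR without the "Permissions: sandbox" manifest line or without signature entries. This is an added example, not code from the thread or from the NDT/NPAD projects; `check_applet_jar` and `build_jar` are hypothetical names, the sample JARs are constructed in memory, and the check only confirms that the entries exist, not that the signature is cryptographically valid.

```python
import io
import re
import zipfile

SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)

def main_attributes(manifest_bytes):
    """Parse the manifest main section, which ends at the first blank line."""
    attrs, last = {}, None
    for line in manifest_bytes.decode("utf-8").splitlines():
        if not line.strip():
            break
        if line.startswith(" ") and last:  # continuation of a wrapped value
            attrs[last] += line[1:]
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        attrs[last] = value.lstrip()
    return attrs


def check_applet_jar(jar):
    """Return a list of problems; an empty list means the structure looks right."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        attrs = main_attributes(zf.read("META-INF/MANIFEST.MF"))
    problems = []
    if attrs.get("permissions", "").strip().lower() != "sandbox":
        problems.append("manifest lacks 'Permissions: sandbox'")
    if not any(SIG_FILE.match(n) for n in names):
        problems.append("no signature file (META-INF/*.SF)")
    if not any(SIG_BLOCK.match(n) for n in names):
        problems.append("no signature block (META-INF/*.RSA, .DSA or .EC)")
    return problems


def build_jar(manifest, signed):
    """Constructed in-memory sample JAR; signature entries are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("DiagClient.class", b"\xca\xfe\xba\xbe")
        if signed:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/SIGNER.RSA", b"placeholder")
    return buf
```

`check_applet_jar` also accepts a file path, so it can be run against `/usr/ndt/Tcpbw100.jar` and `/var/lib/npad/DiagClient.jar` after each package update; `jarsigner -verify` performs the actual signature validation.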