
perfsonar-user - Re: [perfsonar-user] Signed NDT and NPAD Applets

Subject: perfSONAR User Q&A and Other Discussion

  • From: Aaron Brown <>
  • To: "Hockett, Roy" <>
  • Cc: "" <>, "John W. O'Brien" <>, "Nickless, Bill" <>
  • Subject: Re: [perfsonar-user] Signed NDT and NPAD Applets
  • Date: Wed, 18 Jun 2014 20:56:44 +0000
  • Accept-language: en-US

Hey Roy,

On Jun 12, 2014, at 10:40 PM, Hockett, Roy wrote:

> Don't these JAR files have to be re-signed every time there is an update to
> NDT or NPAD rpms?

That is the case.

> If so, would it not be easier if the maintainers for each sign the JAR
> files?

We’re looking into what we’d need to do to sign them, but haven’t got the
requisite certs to do so yet.

Cheers,
Aaron

>
> Thanks,
> -Roy Hockett
>
> Network Architect,
> ITS Communications Systems and Data Centers
> University of Michigan
> Tel: (734) 763-7325
> Fax: (734) 615-1727
> email:
>
>
> On May 9, 2014, at 12:07 PM, Nickless, Bill wrote:
>
>> Good morning John,
>>
>> I'm not an expert on Java certificate signing requirements; all I know is
>> what the local Java experts tell me. They didn't tell me the EV
>> certificate was necessary, only that they had one. If the non-EV
>> certificate works for you then I would guess it would work for anyone.
>>
>> Very good point about clearing the JVM cache in addition to the browser
>> cache; I should have mentioned that in my original post.
>>
>> I'll send you the Source RPMs under separate cover (no need to spam the
>> whole list).
>>
>> Best regards,
>>
>> Bill Nickless
>> Secure Cyber Systems
>> Pacific Northwest National Laboratory
>>
>> +1 509 713 2455
>>
>> -----Original Message-----
>> From: On Behalf Of John W. O'Brien
>> Sent: Thursday, May 08, 2014 10:41 AM
>> To: Nickless, Bill
>> Cc:
>>
>> Subject: Re: [perfsonar-user] Signed NDT and NPAD Applets
>>
>> On 4/28/14 3:07 PM, Nickless, Bill wrote:
>>> Good afternoon,
>>>
>>> Please try running http://perfsonar-sef2.labworks.org:7123 (NDT) and
>>> http://perfsonar-sef2.labworks.org:8000 (NPAD). Their associated
>>> applets are signed and should work with a stock client installation of
>>> current Oracle Java with default security settings.
>>
>> Bill,
>>
>> Thank you for preparing these notes.
>>
>> I can confirm that my machine (OS X 10.8.5, Java 7u55 with "High"
>> security, Firefox 29.0) accepts and runs these apps.
>>
>>> This took four steps:
>>>
>>> 1. Modify the NDT and NPAD source RPMs to incorporate a "Permissions:
>>> sandbox" line in MANIFEST.MF. (The NPAD tarball in the source RPM
>>> includes a precompiled DiagClient.jar file so by default it is never
>>> recompiled; fixing that took another small change to the .spec file
>>> %prep section.)
>>
>> I have very little experience mucking about with SRPMS, and even less with
>> Java, and I was able to make my way through this thanks to your hints.
>>
>> My solution to the pre-compiled JAR was simply to add MANIFEST.MF as a
>> dependency in the Makefile.
>>
>> It would be interesting to hear from those better versed than I, though,
>> about ways to integrate the signing step into the RPM building process.
>> Perhaps that's a discussion better suited to another venue.
>>
>>> 2. Have the resulting .jar files signed by someone at PNNL who went
>>> through the trouble and expense of securing an Extended Validation
>>> Java code signing certificate from Entrust.
>>
>> Is the EV cert intended to meet policy requirements at your organization,
>> or is there some aspect of the stock client config I haven't discovered? I
>> obtained a regular code signing cert from InCommon, and it seems to
>> achieve your stated objective.
>>
>> Try my staging (read: temporary) node, if you like, at:
>>
>> http://hulk.perf-hnt.net.isc.upenn.edu:7123/
>> http://hulk.perf-hnt.net.isc.upenn.edu:8000/
>>
>>> 3. Copy over /usr/ndt/Tcpbw100.jar and /var/lib/npad/DiagClient.jar
>>> with the signed .jar files.
>>>
>>> 4. Stop and restart the NDT and NPAD services.
>>
>> And be aware that clearing your browser cache will not be sufficient to
>> obtain the updated JAR. The JRE maintains its own local cache, from which
>> I had to manually delete the affected JAR with:
>>
>> * Java Control Panel
>> * General tab, Temporary Internet Files, "View..."
>> * Show: "Resources"
>> * Select the JAR and click the X (Remove selected resources)
>>
>>> I'm happy to share the modified NDT and NPAD source RPMs for (e.g.)
>>> peer review. Just let me know.
>>
>> I would like to take a look to check my answer, so to speak.
>>
>> --
>> John W. O'Brien
>> Senior Network Engineer
>> Information Systems and Computing
>> University of Pennsylvania
>>
>> 215-898-9818
>> OpenPGP key ID: 0x155016CB
>>
>
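
A pre-deployment check for steps 1 to 3 of the procedure quoted above, as an added example that is not from the thread's participants or the perfSONAR project: it reads a JAR, parses the main section of MANIFEST.MF (including continuation lines) for the `Permissions` attribute, and reports whether signature files are present under META-INF. The function names and the in-memory sample JARs are constructed for illustration; the check confirms that signature files exist, not that they are cryptographically valid (`jarsigner -verify` does that).

```python
import io
import zipfile

SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")  # signature block file extensions


def parse_manifest(text):
    """Parse the main section of MANIFEST.MF, joining continuation lines."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                      # blank line ends the main section
            break
        if line.startswith(" ") and key:  # continuation of the previous value
            attrs[key] += line[1:]
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()         # attribute names are case-insensitive
        attrs[key] = value.strip()
    return attrs


def check_jar(fileobj):
    """Return (Permissions value or None, signature files present?)."""
    with zipfile.ZipFile(fileobj) as jar:
        names = [n.upper() for n in jar.namelist()]
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    meta = [n for n in names if n.startswith("META-INF/") and n.count("/") == 1]
    has_sf = any(n.endswith(".SF") for n in meta)
    has_block = any(n.endswith(SIG_BLOCK_EXTS) for n in meta)
    return parse_manifest(manifest).get("permissions"), has_sf and has_block


def make_sample_jar(manifest, signed):
    """Build a constructed in-memory JAR; signature bytes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("Tcpbw100.class", b"\xca\xfe\xba\xbe")
        if signed:
            jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/SIGNER.RSA", b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    rebuilt = make_sample_jar(
        "Manifest-Version: 1.0\r\nPermissions: sandbox\r\n\r\n", True)
    stock = make_sample_jar("Manifest-Version: 1.0\r\n\r\n", False)
    for label, jar in (("rebuilt and signed", rebuilt), ("stock", stock)):
        print(label, check_jar(jar))
```

Run against the real files by passing an open file object, for example `check_jar(open("/usr/ndt/Tcpbw100.jar", "rb"))`, before restarting the services.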



