
perfsonar-user - Re: [perfsonar-user] Signed NDT and NPAD Applets

Subject: perfSONAR User Q&A and Other Discussion


Re: [perfsonar-user] Signed NDT and NPAD Applets


  • From: Roy Hockett <>
  • To: Aaron Brown <>
  • Cc: "" <>, "John W. O'Brien" <>, "Nickless, Bill" <>
  • Subject: Re: [perfsonar-user] Signed NDT and NPAD Applets
  • Date: Wed, 18 Jun 2014 17:30:40 -0400

Thanks Aaron. Do you have a target timeframe? I realize everyone is busy, so
I am not trying to push.

I am just trying to figure out if this needs to be part of our ongoing
upgrade procedure, or if this is a one-time step for us and the next version
will have signed jar files.

Thanks,
-Roy Hockett

Network Architect,
ITS Communications Systems and Data Centers
University of Michigan
Tel: (734) 763-7325
Fax: (734) 615-1727
email:


On Jun 18, 2014, at 4:56 PM, Aaron Brown <> wrote:

> Hey Roy,
>
> On Jun 12, 2014, at 10:40 PM, Hockett, Roy <> wrote:
>
>> Don't these JAR files have to be resigned every time there is an update to
>> NDT or NPAD rpms?
>
> That is the case.
>
>> If so, would it not be easier if the maintainers for each sign the JAR
>> files?
>
> We're looking into what we'd need to do to sign them, but haven't yet got
> the requisite certs to do so.
>
> Cheers,
> Aaron
>
>>
>> Thanks,
>> -Roy Hockett
>>
>> Network Architect,
>> ITS Communications Systems and Data Centers
>> University of Michigan
>> Tel: (734) 763-7325
>> Fax: (734) 615-1727
>> email:
>>
>>
>> On May 9, 2014, at 12:07 PM, Nickless, Bill wrote:
>>
>>> Good morning John,
>>>
>>> I'm not an expert on Java certificate signing requirements; all I know is
>>> what the local Java experts tell me. They didn't tell me the EV
>>> certificate was necessary, only that they had one. If the non-EV
>>> certificate works for you then I would guess it would work for anyone.
>>>
>>> Very good point about clearing the JVM cache in addition to the browser
>>> cache; I should have mentioned that in my original post.
>>>
>>> I'll send you the Source RPMs under separate cover (no need to spam the
>>> whole list).
>>>
>>> Best regards,
>>>
>>> Bill Nickless
>>> Secure Cyber Systems
>>> Pacific Northwest National Laboratory
>>>
>>> +1 509 713 2455
>>>
>>> -----Original Message-----
>>> From: [mailto:] On Behalf Of John W. O'Brien
>>> Sent: Thursday, May 08, 2014 10:41 AM
>>> To: Nickless, Bill
>>> Cc:
>>>
>>> Subject: Re: [perfsonar-user] Signed NDT and NPAD Applets
>>>
>>> On 4/28/14 3:07 PM, Nickless, Bill wrote:
>>>> Good afternoon,
>>>>
>>>> Please try running http://perfsonar-sef2.labworks.org:7123 (NDT) and
>>>> http://perfsonar-sef2.labworks.org:8000 (NPAD). Their associated
>>>> applets are signed and should work with a stock client installation of
>>>> current Oracle Java with default security settings.
>>>
>>> Bill,
>>>
>>> Thank you for preparing these notes.
>>>
>>> I can confirm that my machine (OS X 10.8.5, Java 7u55 with "High"
>>> security, Firefox 29.0) accepts and runs these apps.
>>>
>>>> This took four steps:
>>>>
>>>> 1. Modify the NDT and NPAD source RPMs to incorporate a "Permissions:
>>>> sandbox" line in MANIFEST.MF. (The NPAD tarball in the source RPM
>>>> includes a precompiled DiagClient.jar file so by default it is never
>>>> recompiled; fixing that took another small change to the .spec file
>>>> %prep section.)
>>>
>>> I have very little experience mucking about with SRPMS, and even less
>>> with Java, and I was able to make my way through this thanks to your
>>> hints.
>>>
>>> My solution to the pre-compiled JAR was simply to add MANIFEST.MF as a
>>> dependency in the Makefile.
>>>
>>> It would be interesting to hear from those better versed than I, though,
>>> about ways to integrate the signing step into the RPM building process.
>>> Perhaps that's a discussion better suited to another venue.
>>>
>>>> 2. Have the resulting .jar files signed by someone at PNNL who went
>>>> through the trouble and expense of securing an Extended Validation
>>>> Java code signing certificate from Entrust.
>>>
>>> Is the EV cert intended to meet policy requirements at your organization,
>>> or is there some aspect of the stock client config I haven't discovered?
>>> I obtained a regular code signing cert from InCommon, and it seems to
>>> achieve your stated objective.
>>>
>>> Try my staging (read: temporary) node, if you like, at:
>>>
>>> http://hulk.perf-hnt.net.isc.upenn.edu:7123/
>>> http://hulk.perf-hnt.net.isc.upenn.edu:8000/
>>>
>>>> 3. Copy over /usr/ndt/Tcpbw100.jar and /var/lib/npad/DiagClient.jar
>>>> with the signed .jar files.
>>>>
>>>> 4. Stop and restart the NDT and NPAD services.
>>>
>>> And be aware that clearing your browser cache will not be sufficient to
>>> obtain the updated JAR. The JRE maintains its own local cache, from which
>>> I had to manually delete the affected JAR with:
>>>
>>> * Java Control Panel
>>> * General tab, Temporary Internet Files, "View..."
>>> * Show: "Resources"
>>> * Select the JAR and click the X (Remove selected resources)
>>>
>>>> I'm happy to share the modified NDT and NPAD source RPMs for (e.g.)
>>>> peer review. Just let me know.
>>>
>>> I would like to take a look to check my answer, so to speak.
>>>
>>> --
>>> John W. O'Brien
>>> Senior Network Engineer
>>> Information Systems and Computing
>>> University of Pennsylvania
>>>
>>> 215-898-9818
>>> OpenPGP key ID: 0x155016CB
>>>
>>
>
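Added example, not part of this thread and not NDT, NPAD or perfSONAR code: a small Python script that covers step 1 of Bill's procedure and the verification a deployer would want afterwards. It opens a JAR (a ZIP), parses the main section of META-INF/MANIFEST.MF (including the 72-byte continuation lines the manifest format uses), reports whether a "Permissions" attribute is present and whether signature block files (.SF plus .RSA/.DSA/.EC) exist, and writes a copy whose manifest declares "Permissions: sandbox". It does not sign anything; signing still needs jarsigner and a code-signing certificate, and because the signature covers the manifest, the attribute has to be added before signing, which is also why every NDT/NPAD update needs a re-sign. The sample JAR contents, the "SIGNER" signature file name and all function names are constructed for the example.

```python
"""Inspect and fix the Permissions attribute of a JAR manifest (added example)."""
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # jarsigner signature/block files


def parse_main_attributes(manifest_text: str) -> dict:
    """Parse the main section of a manifest into a dict.

    The main section ends at the first blank line. Values longer than the
    72-byte line limit continue on the next line, which starts with one space.
    """
    main_section = manifest_text.replace("\r\n", "\n").split("\n\n", 1)[0]
    attrs, last_key = {}, None
    for line in main_section.split("\n"):
        if not line:
            continue
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]      # continuation of previous value
            continue
        key, sep, value = line.partition(":")
        if sep:
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def set_main_attribute(manifest_text: str, key: str, value: str) -> str:
    """Return the manifest with `key` set to `value` in the main section."""
    text = manifest_text.replace("\r\n", "\n")
    main, sep, rest = text.partition("\n\n")
    kept, skipping = [], False
    for line in main.split("\n"):
        if line.startswith(" "):            # continuation line
            if not skipping:
                kept.append(line)
            continue
        skipping = line.split(":", 1)[0].strip().lower() == key.lower()
        if line and not skipping:
            kept.append(line)
    kept.append(f"{key}: {value}")
    new_text = "\n".join(kept) + "\n\n" + (rest if sep else "")
    return new_text.replace("\n", "\r\n")


def inspect_jar(jar_bytes: bytes) -> dict:
    """Report the Permissions attribute and whether signature files are present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        attrs = {}
        if MANIFEST in names:
            attrs = parse_main_attributes(zf.read(MANIFEST).decode("utf-8"))
    signed = any(n.startswith("META-INF/") and n.upper().endswith(SIG_SUFFIXES)
                 for n in names)
    return {"permissions": attrs.get("Permissions"), "signed": signed}


def ensure_sandbox_permission(jar_bytes: bytes) -> bytes:
    """Return a copy of the JAR whose manifest declares Permissions: sandbox.

    Run this before jarsigner: the signature covers the manifest, so a JAR
    that was already signed no longer verifies after this and must be re-signed.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src:
        entries = [(info.filename, src.read(info.filename)) for info in src.infolist()]
    manifest = next((d.decode("utf-8") for n, d in entries if n == MANIFEST),
                    "Manifest-Version: 1.0\r\n")
    new_manifest = set_main_attribute(manifest, "Permissions", "sandbox")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        dst.writestr(MANIFEST, new_manifest)   # manifest first, as jar(1) does
        for name, data in entries:
            if name != MANIFEST:
                dst.writestr(name, data)
    return out.getvalue()


def build_sample_jar(manifest_text: str, signed: bool = False) -> bytes:
    """Construct a minimal sample JAR (constructed test data, not a real applet)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr(MANIFEST, manifest_text)
        zf.writestr("Tcpbw100.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # fake class
        if signed:  # placeholder signature files, not a real signature
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n\r\n")
            zf.writestr("META-INF/SIGNER.RSA", b"\x30\x00")
    return out.getvalue()


if __name__ == "__main__":
    unsigned = build_sample_jar("Manifest-Version: 1.0\r\nCreated-By: sample\r\n\r\n")
    print(inspect_jar(unsigned))                            # no Permissions, unsigned
    print(inspect_jar(ensure_sandbox_permission(unsigned)))  # Permissions: sandbox
```

Against a deployed node you would run inspect_jar over /usr/ndt/Tcpbw100.jar and /var/lib/npad/DiagClient.jar after the restart in step 4 to confirm the served file is the signed one; "signed" here only means signature files exist, and `jarsigner -verify` remains the authoritative check of the signature and its certificate chain.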



