perfsonar-user - Re: [perfsonar-user] Signed NDT and NPAD Applets

Subject: perfSONAR User Q&A and Other Discussion

  • From: Aaron Brown <>
  • To: Roy Hockett <>
  • Cc: "" <>, "John W. O'Brien" <>, "Nickless, Bill" <>
  • Subject: Re: [perfsonar-user] Signed NDT and NPAD Applets
  • Date: Thu, 19 Jun 2014 13:02:48 +0000
  • Accept-language: en-US

Hey Roy,

On Jun 18, 2014, at 5:30 PM, Roy Hockett
<>
wrote:

> Thanks Aaron. Do you have a target timeframe? I realize everyone is busy,
> so I am not trying to push.
>
> I am just trying to figure out if this needs to be part of our ongoing
> upgrade procedure,
> or if this can be a one time for us and the next version will have signed
> jar files.

The goal is to have signing in place before the next major NDT RPM release to
avoid having this be a constant manual process.

Cheers,
Aaron

>
> Thanks,
> -Roy Hockett
>
> Network Architect,
> ITS Communications Systems and Data Centers
> University of Michigan
> Tel: (734) 763-7325
> Fax: (734) 615-1727
> email:
>
>
> On Jun 18, 2014, at 4:56 PM, Aaron Brown
> <>
> wrote:
>
>> Hey Roy,
>>
>> On Jun 12, 2014, at 10:40 PM, Hockett, Roy
>> <>
>> wrote:
>>
>>> Don't these JAR files have to be resigned every time there is an update
>>> to NDT or NPAD rpms?
>>
>> That is the case.
>>
>>> If so, would it not be easier if the maintainers for each sign the JAR
>>> files?
>>
>> We're looking into what we'd need to do to sign them, but haven't yet got
>> the requisite certs to do so.
>>
>> Cheers,
>> Aaron
>>
>>>
>>> Thanks,
>>> -Roy Hockett
>>>
>>> Network Architect,
>>> ITS Communications Systems and Data Centers
>>> University of Michigan
>>> Tel: (734) 763-7325
>>> Fax: (734) 615-1727
>>> email:
>>>
>>>
>>> On May 9, 2014, at 12:07 PM, Nickless, Bill wrote:
>>>
>>>> Good morning John,
>>>>
>>>> I'm not an expert on Java certificate signing requirements; all I know
>>>> is what the local Java experts tell me. They didn't tell me the EV
>>>> certificate was necessary, only that they had one. If the non-EV
>>>> certificate works for you then I would guess it would work for anyone.
>>>>
>>>> Very good point about clearing the JVM cache in addition to the browser
>>>> cache; I should have mentioned that in my original post.
>>>>
>>>> I'll send you the Source RPMs under separate cover (no need to spam the
>>>> whole list).
>>>>
>>>> Best regards,
>>>>
>>>> Bill Nickless
>>>> Secure Cyber Systems
>>>> Pacific Northwest National Laboratory
>>>>
>>>> +1 509 713 2455
>>>>
>>>> -----Original Message-----
>>>> From: [mailto:] On Behalf Of John W. O'Brien
>>>> Sent: Thursday, May 08, 2014 10:41 AM
>>>> To: Nickless, Bill
>>>> Cc:
>>>> Subject: Re: [perfsonar-user] Signed NDT and NPAD Applets
>>>>
>>>> On 4/28/14 3:07 PM, Nickless, Bill wrote:
>>>>> Good afternoon,
>>>>>
>>>>> Please try running http://perfsonar-sef2.labworks.org:7123 (NDT) and
>>>>> http://perfsonar-sef2.labworks.org:8000 (NPAD). Their associated
>>>>> applets are signed and should work with a stock client installation of
>>>>> current Oracle Java with default security settings.
>>>>
>>>> Bill,
>>>>
>>>> Thank you for preparing these notes.
>>>>
>>>> I can confirm that my machine (OS X 10.8.5, Java 7u55 with "High"
>>>> security, Firefox 29.0) accepts and runs these apps.
>>>>
>>>>> This took four steps:
>>>>>
>>>>> 1. Modify the NDT and NPAD source RPMs to incorporate a "Permissions:
>>>>> sandbox" line in MANIFEST.MF. (The NPAD tarball in the source RPM
>>>>> includes a precompiled DiagClient.jar file so by default it is never
>>>>> recompiled; fixing that took another small change to the .spec file
>>>>> %prep section.)
>>>>
>>>> I have very little experience mucking about with SRPMS, and even less
>>>> with Java, and I was able to make my way through this thanks to your
>>>> hints.
>>>>
>>>> My solution to the pre-compiled JAR was simply to add MANIFEST.MF as a
>>>> dependency in the Makefile.
>>>>
>>>> It would be interesting to hear from those better versed than I, though,
>>>> about ways to integrate the signing step into the RPM building process.
>>>> Perhaps that's a discussion better suited to another venue.
>>>>
>>>>> 2. Have the resulting .jar files signed by someone at PNNL who went
>>>>> through the trouble and expense of securing an Extended Validation
>>>>> Java code signing certificate from Entrust.
>>>>
>>>> Is the EV cert intended to meet policy requirements at your
>>>> organization, or is there some aspect of the stock client config I
>>>> haven't discovered? I obtained a regular code signing cert from
>>>> InCommon, and it seems to achieve your stated objective.
>>>>
>>>> Try my staging (read: temporary) node, if you like, at:
>>>>
>>>> http://hulk.perf-hnt.net.isc.upenn.edu:7123/
>>>> http://hulk.perf-hnt.net.isc.upenn.edu:8000/
>>>>
>>>>> 3. Copy over /usr/ndt/Tcpbw100.jar and /var/lib/npad/DiagClient.jar
>>>>> with the signed .jar files.
>>>>>
>>>>> 4. Stop and restart the NDT and NPAD services.
>>>>
>>>> And be aware that clearing your browser cache will not be sufficient to
>>>> obtain the updated JAR. The JRE maintains its own local cache, from
>>>> which I had to manually delete the affected JAR with:
>>>>
>>>> * Java Control Panel
>>>> * General tab, Temporary Internet Files, "View..."
>>>> * Show: "Resources"
>>>> * Select the JAR and click the X (Remove selected resources)
>>>>
>>>>> I'm happy to share the modified NDT and NPAD source RPMs for (e.g.)
>>>>> peer review. Just let me know.
>>>>
>>>> I would like to take a look to check my answer, so to speak.
>>>>
>>>> --
>>>> John W. O'Brien
>>>> Senior Network Engineer
>>>> Information Systems and Computing
>>>> University of Pennsylvania
>>>>
>>>> 215-898-9818
>>>> OpenPGP key ID: 0x155016CB
>>>>
>>>
>>
>

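Bill's four steps above (a "Permissions: sandbox" line in MANIFEST.MF, signing, copying the signed JARs over /usr/ndt/Tcpbw100.jar and /var/lib/npad/DiagClient.jar) and John's point that a rebuild can silently produce an unsigned JAR both invite a pre-deployment check: does the JAR about to be copied into place actually carry the Permissions attribute and signature files? The script below is an added example, not code from the thread or from the NDT/NPAD projects; it assumes Python 3 and builds a constructed sample JAR inline. Presence of META-INF/*.SF plus a matching .RSA/.DSA/.EC block is only a structural check, and cryptographic verification of the signature remains jarsigner's job.

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")


def parse_manifest_main(text):
    """Main section of a JAR manifest as a dict; continuation lines
    (leading space) are joined, and parsing stops at the first blank line."""
    attrs, last_key = {}, None
    for raw in text.splitlines():
        if raw == "":
            break  # blank line ends the main section; per-entry sections follow
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]  # 72-byte line-wrap continuation
            continue
        key, sep, value = raw.partition(":")
        if sep:
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def inspect_jar(data):
    """Return (permissions, signed) for the JAR bytes in `data`.
    `signed` only means a META-INF/*.SF has a matching .RSA/.DSA/.EC block;
    cryptographic verification of the signature is jarsigner's job."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        manifest = zf.read(MANIFEST).decode() if MANIFEST in names else ""
    attrs = parse_manifest_main(manifest)
    sf = [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
    signed = any(n[:-3] + ext in names for n in sf for ext in SIG_BLOCK_EXT)
    return attrs.get("Permissions"), signed


def build_sample_jar(manifest_text, signed):
    """Constructed sample JAR for exercising inspect_jar (not a real applet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest_text)
        zf.writestr("Tcpbw100.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        if signed:  # placeholder signature files, not a real signature
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n\r\n")
            zf.writestr("META-INF/SIGNER.RSA", b"placeholder signature block")
    return buf.getvalue()
```

Run inspect_jar on the bytes of the JAR you are about to copy into place and refuse the deployment if it returns (None, False); a JAR rebuilt from the Makefile without the signing step will show up that way.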