
perfsonar-user - Re: [perfsonar-user] Signed NDT and NPAD Applets

Subject: perfSONAR User Q&A and Other Discussion

  • From: Roy Hockett <>
  • To: Aaron Brown <>
  • Cc: "" <>, "John W. O'Brien" <>, "Nickless, Bill" <>
  • Subject: Re: [perfsonar-user] Signed NDT and NPAD Applets
  • Date: Thu, 19 Jun 2014 11:17:41 -0400

Wow, Aaron, that would be awesome. It is very helpful when Internet2 is able to
do something like this. It is much more efficient to have one group do this than
to have each university spending time doing this.

Please let us know if we should be letting others in Internet2 know the value of
something like this to help support your efforts.

Thanks,
-Roy Hockett

Network Architect,
ITS Communications Systems and Data Centers
University of Michigan
Tel: (734) 763-7325
Fax: (734) 615-1727
email:


On Jun 19, 2014, at 9:02 AM, Aaron Brown wrote:

> Hey Roy,
>
> On Jun 18, 2014, at 5:30 PM, Roy Hockett <> wrote:
>
>> Thanks Aaron, do you have a target timeframe? I realize everyone is busy,
>> so I am not trying to push.
>>
>> I am just trying to figure out if this needs to be part of our ongoing
>> upgrade procedure, or if this can be a one time for us and the next version
>> will have signed jar files.
>
> The goal is to have signing in place before the next major NDT RPM release
> to avoid having this be a constant manual process.
>
> Cheers,
> Aaron
>
>>
>> Thanks,
>> -Roy Hockett
>>
>> Network Architect,
>> ITS Communications Systems and Data Centers
>> University of Michigan
>> Tel: (734) 763-7325
>> Fax: (734) 615-1727
>> email:
>>
>>
>> On Jun 18, 2014, at 4:56 PM, Aaron Brown <> wrote:
>>
>>> Hey Roy,
>>>
>>> On Jun 12, 2014, at 10:40 PM, Hockett, Roy <> wrote:
>>>
>>>> Don't these JAR files have to be re-signed every time there is an update
>>>> to NDT or NPAD rpms?
>>>
>>> That is the case.
>>>
>>>> If so, would it not be easier if the maintainers for each sign the JAR
>>>> files?
>>>
>>> We’re looking into what we’d need to do to sign them, but haven’t yet got
>>> the requisite certs to do so.
>>>
>>> Cheers,
>>> Aaron
>>>
>>>>
>>>> Thanks,
>>>> -Roy Hockett
>>>>
>>>> Network Architect,
>>>> ITS Communications Systems and Data Centers
>>>> University of Michigan
>>>> Tel: (734) 763-7325
>>>> Fax: (734) 615-1727
>>>> email:
>>>>
>>>>
>>>> On May 9, 2014, at 12:07 PM, Nickless, Bill wrote:
>>>>
>>>>> Good morning John,
>>>>>
>>>>> I'm not an expert on Java certificate signing requirements; all I know
>>>>> is what the local Java experts tell me. They didn't tell me the EV
>>>>> certificate was necessary, only that they had one. If the non-EV
>>>>> certificate works for you then I would guess it would work for anyone.
>>>>>
>>>>> Very good point about clearing the JVM cache in addition to the browser
>>>>> cache; I should have mentioned that in my original post.
>>>>>
>>>>> I'll send you the Source RPMs under separate cover (no need to spam the
>>>>> whole list).
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Bill Nickless
>>>>> Secure Cyber Systems
>>>>> Pacific Northwest National Laboratory
>>>>>
>>>>> +1 509 713 2455
>>>>>
>>>>> -----Original Message-----
>>>>> From: [mailto:] On Behalf Of John W. O'Brien
>>>>> Sent: Thursday, May 08, 2014 10:41 AM
>>>>> To: Nickless, Bill
>>>>> Cc:
>>>>>
>>>>> Subject: Re: [perfsonar-user] Signed NDT and NPAD Applets
>>>>>
>>>>> On 4/28/14 3:07 PM, Nickless, Bill wrote:
>>>>>> Good afternoon,
>>>>>>
>>>>>> Please try running http://perfsonar-sef2.labworks.org:7123 (NDT) and
>>>>>> http://perfsonar-sef2.labworks.org:8000 (NPAD). Their associated
>>>>>> applets are signed and should work with a stock client installation of
>>>>>> current Oracle Java with default security settings.
>>>>>
>>>>> Bill,
>>>>>
>>>>> Thank you for preparing these notes.
>>>>>
>>>>> I can confirm that my machine (OS X 10.8.5, Java 7u55 with "High"
>>>>> security, Firefox 29.0) accepts and runs these apps.
>>>>>
>>>>>> This took four steps:
>>>>>>
>>>>>> 1. Modify the NDT and NPAD source RPMs to incorporate a "Permissions:
>>>>>> sandbox" line in MANIFEST.MF. (The NPAD tarball in the source RPM
>>>>>> includes a precompiled DiagClient.jar file so by default it is never
>>>>>> recompiled; fixing that took another small change to the .spec file
>>>>>> %prep section.)
>>>>>
>>>>> I have very little experience mucking about with SRPMS, and even less
>>>>> with Java, and I was able to make my way through this thanks to your
>>>>> hints.
>>>>>
>>>>> My solution to the pre-compiled JAR was simply to add MANIFEST.MF as a
>>>>> dependency in the Makefile.
>>>>>
>>>>> It would be interesting to hear from those better versed than I,
>>>>> though, about ways to integrate the signing step into the RPM building
>>>>> process. Perhaps that's a discussion better suited to another venue.
>>>>>
>>>>>> 2. Have the resulting .jar files signed by someone at PNNL who went
>>>>>> through the trouble and expense of securing an Extended Validation
>>>>>> Java code signing certificate from Entrust.
>>>>>
>>>>> Is the EV cert intended to meet policy requirements at your
>>>>> organization, or is there some aspect of the stock client config I
>>>>> haven't discovered? I obtained a regular code signing cert from
>>>>> InCommon, and it seems to achieve your stated objective.
>>>>>
>>>>> Try my staging (read: temporary) node, if you like, at:
>>>>>
>>>>> http://hulk.perf-hnt.net.isc.upenn.edu:7123/
>>>>> http://hulk.perf-hnt.net.isc.upenn.edu:8000/
>>>>>
>>>>>> 3. Copy over /usr/ndt/Tcpbw100.jar and /var/lib/npad/DiagClient.jar
>>>>>> with the signed .jar files.
>>>>>>
>>>>>> 4. Stop and restart the NDT and NPAD services.
>>>>>
>>>>> And be aware that clearing your browser cache will not be sufficient to
>>>>> obtain the updated JAR. The JRE maintains its own local cache, from
>>>>> which I had to manually delete the affected JAR with:
>>>>>
>>>>> * Java Control Panel
>>>>> * General tab, Temporary Internet Files, "View..."
>>>>> * Show: "Resources"
>>>>> * Select the JAR and click the X (Remove selected resources)
>>>>>
>>>>>> I'm happy to share the modified NDT and NPAD source RPMs for (e.g.)
>>>>>> peer review. Just let me know.
>>>>>
>>>>> I would like to take a look to check my answer, so to speak.
>>>>>
>>>>> --
>>>>> John W. O'Brien
>>>>> Senior Network Engineer
>>>>> Information Systems and Computing
>>>>> University of Pennsylvania
>>>>>
>>>>> 215-898-9818
>>>>> OpenPGP key ID: 0x155016CB
>>>>>
>>>>
>>>
>>
>
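
An added example (not part of the thread, and not NDT/NPAD packaging code): a Python check to run after step 3 that confirms a JAR's manifest carries the Permissions attribute from step 1 and that signature entries are present. The sample JARs and their SIGNER.* entries are constructed placeholders, and the function names are hypothetical; the check covers presence only, so `jarsigner -verify` is still needed to validate the signature itself.

```python
import io
import zipfile

def main_attributes(manifest_text):
    """Parse the main section of a MANIFEST.MF into a dict (lower-cased names)."""
    lines = []
    for raw in manifest_text.splitlines():
        # Manifest lines wrap at 72 bytes; a continuation starts with one space.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        if not line:  # a blank line ends the main section
            break
        name, _, value = line.partition(": ")
        attrs[name.lower()] = value
    return attrs

def check_jar(data):
    """Return the Permissions value and whether signature entries exist."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n.upper() for n in jar.namelist()]
        try:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:
            text = ""
    meta = [n for n in names if n.startswith("META-INF/") and n.count("/") == 1]
    has_sf = any(n.endswith(".SF") for n in meta)
    has_block = any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta)
    # Presence only: this does not validate the signature or the cert chain.
    return {"permissions": main_attributes(text).get("permissions"),
            "signature_entries": has_sf and has_block}

def sample_jar(manifest_text, signed):
    """Constructed sample JAR; the SIGNER.* entries are dummy placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest_text)
        z.writestr("Example.class", b"\xca\xfe\xba\xbe")
        if signed:
            z.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            z.writestr("META-INF/SIGNER.RSA", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    ok = sample_jar("Manifest-Version: 1.0\r\nPermissions: sandbox\r\n\r\n", True)
    old = sample_jar("Manifest-Version: 1.0\r\n\r\n", False)
    print("rebuilt and signed:", check_jar(ok))
    print("stock build:       ", check_jar(old))
```

To check a JAR on disk, pass its bytes: `check_jar(open(path, "rb").read())`.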



