Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6740616

Java Control Panel / Security tab documentation improvements in deployment-guide (5.0)

    Details

    • Subcomponent:
    • CPU:
      x86
    • OS:
      windows_2003

      Description

      In order to prevent users globally from being asked to trust a cert for a javaws application, one can put trusted certs into various keystores at 'system-level'. However, there are limitations which are not clearly mentioned in the deployment-guide.

      http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/jcp.html#security


      A javaws application has to validate the cert being stored in one of the keystores at 'system-level' and requires that keystore to be an empty string ("") password protected one. If the keystore is protected with a password other then empty string (""), the validation will fail with an java.io.IOException: 'Keystore was tampered with, or password incorrect'.

      The limitation here is that we are not able to generate such a required empty string ("") password protected keystore with native tools, eg. 'keytool'. This is not documented in the deployment-guide.

      That limitation can be 'work around' by using a automatically generated keystore at 'user-level' as a template. Invoke a jawaws application and acknowledged 'Always trust content from this publisher.'. This will generate a keystore with an empty string ("") password, which can be managed with 'keytool', eg. to add/remove certificates.

      Note: keytool option "-storepass ''" is required

      Once the keystore has the wished certificates, just copy trusted.certs from 'user-level' to 'system-level'.

      example:
      'user-level' keystore from administrator..
      deployment.user.security.trusted.certs = C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\security\trusted.certs

      has to be copied to 'system-level'..
      deployment.system.security.trusted.certs = C:\Program Files\Java\jre1.5.0_15\lib\security\trusted.certs

      This keystore is globally used, for all users on that machine.

      $ keytool -v -list -storepass '' -keystore trusted.empty

      Keystore type: jks
      Keystore provider: SUN

      Your keystore contains 0 entries


      $ keytool -import -storepass '' -keystore trusted.empty -file baltimore.csr
      Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
      Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
      Serial number: 20000b9
      Valid from: Fri May 12 20:46:00 CEST 2000 until: Tue May 13 01:59:00 CEST 2025
      Certificate fingerprints:
               MD5: AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
               SHA1: D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
      Trust this certificate? [no]: yes
      Certificate was added to keystore


      $ keytool -v -list -storepass '' -keystore trusted.empty

      Keystore type: jks
      Keystore provider: SUN

      Your keystore contains 1 entry

      Alias name: mykey
      Creation date: Aug 22, 2008
      Entry type: trustedCertEntry

      Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
      Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
      Serial number: 20000b9
      Valid from: Fri May 12 20:46:00 CEST 2000 until: Tue May 13 01:59:00 CEST 2025
      Certificate fingerprints:
               MD5: AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
               SHA1: D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74


      *******************************************
      *******************************************


      $ keytool -v -delete -storepass '' -alias mykey -keystore trusted.empty
      [Storing trusted.empty]

        Attachments

          Activity

            People

            • Assignee:
              vrao Vivek Rao (Inactive)
              Reporter:
              ohey Olaf Hey (Inactive)
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Imported:
                Indexed: