- Enhancement
- Resolution: Not an Issue
- P3
- None
- 5.0u16
- x86
- windows_2003
In order to prevent users globally from being asked to trust a cert for a javaws application, one can put trusted certs into various keystores at 'system level'. However, there are limitations which are not clearly mentioned in the deployment guide.
http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/jcp.html#security
A javaws application has to validate the cert stored in one of the keystores at 'system level' and requires that keystore to be protected with an empty-string ("") password. If the keystore is protected with a password other than the empty string (""), the validation will fail with a java.io.IOException: 'Keystore was tampered with, or password incorrect'.
The limitation here is that we are not able to generate such an empty-string ("") password-protected keystore with native tools, e.g. 'keytool'. This is not documented in the deployment guide.
That limitation can be worked around by using an automatically generated keystore at 'user level' as a template. Invoke a javaws application and acknowledge 'Always trust content from this publisher.'. This will generate a keystore with an empty-string ("") password, which can be managed with 'keytool', e.g. to add/remove certificates.
Note: the keytool option "-storepass ''" is required.
Once the keystore contains the desired certificates, just copy trusted.certs from 'user level' to 'system level'.
example:
'user-level' keystore from administrator..
deployment.user.security.trusted.certs = C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\security\trusted.certs
has to be copied to 'system-level'..
deployment.system.security.trusted.certs = C:\Program Files\Java\jre1.5.0_15\lib\security\trusted.certs
This keystore is globally used, for all users on that machine.
$ keytool -v -list -storepass '' -keystore trusted.empty
Keystore type: jks
Keystore provider: SUN
Your keystore contains 0 entries
$ keytool -import -storepass '' -keystore trusted.empty -file baltimore.csr
Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Serial number: 20000b9
Valid from: Fri May 12 20:46:00 CEST 2000 until: Tue May 13 01:59:00 CEST 2025
Certificate fingerprints:
MD5: AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
SHA1: D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
Trust this certificate? [no]: yes
Certificate was added to keystore
$ keytool -v -list -storepass '' -keystore trusted.empty
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: mykey
Creation date: Aug 22, 2008
Entry type: trustedCertEntry
Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Serial number: 20000b9
Valid from: Fri May 12 20:46:00 CEST 2000 until: Tue May 13 01:59:00 CEST 2025
Certificate fingerprints:
MD5: AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
SHA1: D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
*******************************************
*******************************************
$ keytool -v -delete -storepass '' -alias mykey -keystore trusted.empty
[Storing trusted.empty]
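Added example (not from this bug report and not Sun's deployment code): a small Python module that writes a JKS keystore with an empty store password and recomputes its integrity digest, to show what 'Keystore was tampered with, or password incorrect' is actually checking. It assumes the JKS version-2 file format as written by sun.security.provider.JavaKeyStore (magic 0xFEEDFEED, entry table, then a SHA-1 over the password as UTF-16BE, the fixed string "Mighty Aphrodite" and all preceding bytes). The empty password is simply a zero-length key for that digest, which is why only "" opens the store that javaws generated; the alias and certificate bytes below are constructed placeholders, not a real certificate.

```python
"""Added example: build and verify a JKS keystore with an empty store password.

Assumes the JKS version-2 on-disk format as written by
sun.security.provider.JavaKeyStore: header, entries, then a SHA-1 digest
over (password as UTF-16BE) + "Mighty Aphrodite" + all preceding bytes.
"""
import hashlib
import hmac
import struct
import time

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
PRIVATE_KEY_ENTRY = 1
TRUSTED_CERT_ENTRY = 2
JKS_SALT = b"Mighty Aphrodite"  # fixed string JKS mixes into the integrity digest


def _java_utf(s: str) -> bytes:
    """DataOutputStream.writeUTF: 2-byte big-endian length + UTF-8 body (ASCII aliases here)."""
    body = s.encode("utf-8")
    return struct.pack(">H", len(body)) + body


def _read_utf(data: bytes, off: int):
    n = struct.unpack(">H", data[off:off + 2])[0]
    return data[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n


def _read_int(data: bytes, off: int):
    return struct.unpack(">i", data[off:off + 4])[0], off + 4


def integrity_digest(password: str, body: bytes) -> bytes:
    """The keyed SHA-1 that KeyStore.load() recomputes when given a non-null password.
    An empty password contributes zero bytes, so "" is a valid, distinct key."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))  # Java hashes each char as two bytes
    h.update(JKS_SALT)
    h.update(body)
    return h.digest()


def build_jks(entries, password="", created_ms=None) -> bytes:
    """Serialize trusted-cert entries [(alias, der_bytes), ...] into a JKS blob."""
    if created_ms is None:
        created_ms = int(time.time() * 1000)
    body = struct.pack(">IIi", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, der in entries:
        body += struct.pack(">i", TRUSTED_CERT_ENTRY)
        body += _java_utf(alias.lower())       # keytool stores aliases lower-cased
        body += struct.pack(">q", created_ms)  # creation date, epoch millis
        body += _java_utf("X.509")
        body += struct.pack(">i", len(der)) + der
    return body + integrity_digest(password, body)


def verify_jks(data: bytes, password: str) -> bool:
    """True if the trailing digest matches this password; a mismatch is what Java
    reports as 'Keystore was tampered with, or password incorrect'."""
    if len(data) < 32:
        raise ValueError("too short to be a JKS keystore")
    body, stored = data[:-20], data[-20:]
    magic, version = struct.unpack(">II", body[:8])
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS keystore")
    return hmac.compare_digest(integrity_digest(password, body), stored)


def list_aliases(data: bytes):
    """Walk the entry table (no password needed: only the trailing digest is keyed)."""
    magic, version, count = struct.unpack(">IIi", data[:12])
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS keystore")
    off, aliases = 12, []
    for _ in range(count):
        tag, off = _read_int(data, off)
        alias, off = _read_utf(data, off)
        off += 8  # skip creation date
        if tag == TRUSTED_CERT_ENTRY:
            _, off = _read_utf(data, off)      # certificate type, e.g. "X.509"
            n, off = _read_int(data, off)
            off += n
        elif tag == PRIVATE_KEY_ENTRY:
            n, off = _read_int(data, off)      # protected (encrypted) key blob
            off += n
            chain_len, off = _read_int(data, off)
            for _ in range(chain_len):
                _, off = _read_utf(data, off)
                n, off = _read_int(data, off)
                off += n
        else:
            raise ValueError(f"unknown entry tag {tag}")
        aliases.append(alias)
    return aliases


def demo():
    # Constructed placeholder bytes standing in for a DER certificate (not a real cert).
    fake_der = b"\x30\x03\x02\x01\x01"
    ks = build_jks([("baltimorecybertrustca", fake_der)], password="", created_ms=1219363200000)
    return {
        "opens_with_empty": verify_jks(ks, ""),
        "opens_with_changeit": verify_jks(ks, "changeit"),
        "aliases": list_aliases(ks),
    }


if __name__ == "__main__":
    print(demo())
```

The digest is the only password-dependent part of a JKS file, so an empty-password store is an ordinary keystore that 'keytool -list -storepass ""' can read and edit once it exists; to have keytool actually display an entry written by build_jks, pass a real DER-encoded certificate instead of the placeholder, since keytool parses each entry as X.509 after the digest check passes.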