Self-Sign HowTo?
Calvin D. Webster
cwebster@ec.rr.com
Wed, 30 Apr 2003 11:55:37 -0400
Mike Vanecek wrote:
>
>---------- Original Message -----------
>From: "Calvin D. Webster" <cwebster@ec.rr.com>
>To: mindterm-users@mindterm.appgate.com
>Sent: Tue, 29 Apr 2003 17:06:03 -0400
>Subject: Self-Sign HowTo?
>
[snip]
>>I found a post on this list from Tim Grogan that was answered by
>>Martin Forssen which appears to be related. Martin explains that an
>>unsigned applet will work with the server from which it was
>>downloaded, but no others. When I attempted to connect to another
>>server, the SSH session failed. I think that, had the telnet daemon
>>been enabled on the web server on which "MindTerm" resides, it would
>>have succeeded there as SSH did.
>>
>
>I am not sure exactly what the above paragraph is telling me. I have
>downloaded the unsigned applet zip file, unzipped it, and copied it over to
>where it is accessible via a browser. I then connect using a browser and use
>the terminal. I can then use it to ssh to other servers or whatever I need to
>do. I have not tried running X apps since that was not the purpose of the
>install. I use it basically to run slrn and read newsgroups.
>
>I have it installed on a Linux RH box, but can access it with either Linux or
>Microsoft browsers.
>
I have installed the MindTerm applet and created a link to it on an
Apache web server hosted on RedHat Linux 8. This same RHL system hosts
an OpenSSH service, but the Telnet daemon has been disabled. My testing
was done from a WinNT workstation using Microsoft Internet Explorer 6.
From this WinNT workstation I was able to establish a MindTerm SSH
session with the RHL server where the applet was installed. From the
same WinNT workstation, using the same MindTerm applet, I was unable to
connect via Telnet to a different server which has the Telnet daemon
enabled. I was saying above that, had the Telnet daemon been enabled on
the server where the applet was installed, I probably would have been
able to connect. However, as described in Martin Forssen's reply, I
could not connect (using ssh or telnet) to any host except the host
where the unsigned applet was installed.
>
>I gave up on signing ....
>
I cannot give up. This must work for me to deploy it here. There must be
a way and I will find it, either with or without help. When all else
fails I use the "crap slinging" method. If you sling enough crap against
the wall, some of it eventually will stick. This requires persistence
and a lot of patience. Hopefully, someone on this list will weigh in and
help simplify the self-signing procedure.
>>Daniel Griscom's cookbook essay "Code Signing for Java Applets"
>>[http://www.suitable.com/docs/signing.html] seems to have a well
>>organized write-up on "Creating and Installing your own
>>Certificates" but opens with an ominous warning about the Microsoft
>>
>
>I have no problem using openssh on the RH 9 server to create a signed .crt and
>.key certificate. It comes with a sample script that does it is a couple of
>seconds. However, getting an applet connected to a certificate is what is
>unclear to me.
>
I too have created certificates and keys on Linux. Apparently, there is
some special voodoo that goes on in the signing tools contained in the
SDKs to create a signature that various browsers and plugins can recognize.
>>Java SDK. There are also warnings later in the reading that seem to
>>imply that methods required to get self-signed certificates to work
>>will compromise overall browser security.
>>
>
>Only because the certificate is unsigned and could be open to invalid uses.
>Otherwise, no big deal.
>
Actually, it sounded like some of these methods would only work in a
broad scope, removing safeguards not only for certain applets, but for
all applets or even all sites.
>
>>Does anyone know of a clear, concise HowTo for implementing self-
>>signed Java Applets (MindTerm in particular) that will not
>>compromise overall browser security? This would go a long way toward
>>making MindTerm more deployable and consequently appealing to a much
>>broader audience.
>>
>>I haven't seen my previous posts appear on the archives yet and have
>>received no replies so I'll keep digging on this. As with the other
>>queries, I'll probably come up with some answers on my own before
>>anyone replies. Hopefully, someone else in my shoes will benefit
>>from the dialog (or monolog as the case may be).
>>
>>Here's what I've come up with so far in terms of what it takes to
>>get MindTerm running on a small LAN/WAN:
>>
>>1. Download the MindTerm application binaries and documentation from:
>>
>> http://www.appgate.com/mindterm/download.php
>>
>>2. Unpack the application binaries on the web server from which you
>>will launch MindTerm.
>>
>> a. Create a directory under your main web documents (html) directory.
>>
>> # mkdir mindterm ; cd mindterm
>>
>> b. Unzip the archive
>>
>> # unzip {download_dir}/mindterm_2.3.1-bin.zip
>>
>
>This is a bit different on a Linux box. I wonder if the differences we see are
>due to MS versus Linux.
>
This _was_ on a Linux box. The web server runs on Linux, but the test
workstation was WinNT. Actually, I ended up having to install the cab
and jar files directly in the html directory. I got errors trying to run
them from a subdirectory.
>>3. Create the applet files for MSIE and Netscape:
>>
>> a. Make a copy of the ".jar" file and rename it with a ".cab" suffix.
>>
>> # cp mindterm.jar mindterm_ie.cab
>>
>> b. extract the files from the ".jar" file into a temporary directory
>>
>> # mkdir tmp ; cd tmp
>> # unzip ../mindterm.jar
>>
>> c. Delete netscape directory
>>
>> # rm -rf netscape
>>
>> Note: I'm not sure this is necessary or even good, but the
>>"Running MindTerm" page [http://www.appgate.com/mindterm/using.php]
>>said I "should remove all the com/netscape classes which MindTerm
>>provides." Since there were no "netscape" directories under "com" I
>>deleted the only netscape directory I could find. Mozilla on Linux
>>won't open the MindTerm client either way, though.
>>
>> d. Create the new Netscape ".jar" file:
>>
>> # zip -r -9 ../mindterm_ns.jar *
>>
>>4. Create a web page to launch the applet:
>>
>> <APPLET CODE="com.mindbright.application.MindTerm.class"
>> ARCHIVE="mindterm_ns.jar" WIDTH=0 HEIGHT=0>
>> <PARAM NAME="cabinets" VALUE="mindterm_ie.cab">
>> <PARAM NAME="sepframe" value="true">
>> <PARAM NAME="debug" value="true">
>> </APPLET>
>>
>
>This is about the same. I just copied the jar to the appropriate folder,
>renamed it mindtermfull.jar, added a few options for Linux (no cabinets, for
>example), and it took off.
>
Please post the procedures you used. It would be helpful to compare. I
suspect that many of the instructions on the web site are not current
too. For example, the instruction to remove the "com/netscape" classes
seems to be out of date when compared to the actual contents of the
mindterm.jar file. There are no netscape classes under the "com"
directory. It appears that they have instead included a "netscape"
directory in which they place the classes. I had originally removed the
netscape directory before recreating the mindterm_ns.jar file as I
indicated above, but could not get it to work. Leaving the mindterm.jar
file the way it was successfully brings up the MindTerm applet in both
MSIE and Mozilla on Windows NT.
>>5. Place a link to this document on a web page on your site.
>>
>> <P>
>> <A HREF="/mindterm.html" >MindTerm</A> is here.
>> </P>
>>
>>6. Download and install the Java Runtime Engine on the test workstation.
>>
>> http://java.sun.com/getjava/index.html
>>
>>The docs are programmer notes, useful only if you intend to modify
>>the applet. The "Help" menu item in the applet doesn't work.
>>
>>To get the MindTerm SSH and Telnet clients to connect to anything other
>>than the server from which the applet was downloaded, there's more
>>work to be done. Apparently, most of the tools to make a signed
>>applet are in the Sun Java SDK, which I have also downloaded.
>>
>
>I just open up a terminal window with mindterm, login, and type ssh to go to
>another server. Could you execute puTTy on the windows server to accomplish
>the same thing?
>
Yes, this is a good workaround to offer ssh and telnet access to other
hosts. However, it complicates connections and confuses many users. I'd
rather have it working as advertised if possible.
Thanks for the comments.
Cal Webster
Network Manager
NavAir TSD
In-Service Engineering Office
MCAS Cherry Point, NC
cwebster@ec.rr.com
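The thread ends without the self-signing procedure Cal is asking for. The script below is an added example, not code from Cal's post, Mike's reply, or AppGate's MindTerm documentation. It uses the two Sun SDK tools that do the "voodoo": keytool to create a self-signed key pair in a keystore and jarsigner to sign and verify the applet jar, then writes the launch page from step 4 pointing at the signed jar. The keystore name, alias, distinguished name, password and output file names are illustrative assumptions; it assumes keytool and jarsigner are on PATH and mindterm.jar is in the current directory. The MSIE ".cab" side of the deployment is left exactly as the post has it, since signing a CAB needs different (Microsoft) tooling.

```shell
#!/bin/sh
# Added example: self-sign the MindTerm applet jar with the JDK tools.
# Not from the original post or AppGate; names below are hypothetical.
set -u

KEYSTORE=${KEYSTORE:-mindterm.keystore}     # hypothetical keystore file
ALIAS=${ALIAS:-mindterm}                     # hypothetical key alias
STOREPASS=${STOREPASS:-changeit}             # illustrative password only
DNAME='CN=MindTerm applet, OU=ISEO, O=Example Org, C=US'   # hypothetical DN

# Create a self-signed RSA key pair in the keystore (skipped if it exists).
# "-genkey" is the 1.4-era spelling; newer JDKs also accept "-genkeypair".
make_selfsigned_key() {
    [ -f "$KEYSTORE" ] && return 0
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity 365 -dname "$DNAME" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Sign the jar into a separate output file; the signed copy is what the
# web server serves as the applet ARCHIVE. The unsigned original is kept.
sign_jar() {
    in=$1
    out=$2
    jarsigner -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -signedjar "$out" "$in" "$ALIAS"
}

# Verify before publishing: jarsigner exits non-zero if the jar was
# modified after signing or the signature does not check out.
verify_jar() {
    jarsigner -verify -keystore "$KEYSTORE" "$1"
}

# Emit the launch page from step 4 of the post, with the archive and
# cabinet names as parameters so the signed jar can be substituted.
applet_page() {
    archive=$1
    cab=$2
    printf '%s\n' \
      "<APPLET CODE=\"com.mindbright.application.MindTerm.class\"" \
      "        ARCHIVE=\"$archive\" WIDTH=0 HEIGHT=0>" \
      "  <PARAM NAME=\"cabinets\" VALUE=\"$cab\">" \
      "  <PARAM NAME=\"sepframe\" VALUE=\"true\">" \
      "  <PARAM NAME=\"debug\" VALUE=\"true\">" \
      "</APPLET>"
}

# Full run: sh selfsign.sh run   (assumes mindterm.jar in the cwd)
if [ "${1:-}" = "run" ]; then
    make_selfsigned_key \
      && sign_jar mindterm.jar mindterm_signed.jar \
      && verify_jar mindterm_signed.jar \
      && applet_page mindterm_signed.jar mindterm_ie.cab > mindterm.html
fi
```

Two practitioner caveats. First, keep the keystore (it holds the private key) outside the html directory; the post puts the jar and cab directly in the web root, and a keystore left beside them would be downloadable by anyone. Second, a self-signed certificate only moves the trust decision to the user: the browser or plugin will prompt, and the "broad scope" problem Cal describes is exactly the prompt option that trusts every applet from that signer or every site. Accept only the single certificate for the MindTerm applet, and re-sign (and re-verify) whenever the jar changes.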