Self-Sign HowTo?
Miroslav Luptak
mluptak@email.com
Thu, 01 May 2003 17:49:03 -0500
Hello, Calvin.
> Does anyone know of a clear, concise HowTo for implementing self-signed
> Java Applets (MindTerm in particular)
Here is a simple MindTerm signing cookbook for MS Internet Explorer that worked for me:

1. Signing mindterm.cab for use with Microsoft VM in MSIE:

   - download and unpack the following stuff:
     - Authenticode from http://download.microsoft.com/download/b/e/f/bef2551b-401d-4311-ab8f-13d3892b8154/codesigningx86.exe
     - Cabarc from http://download.microsoft.com/download/platformsdk/cab/2.0/w98nt42kmexp/en-us/Cabsdk.exe
     - javasign.dll from http://www.webzila.com/dll/JAVASIGN.DLL

   - create mindterm.cab. If you already have it, skip to the next step. Here is how to create mindterm.cab from mindterm.jar:
     - unpack mindterm.jar with e.g. WinZip
     - create .cab file with "cabarc -r -p n mindterm.cab *"

   - create certificate with command:

       makecert -sk MyKeyName -n "CN=My Company Name" MyTestCert.cer

   - transform the certificate to Software Publisher Certificate:

       cert2spc MyTestCert.cer MyTestCert.spc

   - sign mindterm.cab:

       signcode -j javasign.dll -jp low -spc MyTestCert.spc -k MyKeyName mindterm.cab

2. Signing mindterm.jar for use with SUN Java VM:

   - install the Java SDK from http://java.sun.com/j2se/downloads.html

   - Create a key:

       keytool -alias keyname -genkey

   - Sign mindterm.jar:

       jarsigner mindterm.jar keyname

For applet signing for Netscape, see http://www.securingjava.com/appdx-c/index.html.

Best regards,
Miro
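
An added example (not part of the original post): a Python check a deployer could run on the mindterm.jar that step 2 produces, listing the signature blocks and flagging entries that have no manifest digest or whose digest no longer matches. It does not validate the signature itself (jarsigner -verify does that); the sample jar, its entry names and the KEYNAME.* files are constructed for the demonstration.

```python
import base64, hashlib, io, re, zipfile

ALGS = {"SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}  # manifest attr -> hashlib

def parse_manifest(text):
    """Return {entry name: attributes} for the per-entry manifest sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # undo 72-byte line folding
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def audit_jar(jar):
    """List signature blocks and entries whose manifest digest is absent or wrong."""
    report = {"signature_blocks": [], "unsigned": [], "mismatched": []}
    with zipfile.ZipFile(jar) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        raw = zf.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
        manifest = parse_manifest(raw.decode("utf-8"))
        for name in names:
            if name.upper().startswith("META-INF/"):  # simplification: skip all of META-INF
                if re.search(r"\.(RSA|DSA|EC)$", name, re.I):
                    report["signature_blocks"].append(name)
                continue
            digests = {k: v for k, v in manifest.get(name, {}).items() if k in ALGS}
            if not digests:
                report["unsigned"].append(name)  # entry not covered by the manifest
            for attr, expected in digests.items():
                actual = base64.b64encode(hashlib.new(ALGS[attr], zf.read(name)).digest())
                if actual.decode() != expected and name not in report["mismatched"]:
                    report["mismatched"].append(name)  # content changed after signing
    return report

def build_sample_jar(tamper=False):
    """Constructed sample jar: one digested class; tamper alters it and adds an entry."""
    body = b"constructed class bytes"
    digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: com/example/Demo.class\r\n"
                "SHA-256-Digest: " + digest + "\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/KEYNAME.DSA", b"placeholder, not a real signature block")
        zf.writestr("com/example/Demo.class", body + (b"!" if tamper else b""))
        if tamper:
            zf.writestr("com/example/Added.class", b"added after signing")
    return buf
```

audit_jar also accepts a file path, so it can be pointed at the signed jar on the web server before it is published.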
----- Original Message -----
From: "Calvin D. Webster" <cwebster@ec.rr.com>
Date: Tue, 29 Apr 2003 17:06:03 -0400
To: mindterm-users@mindterm.appgate.com
Subject: Self-Sign HowTo?
> I'm pretty much convinced that the two problems I posted today ("Telnet
> Fails" and "Netscape security model") are related to the fact that the
> applet is unsigned. Hey, I figured it was worth a try, especially since
> I could find no clear, concise, procedure for self-signing.
>
> I found a post on this list from Tim Grogan that was answered by Martin
> Forssen which appears to be related. Martin explains that an unsigned
> applet will work with the server from which it was downloaded, but no
> others. When I attempted to connect to another server, the SSH session
> failed. I think that, had the telnet daemon been enabled on the web
> server on which "MindTerm" resides, it would have succeeded there as SSH
> did.
>
> Researching self-signed applets has been painful. Several attempts to
> connect to the URL [http://mindprod.com/signedapplets.html] listed on
> the appgate site and mailing lists failed with permissions errors. Even
> connections to the main index page failed this way until I placed it in
> the "Trusted Sites" list of MSIE. Mozilla gave me the same errors until
> it eventually relented and brought up the pages on its own following a
> long wait. I brought up the first two links on that site under "Signed
> Applet Tutorials and Documentation" and was presented with way too much
> information for what I need to do. It's hard to determine what's relevant.
>
> All I want to be able to do is to run this applet on a local intranet
> consisting of around 30 WinNT/2K/9x/ME workstations with MSIE 6, a
> couple of RHL 8/9 workstations with Mozilla, and a handful of servers.
> It will be used to open terminal sessions on some RHL machines and
> whatever else I can get OpenSSH to build on. I'm also planning to run
> the VNC Java client both as-is and through the MindTerm SSH tunnel. For
> our use, and I presume a large number of others, the self-sign method
> will be the most efficient.
>
> Mitch Gallant's site, cited as "the best source of information" was
> packed with information, but I only found a small example
> [http://home.istar.ca/~neutron/Thawte/index.html] on self-signing which
> referred back to other places in the article. It was difficult for me
> (not a Java programmer) to follow.
>
> Daniel Griscom's cookbook essay "Code Signing for Java Applets"
> [http://www.suitable.com/docs/signing.html] seems to have a well
> organized write-up on "Creating and Installing your own Certificates"
> but opens with an ominous warning about the Microsoft Java SDK. There
> are also warnings later in the reading that seem to imply that methods
> required to get self-signed certificates to work will compromise overall
> browser security.
>
> Does anyone know of a clear, concise HowTo for implementing self-signed
> Java Applets (MindTerm in particular) that will not compromise overall
> browser security? This would go a long way toward making MindTerm more
> deployable and consequently appealing to a much broader audience.
>
> I haven't seen my previous posts appear on the archives yet and have
> received no replies so I'll keep digging on this. As with the other
> queries, I'll probably come up with some answers on my own before anyone
> replies. Hopefully, someone else in my shoes will benefit from the
> dialog (or monolog as the case may be).
>
> Here's what I've come up with so far in terms of what it takes to get
> MindTerm running on a small LAN/WAN:
>
> 1. Download the MindTerm application binaries and documentation from:
>
> http://www.appgate.com/mindterm/download.php
>
> 2. Unpack the application binaries on the web server from which you will
> launch MindTerm.
>
> a. Create a directory under your main web documents (html) directory.
>
> # mkdir mindterm ; cd mindterm
>
> b. Unzip the archive
>
> # unzip {download_dir}/mindterm_2.3.1-bin.zip
>
> 3. Create the applet files for MSIE and Netscape:
>
> a. Make a copy of the ".jar" file and rename it with a ".cab" suffix.
>
> # cp mindterm.jar mindterm_ie.cab
>
> b. extract the files from the ".jar" file into a temporary directory
>
> # mkdir tmp ; cd tmp
> # unzip ../mindterm.jar
>
> c. Delete netscape directory
>
> # rm -rf netscape
>
> Note: I'm not sure this is necessary or even good, but the "Running
> MindTerm" page [http://www.appgate.com/mindterm/using.php] said I
> "should remove all the com/netscape classes which MindTerm provides."
> Since there were no "netscape" directories under "com" I deleted the
> only netscape directory I could find. Mozilla on Linux won't open the
> MindTerm client either way, though.
>
> d. Create the new Netscape ".jar" file:
>
> # zip -r -9 ../mindterm_ns.jar *
>
> 4. Create a web page to launch the applet:
>
> <APPLET CODE="com.mindbright.application.MindTerm.class"
> ARCHIVE="mindterm_ns.jar" WIDTH=0 HEIGHT=0>
> <PARAM NAME="cabinets" VALUE="mindterm_ie.cab">
> <PARAM NAME="sepframe" value="true">
> <PARAM NAME="debug" value="true">
> </APPLET>
>
> 5. Place a link to this document on a web page on your site.
>
> <P>
> <A HREF="/mindterm.html" >MindTerm</A> is here.
> </P>
>
> 6. Download and install the Java Runtime Engine on the test workstation.
>
> http://java.sun.com/getjava/index.html
>
> The docs are programmer notes, useful only if you intend to modify the
> applet. The "Help" menu item in the applet doesn't work.
>
> To get the MindTerm SSH and Telnet clients to connect to anything other
> than the server from which the applet was downloaded, there's more work
> to be done. Apparently, most of the tools to make a signed applet are in
> the Sun Java SDK, which I have also downloaded.
>
> This is where I'm at now. If there are any safe shortcuts or simplified
> procedures I'd be delighted to try them.
>
> Cal Webster
> Network Manager
> NavAir TSD
> In-Service Engineering Office
> MCAS Cherry Point, NC
>
> cwebster@ec.rr.com