Skip to Content Sun Java Solaris Communities My SDN Account Join SDN

SDN Home > Products & Technologies > Java Technology > J2SE > Desktop Java > Java Plug-in > Reference > Documentation > Java Plug-in 1.2.2 Documentation >

Java Plug-in 1.2.2 Documentation

Deploying RSA Signed Applets in Java Plug-in

Print-friendly Version

DEPLOYING RSA SIGNED
APPLETS IN JAVA ^TM PLUG-IN

Java Plug-in HTML Specification | Java Plug-in Scripting | Java Plug-in Home Page

- Introduction
- How to create RSA Signed Applets
- How to deploy RSA Signed Applets
- Converting old Netscape signed applets
- Authenticode
- Certificate Management
- Supported Configurations
- Disabling RSA signed applet support
- Conclusion

Introduction

By popular demand, Java Plugin 1.2.2 adds support for RSA signed applets. This provides the following benefits:

Supports standard Verisign and Thawte RSA certificates.
Provides identical RSA signed applet support in Internet Explorer and Netscape Navigator.
Provides pop-up dialogs to let users validate signers.
You don't need to deploy security key files to each machine!

This page describes how to create and deploy RSA signed applets. For an overview of how they are implemented, see How RSA Signed Applet Support Works.

How to Create RSA Signed Applets

The RSA signed applet support in Java Plugin 1.2.2 is compatible with the Netscape Object Signing conventions.

You can create an RSA signed applet in two different ways:

by using the Netscape Signing Tools to both "jar" and sign a directory structure of (applet) class files, or
by archiving the (applet) class files into a JAR file (using the "jar" command in the Java 2 SDK) and signing the JAR file using the jarsigner tool.

Either approach requires that you obtain an Object Signing Certificate from an RSA Certificate Authority (CA) (such as Verisign or Thawte) and make it available to your codesigning utility:

To install the Netscape signing tool and the certificate see Netscape's Signing Tools documentation.
To install the certificate for the "jarsigner" tool see Generating a Certificate Signing Request (CSR) for a Public Key Certificate and Importing the Certificate Reply from the CA.

Once the Object Signing Certificate and signing utility are properly installed, they can be used to sign applets.

How to Deploy RSA Signed Applets

RSA signed applets are deployed in much the same way as their unsigned counterparts, i.e., the fact that the applet was signed (using RSA) is "hidden" in the applet's JAR file and not exposed in its HTML page.

When users of Java Plug-in encounter an RSA signed applet, the Plug-in will verify that the applet is correctly signed, and that the RSA certificate chain and the root CA are valid. If these are all valid, the Plug-in will pop-up a security dialog that tells the user who signed the applet and provides four options:

Grant always: If selected, the applet will be granted "AllPermission". Any signed applet signed using the same certificate will be trusted automatically in the future, and no security dialog will pop up again when this certificate is encountered again. This decision can be changed from the Java Plug-in Control Panel.
Grant this session: If selected, the applet will be granted "AllPermission". Any signed applet signed using the same certificate will be trusted automatically within the same browser session.
Deny: If selected, the applet will be treated as an untrusted applet.
More Info: If selected, users can examine the attributes of each certificate in the certificate chain in the JAR file.

Once the user selects the options from the security dialog, the applet will be run in the corresponding security context. Please notice that all these decisions are determined on the fly, and no preconfiguration is required.

Converting old Netscape signed applets

Existing RSA signed applets designed for Netscape may use Netscape specific security APIs. These Netscape specific APIs are not supported in the Java Plug-in. Instead the Plug-in supports the standard Java security APIs in both Netscape Navigator and Internet Explorer.

To migrate Netscape signed applets using the Netscape security APIs to run in Java Plug-in:

Comment or remove all netscape.security.* related statements from the Java applet.
Compile and archive the applet as a JAR file.
Re-sign the JAR file using Object Signing.

This ensures that your RSA signed applet will run in both Netscape Navigator and Internet Explorer with the Java Plug-in.

Authenticode

Authenticode is a proprietary signing technology that is used in Microsoft Internet Explorer on Win32 for supporting signed applets in IE's JVM. Authenticode is not supported in Java Plug-in. Instead the plug-in allows the use of RSA signed applets in both IE and Netscape.

Certificate Management

The Java Plug-in Control Panel provides a panel for managing RSA signed applets. This panel contains a list of certificates that have been chosen as "Grant always" when the Java Plug-in security dialog popped up. Users can remove any certificate from the list, and if any applet signed by these removed certificates is encountered again, a security dialog will pop up and ask for permission again.

Supported Configurations

The certificate chain verification process supported in Java Plug-in is implemented using Microsoft Crypto API (CAPI) 2.0 on Win32.

This means that the Root CA certificate at the top of a signed applet's supporting certificate chain must be contained in Internet Explorer's database of trusted Root CAs, in order for the Plug-in to be able to authenticate that applet (running under Netscape or Internet Explorer). In other words, the top level Root CA certificate (eg. VeriSign Class 3) contained in the user's IE CA database (as viewed from IE's Internet Options -> Content tab -> View Certificate) must exactly match (incl. validity timeframe!) the Root CA certificate in the cert7.db used in the JAR's signing process.

Currently, CAPI is supported in Windows 95 OSR2, Windows 98, and Windows NT 4.0 Service Pack 3. It is also supported in Internet Explorer 3.0 or later. Since CAPI does not come with Netscape Navigator, there are cases when the certificate chain verification process is disabled. RSA signed applets will be disabled in those cases.

OS	Internet Explorer	Netscape Navigator
Windows 95 original retail edition	Supported	Supported only if IE is installed
Windows 95 OSR2	Supported	Supported
Windows 98	Supported	Supported
Windows NT 4.0	Supported	Supported only if IE is installed
Windows NT 4.0 SP3 and later	Supported	Supported
Solaris	N / A	N / A

Disabling RSA Signed Applet Support

RSA signed applets can be entirely disabled in Java Plug-in by specifying a new permission named "usePolicy" in the policy file. If the "usePolicy" permission is among the permissions granted to the given codesource (by the configured security policy), no user prompting will take place, and only the permissions (if any) specified in the security policy will be granted to the codesource. By default, RSA signed applets are enabled in the Java Plug-in.

Conclusion

The Java Plug-in 1.2.2 makes signed applet deployment much easier in the enterprise by supporting RSA signed applets. Users and administrators no longer need to preconfigure user machines to run signed applets with Java Plug-in. It can be used in both Internet Explorer and Netscape Navigator.

More Information

Signing Software with Netscape Signing Tool 1.1

Object Signing Resources

Netscape Object Signing- Establishing Trust for Downloaded Software

How RSA Signed Applet Support Works.

Using JDK 1.1 Signed Applets.


	About Sun \| About This Site \| Newsletters \| Contact Us \| Employment How to Buy \| Licensing \| Terms of Use \| Privacy \| Trademarks Copyright Sun Microsystems, Inc.		A Sun Developer Network Site Unless otherwise licensed, code in all technical manuals herein (including articles, FAQs, samples) is provided under this License. Sun Developer RSS Feeds