Deploying RSA Signed Applets in Java Plug-in

Print-friendly Version

Introduction

By popular demand, Java Plugin 1.3 adds support for RSA signed applets. This provides the following benefits:

1. Supports standard Verisign and Thawte RSA certificates.
2. Provides identical RSA signed applet support in Internet Explorer and Netscape Navigator.
3. Provides pop-up dialogs to let users validate signers.
4. You don't need to deploy security key files to each machine!

This page describes how to create and deploy RSA signed applets. For an overview of how they are implemented, see How RSA Signed Applet Support Works.

How to Create RSA Signed Applets

The RSA signed applet support in Java Plugin 1.3 uses the Netscape Object Signing conventions.

To create an RSA signed applet you need:

• The Netscape Signing Tools.
• A Netscape Object Signing Certificate from an RSA Certificate Authority (CA) such as Verisign or Thawte.

To install the Netscape signing tool and the certificate see Netscape's Signing Tools documentation and the web sites for the CAs.

Once the Object Signing Certificate and the Netscape Signing Tool are properly installed, they can be used to sign applets. For security reasons, please make sure the Netscape Signing Tool and the Object Signing Certificate are installed in a secure location.

To create an RSA signed applet:

1. Archive the applet .class files into a JAR file using the "jar" command in the Java 2 SDK.
2. Use the Netscape Signing Tool to sign the JAR file.

How to Deploy RSA Signed Applets

To deploy RSA signed applets:

1. Reference the JAR from the HTML page using ARCHIVE=xyz.jar in the APPLET tag.
2. Put the JAR file and the HTML page on the web server.

When users of Java Plug-in encounter an RSA signed applet, the Plug-in will verify that the applet is correctly signed, and that the RSA certificate chain and the root CA are valid. If these are all valid, the Plug-in will pop-up a security dialog that tells the user who signed the applet and provides four options:

1. Grant always: If selected, the applet will be granted "AllPermission". Any signed applet signed using the same certificate will be trusted automatically in the future, and no security dialog will pop up again when this certificate is encountered again. This decision can be changed from the Java Plug-in Control Panel.
   
2. Grant this session: If selected, the applet will be granted "AllPermission". Any signed applet signed using the same certificate will be trusted automatically within the same browser session.
   
3. Deny: If selected, the applet will be treated as an untrusted applet.
   
4. More Info: If selected, users can examine the attributes of each certificate in the certificate chain in the JAR file.

Once the user selects the options from the security dialog, the applet will be run in the corresponding security context. Please notice that all these decisions are determined on the fly, and no preconfiguration is required.

Converting old Netscape signed applets

Existing RSA signed applets designed for Netscape may use Netscape specific security APIs. These Netscape specific APIs are not supported in the Java Plug-in. Instead the Plug-in supports the standard Java security APIs in both Netscape Navigator and Internet Explorer.

To migrate Netscape signed applets using the Netscape security APIs to run in Java Plug-in:

1. Comment or remove all netscape.security.* related statements from the Java applet.
2. Compile and archive the applet as a JAR file.
3. Re-sign the JAR file using Object Signing.

This ensures that your RSA signed applet will run in both Netscape Navigator and Internet Explorer with the Java Plug-in.

Authenticode

Certificate Management

The Java Plug-in Control Panel provides a panel for managing RSA signed applets. This panel contains a list of certificates that have been chosen as "Grant always" when the Java Plug-in security dialog popped up. Users can remove any certificate from the list, and if any applet signed by these removed certificates is encountered again, a security dialog will pop up and ask for permission again.

Supported Configurations

The certificate chain verification process supported in Java Plug-in is implemented using Microsoft Crypto API (CAPI) 2.0 on Win32. This means that the Root CA certificate at the top of a signed applet's supporting certificate chain must be contained in Internet Explorer's database of trusted Root CAs in order for the Plug-in to be able to authenticate that applet. Currently, CAPI is supported in Windows 95 OSR2, Windows 98, and Windows NT 4.0 Service Pack 3. It is also supported in Internet Explorer 3.0 or later. Since CAPI does not come with Netscape Navigator, there are cases when the certificate chain verification process is disabled. RSA signed applets will be disabled in those cases.

Disabling RSA Signed Applet Support

RSA signed applets can be entirely disabled in Java Plug-in by specifying a new permission named "usePolicy" in the policy file. If the "usePolicy" permission is among the permissions granted to the given codesource (by the configured security policy), no user prompting will take place, and only the permissions (if any) specified in the security policy will be granted to the codesource. By default, RSA signed applets are enabled in the Java Plug-in.

Conclusion

The Java Plug-in 1.3 makes signed applet deployment much easier in the enterprise by supporting RSA signed applets. Users and administrators no longer need to preconfigure user machines to run signed applets with Java Plug-in. It can be used in both Internet Explorer and Netscape Navigator.

More Information

Signing Software with Netscape Signing Tool 1.1

Object Signing Resources

Netscape Object Signing- Establishing Trust for Downloaded Software

How RSA Signed Applet Support Works.