Signed applets certificates keystore

Similar Messages

• Where does Plug-in store the signed applets certificates ?

  Hello
  How can I delete (manually) all the imported signed applets certificates ? Where are they stored ?
  Thanx

  I've already found !!! :-)

• Problem with a sign Applet - certificate isn't recognized

  Hello to all the java experts
  I have created a certificate using keytool. I have exported the certificate and installed it on the computers of the users. The certificate worked well on all the computers except one. I have got a message:
  java.security.cert.certificateException unable to verify the certificate CA root
  I want to add that when I installed this certificate I got a message that it was imported successfully and I have also seen that the certificate is valid. I imported it by double-clicking on the crt file and choosing "install certificate". I also tried to import it by using the command: keytool -import -alias company -keystore carets -storepass changeit -file c:\crtfile.crt.
  I have checked that the certificate was imported by the command:
  keytool -list -v -keystore company
  The only thing which is different on this computer is the plugin of swing (1.3.01 and not 1.3.02)
  What can cause to this problem? How can I fix it?

  Noone has any idea?

• Java Applet Certificate Signing Window comes up BLANK!

  Hi Everyone I have a problem where
  Java Applet Certificate Signing Window comes up BLANK!
  It comes up as blank gray panel with the java logo on the upper left.
  the title bar says "Java Plugin Security Warning"
  And I can't figure out what to do to make it come up properly. I tried double clicking it dragging it around to make it repaint itself nothing happens.
  I have tried clearing temp files deleting files from IE, deleting cookies, clearing the history.
  Now i'm going to restart the computer and see if it works.
  It is supposed to give me buttons.
  1. Accept for this session
  2. Grant
  3. Deny
  4. View Certificate
  But does anyone have any idea how to address this issue ?
  Stephen

  You might try setting the trace level to 5 in the plugin's Java console and looking what it spits out while the applet is launching. I remember seeing loads of information in there including stuff relating to certificate validation. It might be helpful.
  The trick to getting this info during start up:
  1) get the plugin to load by directing your browser to page with a known applet. Write your own little stub applet and load it or go to http://java.sun.com/. There's an applet on that page.
  2) bring up the plugin's console if it's not already and then go to a blank page.
  3) set the trace level to 5 in the console. (just press the 5 key).
  4) go to the page that launches your applet. You'll have tons of information pour out in your console.
  Happy hunting.

• Display of certificate when accessing a signed applet

  HI
  I have a signed applet which obviously displays a Certificate whenever it is Accessed.Now i would like the certificate to be displayed only once ie. ONLY when the applet is accessed for the first time and the user accepts(trusts) the certificate.The next time the user access the applet i do
  not want the certificate to be displayed again as he has already accepted (trusted)the certificate.
  is there a way to do this?
  best regards
  sumesh

  Your user must import your certificate and store it as a trusted CA -- see step #9 on the link shown below:
  http://developer.java.sun.com/developer/qow/archive/167/index.jsp
  V.V.

• Running signed applet on Java 5: Certificate not verified

  Hello!
  I am running my signed applet, it uses Bouncy Castle provider bcprov-jdk15-125.jar.
  My applet.jar is signed by my own certificate. When running from a browser, I get error message:
  Certificate Not Verified. Code will be treated as unsigned. Clicking on details button, read:
  Check leaf key usage failed in certificate. Then goes the stack trace.
  What is the problem? I was successfully ran it on J2SDK 1.4.2_05.
  Thanks.

  I get this same error for a signed webstart app in Java 5.0.
  In 1.4.2.x it works fine.
  Sun?

• Signed Applet and certificate Expiration

  Hi,
  I have got an applet that was signed with a Thawte certificate because it must access printers and TCP/IP layer.
  It's running in a JRE 1.3.1.
  The certifcate will soon expire.
  What will happen ?
  Will my signed applet still keep on running ?
  Will I be able to renew my certificate once expired or must i do it before ?
  Thanks in advance.

  it'll run... fine... except that the user will be warned that the certificate has expired and they'll have to decide to let the applet run or not... so the user can have it not run.
  you can renew your certificate any time you want, and re-sign your jars with the new certificate.

• Signed Applet not loading on Mac OS X if using HTTPS protocol

  Hi All,
  I need to open a trusted applet on Mac OS 10.2. The applet works fine if using HTTP protocol. But if the protocol used is HTTPS the the applet does not loads and "javax.net.ssl.SSLException - untrusted server cert chain" exception comes on the console.
  The error comes for both - Verisign and javakey - signed applet.
  On seaching for possible solution on the net, i came across following link: http://www.macosxhints.com/article.php?story=20020525101202503&query=Workaround+for+secure+Java+applet+problems
  It says that this is Mac's known bug and gives the workaround as:
  1. Access the problematic site with Internet Explorer on Windows. Click on the padlock item and export the certificate to a file.
  2. Copy the certificate to your Mac.
  3. Use the command
  sudo keytool -import -trustcacerts -keystore /Library/Java/Home/lib/security/cacerts -file mycert.cer
  to import the certificate file to your keystore (substitute mycert.cer with the name of the file containing the certificate). The keystore is password protected - the default password is "changeit".
  4. Restart your browser
  But the client cannot be asked to do all this to run the applet.
  Is this problem being solved by Mac in their java implementation or is there any other possible solution?
  Thanx in advance.
  Regards,
  Charu

  I am experiencing the same problem - I notice it does not happen on OS9.2 using IE but appears a problem on all browsers on OSX
  Apple gave me the following reply.....
  Re: Bug ID# 3268633: cannot load applet class under https connection
  Hello Andrew,
  Thank you for bringing this problem to our attention. We have received feedback
  from engineering on your
  reported issue.
  Please know that to get Java to recognize the certificate you will need to do
  one of two things, depending
  on which VM you are using. Since you want it to work with Internet Explorer, we
  will assume Java 1.3.1.
  In Java 1.3.1 you'll need to add the certificate to
  /Library/Java/Home/lib/security/cacerts using
  /usr/bin/keytool to import the certificate into the certificate database.
  In Java 1.4.1 you should be able to just add the certificate to the keychain
  using certtool. For more
  details on how to do this, please refer to the information found at
  <http://java.sun.com/j2se/1.4.1/docs/tooldocs/solaris/keytool.html>. After
  doing so, if you should require
  further help from Apple in resolving this issue, we recommend that you request
  assistance from Developer
  Technical Support. This must be done by filing a Technical Support Incident.
  So I am supposed to tell every Mac user to do the above am I?!!!

• File read access denied for signed applet

  Hi:
  I have a signed applet with a certificate generated with the keytool. Yet, I keep getting this error:
  java.lang.Exception: java.security.AccessControlException:
      access denied (java.io.FilePermission C:\WINDOWS\system32\aetpkss1.dll read)The error is produced when the method loadKeyStore(pin) below is called.
      private KeyStore ks;
      private Provider provider;
      private static final String providerName    = "PKCS11";
      private static final String providerLibrary = "aetpkss1.dll";
      public void loadKeyStore(String pin) throws IOException,
       CertificateException, KeyStoreException, NoSuchAlgorithmException {
       if (provider == null)
           registerProvider(providerLibrary);
       try {
           ks = KeyStore.getInstance(providerName,provider);
       } catch (Exception e) {
           throw new KeyStoreException("Failed get keystore instance\n"
                           + e.getMessage());
       try {
           ks.load(null, pin.toCharArray());
       } catch (Exception e) {
           throw new KeyStoreException("Failed load keystore\n"
                           + e.getMessage());
      public void registerProvider(String library)
       throws FileNotFoundException, KeyStoreException {
       String fileName;
       if (new File(library).isAbsolute())
           fileName = library;
       else
           fileName = getAbsolutePath(library);
       if (!(new File(fileName).exists()))
           throw new FileNotFoundException("No such file: " + fileName);
       String config = "name = " + providerName + "\n"
           + "library = " + fileName;
       ByteArrayInputStream confStream =
           new ByteArrayInputStream(config.getBytes());
       try {
           provider = new sun.security.pkcs11.SunPKCS11(confStream);
           Security.addProvider(provider);
       } catch (Exception e) {
           throw new KeyStoreException("Can initialize " +
                           "Sun PKCS#11 provider. Reason: " +
                           e.getCause().getMessage());
      private String getAbsolutePath(String lib) throws FileNotFoundException {
       String[] searchPath;
       /* NOTE: This should be modified to suit different versions of   *
        *       Windows and not just Windows XP                         */
       if (System.getProperty("os.name").matches("^(?i)Windows.*")) {
           searchPath = new String[] { "C:\\WINDOWS\\system32" ,
                           "C:\\java" };
       } else {
           searchPath = new String[] { "/usr/local/lib/" };
       for (int i = 0; i < searchPath.length; i++) {
           if ((new File(searchPath[i] + File.separator + lib).exists()))
            return (searchPath[i] + File.separator + lib);
       throw new FileNotFoundException("Library not in search path " + lib);
      }The above code is called by a java script, the class' constructor is empty.
  The error appears not to be caught by my code. I have tried to insert try/catch statements everywhere to figure out where this error is produced.
  The code is write off of the applet for signing with a smart card by Svetlin Nakov - and his applet works!
  I have also made a CLI application that uses the above code and it works perfectly.
  So: Something is wrong either with my certificate, the signing method, signature verification or something completely different. Any hints?
  The certificate I generated with
  keytool -genkey -keystore mystore -alias me
  keytool -seflcert -keystore mystore -alias meI have tired both with and without the selfcert step.
  Thanks! Erik

  The problem has been identified: Placing registerProvider() in the constructor the error no longer occurs, instead an error is produced when the key store is loaded.
  It appears that the javascript code is not trusted and so, even though the applet is signed, access privileges are restricted to those of the java script.
  A solution to this problem is not clear, but possibly, serving the pages from a trusted server, the java script will be trusted, some documentation seem to indicate.

• Signed Applet ClassNotFoundException

  I'm new to signed Applets and have ran into problems getting my Applet to load with IE Version 6. I create my jar (GUI.jar) and sign it using jarsigner and verify that the jar has a signature (see below).
  C:\mykeytools>jarsigner -keystore keys/my.keystore GUI.jar myalias
  Enter Passphrase for keystore:
  C:\mykeytools>jarsigner -verify -verbose GUI.jar
  272 Fri Jul 04 21:44:12 MDT 2008 META-INF/MANIFEST.MF
  439 Fri Jul 04 21:44:14 MDT 2008 META-INF/MYALIAS.SF
  925 Fri Jul 04 21:44:14 MDT 2008 META-INF/MYALIAS.RSA
  sm 3459 Wed Jul 02 19:48:16 MDT 2008 GUI.class
  sm 2937 Wed Jul 02 19:48:16 MDT 2008 GUI.java
  sm 232 Fri Jun 27 13:09:56 MDT 2008 .classpath
  sm 379 Fri Jun 27 13:09:56 MDT 2008 .project
  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope
  jar verified.
  C:\mykeytools>
  I'm using the following in my HTML file:
  <APPLET CODE ="GUI.class" codebase = "." archive=&rdquo;GUI.jar" WIDTH=200 HEIGHT=253>
  </APPLET>
  I have also tried using the following HTML and get the same results:
  <APPLET CODE ="GUI.class" archive=&rdquo;GUI.jar" WIDTH=200 HEIGHT=253>
  </APPLET>
  The signed jar file and HTML file are in the same directory. When I execute the HTML file I get the following error:
  Java Console messages:_
  basic: Exception: java.lang.ClassNotFoundException: GUI.class
  java.lang.ClassNotFoundException: GUI.class
  at sun.applet.AppletClassLoader.findClass(Unknown Source)
  at java.lang.ClassLoader.loadClass(Unknown Source)
  at sun.applet.AppletClassLoader.loadClass(Unknown Source)
  at java.lang.ClassLoader.loadClass(Unknown Source)
  at sun.applet.AppletClassLoader.loadCode(Unknown Source)
  at sun.applet.AppletPanel.createApplet(Unknown Source)
  at sun.plugin.AppletViewer.createApplet(Unknown Source)
  at sun.applet.AppletPanel.runLoader(Unknown Source)
  at sun.applet.AppletPanel.run(Unknown Source)
  at java.lang.Thread.run(Unknown Source)
  Any guidance on this is appreciated.

  I found that the problem was something in my HTML file.
  The HTML that works is:
  <html>
  <head>
  <meta HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
  <meta HTTP-EQUIV="Expires" CONTENT="-1">
  <title> Applet Test</title>
  </head>
  <applet code="GUI"
  archive="GUI.jar"
  width=400 height=300>
  </applet>
  <p><img border="0" src="Company.jpg" width="326" height="88"></p>
  </html>

• Signed applets (are policy files needed!)

  I have experienced on a number of different machines that a signed applet that the client trusts (via clicking on yes to the prompt asking to trust the applet), is able to access the local resources with NO policy file on the client machine. I'm using JRE 1.4.1_02
  Is this the expected behavior?
  I sure hope it is because how in the world can you install applications to many clients and update their policy file? you can't via the web! BUT why am I reading that you have to have a policy file even if you sign an applet. I want to get rid of using Netscape security model but I can not update many client machine policy files... Please help!!! thanks. Is signing an applet all you have to do to access local machines, I sure hope so! Thanks in advance.

  I've done some more research specifically a very good article at http://developer.java.sun.com/developer/technicalArticles/Security/applets/index.html. I'll try to highlight the more interesting comments that I found. At least for the JRE 1.3 there appears to be a new class loader, sun.plugin.security.PluginClassLoader that allows a signed jar file (once trusted by the client) to have access to local resources.
  Code signed using the private key of the signer can be run on client machines once the public key corresponding to the signer is deemed as trusted on the respective machine.
  Applet security in browsers strives to prevent untrusted applets from performing potentially dangerous operations, while simultaneously allowing optimal access to trusted applets.
  There is no simply way to deploy and use customized policy files, a policy will have to be set by files based on the JRE installation. Customized class loaders or security managers cannot be installed easily.
  Policy files are difficult or at least not very straightforward for normal users, which could be thousands of machines where an applet is deployed.
  The java plug-in (I believe its 1.3 and later) provides a workaround although its recommended to use policy files wherever practical and applicable. (This implies to me that using the plug-in, all that is required is to sign the jar file to have access to local resources).
  RSA-signed applets can be deployed using the Java plug-in. (which can run in an identical way for Netscape and IE).
  In order for a plug-in enhanced browser to trust an applet and grant it all privileges or a set of fine-grained permissions (as specified in a J2EE policy file), the user has to preconfigure his or her cache of trusted signer certificates (the .keystore file in JRE 1.3) to add the applet's signer to it. However, this solution does not scale well if the applet needs to be deployed on thousands of client machines, and may not always be feasible because users may not know in advance who signed the applet that they are trying to run. A NEW CLASS LOADER, sun.plugin.security.PluginClassLoader in the Java Plug-in 1.3, OVERCOMES THE LIMITATIONS MENTIONED ABOVE.
  I hope this helps, I've been looking for this solution for quite some time, trying to understand why singed applets work with no policy files for version 1.4... Talk to you later, Jay.

• JRE 1.4.x Plugin - Signed Applets and Weird Behaviour (Policy)

  Hello.
  I have recently experienced some strange behaviour related to signed applets and policy files in JRE 1.4.2-b28 ( a friend got the same behaviour in a flavour of 1.4.1-xx as well ). Both tests were on Windows 2000 Professional platforms.
  Initially my unsigned applet, which attempts socket connections to a server different from the download location, fails with security exceptions ( as expected ). Then I did the following to sign the applet jar and configure my environment
  Steps: 1) Import "trusted CA" certificate into ${java.home}/lib/security/cacerts. (JRE home outside the JDK)
  2) Signed the jar using jarsigner and a certificate generated from the "trusted CA" (Entrust CA and certificate).
  3) Imported the signing certificate into the Java plugin using import in the plugin control panel.
  4) Created a new keystore (keytool,jks) and imported the signing certificate into the keystore with alias "developer". The keystore is stored in the user home as .keystore.
  5) Created a .java.policy for the user and attaching the keystore in 4) to it. ( also stored in user home ).
  6) Used the policy tool to grant socketpermissions to the specific codebase ( testing with file:/C:/test/* initially ) signed by "developer"
  After this, when I ran the test page under IE 5.5SP2 and Netscape 7.1 it worked without any security exception. Ditto for using the appletviewer and the policy file I created for the user.
  The weird part occurred when I removed the policy entry from the user policy file. After doing this, Netscape and IE still allow the applet to execute - somehow remembering that it was granted permissions at some point. The appletviewer does not allow it to execute, generating security exceptions.
  It appears the old policy is being cached somewhere, but I cannot find where. If I replace the applet jar with an unsigned version it does fail in IE and Netscape. I tried cleaning the plugin cache and removing the "deployment.certs" files related to the users but still get the same behaviour.
  Does anyone know where the old policy information is being stored ? Does anyone know how to revoke the permissions so that I am restored to my original base environment ( no permissions for "designer" signed applets ) ? Would attempting to utilize the AccessController.doPriveleged( xxxx ) operations in JDK 1.4 avoid all of this confusion with policy files, keystores and certificate storage ? After all the messing about I would like a zero-footprint alternative ( or minimzed footprint anyway ).
  Any ideas would be most welcome.
  Regards,
  James.

  Hello Again.
  I am either enlightened or confused at this point. I found that as long as all of my related Jars are signed ( even by self-signed certificates ) I am granted SocketPermissions for calls outside of the originating server. Unsigned code is refused, but even when the Jars were signed using a self-signed certificate the Socket calls were allowed.
  Am I experiencing the appropriate behaviour in this case ( which would mean not having to utilize policy files to distribute an applet that uses calls to arbitrary servers - e.g. JavaMail ) or am I suffering from something damaged in my environment ?
  It has been a long time since I played with signed applets and I am having difficulty determining what operations require policy file entries/AccessController.doPrivileged() calls and which are granted when a user elects to trust a signed applet without policy.
  Any assistance in clearing up my confusion would be appreciated.
  Regards,
  James.

• What happen with my Signed applet

  Hi all
  I have just made a Signed applet
  Step by step:
  1. I made applet source code
  2. I made a HTML file
  3. I build applet source code
  *javac FirstApplet.java*
  *jar cf FirstApplet.jar *.class*
  *keytool -genkey -keystore mykeystore -alias launcheralias*
  *keytool -selfcert -keystore mykeystore -alias launcheralias*
  *jarsigner -keystore mykeystore FirstApplet.jar launcheralias*
  *del *.class*After that i run HTML the first.
  it appears to me a message
  *WARING SECURITY*
  *The application's digital signature can not vertifed*
  *Do you want to run the application ?*I check option *"Always trust content from this pulisher"* --> My program still runs well
  I dont understand why when i run my applet the firt it appears to me that message.
  What is wrong and how to solve ?
  Please help me.
  Thanks in advance.
  Diego

  Actually the above same prob is faced by me in my application.
  The application's digital signature can not vertifed
  Due to this pop up, our customer thinks our certi is nt valid & its nt possible to make them understand abt it since they feel insecure.
  This warning appears due to JVM running along with application.
  If we go to
  Control Panel->Java->Security->Certificates and choose secure sites in Certificate type.
  Here link of my web application should appear, in order to remove this warning.
  So is there any way so that link of my web application shpuld be directly installed on the above mentioned location on Client's PC??? or any other alternative
  Please Helppp...

• Signed Applets And IE Security

  Hi, all!
  I have a signed applet (x.509) run in IE with plug-in 1.4.0b92. In most cases the behavior is as it is expected - a window prompting user to deny, allow or always alow the certificate in the applet appears. But there are some cases when this window doesn't appear and the users are able to run the applet. No certificates are previously installed or granted(at least there aren't any items in Certificates tab or in .keystore file in user home).
  Does anybody could say what is the normal behavior of the plug-in - does it always prompt the user when a signed content is run; does it depend on Security setting in the browser?
  Thanks in advance for any help or further information!
  Regards, Ivo Kolev

  Hi,
  Do you clear you Plug-in Cache explicity ?
  May be sometimes your IE uses the plug in to restore the applet from the cache.
  But I remember having observed the same problem when I used a signed applet. The dialog box appears 'mostly always' but sometimes it just doesnt :)
  if you are able to resolve the problem...let me know

• Signed Applet - Using same alias while development

  Hi,
  I am working on Embedded Java Signed Applet. My applet using the TCP/IP thus required to load each time to my Lantronix XPort.
  The problem is, every time I change something in the applet, I need to run the following commands again and finally load to Lantronix XPort.
  And every time, I required to change the alias name i.e. signapplet17 in the following commands.
  Is there any easy way while developing the signed applet
  e.g. we can use the same alias name each time i.e. signapplet1 ( I reached to signapplet17)
  Or we can avoid the following commands while developing.
  jar cmf mainClass.txt DataMain.jar *.class
  : Generate key pairs
  keytool -genkey -alias signapplet17 -keystore mykeystore -keypass mykeypass -storepass mystorepass
  : Sign the JAR file
  jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar SDataMain.jar DataMain.jar signapplet17
  : Export the public key certificate
  keytool -export -keystore mykeystore -storepass mystorepass -alias signapplet17 -file mycertificate.cer
  Thanks.

  This is my code that i use to read the graph:
  private Graph<Integer, Integer> loadGraph(int year, String type) {
       String graph_dir = ProjectDir.data_dir + "input/Network/vt_kn." + year + "-" + year + "/";
       String graph_name = "vt_kn." + year + "-" + year +".intern." + type;
            Graph<Integer, Integer>graph = new UndirectedSparseMultigraph<Integer, Integer>();
            try{
                 GraphMLReader<Graph<Integer, Integer>, Integer, Integer> gmlReader
                      = new GraphMLReader<Graph<Integer, Integer>, Integer, Integer>();     
                 gmlReader.load(graph_dir + graph_name +".graphml", graph);               
            } catch (Exception e) {
                 e.printStackTrace();
  System.out.println("loaded: " + graph_name);
  return graph;
  public class ProjectDir {
       public static final String data_dir = "F:/Apache/Tomcat 6.0/webapps/ROOT/app/Data/";
       public static final String script_dir = "../Script/";
       //F:/Apache/Tomcat 6.0/webapps/ROOT/VT/data/
  Could you tell me how i could change this code so that i can load from a url instead of a file?