Last updated: Apr 10, 2018 @ 7:13 PM
Globalsight Security


If you are a GlobalSight user, the following Globalsight Java Security Dialog is no stranger to you:

(Screenshot: Globalsight Java Security Dialog, application warning)

Do you want to run this application? Really?

Why does the Globalsight Java Security Dialog pop up?

This Java security dialog warns the user that the application is considered insecure because it is not signed by a known publisher. You could click Run and carry on with your work as before, but things changed with Java 1.7 update 51: Java no longer lets the user accept the risk on the spot and blocks the applet instead.

(Screenshot: Globalsight Java Security Dialog, application blocked)

Oh no! I can’t use GlobalSight anymore?

There is still a workaround: the user can add a site exception. However, that takes several more steps and is definitely not user friendly, especially because every single GlobalSight user – project manager, translator, reviewer, client – will get this error message on one screen or another.

There must be a solution, you say, and there is one indeed: sign the applets with a valid code signing certificate.

How to sign GlobalSight Java applets with a certificate?

Note: I performed the operation after doing some research on Oracle's and the certificate provider's documentation and various other resources. I am no Java security expert and this is just a how-to on how we got the GlobalSight applets signed. It is not intended to represent best practices for securing your GlobalSight instance.

Purchase a code signing certificate

The first step is getting your hands on a code signing certificate. We got a certificate from Comodo through this reseller for about $80/year. You will need to go through a simple verification process, and at the end Comodo will provide you with a .p12 file (a PKCS#12 keystore holding the certificate together with its private key). Transfer this file to your server.

Prepare the certificate for signing

On the server, run the following command to verify your certificate:

keytool -list -v -storetype pkcs12 -keystore file.p12

If the server can read your certificate, keytool prints its details. One thing to check here is the alias, which will be used during the signing process. The alias the certificate provider defined was very long and included spaces. To avoid potential errors later on, I replaced it with a simpler alias. Here is the command to get that done:

keytool -changealias -storetype pkcs12 -keystore file.p12 -alias "Existing Alias" -destalias "NewAlias" -storepass yourpass

Run the -list command once again to verify that the alias has been updated. If so, you are ready to start signing.

Back up the GlobalSight applets that require signing

The applets that need to be signed are at the following location:

GlobalSightRoot/jboss/server/standalone/deployments/globalsight.ear/globalsight-web.war/applet/lib/

Back up all these jars to a different location. Removing a signature from a jar is tedious, so if something goes wrong you can simply replace the mis-signed file with your backup.

Sign applets using jarsigner tool

This is where things got a little tricky for me. The following is the command I initially used for signing the jars, followed by the command I used for verifying the signature:

jarsigner -storetype pkcs12 -keystore file.p12 myjar.jar "myalias"

jarsigner -verify myjar.jar

The command uses the default Java version on the server, in my case 1.7.0_09-b05. However, when I tried verifying the signature, I kept getting this error message:

jarsigner: java.lang.SecurityException: invalid SHA1 signature file digest for ......

I was never able to resolve this fully; however, I was able to work around the error. I used an older jarsigner (1.6.26) which did not generate the same error message. Here is the command, run from within the applets lib directory:

/usr/lib/jvm/java-6-sun-1.6.0.26/bin/jarsigner -storetype pkcs12 -storepass xxxxx -keystore file.p12 ant.jar "globalme"

If the signing goes well, the verification message you get should be “jar verified”. Do the same for all files under the applets directory, then restart your GlobalSight server.
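To run the signing step over every jar in the lib directory, with a backup taken first and a verification check after each signature, here is an added shell script that is not part of the original post or of GlobalSight; the jarsigner path, keystore path, alias and the KEYSTORE_PASS variable are assumptions to adjust for your server.

```shell
#!/bin/sh
# Added example (not from the original post): back up, sign and verify every
# applet jar, restoring the backup copy of any jar that does not verify.
# Assumptions: JARSIGNER points at the jarsigner to use (the post used the
# Java 6 one), KEYSTORE/ALIAS/LIB_DIR are adjusted for your server, and the
# keystore password is supplied in the KEYSTORE_PASS environment variable.
JARSIGNER="${JARSIGNER:-/usr/lib/jvm/java-6-sun-1.6.0.26/bin/jarsigner}"
LIB_DIR="${LIB_DIR:-GlobalSightRoot/jboss/server/standalone/deployments/globalsight.ear/globalsight-web.war/applet/lib}"
KEYSTORE="${KEYSTORE:-/path/to/file.p12}"   # placeholder path
ALIAS="${ALIAS:-NewAlias}"
# Signature check: jarsigner prints "jar verified." when the jar is intact.
verify_jar() {
  "$JARSIGNER" -verify "$1" 2>&1 | grep -q '^jar verified'
}

# Sign one jar in place. The password comes from the environment rather than
# being hard-coded; it is still visible in `ps` while jarsigner runs, and
# JDK 8+ jarsigner accepts -storepass:env KEYSTORE_PASS to avoid even that.
sign_jar() {
  "$JARSIGNER" -storetype pkcs12 -keystore "$KEYSTORE" \
    -storepass "$KEYSTORE_PASS" "$1" "$ALIAS"
}

# Sign every jar in the given lib directory. Returns the number of jars that
# failed to sign or verify (0 = all signed and verified; 2 = no password set).
sign_applets() {
  lib="$1"
  [ -n "${KEYSTORE_PASS:-}" ] || { echo "KEYSTORE_PASS is not set" >&2; return 2; }
  backup="$lib.backup.$(date +%Y%m%d%H%M%S)"
  mkdir -p "$backup"
  failed=0
  for jar in "$lib"/*.jar; do
    [ -f "$jar" ] || continue
    cp -p "$jar" "$backup/"      # keep the untouched copy before signing
    if sign_jar "$jar" && verify_jar "$jar"; then
      echo "signed and verified: $jar"
    else
      # Put the original back so a mis-signed jar never reaches users.
      cp -p "$backup/$(basename "$jar")" "$jar"
      echo "FAILED, restored from backup: $jar" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}
# Set RUN_SIGNING=1 to actually sign the jars under LIB_DIR.
if [ "${RUN_SIGNING:-0}" = "1" ]; then
  sign_applets "$LIB_DIR"
fi
```

Run it with RUN_SIGNING=1 after exporting KEYSTORE_PASS; the exit status is the number of jars that were restored from the backup, and the FAILED lines on stderr name them.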

How do I know that signing worked?

Browse to a page with an applet, for instance Data Sources > Create Job. This time, instead of the usual security dialog, you will get a dialog that shows the publisher’s information.

(Screenshot: Globalsight Java Security Dialog with publisher information)

Tick the “Do not show this again for apps from the publisher and location above” box and click Run. You will no longer get the security warning as your browser will save this Publisher as a trusted entry.