If you are a GlobalSight user, the following Globalsight Java Security Dialog is no stranger to you:
Why does the Globalsight Java Security Dialog pop up?
This Java security dialog notifies the user that the application is considered insecure as it is not signed by a publisher. You could click Run and continue with your work as in the past, but things changed with 1.7 update 51. Java no longer allows the user to let this happen on the spot.
There is still a workaround, the user can add a site exception. However, this requires a few more steps to be taken and is definitely not user friendly. Especially because every single GloabalSight user – project manager, translator, reviewer, client – will get this error message on one screen or another.
There must be a solution you say, and there is one indeed – sign the applets with a valid security certificate.
How to sign GlobalSight Java applets with a certificate?
Note: I performed the operation after doing some research on Oracle, certificate provider and various other resources. I am no Java security expert and this is just a how-to on how we got the GlobalSight applets signed. It is not intended to represent best practices for securing your GlobalSight instance.
Purchase a code signing certificate
The first step is getting your hands on a code signing certificate. We got a certificate from Comodo through this reseller for about $80/year. You will need to go through a simple verification process and at the end Comodo will provide you with a .p12 certificate. Transfer this certificate to your server.
codepare the certificate for signing
On the server, run the following command to verify your certificate
keytool -list -v -storetype pkcs12 -keystore file.p12
If the server is able to read your certificate, it will return a bunch of details. One thing to check here is the alias which will be used during the signing process. The alias certificate provider defined was very long and included spaces. To avoid potential errors later on, I replaced it with a simpler alias. Here is the command to get that done:
keytool -changealias -storetype pkcs12 -keystore file.p12 -alias "Existing Alias" -destalias "NewAlias" -storepass yourpass
Run the -list command once again to verify your alias has been updated successfully. If so, you are all ready for starting signing.
Backup the GlobalSight applets that require signing
The applets that need to be signed are at the following location:
Backup all these jars to a different location. Removing the signature from a jar is tedious so you can just replace the mis-signed file using your backup in case something goes wrong.
Sign applets using jarsigner tool
This is where things got a little tricky for me. The following is the command that I initially used for signing the jars, followed by the command that I used for verifying the signature:
jarsigner -storetype pkcs12 -keystore file.p12 myjar.jar "myalias" jarsigner -verify myjar.jar
The command uses the default Java version on the server, in my case 1.7.0_09-b05. However when I tried verifying the signature, I kept getting this error message:
jarsigner: java.lang.SecurityException: invalid SHA1 signature file digest for ......
I was never able to resolve this fully however I was able to work around the error. I used an older jarsigner (1.6.26) which did not generate the same error message. Here is the command run from within the applets lib directory
/usr/lib/jvm/java-6-sun-220.127.116.11/bin/jarsigner -storetype pkcs12 -storepass xxxxx -keystore file.p12 ant.jar "globalme"
If the signing goes well, the verification message you get should be “jar verified”. Do the same for all files that are under the applets directory. Then restart your GlobalSight server.
How do I know that signing worked?
Browse to a page with an applet, for instance Data Sources > Create Job. This time, instead of the usual security dialog you will get a dialog that shows the publisher’s information.
Tick the “Do not show this again for apps from the publisher and location above” box and click Run. You will no longer get the security warning as your browser will save this Publisher as a trusted entry.