Java 7u51 will not accept JNLP with self-signed certificate?
I read on the web that Java version 7u51 (to be released in January 2014) will no longer accept Java Webstart applications that are self-signed by me.

Is that true?

In case it is true, do I have any chance to build a workaround for my JNLP application, so that I am able to start the application even after January 2014?

I have seen that the option to suppress the security warnings because of the usage of a self-signed certificate was removed in 7u40.

Operant answered 20/10, 2013 at 19:29 Comment(0)

Yes, this is true. This blog entry from Oracle has the details.

As I understand it, you have three options for continuing to work:

  1. Sign your app with a trusted cert
  2. Have your end users configure their machines to trust your app despite it being self-signed
    • via deployment rule sets (Oracle's intention is that DRSs are only to be used in corporate environments, where you can push out this configuration update via a centralized management technology)
    • via the exception site list (I believe this is intended to be analogous to DRSes, but for individual end users without centralized management)
  3. Have your users lower their security slider from High (the default) to Medium

See also my question about obtaining pre-release versions of these updates to test with.

Countermove answered 21/10, 2013 at 1:40 Comment(10)
Hi, I am one of the authors on that blog posted above. For internet-wide distribution, a certificate from a valid CA is ideal. For a small known community, it is feasible to distribute your certificate to people you can contact. Clients can then import these self-signed certificates. Large organizations do this to act as their own CAs and it's also ok for small groups like university students in a class.Backbencher
@Backbencher That's correct, if you're fortunate enough to be in an environment where all of your client machines are managed & it's plausible to deploy a new trusted cert to them, it's a good alternative to a cert signed by a CA. (Great to see someone from Oracle on SO, too!)Countermove
The release notes of update 51 state that: Block Self-Signed and Unsigned applets on High Security Setting. This means it will not be blocked when the security settings are set to Medium.Weirick
@Weirick thanks for pointing that out, I've added a note about the security slider, as well as the new exception site list feature. Note that I have not tested either of these personally.Countermove
It looks like even with the exception site list, a self-signed app will be blocked on High!Kingsly
@Backbencher Does this mean there should actually be a third bullet point under 2? How exactly can we import self-signed certificates on the clients in our network? The other ways aren't very practical: you would have to manually lower the security slider or add an exception site for each and every client. I also checked the documentation of deployment rule sets, but it says "The JAR file must be signed with a valid certificate from a trusted certificate authority." so this won't help with self-signed certificates.Ivette
I think the answer to my own question is that you should act as your own Certificate Authority to validate your self-signed certificate. I'm not sure how to set this up though.Ivette
Through google I just found another one of @Backbencher 's blogs which answers my question, see blogs.oracle.com/java-platform-group/entry/…Ivette
@Backbencher Could you please point out what's the best solution for my case? We've been developing an internal file downloader which is invoked within our web application. This is being used by more than 100 users in our intranet, but we don't rule the whole network (there are more than 800 people working here). I don't want the users to do anything (it's just a downloader, it makes no sense; otherwise we would develop a standard web application). We don't want to pay for a CA, so what should we do? Basically I'm looking for solutions implemented on the server side and requiring no setup on the clients.TyTali
@Aitor, consider this: is there any solution that costlow could suggest to you that would not also be a great way for bad guys to get their Java-based malware to infect those same 100 users? :-/Countermove

Oracle just announced that a new feature called the Exception Site List will be available in 7u51.

If it means what I think it means, then in-house-only apps that are currently self-signing their jars can simply ask their users to whitelist the app without the user having to do anything "complicated" for an end user, like importing a cert (for example).

UPDATE:

Java 7u51 was just released, and I can confirm that the Exception Site List solution works quite easily. Just go to Java Control Panel -> Security -> Edit Site List, and add the URL of the self-signed JNLP app to the list of Locations.

Antevert answered 26/11, 2013 at 17:24 Comment(0)

This is for Windows ONLY

Go to the Java configuration in Windows ("java configure"), choose the "Security" tab, choose "Edit Site List", and add your self-signed URL to the list.

Sometimes you need to add the full URL of the Java application to the list to make it work: you cannot just add https://xxx.abc.com; it should be https://xxx.abc.com/application_blah_blah instead.

After adding the URL, restart the Java application by entering that URL in the browser; it will work.

Sadick answered 4/2, 2014 at 7:56 Comment(0)

Is that true?

Don't know, but had heard the same. What is your source?

In case it is true, do I have any chance to build a workaround for my JNLP application, so that I am able to start the application even after January 2014?

The only realistic way to deploy code in that situation is have it signed using a digital certificate from a Certification Authority (i.e. signed, but not self-signed).

Any 'workaround' would be a security bug. So if you find one, please let us know so we can raise a bug report and get it fixed.

Envelope answered 21/10, 2013 at 1:24 Comment(0)

I have a self-signed app that just needs to run through the end of the semester (December), so I won't be affected by the January deadline. However, we are experiencing trouble even with earlier builds. This just started last week (perhaps due to some kind of automatic update). The JRE is build 40.

I changed the manifest file to include the required attributes of permission and codebase and then re-signed the jar, but it still causes a security block to appear at our school.

Can anyone suggest other steps I should take? Is a commercial certificate my only option?

Thanks, Nina

Schopenhauer answered 22/10, 2013 at 0:39 Comment(0)
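Three of the posts above describe checks a deployer ends up doing by hand: Antevert's and Sadick's answers say to add the application's URL (sometimes the codebase, sometimes the full JNLP URL) to the Exception Site List, and Nina's post mentions re-signing after adding the Permissions and Codebase manifest attributes. The script below is an added example, not code from the question or any answer: a stdlib-only pre-flight check that parses a JNLP, inspects each referenced JAR for a signature block and for those two attributes, and prints both candidate URLs for the site list. The JNLP, hostnames and JAR contents are constructed for the example; the Codebase matching is a simplified host-only comparison (an assumption, not Oracle's exact algorithm); and only signature presence is checked, since validity is what jarsigner -verify is for.

```python
"""Pre-flight check for a JNLP deployment against the 7u51 rules discussed above.
Added example (stdlib only), not code from the question or any answer.  It parses
the JNLP, checks each referenced JAR for a signature block and for the Permissions
and Codebase manifest attributes, and reports which URLs a user would add to the
Exception Site List.  Only signature *presence* is checked; validity is jarsigner's job."""
import fnmatch
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample JNLP; the host and paths are made up for this example.
SAMPLE_JNLP = b"""<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="https://intranet.example.com/downloader" href="downloader.jnlp">
  <information><title>Downloader</title><vendor>Example Corp</vendor></information>
  <security><all-permissions/></security>
  <resources><j2se version="1.7+"/><jar href="downloader.jar" main="true"/></resources>
  <application-desc main-class="com.example.Main"/>
</jnlp>"""

def parse_manifest(data: bytes) -> dict:
    """Main-section attributes of MANIFEST.MF.  Lines are at most 72 bytes; longer
    values continue on lines starting with one space, so glue those back first."""
    main_section = re.split(r"\r?\n\r?\n", data.decode("utf-8"), maxsplit=1)[0]
    attrs = {}
    for line in re.sub(r"\r?\n ", "", main_section).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs

def codebase_matches(attr: str, expected_url: str) -> bool:
    """Simplified matching (assumption): compare hostnames only, honour '*' wildcards,
    ignore scheme and port.  The attribute is a space-separated list of entries."""
    host = urlparse(expected_url).hostname or ""
    for entry in attr.split():
        entry_host = urlparse(entry if "://" in entry else "//" + entry).hostname or ""
        if entry == "*" or fnmatch.fnmatchcase(host, entry_host):
            return True
    return False

def inspect_jar(jar_bytes: bytes, expected_codebase: str) -> dict:
    """Findings for one JAR: signature block present? required attributes right?"""
    findings = {"signed": False, "problems": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        has_sf = any(re.fullmatch(r"META-INF/[^/]+\.SF", n) for n in names)
        has_block = any(re.fullmatch(r"META-INF/[^/]+\.(RSA|DSA|EC)", n) for n in names)
        findings["signed"] = has_sf and has_block
        if not findings["signed"]:
            findings["problems"].append("unsigned: no META-INF/*.SF with a *.RSA/*.DSA/*.EC block")
        if "META-INF/MANIFEST.MF" not in names:
            findings["problems"].append("no META-INF/MANIFEST.MF")
            return findings
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
    perms = attrs.get("Permissions")
    if perms not in ("all-permissions", "sandbox"):
        findings["problems"].append(f"Permissions attribute missing or invalid: {perms!r}")
    codebase = attrs.get("Codebase")
    if codebase is None:
        findings["problems"].append("Codebase attribute missing")
    elif not codebase_matches(codebase, expected_codebase):
        findings["problems"].append(f"Codebase {codebase!r} does not cover {expected_codebase!r}")
    return findings

def check_jnlp(jnlp_xml: bytes, jars: dict) -> dict:
    """jars maps each <jar href> in the JNLP to that JAR's bytes (fetched by the caller)."""
    root = ET.fromstring(jnlp_xml)
    codebase = root.get("codebase", "")
    if codebase and not codebase.endswith("/"):
        codebase += "/"  # Web Start resolves hrefs against the codebase as a directory
    report = {"exception_site_entry": codebase or None,
              "jnlp_url": urljoin(codebase, root.get("href", "")), "jars": {}}
    for jar in root.iter("jar"):
        name = jar.get("href")
        report["jars"][name] = (inspect_jar(jars[name], codebase) if name in jars
                                else {"signed": False, "problems": ["referenced JAR not supplied"]})
    return report

def build_sample_jar(attrs: dict, signed: bool) -> bytes:
    """Constructed fixture: a minimal JAR with the given main-section attributes.  The
    .SF/.RSA entries are placeholders for the presence check, not real signatures."""
    lines = ["Manifest-Version: 1.0"]
    for key, value in attrs.items():
        line = f"{key}: {value}"
        while len(line) > 72:  # ASCII assumed; continuation lines start with a space
            lines.append(line[:72])
            line = " " + line[72:]
        lines.append(line)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", ("\r\n".join(lines) + "\r\n\r\n").encode())
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        if signed:
            zf.writestr("META-INF/SELFSIGN.SF", b"placeholder")
            zf.writestr("META-INF/SELFSIGN.RSA", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    good = build_sample_jar({"Permissions": "all-permissions", "Codebase": "intranet.example.com"}, True)
    print(check_jnlp(SAMPLE_JNLP, {"downloader.jar": good}))
```

For a real deployment, read the JNLP and JAR files from disk (or fetch them from the codebase) and pass them to check_jnlp; an empty problems list for every JAR means the manifest side is in order, and the report's exception_site_entry is the codebase to try first, with jnlp_url as the fallback when, as Sadick's answer reports, only the full URL is accepted. None of this makes a self-signed JAR trusted: that still needs either a CA-issued certificate or the client-side steps described above.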

For me, the self-signed web app is working after changing the security setting to Medium.

Slender answered 17/1, 2014 at 10:59 Comment(1)
This is probably not the "safest" way to get this to work, but for local lans it is quick...Cubage

Check out Java official help to allow the access:

Control untrusted programs

Decane answered 3/11, 2014 at 22:33 Comment(0)

I hope this isn't too out of scope, but generally the use case is a server with a very old Java remote console.

I've built a portable JAVAWS launcher for JNLP files that come from IPMI / IMM / ILO / IRMC / IDRAC / KVM servers, which should work on a fairly high number of old servers. Security settings in my portable launcher are already preset to support prehistoric devices.

You can find the project at https://github.com/netinvent/ipmi-starter

Weanling answered 8/10, 2022 at 9:16 Comment(0)