How to make a machine trust a self-signed Java application

4

37

I'm deploying an application using JAWS, and it worked until late 2013 when I got a warning, and then this morning Java completely blocked it. The message in French is:

Application bloquée par les paramètres de sécurité
Vos paramètres de sécurité ont bloqué l'exécution d'une application auto-signée avec une version obsolete ou arrivée à expiration de Java.

which would translate roughly as:

Application blocked by the security settings
Your security settings have blocked from running an application that has been self-signed with an obsolete or outdated Java.

The grammar is not that clear, the end of the sentence could be read as either:

  • ...blocked a self-signed application from running with an obsolete or outdated Java [runtime], meaning that the local runtime is too old, but the self-signature is fine
  • ...blocked an application that has been self-signed with an obsolete or outdated Java [compiler], meaning that the Java compiler used is too old

I searched online for the exact same message in English, but I couldn't find it. So the grammar is still unclear. Note that on the message there is no Name: xyz / From: http://url/, there's only the text I typed above, and a blue "i" icon.

Now, I don't really understand the exact meaning of this error message, but I know that there is an issue because my JAR files are all self-signed. I have already faced this on other Windows clients, and it was easy:

  • I extracted a .cer certificate from my keystore;
  • Downloaded it on the client machine, opened it;
  • Made the customers install it as a trusted source on their local machine.

It worked like a charm on my test setup and for one customer, but another one still has the issue and cannot run my software.

This is a big issue for me, and I don't know what to do. Should I upgrade my Java compiler, recompile everything, sign every JAR file again and cross fingers? How can I make that Windows box trust my certificate and let the Java application run?

Milline answered 16/1, 2014 at 9:6 Comment(3)
java.com/en/download/help/java_blocked.xml - Shayne
See also #16196925 - Lemonade
Another option is adding the certificate to %JAVA_HOME%\lib\security\cacerts: #11617710 - Lemonade
63

Just go to Start menu >> Java >> Configure Java >> Security >> Edit site list >> copy and paste your link with problem >> OK. Problem fixed :)

Intellectuality answered 6/2, 2014 at 8:41 Comment(6)
Non-standard ports must also be included. As an example, an internal Proxmox server will use a URL that starts with https://hostname.example.com:8006/foo. The self-signed certificate check fails if you only allow https://hostname.example.com. You must include the full https://hostname.example.com:8006 for it to work properly. - Shipp
Only acceptable on certain versions of Java. I know for a fact that Java 1.7_45 does not have a whitelist option. - Barger
Had the same problem but in Linux Mint, so I had to go to the Java 8 plugin control panel and edit the list, then restart Firefox for the changes to be applied. - Feverfew
If launching via Java Web Start (JNLP file), open the file with a text editor, locate the <jnlp> tag and use the URL in the "codebase" attribute to add to the whitelist. It should launch after that. - Unaware
Worked for me with java version 1.8.0_74 (make sure to include port in the url if it isn't the standard port 80, or else it assumes port 80 only). - Mythopoeic
XFCE menu item was "Oracle Java 7 Plugin Control Panel" as I had installed "oracle-java7-installer" - Travers
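The comments above (take the URL from the `codebase` attribute of the `<jnlp>` tag, and include any non-standard port) can be combined into one check to run before editing a client's site list. This is an added example, not part of the original answers: the sample JNLP and site list are constructed, the one-URL-per-line list layout is an assumption, and comparing scheme, host and port is a simplification of Java's own matching based on those comments.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample JNLP; host and port follow the Proxmox comment above.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="https://hostname.example.com:8006/foo" href="app.jnlp">
  <information><title>Sample</title><vendor>Example</vendor></information>
  <resources><jar href="app.jar"/></resources>
</jnlp>"""

# Constructed sample site list, one URL per line (assumed layout).
SAMPLE_SITES = "https://hostname.example.com\nhttp://intranet.example.com:8080/\n"


def origin(url):
    """Return (scheme, host, port) with the default port made explicit."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme]


def site_entry(jnlp_text):
    """Build the scheme://host[:port] entry from the <jnlp> codebase attribute."""
    codebase = ET.fromstring(jnlp_text).get("codebase")
    if not codebase:
        raise ValueError("<jnlp> element has no codebase attribute")
    scheme, host, port = origin(codebase)
    suffix = "" if port == DEFAULT_PORTS[scheme] else f":{port}"
    return f"{scheme}://{host}{suffix}"


def is_listed(entry, sites_text):
    """True if a list line has the same scheme, host and port as entry."""
    wanted = origin(entry)
    for line in sites_text.splitlines():
        try:
            if origin(line) == wanted:
                return True
        except ValueError:
            continue  # blank or non-URL line
    return False


if __name__ == "__main__":
    entry = site_entry(SAMPLE_JNLP)
    print(entry, "listed" if is_listed(entry, SAMPLE_SITES) else "NOT listed")
```

With the constructed data the port-less `https://hostname.example.com` line does not cover the `:8006` codebase, which is the failure the port comments describe.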
9

SERIOUS DISCLAIMER

This solution has a serious security flaw. Please use at your own risk.
Have a look at the comments on this post, and look at all the answers to this question.


OK, I had to go to the customer premises and found a solution. I:

  • Exported the keystore that holds the signing keys in PKCS #12 format
  • Opened control panel Java -> Security tab
  • Clicked Manage certificates
  • Imported this new keystore as a secure site CA

Then I opened the JAWS application without any warning. This is a little bit cumbersome, but much cheaper than buying a signed certificate!

Milline answered 16/1, 2014 at 12:43 Comment(6)
I just had the same problem, except that I'm a simple user in this case - not developing nor deploying the app - so I can't access the signing keys and @Mehdi's solution perfectly worked. - Stanfill
... which happens to be the exact same solution as @troscher's. Don't know why I didn't see it first. - Stanfill
Adding a certificate as a CA isn't exactly secure... they could then use that certificate to sign certificates for any domain. - Bowe
+1 for steveayre's comment. This is not really a very good idea and, as psycho pointed out, not at all practical in most situations. You should SERIOUSLY consider un-accepting your answer and accepting Mehdi's answer instead. Then remove your answer or just edit it and say that people should follow Mehdi's advice. - Alwitt
Thanks for the note Andrew. I have edited my answer, I think it's now clear enough. - Milline
A bit late but I must say that I prefer this solution: I trust my key or code signed with it more than I trust a remote site! - Narcolepsy
3

I was having the same issue. So I went to the Java options through Control Panel. Copied the web address that I was having an issue with to the exceptions and it was fixed.

Stithy answered 27/1, 2014 at 15:15 Comment(0)
2

I had the same problem, but I solved it from Java Control Panel --> Security --> Security Level: MEDIUM. Just so, no Manage certificates, imports, exports etc.

Cos answered 24/4, 2014 at 17:4 Comment(1)
DANGER: This works but exposes your computer to many potential security risks. If you trust the source it is much less risky to add that site to the Exception Site List. See answers from Mehdi or troscher. - Alwitt
