42

I read on the web that Java version 7u51 (to be released in January 2014) will no longer accept Java Webstart applications that are self-signed by me.

Is that true?

In case it is true, do I have any chance to build a workaround for my JNLP application, so that I am able to start the application even after January 2014?

I have seen that the option to suppress the security warnings caused by the use of a self-signed certificate was removed in 7u40.

ajp15243
Fabian

8 Answers

30

Yes, this is true. This blog entry from Oracle has the details.

As I understand it, you have three options for continuing to work:

  1. Sign your app with a trusted cert
  2. Have your end users configure their machines to trust your app despite it being self-signed
    • via deployment rule sets (Oracle's intention is that DRSs are only to be used in corporate environments, where you can push out this configuration update via a centralized management technology)
    • via the exception site list (I believe this is intended to be analogous to DRSes, but for individual end users without centralized management)
  3. Have your users lower their security slider from High (the default) to Medium

See also my question about obtaining pre-release versions of these updates to test with.

hellboy
Matt McHenry

  • Hi, I am one of the authors on that blog posted above. For internet-wide distribution, a certificate from a valid CA is ideal. For a small known community, it is feasible to distribute your certificate to people you can contact. Clients can then import these self-signed certificates. Large organizations do this to act as their own CAs and it's also ok for small groups like university students in a class. – Costlow Oct 23 '13 at 22:36
  • @Costlow That's correct, if you're fortunate enough to be in an environment where all of your client machines are managed & it's plausible to deploy a new trusted cert to them, it's a good alternative to a cert signed by a CA. (Great to see someone from Oracle on SO, too!) – Matt McHenry Oct 24 '13 at 01:14
  • The release notes of update 51 state that: Block Self-Signed and Unsigned applets on High Security Setting. This means it will not be blocked when the security settings are set to Medium. – NickL Jan 17 '14 at 14:13
  • @NickL thanks for pointing that out, I've added a note about the security slider, as well as the new exception site list feature. Note that I have not tested either of these personally. – Matt McHenry Jan 17 '14 at 18:07
  • It looks like even with the exception site list, a self-signed app will be blocked on High! – Jochen Bedersdorfer Jan 23 '14 at 20:36
  • @Costlow Does this mean there should actually be a third bullet point under 2? How exactly can we import self-signed certificates on the clients in our network? The other ways aren't very practical: you would have to manually lower the security slider or add an exception site for each and every client. I also checked the documentation of deployment rule sets, but it says "The JAR file must be signed with a valid certificate from a trusted certificate authority." so this won't help with self-signed certificates. – Henno Vermeulen Feb 17 '14 at 13:29
  • I think the answer to my own question is that you should act as your own Certificate Authority to validate your self-signed certificate. I'm not sure how to set this up though. – Henno Vermeulen Feb 17 '14 at 13:33
  • Through Google I just found another one of @Costlow's blogs which answers my question, see https://blogs.oracle.com/java-platform-group/entry/self_signed_certificates_for_a – Henno Vermeulen Feb 17 '14 at 13:48
  • @Costlow Could you please point out what's the best solution for my case? We've been developing an internal file downloader which is invoked within our web application. This is being used for more than 100 users in our intranet, but we don't rule the whole network (there are more than 800 people working here). I don't want the users to do anything (it's just a downloader, it makes no sense, otherwise we would develop a standard web application). We don't want to pay for a CA, so, what should we do? Basically I'm looking for solutions implemented from the server side and requiring no setup from clients. Ty – Aitor Mar 24 '14 at 13:19
  • @Aitor, consider this: is there any solution that costlow could suggest to you that would not also be a great way for bad guys to get their Java-based malware to infect those same 100 users? :-/ – Matt McHenry Mar 24 '14 at 16:33
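The certificate-distribution route that Costlow and Henno Vermeulen discuss in the comments above, scripted end to end as an added example (this is not code from the thread, from the blog post, or from Oracle): the publisher generates a self-signed code-signing key, signs the JAR, and exports the certificate; each client then imports that certificate into a trusted-root keystore, after which the JAR verifies against that store. The script assumes a JDK on PATH (keytool, jarsigner, jar). The alias, passwords, distinguished name, Codebase URL and keystore paths are placeholders; on a real client the import target would be the JRE's own lib/security/cacerts or the Signer CA store in the Java Control Panel, which this example deliberately leaves untouched by writing only to a scratch keystore.

```shell
#!/bin/sh
# Added example, not code from the thread. Scripts the "distribute your own
# certificate" route: the publisher signs with a self-signed key, exports the
# certificate, the client imports it as a trusted root, then verifies the JAR
# against that store. Assumes a JDK on PATH (keytool, jarsigner, jar).
# Alias, passwords, DN, URL and keystore paths are placeholders (assumptions).
set -eu

have_jdk_tools() {
  command -v keytool >/dev/null 2>&1 &&
  command -v jarsigner >/dev/null 2>&1 &&
  command -v jar >/dev/null 2>&1
}

# Build a throw-away JAR whose manifest carries the Permissions and Codebase
# attributes (the ones Nina Koch's answer mentions re-signing). The payload is
# a constructed text file; no class files are needed to demonstrate signing.
make_demo_jar() {
  mdj_jar="$1"; mdj_codebase="$2"
  mdj_dir=$(mktemp -d)
  printf 'Manifest-Version: 1.0\nPermissions: all-permissions\nCodebase: %s\nApplication-Name: Demo App\n' \
    "$mdj_codebase" > "$mdj_dir/MANIFEST.MF"
  echo "constructed demo payload" > "$mdj_dir/README.txt"
  jar cfm "$mdj_jar" "$mdj_dir/MANIFEST.MF" -C "$mdj_dir" README.txt
  rm -rf "$mdj_dir"
}

# Publisher side: self-signed RSA key, sign the JAR, export the certificate
# (PEM) for distribution to the known community of clients.
publisher_sign() {
  ps_ks="$1"; ps_alias="$2"; ps_pass="$3"; ps_jar="$4"; ps_cert="$5"
  keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3650 \
    -alias "$ps_alias" -dname "CN=Example Internal Apps, O=Example Corp, C=US" \
    -keystore "$ps_ks" -storepass "$ps_pass" -keypass "$ps_pass"
  jarsigner -keystore "$ps_ks" -storepass "$ps_pass" "$ps_jar" "$ps_alias"
  keytool -exportcert -rfc -alias "$ps_alias" -keystore "$ps_ks" \
    -storepass "$ps_pass" -file "$ps_cert"
}

# Client side: import the publisher certificate as a trusted entry. On a real
# machine the target is the JRE's lib/security/cacerts (default password
# "changeit") or the Signer CA store of the Java Control Panel; here it is a
# scratch keystore (assumption) so the example never modifies an installed JRE.
client_trust() {
  ct_cert="$1"; ct_ks="$2"; ct_pass="$3"; ct_alias="$4"
  keytool -importcert -noprompt -trustcacerts -alias "$ct_alias" -file "$ct_cert" \
    -keystore "$ct_ks" -storepass "$ct_pass"
}

# jarsigner exits 0 even for an unsigned JAR ("jar is unsigned."), so the
# verdict has to be read from its output rather than its exit status.
client_verify() {
  cv_out=$(jarsigner -verify -keystore "$2" -storepass "$3" "$1" 2>&1) || return 1
  case "$cv_out" in
    *"jar verified"*) return 0 ;;
    *) printf '%s\n' "$cv_out" >&2; return 1 ;;
  esac
}

# Whole flow in a temporary directory; returns 0 when the client-side
# verification against the scratch trust store succeeds.
demo_run() {
  dr_tmp=$(mktemp -d)
  make_demo_jar "$dr_tmp/app.jar" "https://intranet.example.com/app/"
  publisher_sign "$dr_tmp/publisher.jks" appsigner secret123 "$dr_tmp/app.jar" "$dr_tmp/publisher.cer"
  client_trust "$dr_tmp/publisher.cer" "$dr_tmp/client-cacerts.jks" changeit appsigner
  if client_verify "$dr_tmp/app.jar" "$dr_tmp/client-cacerts.jks" changeit; then dr_rc=0; else dr_rc=1; fi
  rm -rf "$dr_tmp"
  return $dr_rc
}

if [ "${1:-}" = run ]; then
  have_jdk_tools || { echo "JDK tools not found on PATH" >&2; exit 1; }
  demo_run && echo "client verification succeeded"
fi
```

Run it as `sh selfsign-demo.sh run`. The publisher keeps publisher.jks private and hands out only publisher.cer; the client-side import is the one step that must reach every machine, which is exactly the management problem Henno Vermeulen and Aitor raise above, and it is the same reason a CA-issued certificate is the only option that needs no client setup at all.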
15

Oracle just announced that a new feature called the Exception Site List will be available in 7u51.

If it means what I think it means, then in-house-only apps that are currently self-signing their jars can simply ask their users to whitelist the app without the user having to do anything "complicated" for an end user, like importing a cert (for example).

UPDATE:

Java 7u51 was just released, and I can confirm that the Exception Site List solution works quite easily. Just go to Java Control Panel -> Security -> Edit Site List, and add the URL of the self-signed JNLP app to the list of Locations.

splungebob
3

This is for Windows ONLY

Go to the Java configuration in Windows ("java configure"), choose the "Security" tab, choose "Edit Site List", and add your self-signed URL to the list.

Sometimes you need to add the full URL of the Java application to the list to make it work; you cannot just add https://xxx.abc.com, it should be https://xxx.abc.com/application_blah_blah instead.

After adding the URL, restart the Java application by entering that URL in the browser, and it will work.

Xianlin
2

Is that true?

Don't know, but had heard the same. What is your source?

In case it is true, do I have any chance to build a workaround for my JNLP application, so that I am able to start the application even after January 2014?

The only realistic way to deploy code in that situation is have it signed using a digital certificate from a Certification Authority (i.e. signed, but not self-signed).

Any 'workaround' would be a security bug. So if you find one, please let us know so we can raise a bug report and get it fixed.

Andrew Thompson
1

I have a self-signed app that just needs to run through the end of the semester (December), so I won't be affected by the January deadline. However, we are experiencing trouble even with earlier builds. This just started last week (perhaps due to some kind of automatic update). The JRE is build 40.

I changed the manifest file to include the required attributes of permission and codebase and then re-signed the jar, but it still causes a security block to appear at our school.

Can anyone suggest other steps I should take? Is a commercial certificate my only option?

Thanks, Nina

Nina Koch
1

For me, the self-signed web app is working when the security setting is changed to Medium.

1

Check out the official Java help on allowing access:

Control untrusted programs

Evandro Pomatti
0

I hope this isn't too out of scope, but the general use case is a server with a very old Java remote console.

I've built a portable JAVAWS launcher for JNLP files that come from IPMI / IMM / ILO / IRMC / IDRAC / KVM servers that should work on a fairly high number of old servers. Security settings in my portable launcher are already preset to support prehistoric devices.

You can find the project at https://github.com/netinvent/ipmi-starter

Orsiris de Jong