We have a webstart application that downloads jars in 2 parts:
1) Jars are downloaded as part of webstart framework
2) Additional jars are downloaded when jnlp runs the main class of the application
We decided to download the jars over HTTPS. I changed the jnlp to download the jars over HTTPS and this triggers webstart framework that checks the server certificate. If the certificate is self-signed it pops up a warning to the user to approve or decline the connection.
If the user declines the connection, the jars won't download but if they were downloaded before and appear in the java cache, then the application will be run from the cache.
I am having a problem with part 2), where we download jars NOT as part of the webstart framework. At this point, I don't know if the user approved the certificate or declined.
The best behavior that I would like to get is that if user declines the connection, I would like the application to not run at all or to fail at the second phase.
How can I achieve that?
Is there a way to determine if the user accepted the certificate or declined it?
Related
I have written a restful API project which is developed using spring boot and I am using the embedded tomcat and running a jar on a linux server.
The APIs are live at:
https://api.arevogroup.com:8089/api/regions
and I can see the verified and correct SSL as well as in the given screenshot.
but I am getting an this exception in the postman when I call these apis.
These APIs are consumed by a Xamrin based app which seems to work all good when consumed using iPhone but gives this same exception when the APIs are accessed via android.
I guess, the way I have generated the ssl certificate has some issues.
I have used a pfx file and my SSL config in properties file looks like this:
###SSL Key Info
security.require-ssl=true
server.ssl.key-store-password=PASSWORD
server.ssl.key-store=classpath:ssl_pfx.pfx
server.ssl.key-store-type=PKCS12
I have 2 questions, if disable the ssl verification, would the communication still be encrypted or not? (man in the middle attack is still possible but the info will still be encrypted, right?).
If not, how can I fix this?
You can't disable the verification of the server certificate. No browser will allow you to do it, except on an exceptional basis (the user must confirm the exception). If the client disables the verification, than the communication will be encrypted (i.e. no passive attack will be possible).
The errors you see are cause by a misconfiguration of your server.
Your certificate chain contains just the certificate for your server and lacks the intermediate certificate CN=Go Daddy Secure Certificate Authority - G2. You need to download it from Go Daddy (it is the one named gdig2.crt.pem) and add it to your keystore.
Refer to this question on how to do it.
Some browsers cache intermediate certificates and are able to verify your site even if one certificate is missing. However you should not rely on it.
security.require-ssl=true
server.ssl.key-store-password=PASSWORD
server.ssl.key-store=keystore.jks
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS
Used the jks file instead of pfx and it worked all good. Thought to share with others too.
While associating J-Meter plugin jar file in lib/ext folder of J-Meter Setup,I am getting SSL certificate error after clicking 'Plugin manager' from 'Options' Menu.Could you please assist me for the same?
Thanks
Amitenter image description here
Most probably you're behind the corporate proxy which uses an SSL certificate for securing the traffic between itself and clients.
Java uses cacerts file to check the validity of the SSL certificates and you're getting this error because the certificate is not known to Java.
The solution would be obtaining the certificate from the proxy server (it can be done using either OpenSSL or just a web browser) and adding it to the Java cacerts
You can also try downloading Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, it might be enough to resolve your issue.
More information:
How to Install the JMeter Plugins Manager
Plugins Manager Network Configuration
Our IdP is updating certificate in their IdP metadata.
They are offering one month period in which both old and new certificate will be valid so that we can switch to new certificate.
The issue is, that anytime they updated certificate, we have to redeploy IdP metadata containing new certificate and that includes downtime that we would like to avoid if possible (server restart).
My question is:
is there the possibility to switch to new IdP metadata file without server restart (Java app running in Tomcat 7)
Alternatively, is there the possibility to use 2 metadata files for same IdP, one with new, one with old certificate, and to switch in runtime to new one?
You can include both signature certificates in the same IDP metadata. Spring SAML will be trying to verify signature on an incoming message using all available certificates, until it finds a match or fails. Two files for the same IdP won't work.
You can use the org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider, which will automatically reload metadata when the file its configuration points to gets updated - without application restart.
Our organization developed some application on java before 8 years and we have some customers who have installed our product in their environment and providing services.
In java 7 update 51, java has updated their security, so it is asking us to sign the jar files using public certificate.
Customer is not fine with ask every user to reduce the security level or add the site in exception list in control pannel java.
The question here is, do all the customer needs to buy one certificate for them self and sign the jars or as an organization we buy a certificate and the single certificate can be used for all the customers?
If you get a certificate for your organization, you can use it to sign any Java applications that you wish to deploy. A different certificate is not needed for each application or customer.
It's not even necessary to avtually "buy" a certificate. You could create a self-signed certificate using the java keytool and use it to sign your code. Then your customers would have to install that certificate into their java trusted certificate store and everything should be fine.
"Buying" a certificate is only necessary when you need every computer with a standard-trustlist to be able to run your application, but if you're in close contact with your customers - as it seems you are - you should be able to hand them a self-created certificate for installation on their machines.
I am using some of the local machine's resources using COM interop functionality provided in Silverlight 4.0. Hence, naturally I need OOB with elevated permissions. However, in my case I am consuming the WCF services hosted on HTTPS channel. Here is where I am facing the problem. The OOB with elevated permissions applied, doesn't allow me consuming the HTTPS service hosted on either different or the same domain, giving me a NotFound exception. Please note that I have used the self-signed certificate for the development environment. The same is also installed in the Trusted Root folder of the client machine on which I am testing.
Interestingly, when I set the Fiddler options (in Fiddler session, Toos -> Fiddler Options -> HTTPS tab) to intercept the HTTPS traffic, with Decrypt HTTPS traffic checkbox set, I am able to use the same HTTPS service without any exception. But for that, I was told by Fiddler to store a temporary certificate inside my user profile's Fiddler directory, and I must have at least one Fiddler session at that time. Hence, it seems to be a certification issue. But does it relate in anyway to signing of the XAP file with the required certificate ? I am not sure. I tried with a self-signed certificate and bind my layer service URL to use that certificate. Then I install the same certificate to Trusted root folder of the client. But i was not successful in signing the XAP with that certificate.
Please let me know if you have any work-around.
If the code is running in a different user's context, you need to put your "Self-signed" certificate into the Machine Trusted Root store. Start mmc.exe. On the File menu, choose to Add a Snap-in. Add the Certificates snap-in. Pick Local Machine. Import the Self-signed root into the Trusted Root store.
I had the same problem and found out, that the SSL settings in IIS were wrong.
I configured IIS 7.5 to SSL only and to accept client certificates. With this settings, I ended up with the service not found error in OOB. After setting IIS to ignoring client certificates the OOB Application works fine.