
KB - Configuring Web Start During a BBj Installation

Background on Internet Security

Java has not escaped the ever-increasing focus on Internet security. All web-based access provided by Java products has been affected by a tightening of Oracle’s Java security model. Most at risk have been browser-based Java plugins, which are NOT employed by any of BASIS’ products. For example, BASIS’ browser user interface (BUI) client deployment is based on JavaScript and HTML5, NOT a Java browser plugin. However, Oracle’s very useful Java Network Launch Protocol (JNLP), delivered over the Internet via Java Web Start, is widely used by BASIS customers as a ‘zero-deployment’ mechanism for installing and launching the BASIS Thin Client on the desktop.

 

Oracle’s solution to the potential security risk posed by Web Start’s capability (launching an application across the Internet on the desktop) has been to rely on the presence of a security certificate to authenticate the credentials of the application to the user/client. The security and ownership requirements of such certificates have been ratcheted up by successive versions of Java. Accordingly, BASIS is responding with a solution for customers that allows them to continue to benefit from the ‘zero-deployment’ benefits of Web Start while being in compliance with the new security paradigm.

Overview

Oracle’s Web Start security model now blocks applications that are not signed with a security certificate. In order to adhere to this security model, installations of BBj® 13.13 and higher will prompt for information to configure the BBj application server to allow Web Start clients to run with the new security model. You can choose to either generate a new compliant Web Start certificate or use your own compliant Web Start certificate. This article provides the information you need to know to correctly configure BBj for Web Start during installation.

 

During the installation process, several windows are presented by the installer to gather information for Web Start: Configure Web Start, Use Existing Web Start Certificate, and Generate Web Start Certificate. These windows allow you to do the following:

  • Specify whether to generate a security certificate during installation or select an existing one for use

  • Configure the BBj application server

  • Permit you to choose whether to make the install file itself available for Web Start clients to run

After installation has completed, Web Start will ask clients to confirm that they trust the installation the first time they run by displaying the following windows: Install Certificate Authority Installer, Install Certificate Authority, and Do You Want to Run.

Configure Web Start

Oracle’s Web Start security model blocks applications that are not signed with a security certificate. In order to adhere to this security model, you must either trust your software provider to generate a security certificate or provide a certificate. Whichever option you choose, BBj will use that certificate for Web Start clients at run time. See Figure 1.


Figure 1. The Configure Web Start window.

 

The Configure Web Start window also allows you to choose whether to have the Jetty Web Server offer the install file itself to Web Start clients to run.

Generate Web Start Certificate

If you choose to trust your software provider to generate a security certificate, the installer prompts you to provide the information it needs (see Figure 2). Once you have provided the information in the required fields, the installer generates a Certificate Authority (CA) certificate.

Figure 2. The Generate Web Start Certificate window.

Complete the fields as follows:

Your Company Name - Enter text that identifies your organization. Web Start will require clients to trust applications based on this text in order to run the first time.

Jetty Host (external) - Enter the BBj application Jetty Server name as seen by your clients (external to the server itself). This can be an IP address. Do not use ‘localhost’ or a local IP address if clients on other computers will use Web Start to run applications on this server.

Jetty Port - Enter the port of the BBj application Jetty server.
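The Jetty Host (external) caveat above is easy to get wrong and only shows up later as a client-side failure. The following Python check, an added example that is not part of this article or of BBj, validates that a generated .jnlp file’s codebase uses the external host and port entered here rather than a loopback name; the sample JNLP and the host name yourserver.com are constructed for illustration.

```python
# Added example (not BBj code): validate a .jnlp codebase against the
# Jetty Host (external) and Jetty Port entered during installation.
import ipaddress
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Names and addresses that resolve only to the server itself.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def _is_local_only(host):
    """True for loopback names/addresses that remote clients cannot reach."""
    if host.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name; assume it is routable


def check_jnlp_codebase(jnlp_xml, expected_host, expected_port):
    """Return a list of problems; an empty list means the codebase matches."""
    root = ET.fromstring(jnlp_xml)
    codebase = root.get("codebase")
    if not codebase:
        return ["<jnlp> element has no codebase attribute"]
    url = urlparse(codebase)
    host = url.hostname or ""
    problems = []
    if _is_local_only(host):
        problems.append(f"codebase host {host!r} is not reachable by remote clients")
    if host.lower() != expected_host.lower():
        problems.append(f"codebase host {host!r} != Jetty Host (external) {expected_host!r}")
    port = url.port or (443 if url.scheme == "https" else 80)
    if port != expected_port:
        problems.append(f"codebase port {port} != Jetty Port {expected_port}")
    return problems


# Constructed sample: a .jnlp generated with 'localhost' as the Jetty host.
SAMPLE_LOCALHOST = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://localhost:8888/" href="myapp.jnlp">
  <information><title>myapp</title><vendor>Example Co</vendor></information>
</jnlp>"""
SAMPLE_OK = SAMPLE_LOCALHOST.replace("localhost", "yourserver.com")

if __name__ == "__main__":
    for name, doc in (("localhost", SAMPLE_LOCALHOST), ("external", SAMPLE_OK)):
        print(name, check_jnlp_codebase(doc, "yourserver.com", 8888) or "OK")
```

Run it against the .jnlp that Jetty actually serves (for example the URL clients are told to open) and against the host and port you entered in the installer.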

Use Existing Web Start Certificate

If your server is connected to the Internet and is able to access a trusted organization (such as Verisign, Baltimore Cyber, etc.), then you can choose to purchase and use a certificate from such an organization. In this case, BBj will not generate certificates each time a Web Start client runs, and will instead use the certificate you provide.

 

If you choose to use an existing certificate, it must be from a trusted organization and be valid for code-signing Java jar files. The installer will prompt you to identify the certificate file and provide the needed passwords and key (see Figure 3).


Figure 3. The Use Existing Web Start Certificate window.

Complete the fields as follows:

Keystore - Navigate to and select the keystore file you purchased from a Certificate Authority.

Keystore Password, Private Key, and Private Key Password - Enter the values obtained when you purchased your certificate from the trusted Certificate Authority.

Impact of the Installation on Web Start Clients

With a change in the content of .jnlp files in BBj 13.13, Web Start clients that use a .jnlp file to run their application must download an updated .jnlp file from the server. Clients that run a BBj 13.12 or earlier .jnlp file that they saved locally can expect to receive security warnings or errors involving an “unknown” publisher. To download the updated .jnlp file, simply enter the URL that includes the .jnlp file into a browser. For example, http://yourserver.com:8888/myapp.jnlp.

 

The first time a Web Start client runs any BBj application after installing a certificate on that server, Web Start will ask the client to confirm that he/she trusts the installation by displaying several security windows. The windows are: Install Certificate Authority Installer, Install Certificate Authority, and Do You Want to Run. See Figure 4 for a high-level flowchart describing the sequence of events that will occur when a Web Start client attempts to run a BBj application.


Figure 4. The decision flow when a Web Start client attempts to run a BBj application.

 

Once a client answers “Yes” to each of the security windows that appear and checks the “Do not show this again…” box when it is available, the windows will not appear again on that client until a new certificate is installed on the server.

 

There are several events that can cause a new certificate to be installed on a server:

  • Installing BBj (such as an upgrade) to a location other than the one where it was already installed

  • Purchasing a new certificate directly from a trusted organization and installing it through Enterprise Manager

  • Manually generating a new Certificate Authority through Enterprise Manager after changing the server’s name or port

Install Certificate Authority Installer

The Install Certificate Authority Installer window displays information about the server and publisher of the CA installer. This information comes from the signed BBjWebStartBootstrap.jar file in the BBj installation. See Figure 5.


Figure 5. The Install Certificate Authority Installer window.

 

If you do not wish to see this dialog again for any application from this publisher and server URL, mark the checkbox “Do not show this again for apps from the publisher and location above”. If you recognize and trust the Publisher and Location shown, click [Run]; otherwise, click [Cancel].

 

Install Certificate Authority

The Install Certificate Authority window displays the Web Start key fingerprint in the Certificate Authority on the server (see Figure 6). This window will only appear if you selected the “Trust <software provider> to generate a certificate for Web Start” option during BBj install. If you instead selected the “Use an existing certificate for Web Start” option during BBj install, the installer did not generate a fingerprint.


Figure 6. The Install Certificate Authority window.

During installation, the fingerprint is generated and displayed (see Figure 7).


Figure 7. The Installation Summary window.

 

If you do not know the fingerprint that was generated and displayed during the installation, contact your system administrator or the person who installed BBj on the server and obtain the value. If the fingerprint displayed matches the fingerprint that was generated and displayed during the installation, click [Yes]; otherwise, click [Not Now]. Web Start will attempt to run the application without trusting the certificate, and will fail unless your Java Security is disabled.

 

Do You Want to Run?

The “Do you want to run this application” window displays information about the server and the publisher of the application. The person installing it on the BBj server set this information. See Figure 8.


Figure 8. The Do You Want to Run window.
 

If you do not wish to see this dialog again for any application from this publisher and server URL, mark the checkbox “Do not show this again for apps from the publisher and location above”. If you recognize and trust the Publisher and Location shown, click [Run]; otherwise, click [Cancel].
 

Web Start Application Runs

At this point, your Web Start application will run.
