Open Wonderland & Self Signed Certificates

Carl Jokl

Oct 27, 2014, 4:44:15 PM
to openwon...@googlegroups.com
I am having a big headache right now trying to run Open Wonderland on a demo computer. Whether I run the Open Wonderland Server from the source or a pre-built binary, the client cannot be opened on Mac OS, as the Java security policy prohibits executing Java Web Start from a self-signed certificate. This means I can't manage to open a client from this server at all.

I should have come across this problem sooner! I have been able to open clients on the Open Wonderland Foundation servers without problem, but I can't even change my security policy in such a way as would allow me to launch the Web Start based client. I am wondering if there is any way of overcoming this limitation in a way that would make a demo possible?

Carlos Rafael Ramirez

Oct 27, 2014, 5:01:07 PM
to openwonderland
Hello Carl,

If your demo is open to the public, the only way is to buy a code signing certificate. https://www.sslshopper.com/cheap-code-signing-certificates.html

Once you buy the certificate I can help you install it. Probably you will want a domain name too, so you can use the same certificate for many demos.

Regards,
Carlos

Carl Jokl

Oct 28, 2014, 12:28:21 AM
to openwon...@googlegroups.com
Carlos

I already own the domain jokl.co.uk if that helps. One aspect that might be a little tricky is that I wanted to demo on a box at the conference so that I don't have to rely on the conference internet access as Wonderland is so bandwidth intensive. Will this technique still work if the box is not internet accessible?

Carl

Carlos Rafael Ramirez

Oct 28, 2014, 9:21:15 AM
to openwonderland
Thinking it over, you don't need a domain or an Internet connection to use the certificate. Java checks against its own certificate authority database whether your certificate is signed by a recognized certification authority. So you just need to ask for a certificate with your own name and sign the code.

I'd like to understand better which connection model you will use, so I can assist you better. I am thinking of the following options:

1. You are at a stand with your laptop showing Open Wonderland. In this case, forget about certificates; lower the security level in Java and add your server as a trusted one.
2. You have a bunch of laptops at your stand. This case is the same as 1.
3. If someone brings their laptop, it will access Open Wonderland using a URL that you provide.
This case is the worst because the certificate is just one of your problems. The laptop must have Java installed, so you need to provide a link for downloading and installing Java. Also, the Java version must be the latest one or Java Web Start won't run.

So, what is your case?

Regards,
Carlos
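
Options 1 and 2 above (your own machines, no purchased certificate) come down to adding the demo server to Java's Exception Site List, which is what "add your server as a trusted one" means in the Java Control Panel. The script below is an added example, not from this thread or from the Open Wonderland project: it writes that entry directly so every demo laptop gets the same setting. Since Java 7u51 the list is kept one URL per line in a file named exception.sites under the per-user Java deployment directory; the two directory locations used here (macOS and Linux) are assumptions to confirm in the Java Control Panel's Security tab, and the URL is whatever the Wonderland.jnlp link on your server uses (scheme, host and port must all match).

```shell
#!/bin/sh
# Added example, not part of the Open Wonderland project.
# Assumed per-user deployment directory (check Java Control Panel > Security):
#   macOS: $HOME/Library/Application Support/Oracle/Java/Deployment
#   Linux: $HOME/.java/deployment
# JAVA_DEPLOYMENT_DIR overrides the guess (also lets you test in a temp dir).
set -e

deployment_dir() {
    if [ -n "${JAVA_DEPLOYMENT_DIR:-}" ]; then
        printf '%s\n' "$JAVA_DEPLOYMENT_DIR"
    elif [ "$(uname -s)" = "Darwin" ]; then
        printf '%s\n' "$HOME/Library/Application Support/Oracle/Java/Deployment"
    else
        printf '%s\n' "$HOME/.java/deployment"
    fi
}

# The list only matches full URLs (scheme://host[:port][/path]); a bare
# "host:8080" is silently never matched, so reject it up front.  Java warns
# about http:// entries because the site identity is not authenticated.
valid_site_url() {
    case "$1" in
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Append the URL to exception.sites once (idempotent) and return 0;
# return 1 for a malformed URL.  Existing entries are left untouched.
add_exception_site() {
    url="$1"
    valid_site_url "$url" || return 1
    dir="$(deployment_dir)/security"
    mkdir -p "$dir"
    f="$dir/exception.sites"
    touch "$f"
    grep -qxF "$url" "$f" || printf '%s\n' "$url" >> "$f"
    return 0
}

# Current entries, one per line (empty if the file does not exist yet).
list_exception_sites() {
    f="$(deployment_dir)/security/exception.sites"
    [ -f "$f" ] && cat "$f" || true
}

# Demo box serving Wonderland.jnlp on port 8080 (host name is an assumption):
#   add_exception_site "http://demo-box:8080/"
```

Keep this for machines you control: the entry tells Java to run self-signed or unsigned code from that origin without the block, which is exactly the trust you do not want on a visitor's laptop (option 3), where a CA-issued code signing certificate is the only clean answer.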

Carl Jokl

Oct 28, 2014, 9:25:49 AM
to openwon...@googlegroups.com
I have an order processing for a certificate aimed at signing JAR files. It may well take the rest of the working day to process but I have done my part and need to wait for it to process.

Carl Jokl

Oct 28, 2014, 6:57:04 PM
to openwon...@googlegroups.com
The process has now completed and I am in possession of a digital certificate.


Carlos Rafael Ramirez

Oct 28, 2014, 8:48:26 PM
to openwonderland

I just saw your email. How can I help you?

Carlos Rafael Ramirez

Oct 28, 2014, 10:59:51 PM
to openwonderland
Hello Carl,

Probably I will be sleeping when you need the help. So if you haven't installed the certificate, here are the instructions:

# bundle the certificate and its private key into a PKCS#12 file (with no -name given, the alias becomes "1")
openssl pkcs12 -export -in certificate.crt -inkey certificate.pem -out certificate.p12

# import the PKCS#12 bundle into a Java keystore (you will be asked for the source and destination passwords)
keytool -importkeystore -destkeystore certificate.jks -srckeystore certificate.p12 -srcstoretype pkcs12

Copy certificate.jks into:

~/src/wonderland/trunk/wonderland/build-tools/keystore

Open ~/src/wonderland/trunk/wonderland/build-tools/build-scripts/build-setup.properties and change these lines:

wonderland.keystore=${wonderland.keystore.dir}/certificate.jks
wonderland.keystore.alias=1
wonderland.keystore.password=<the password you entered in keytool>

Then ant clean and ant.

I hope I haven't forgotten something.

Good luck

Regards,
Carlos

Carl Jokl

Oct 30, 2014, 6:53:47 PM
to openwon...@googlegroups.com
Hi

I am looking at the instructions, but just checking, as the file supplied has the extension .p7b rather than .crt. Will I need to alter the arguments to the command below to work with that certificate type?

Carl

Carlos Rafael Ramirez

Oct 30, 2014, 7:17:48 PM
to openwonderland

Hi

Look on the issuer's page to see if you can download it in other formats. Or use https://www.sslshopper.com/ssl-converter.html

The command I gave you can be used as well, but I need to investigate the parameters, and I can do that later.

Regards
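
Putting Carlos's keystore steps together with the .p7b question, the script below is an added example (not from this thread and not the project's build scripts) that does the whole conversion from the command line instead of a web converter, which is worth avoiding anyway since the private key never leaves your machine this way. The file names codesign.p7b, codesign.key, chain.pem, codesign.p12 and codesign.jks, the alias wonderland and the keystore directory are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not the Open Wonderland build tooling.  File names, the
# alias "wonderland" and the keystore directory are assumptions.
set -e

# 1. A .p7b is a PKCS#7 bundle: the leaf certificate plus the CA chain, no
#    private key.  Unpack it to PEM.  Issuers usually ship it DER-encoded;
#    fall back to PEM if the DER parse fails.
p7b_to_pem() {
    p7b="$1"; pem="$2"
    openssl pkcs7 -inform DER -in "$p7b" -print_certs -out "$pem" 2>/dev/null ||
        openssl pkcs7 -inform PEM -in "$p7b" -print_certs -out "$pem"
}

# 2. Pair the private key with the chain.  The key must be the one the CSR
#    was generated from; if the certificate was enrolled through a browser,
#    the key lives in the browser and you export a .p12 from there instead.
#    -name sets the keystore alias; without it Java shows the alias as "1".
#    Extra certificates in the PEM file (the intermediate and root) are
#    included in the bundle, so the signed jars carry the full chain.
pem_to_pkcs12() {
    key="$1"; pem="$2"; p12="$3"; alias="$4"
    openssl pkcs12 -export -inkey "$key" -in "$pem" -name "$alias" -out "$p12"
}

# 3. Import into a JKS and show what the build will sign with.  For a public
#    CA you want one PrivateKeyEntry with a chain length of 3 (leaf,
#    intermediate, root); a length of 1 usually means the chain was dropped
#    and Web Start will not be able to link the signer to a trusted root.
pkcs12_to_jks() {
    p12="$1"; jks="$2"
    keytool -importkeystore -srckeystore "$p12" -srcstoretype pkcs12 \
        -destkeystore "$jks" -deststoretype jks
    keytool -list -v -keystore "$jks" |
        grep -E 'Alias name|Entry type|Certificate chain length'
}

# 4. The three build-setup.properties lines, printed so they can be pasted
#    exactly (the alias here must match the -name used in step 2).
build_setup_lines() {
    jks_name="$1"; alias="$2"; password="$3"
    printf 'wonderland.keystore=${wonderland.keystore.dir}/%s\n' "$jks_name"
    printf 'wonderland.keystore.alias=%s\n' "$alias"
    printf 'wonderland.keystore.password=%s\n' "$password"
}

# Usage (all names are assumptions):
#   p7b_to_pem codesign.p7b chain.pem
#   pem_to_pkcs12 codesign.key chain.pem codesign.p12 wonderland
#   pkcs12_to_jks codesign.p12 codesign.jks
#   cp codesign.jks ~/src/wonderland/trunk/wonderland/build-tools/keystore/
#   build_setup_lines codesign.jks wonderland "$STORE_PASS"
```

The "Certificate chain length" check in step 3 is the one to look at before running ant: a keystore entry holding only the leaf signs fine and verifies fine locally, but the resulting jars do not carry the intermediate, and a JRE that does not have that intermediate in cacerts cannot build a trusted path to it.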

Rasika

Jun 9, 2015, 4:17:28 AM
to openwon...@googlegroups.com
Hi,

I am a student who is trying to host a server at the University. We bought a certificate from digicert, but the university refused their terms due to domain name issues. Other options from sslshopper also ask for a domain name.
  • What are the requirements to host a certified server at a university when domain names are strict?
  • Our lab itself has a subdomain (arts.uxxx.ac.jp) under the main domain (uxxx.ac.jp). Can we use that one?
  • Is there a way not to have a domain and yet certify properly (without any security warnings)?
Thank you very much for any help.

Carlos Rafael Ramirez

Jun 9, 2015, 10:18:28 AM
to openwon...@googlegroups.com
Hello Rasika,

You can buy a code signing certificate without a domain name. Also, I don't see problems using your subdomain.

Regards

Rasika

Jun 10, 2015, 4:36:31 AM
to openwon...@googlegroups.com
Hello Carlos,

Thank you very much for clearing up my misunderstanding. Since digicert required a domain name and the university refused the terms, we were a bit worried.

Best regards,
Rasika Ranaweera

Carlos Rafael Ramirez

Jun 10, 2015, 6:12:47 AM
to openwon...@googlegroups.com

OK, another thing: your university surely has a certification authority, and all the PCs on campus should have it installed. Ask for it, and ask them to generate a certificate for you.


Rasika

Jul 8, 2015, 8:12:22 AM
to openwon...@googlegroups.com, Michael Cohen
There were so many issues: our University did not have such a certification authority that I could use, so we bought a certificate from thawte (there was a campaign). After buying the certificate we were informed the campaign was not for Asia/Pacific, so we bought one from comodo. Then I created the .jks file using the commands you'd provided. It seemed the certificate was added correctly.

Trust this certificate? [no]:  yes
Certificate was added to keystore

After that I cleaned all .wonderland client and server caches and started the server.

  [pack200] Building: wonderland.untouched/web/webstart/dist/webstart/jme-awt.jar.repack.jar
  [pack200] Repack with Pack200
  [pack200] Source File :wonderland.untouched/web/webstart/build/webstart/jme-awt.jar
  [pack200] Dest.  File :wonderland.untouched/web/webstart/dist/webstart/jme-awt.jar.repack.jar
  [signjar] Signing JAR: wonderland.untouched/web/webstart/dist/webstart/jme-awt.jar.repack.jar to wonderland.untouched/web/webstart/dist/webstart/jme-awt.jar.repack.sign.jar as <our alias>
  [signjar] jar signed.

I could also verify the jar files:

$ jarsigner -verify wonderland.untouched/web/webstart/dist/webstart/jme-awt.jar
jar verified.
$ jarsigner -verify -verbose -certs web/webstart/dist/webstart/activation.jar
      [entry was signed on 7/8/15 8:39 PM]
      X.509, CN=…, C=JP (mykey)
      [certificate is valid from 6/11/15 9:00 AM to 6/11/18 8:59 AM]
      X.509, CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
      [certificate is valid from 5/9/13 9:00 AM to 5/9/28 8:59 AM]
      X.509, CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
      [certificate is valid from 1/19/10 9:00 AM to 1/19/38 8:59 AM]

But when I started a client:

javaws http://owl.u.ac.jp:8080/wonderland-web-front/app/Wonderland.jnlp

I got a security warning saying "Your security settings have blocked a self-signed application from running."

Does this mean our certificate is not valid? Is there a way to know whether a jar file is self-signed or not?

Thank you for any help.
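
On the last question, whether a jar is self-signed can be read off the jar itself without Web Start: the signature block under META-INF (the .RSA/.DSA/.EC file next to the .SF) is a PKCS#7 structure carrying the signer's certificate chain, and a certificate whose issuer equals its subject is self-signed. The script below is an added example, not from this thread or the project; it assumes unzip, openssl and keytool on PATH, and the jar and JNLP paths in its usage lines are assumptions. The two sample outputs inside it are constructed in the shape openssl prints (the names are taken from the jarsigner output quoted above), not captured from real jars.

```shell
#!/bin/sh
# Added example, not from the thread.  Decides from a JAR's own signature
# block whether it was signed with a self-signed certificate.  unzip,
# openssl and keytool are assumed to be on PATH; paths in the usage lines
# are assumptions.
set -e

# Print "subject=..." / "issuer=..." for every certificate in the JAR's first
# signature block (META-INF/*.RSA, *.DSA or *.EC).  Returns 2 if the JAR
# carries no signature block at all: unsigned, which is a different problem
# from self-signed.
jar_signer_certs() {
    jar="$1"
    block="$(unzip -Z1 "$jar" 'META-INF/*' | grep -iE '\.(RSA|DSA|EC)$' | head -n 1)"
    if [ -z "$block" ]; then
        echo "$jar: no signature block (unsigned)" >&2
        return 2
    fi
    unzip -p "$jar" "$block" | openssl pkcs7 -inform DER -print_certs -noout
}

# Classify that output (read from stdin).  A CA-issued jar carries a leaf
# with a different issuer, normally followed by the intermediate and the
# root.  The root is itself self-signed, so we count certificates whose
# issuer differs from their subject instead of looking at just one.
# Prints one word: self-signed | ca-issued | none
classify_print_certs() {
    total=0; ca_issued=0; subject=""
    while IFS= read -r line; do
        case "$line" in
            subject=*) subject="${line#subject=}"; total=$((total + 1)) ;;
            issuer=*)
                issuer="${line#issuer=}"
                [ "$subject" = "$issuer" ] || ca_issued=$((ca_issued + 1)) ;;
        esac
    done
    if [ "$total" -eq 0 ]; then echo none
    elif [ "$ca_issued" -eq 0 ]; then echo self-signed
    else echo ca-issued
    fi
}

# A JNLP pulls in many jars and Web Start judges the whole set, so one stale
# jar still signed with the old self-signed key is enough for the warning.
# Walk every <jar href="..."> (hrefs are relative to the codebase directory).
check_jnlp_jars() {
    jnlp="$1"; codebase="$2"
    sed -n 's/.*<jar [^>]*href="\([^"]*\)".*/\1/p' "$jnlp" | while IFS= read -r href; do
        printf '%s: ' "$href"
        jar_signer_certs "$codebase/$href" 2>/dev/null | classify_print_certs
    done
}

# Constructed sample output (not captured from a real jar), in the shape
# openssl prints, so the classifier can be exercised offline.
SAMPLE_SELF_SIGNED='subject=CN=demo-box
issuer=CN=demo-box'
SAMPLE_CA_ISSUED='subject=CN=Rasika, C=JP
issuer=CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, C=GB
subject=CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, C=GB
issuer=CN=COMODO RSA Certification Authority, O=COMODO CA Limited, C=GB
subject=CN=COMODO RSA Certification Authority, O=COMODO CA Limited, C=GB
issuer=CN=COMODO RSA Certification Authority, O=COMODO CA Limited, C=GB'

printf '%s\n' "$SAMPLE_CA_ISSUED" | classify_print_certs     # ca-issued
# Real use (paths are assumptions):
#   jar_signer_certs dist/webstart/jme-awt.jar | classify_print_certs
#   check_jnlp_jars Wonderland.jnlp wonderland-web-front/app
```

This answers what the jar carries; whether Java trusts the issuer is the separate question of the chain ending at a root present in the JRE's lib/security/cacerts, which keytool -printcert -jarfile <jar> shows from Java's point of view. Run the JNLP walk rather than spot-checking one jar, since the warning is raised for the application as a whole.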