How to Deploy RSA-Signed Applets in Java Plug-in



This section covers the following topics:

  1. Introduction
  2. How to Create RSA Signed Applets
  3. How to Deploy RSA Signed Applets
  4. Converting Old Netscape Signed Applets
  5. Microsoft Authenticode
  6. Certificate Management
  7. Disabling RSA Signed Applet Support
  8. More Information

Introduction

RSA signed applet support has been added to Java Plug-in. This provides the following:

  1. Support for standard Verisign and Thawte RSA certificates.
  2. Identical RSA signed applet support in Internet Explorer and Netscape Navigator.
  3. Pop-up dialogs to let users validate signers.

You do not need to deploy security key files to each machine.

This section describes how to create and deploy RSA signed applets. For an overview of how they are implemented, see How RSA Signed Applet Support Works.

How to Create RSA Signed Applets

The RSA signed applet support in Java Plug-in 1.3 and higher versions uses the Netscape Object Signing conventions.

To create an RSA signed applet you need:

  1. An Object Signing Certificate issued by a CA such as Verisign or Thawte.
  2. The Netscape Signing Tool.

To install the Netscape Signing Tool and the certificate, see Netscape's Signing Tools documentation and the web sites of the CAs.

Once the Object Signing Certificate and the Netscape Signing Tool are properly installed, they can be used to sign applets. For security reasons, install the Netscape Signing Tool and the Object Signing Certificate in secure locations.

To create an RSA signed applet:

  1. Archive the applet .class files in a JAR file using the "jar" command in the Java 2 SDK.
  2. Use the Netscape Signing Tool to sign the JAR file.

How to Deploy RSA Signed Applets

To deploy RSA signed applets:

  1. Reference the JAR from the HTML page using archive="xyz.jar" in the APPLET tag.
  2. Place the JAR file and HTML page on the web server.

When users of Java Plug-in encounter an RSA signed applet, the Plug-in will verify whether:

  1. the applet is correctly signed
  2. the RSA certificate chain and root CA are valid

If both checks pass, the Plug-in pops up a security dialog telling the user who signed the applet and offering four options:

  1. Grant always: If selected, the applet will be granted "AllPermission". Any applet signed with the same certificate will be trusted automatically in the future, and no security dialog will pop up when the certificate is encountered again. This option selection can be changed from the Java Plug-in Control Panel.
  2. Grant this session: If selected, the applet will be granted "AllPermission". Any applet signed with the same certificate will be trusted automatically within the same browser session.
  3. Deny: If selected, the applet will be treated as untrusted.
  4. View Issuer: If selected, the user can examine the attributes of each certificate in the certificate chain in the JAR file.

Once the user selects an option from the security dialog, the applet runs in the corresponding security context. Note that all options are selected on the fly; no preconfiguration is required.
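The two checks the Plug-in performs before showing the dialog (every entry correctly signed, and the signer's chain valid up to a trusted root CA) can be reproduced with the standard Java APIs. The following is an added example written for this page, not the Plug-in's own code: it takes a signed JAR and a trust store of root CA certificates (for example the JDK's cacerts file) as command-line arguments, which are assumptions, reads every entry so the JAR verifier checks the signatures, and then runs PKIX validation on the signer's chain. Revocation checking is switched off so the example runs offline.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignedJarCheck {

    /** Check 1: every non-META-INF entry carries a valid signature from one signer chain. */
    static Certificate[] verifyEntries(JarFile jar) throws Exception {
        Certificate[] signerChain = null;
        byte[] buf = new byte[8192];
        Enumeration<JarEntry> entries = jar.entries();
        while (entries.hasMoreElements()) {
            JarEntry entry = entries.nextElement();
            if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                continue; // manifest and signature files are not themselves signed entries
            }
            try (InputStream in = jar.getInputStream(entry)) {
                while (in.read(buf) != -1) {
                    // reading to EOF is what triggers the digest and signature checks;
                    // a tampered entry throws SecurityException here
                }
            }
            Certificate[] certs = entry.getCertificates(); // populated only after a full read
            if (certs == null || certs.length == 0) {
                throw new SecurityException("unsigned entry: " + entry.getName());
            }
            if (signerChain == null) {
                signerChain = certs;
            } else if (!Arrays.equals(signerChain, certs)) {
                throw new SecurityException("entry signed by a different chain: " + entry.getName());
            }
        }
        if (signerChain == null) {
            throw new SecurityException("JAR contains no signed entries");
        }
        return signerChain;
    }

    /** Check 2: the signer's chain builds to one of the trusted root CAs (PKIX validation). */
    static X509Certificate validateChain(Certificate[] chain, Set<TrustAnchor> roots) throws Exception {
        List<Certificate> path = new ArrayList<>(Arrays.asList(chain));
        for (TrustAnchor anchor : roots) {
            path.remove(anchor.getTrustedCert()); // the anchor itself must not be part of the path
        }
        if (path.isEmpty()) {
            return (X509Certificate) chain[0]; // the signer certificate is itself a trusted anchor
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(roots);
        params.setRevocationEnabled(false); // example runs offline: no CRL or OCSP lookup
        CertPathValidator.getInstance("PKIX").validate(certPath, params);
        return (X509Certificate) chain[0]; // end-entity certificate: the signer shown to the user
    }

    public static void main(String[] args) throws Exception {
        // Usage (assumed): java SignedJarCheck applet.jar /path/to/cacerts
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, null); // public trust store: certificates are readable without a password
        }
        Set<TrustAnchor> roots = new HashSet<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                roots.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        try (JarFile jar = new JarFile(args[0], true)) { // true: verify signatures while reading
            Certificate[] chain = verifyEntries(jar);
            X509Certificate signer = validateChain(chain, roots);
            System.out.println("Signed by: " + signer.getSubjectX500Principal());
            System.out.println("Issued by: " + signer.getIssuerX500Principal());
        }
    }
}
```

Two details matter for anyone writing such a check: `JarEntry.getCertificates()` returns null until the entry has been read to the end, so a verifier that only lists entries proves nothing, and a JAR in which some entries are unsigned still "opens" without error, which is why the example rejects any unsigned entry rather than trusting the first signed one it finds.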

Converting Old Netscape Signed Applets

Existing RSA signed applets designed for Netscape may use Netscape-specific security APIs. These Netscape-specific APIs are not supported in Java Plug-in. Instead, the Plug-in supports the standard Java security APIs in both Netscape Navigator and Internet Explorer.

To migrate Netscape-signed applets using the Netscape security APIs to run in Java Plug-in:

  1. Comment out or remove all statements that use the netscape.security.* APIs from the Java applet.
  2. Compile and archive the applet as a JAR file.
  3. Re-sign the JAR file using Object Signing.

This ensures that an RSA signed applet will run in both Netscape Navigator and Internet Explorer with Java Plug-in.
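The migration in step 1 applied to a small applet, as an added example written for this page rather than code from the original: the Netscape-specific `PrivilegeManager.enablePrivilege` call is left commented out where it stood, and the privileged section it marked is expressed with the standard `AccessController.doPrivileged` idiom instead. The file path and class name are illustrative assumptions. Once the user has granted the signer's certificate, the applet holds AllPermission, so the read succeeds; if the user chose Deny, the read fails with an `AccessControlException`, which the applet reports instead of crashing.

```java
import java.applet.Applet;
import java.awt.Graphics;
import java.io.BufferedReader;
import java.io.FileReader;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
// import netscape.security.PrivilegeManager;   // step 1: Netscape-specific API, removed

public class FirstLineApplet extends Applet {
    // Hypothetical input file, used only to illustrate a privileged operation.
    private static final String PATH = "/tmp/applet-input.txt";
    private String firstLine = "(not read)";

    public void init() {
        // The old Netscape code requested a named capability before touching the file.
        // Java Plug-in does not support this API, so the call is commented out (step 1):
        // PrivilegeManager.enablePrivilege("UniversalFileRead");
        try {
            // Standard Java: the privileged section becomes a doPrivileged block.
            // With AllPermission granted via the security dialog, the read succeeds.
            firstLine = AccessController.doPrivileged(
                (PrivilegedExceptionAction<String>) () -> {
                    try (BufferedReader r = new BufferedReader(new FileReader(PATH))) {
                        return r.readLine();
                    }
                });
        } catch (PrivilegedActionException e) {
            // checked exception from the action (e.g. the file does not exist)
            firstLine = "read failed: " + e.getCause();
        } catch (SecurityException e) {
            // AccessControlException: the user selected Deny, or the applet is unsigned
            firstLine = "denied: " + e.getMessage();
        }
    }

    public void paint(Graphics g) {
        g.drawString(firstLine, 10, 20);
    }
}
```

Because the whole call stack inside an applet belongs to the applet's own codesource, a plain `new FileReader(PATH)` would also succeed once AllPermission is granted; `doPrivileged` is kept because it is the standard replacement for the section that `enablePrivilege` used to mark, and it keeps the privileged code visible to a reviewer.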

Microsoft Authenticode

Authenticode is a proprietary signing technology used in Microsoft Internet Explorer on Win32 for supporting signed applets in IE's JVM. Authenticode is not supported in Java Plug-in. Instead, the Java Plug-in supports use of RSA signed applets in both IE and Netscape.

Certificate Management

The Java Plug-in Control Panel provides a panel for managing RSA signed applets. This panel contains a list of certificates that received "Grant always" permission when the Java Plug-in security dialog (pop-up) ran. Users can remove any certificate from the list, and if an applet signed by a removed certificate is encountered again, a security dialog pop-up will appear asking for permission. Users can also export and view certificates through the Control Panel.

Disabling RSA Signed Applet Support

RSA signed applets can be entirely disabled in Java Plug-in by specifying the usePolicy permission in the policy file. If the usePolicy permission is among the permissions granted to the given codesource (by the configured security policy), user prompting will not take place, and only permissions specified in the security policy will be granted to the codesource. By default, RSA signed applets are enabled in the Java Plug-in.
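What the usePolicy permission looks like in a policy file, as an added example that is not part of the original page. The fragment uses standard Java policy-file syntax; the codeBase URL in the second grant is a placeholder. The first grant applies to every codesource and therefore disables RSA signed applet support entirely, as described above; the second shows the narrower use, where one site's applets are never prompted for AllPermission and instead receive only the single permission listed.

```text
// Disable the RSA security dialog for all codesources: signed applets
// receive only the permissions the policy grants them.
grant {
    permission java.lang.RuntimePermission "usePolicy";
};

// Narrower variant: no prompt for one site's applets, and a specific
// permission is granted in place of AllPermission. Placeholder host.
grant codeBase "http://applets.example.com/-" {
    permission java.lang.RuntimePermission "usePolicy";
    permission java.net.SocketPermission "applets.example.com", "connect";
};
```

Either form removes the user from the trust decision for the codesources it covers, so the policy file itself becomes the thing to protect: it should be writable only by an administrator, since anyone who can edit it can both suppress the dialog and widen the grants.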

More Information