Tuesday, June 1, 2010

Security - Sign jar

== JNLP and Sign the Jar ==
=== Introduction ===
Please note one very important point in proxydelegation.jnlp (highlighted in red). For security reasons, a JAR file must be signed if the program accesses local files (I/O). In the Proxy Delegation case, the program asks the end user where usercert.pem and userkey.pem are located, so the JAR files that access local files must be signed. (The signing process is described in the next section.) At first I signed all the JAR files, but running the application via proxydelegation.jnlp then failed. The problem was that not all JAR files were signed by the same signer. To make sure every JAR file was signed by the same signer, I unzipped all the JAR files and re-created them, then signed them again, but the problem remained. This time the cause was the JAR file “ -jdk13-131.jar”, which is already signed by BC (the provider of that JAR). The solution is to use a tag that extends the JNLP with a second JNLP which provides jce-jdk13-131.jar [3].

=== JNLP ===
[http://andy09360639.blogspot.com/2010/02/java-web-start-in-jnlp-sample-for.html Simple JNLP]

=== Sign jar ===
There are two ways to sign a JAR:
* 1
{{{
openssl pkcs12 -export -chain \
-inkey ~/.globus/userkey.pem \
-in ~/.globus/usercert.pem \
-out ~/.globus/user.p12 \
-CApath /etc/grid-security/certificates/ \
-name "myalias"
}}}

To verify content of the PKCS12 file, you can use:
{{{
openssl pkcs12 -info -in ~/.globus/user.p12
}}}
or
{{{
keytool -list -v -keystore ~/.globus/user.p12 -storetype PKCS12
}}}
To sign a JAR file:
{{{
jarsigner -keystore ~/.globus/user.p12 -storetype PKCS12 file.jar myalias
}}}

* 2
{{{
jarsigner -keystore C:\working\mystore -storepass myspass -keypass j638klm -signedjar sbundle.jar bundle.jar jane
}}}

* Extract the JAR content
{{{
jar xf jar-file
}}}

* Download jce-jdk13-131.jar (link below) and put it into .../jsp/JWS/JarFiles/cog-1.4
[http://polydistortion.net/bc/index.html jce-jdk]
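The failure described in the introduction (JARs referenced from one JNLP but signed by different signers) is easy to catch before deployment. The following script is an added example and is not part of the original post: it runs `jarsigner -verify -verbose -certs` on every JAR under a directory, reduces the output to the set of certificate subjects (the signer and its chain), and reports any JAR that is unsigned or whose certificate set differs from the first JAR's. It assumes the JDK's jarsigner is on PATH; the sample jarsigner output lines shown in the comments are constructed, and the alias vt-004 is the one used later on this page.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight check that every
# JAR meant for one JNLP is signed by the same signer.
# Assumes the JDK's jarsigner is on PATH. POSIX sh only.

# signer_fingerprint: read "jarsigner -verify -verbose -certs" output on stdin
# and print the distinct certificate subjects (signer plus its chain), one
# per line in a fixed order, so two JARs can be compared by comparing this
# text. Prints the single word UNSIGNED when jarsigner reported no signature.
# Constructed sample of the lines it matches:
#       X.509, CN=vt-004, O=Example Grid, C=XX
#       [certificate is valid from 6/1/10 to 6/1/11]
signer_fingerprint() {
    awk '
        /jar is unsigned/ { unsigned = 1 }
        /^[ \t]*X\.509, / {
            sub(/^[ \t]*X\.509, /, "")      # keep only the subject DN
            sub(/[ \t]*\[.*$/, "")          # drop a trailing validity note
            subj[$0] = 1
        }
        END {
            if (unsigned) { print "UNSIGNED"; exit }
            for (s in subj) print s
        }' | LC_ALL=C sort
}

# check_same_signer DIR: verify every *.jar under DIR. The first JAR (in
# sorted order) is the reference; any unsigned JAR, or JAR whose certificate
# set differs from the reference, is reported. Returns 0 when all JARs
# agree and 1 otherwise.
check_same_signer() {
    list=$(mktemp) || return 1
    find "$1" -name '*.jar' | LC_ALL=C sort > "$list"
    ref=""
    status=0
    while IFS= read -r jar; do
        # stdin is redirected so jarsigner can never consume the JAR list
        fp=$(jarsigner -verify -verbose -certs "$jar" 2>&1 </dev/null | signer_fingerprint)
        if [ -z "$fp" ]; then
            echo "NO CERT INFO (jarsigner missing or failed): $jar"
            status=1
        elif [ "$fp" = "UNSIGNED" ]; then
            echo "UNSIGNED:         $jar"
            status=1
        elif [ -z "$ref" ]; then
            ref=$fp
            echo "REFERENCE SIGNER: $jar"
            printf '%s\n' "$ref" | sed 's/^/    /'
        elif [ "$fp" != "$ref" ]; then
            echo "DIFFERENT SIGNER: $jar"
            printf '%s\n' "$fp" | sed 's/^/    /'
            status=1
        else
            echo "OK:               $jar"
        fi
    done < "$list"
    rm -f "$list"
    return $status
}

# Usage: sh check_signers.sh /path/to/JarFiles
if [ $# -gt 0 ]; then
    check_same_signer "$1"
fi
```

Run it against the JarFiles directory after signing; a vendor-signed JAR such as the Bouncy Castle one shows up as DIFFERENT SIGNER, which is exactly the JAR that has to be moved into its own JNLP rather than re-signed.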


=== Reference ===
[http://www.gridlab.org/WorkPackages/wp-5/guide/signjar.html sign_learn]
[http://www.ascc.sinica.edu.tw/nl/91/1818/02.txt openssl_intro]
[http://en.wikipedia.org/wiki/X.509 x.509]
[http://my.freebsd.org.hk/html/jdk1.2/tooldocs/win32/jarsigner.html jarsigner_hk]
[http://polydistortion.net/bc/index.html The_Bouncy_Castle]





/////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
2010.06.04
* Create a JAR file; with -C bin ., all the classes under bin are put into the JAR
{{{
[Andy@t-ap188 JWS]$ ls
bin lib src test.jar
[Andy@t-ap188 JWS]$ jar cvf test.jar -C bin .
}}}

/////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
2010.06.04
A signing script (by Jim and me)
{{{
#!/bin/bash
# Sign every JAR under JAR_DIR with the host certificate and copy the signed
# copies back into the web application.

JAR_DIR=/home/Andy/apache-tomcat-5.5.27/webapps/gcp/jsp/JWS/JarFiles
keyPath=/home/Andy/portal/script/key_bak

# Convert the PEM host key and certificate (with its CA chain) into a PKCS12
# keystore that jarsigner can read; the key alias is "vt-004".
openssl pkcs12 -export -chain \
-inkey "$keyPath/hostkey.pem" \
-in "$keyPath/hostcert.pem" \
-out "$keyPath/host.p12" \
-CApath /etc/grid-security/certificates/ \
-name "vt-004"

# Work on a copy of the JAR tree so the originals stay untouched.
mkdir -p tmp
cp -r "$JAR_DIR" tmp
cd tmp || exit 1

# signed_jar mirrors the JarFiles tree and receives the signed output.
mkdir -p signed_jar
cp -r "$JAR_DIR"/* signed_jar

# The pattern is quoted so the shell does not expand *.jar itself.
for jar in $(find JarFiles -name '*.jar')
do
echo "$jar"
echo "${jar/JarFiles/signed_jar}"
# Remove the existing META-INF entries (old signatures and manifest, which
# jarsigner recreates) so that every JAR ends up signed by the same signer.
zip -d "$jar" 'META-INF/*'
# The keystore password is read from ../password on stdin.
jarsigner -keystore "$keyPath/host.p12" -storetype PKCS12 -signedjar "${jar/JarFiles/signed_jar}" "$jar" vt-004 < ../password
done

/bin/cp -rf signed_jar/* /opt/apache-tomcat-5.5.27/webapps/gcp/jsp/JWS/JarFiles

cd ..
#rm -rf tmp
}}}
