Digital signature of the Applet in Java2

My project is to use APPLET to create a Real-Time Message Queue monitoring program. because local resources are involved, the APPLET must be digitally signed and authenticated. My environment is windows, the application server is WEBLOGIC6.0, And the development environment is JBUILDER4.0. Previously, I reminded you to pay attention to the concepts of server and client. The files should be on the server and those files should be on the client.

First, use JRE1.3.0 _ 01 (JAVA Runtime Environment 1.3.0.1) on the client to replace IE's JVM (JAVA Virtual Machine. JAVA. SUN. download on the COM website. After the download is completed, install it on the client first. The installation process is very simple.

In the HTML file of the APPLET called on the server side, you also need to include it so that the JRE client is not installed in advance to download the Code. For details, go to the next step;

The procedure is as follows:

Server:

1. decompress all the package files required by the Program (I will use the JMS package of WEBLOGIC here to use the command jar xf weblogicc. jar), and then use the JDK packaging command to compile the monitoring program. class and the decompressed package are packaged into a package. (If I have already put the Monitoring Program and the unwrapped package in the same directory), they are all commands in the dos state. For specific commands, see the bin directory of jdk1.3 (1.2,

The command is as follows:

Jar cvf monitor. jar *. class

This command generates a package named monitor. jar.

2. Create the keystore and keys for the package file (monitor. jar) You just created. Here, the keystore will be used to store the authentication of the key (private keys) and the public key, and the alias here is monitor.

The command is as follows:

Keytool-genkey-keystore monitor. keystore-alias monitor

This command generates a monitor. in the keystore file of the keystore, the system will ask you many questions, such as your company name, your address, and the password you want to set.

3. Use the generated key to sign the jar file.

The command is as follows:

Jarsigner-keystore monitor. keystore monitor. jar monitor

This command will sign the monitor. jar file and will not generate a new file.

4. Import the public key to a cer file, which is the unique file to be copied to the client.

The command is as follows:

Keytool-export-keystore monitor. keystore-alias monitor-file monitor. cer

This command will generate the monitor. cer authentication file. Of course, these steps may ask you the password you just set. This completes the server-side settings. In this case, you can set the jar file, keystore file, and cer file (I am using the monitor. jar, monitor. keystore, monitor. cer) is copied to the server directory. I used weblogic6.0, So I copied it to a self-built directory under C: eawlserver6.0configmydomainapplicationsDefaultWebApp _ myserver.

Client:

1. First install jre1.3.0 _ 01, and then copy the monitor. cer file generated by the server to a specific directory of jre. Here I am:
C: under the program files=oftjre.3.0 _ 01libsecurity directory.

2. Import the public key to cacerts of jre (this is the default keystore of jre)

The command is as follows:

Keytool-import-alias monitor-file monitor. cer
-Keystore cacerts

Note that you need to enter the cacerts password, which should be changeit, rather than your own keystore password.

3. Modify the policy file and run the policytool command in the dos state.

The system automatically displays a policytool dialog box, as shown in Figure 4. Select the open item in the file menu, and open java in the c: program files1_oftjre.3.0 _ 01libsecurity directory. poliy file, select Change keystore from the edit menu, and enter
File:/c:/program files/unzip oft/jre/1.3.0 _ 01/lib/security/cacerts. Note the backslash here and enter JKS in new keystore type, this is the fixed format of cacerts. Click Add Policy Entry and enter:

Http: /// URL: 7001 /*

The URL is the IP address of the server, and 7001 is the port of weblogic. If you are using apache on another application server, the port number can be omitted.

In SignedBy, enter (alias): Here is Monitor, and click add peimission. In the displayed dialog box, select the permissions you want to grant to the applet. Here there are many permissions, readers can find their own materials. Select allpeimission. In signedBy on the right, enter the alias monitor.
Save the saved items in the file menu.

Of course, you can see that I have implemented signature authentication for multiple packages.

In this way, the client settings are complete. When the client uses ie to run the applet, it will ask if you want to authorize the signature. After you select authorization, the package will be automatically downloaded from the server to the local computer, and ie will automatically start jre, you can see in the lower right column that is equivalent to the java console of ie.

4. Call the html file of the applet

As we all know, due to the security of java2, html files that can be normally called by the applet can no longer be used, but the html files are changed to ActiveX calls. The difference between ie and nescape is detailed, which can be found on sun. I will not talk about it. I just want to show you the html I wrote for ie.

<Html>
<META HTTP-EQUIV = "Content-Type" CONTENT = "text/html; CHARSET = gb2312">
<Center>
<H3> message center Real-time Monitoring Platform <Hr>
<OBJECT classid = "clsid: 8AD9C840-044E-11D1-B3E9-00805F499D93"
Width = "900" height = "520" align = "baseline" codebase = "http: // 192.168.2.217: 7001/j2re-1_3_0_01-win-i.exe # Version =,">
<Param name = "java_code" VALUE = "wise. monitor. applet. monitorApplet">
<Param name = "java_codebase" VALUE = "monitor/classes">
<Param name = "java_type" VALUE = "application/x-java-applet; version = 1.3">
<Param name = "ARCHIVE" VALUE = "monitor. jar">
<Param name = "scriptable" VALUE = "true">
</OBJECT>
</Center>
</Html>

I want to emphasize that every modification to the applet requires re-packaging the signature, and the procedure is very complicated. Therefore, in the specific implementation, we need to put some parameters that will change into the html file, upload it to the applet. There are a lot of online articles. Let's check it out.

Another problem is that a friend asked me, which is not too troublesome. Every client must perform complicated doscommand operations, I can only say that at present, my level can only include a prepared client file cer file and java. the policy and cacerts files are directly copied to the client. Of course, this is also flawed. If someone else's computer already has an authentication, it will be lost. We can discuss these issues together.

Another optimization is that during packaging, I only talked about all the security-related packages and source programs to be used in one package. In this way, if the package is very large, the download speed will be greatly affected. If you can use the package on the local computer, this jre will do the same, go to the jre console of the Control Panel to set the parameters. Let's keep readers exploring for it.

Conclusion

I found that there are very few java-related materials and fewer Chinese characters on the Internet, so I hope I can share some small knowledge with you and save a lot of repeated useless work. If you have any questions about this issue or discuss it further, please contact me. My mailbox is a afeilb@163.net. Hope we can make progress together!