Which forum for keystore.jks, JARSIGN questions

[BrainClay]

Which forum should I post questions about:

> Creating Java Keystore.jks (does it matter where it is created? (Server vs my PC?)
> Adding certificates to Keystore.jks for use in signing DeploymentRuleSet.jar files (Can we use self-signed certificates, or do we need a key-chain back to a known authority?)
> Where to deploy Keystore.jks so Windows clients can access it (deployed to server, or to local client?)

Here is additional background (optional)

Background:
We have a purchased Web-based application for Learning Management (LMS). The vendor used to be Plateau, but they were bought by SuccessFactors. Anyway, everyone in the company has to take various training courses for their job, and our LMS manages that. For example, everyone in the company has to take an online Ethics course once a year (don’t accept bribes, etc.), and at the end of the online course, it gives a quiz. The results of that quiz are sent back to the server using Java.

Problem:
The problem is that our internal security group insists that we run Java at the “High” security setting. However we run into several issues with this:
• When you run at “High” security, you won’t get warnings if you are on the latest version of Java.
• However, we aren’t always at the latest version of Java, just due to logistics, but also, sometimes we test the latest version with our LMS, and it doesn’t always work, so we may decide not to implement the latest version of Java.
• So a version of Java that used to work on the “High” security setting will suddenly stop to work when a new version of Java comes out. By stop working, I mean it could either start giving lots of security warnings –or- it could not work all together, meaning that the test scores won’t be sent to the server, and the user is told that it broke (I’m not sure what the exact error is.)

Solution:
One solution would be to just change everyone’s security setting to Medium, but our security group is insistent that we not do that, but instead, change it to medium on a case by case basis. (This has our help desk manager in fits!)

We discovered a new feature, implemented in 7U45, called Deployment Rule Sets. This is an XML file that can be deployed by IT to every PC which tells Java to ignore security for a specific collection of Java applications (RIAs). The user can also manually add the LMS website URL to the Java Control Panel, and it is supposed to do the same thing, and we’ve tested that, and it seems to work and solve our problems. The Deployment Rule Set is a way for IT to push this out to all users.

The process is that you have to:
1. Create an XML file with the Rule Sets in it, which we have done (see attached).
2. You have to create a JAR file named DeploymentRuleSet.jar, which we’ve done (see attached)
3. You have to digitally sign the DeploymentRuleSet.jar using the Java keystore.

Where we need help:
We need help understanding Java keystores – that’s where we’re stuck. Here are some of our questions:
• How do you create a valid Java Keystore? (We have Oracle documentation, but it has gaps)
• Where do you create the Keystore? Does it matter where it is created, or can you create it anywhere?
• Where you do deploy the Keystore? Does it get deployed centrally on a server, or do we deploy it to every Windows PC?
• Can we use self-signed certificates, or do we need a key-chain back to a known authority?
• If we need a key chain back to a known certificate authority, then can we use our *.terumobct.com cert? Do we need to create another cert?
• We could also use some practical tips on how to execute the commands relating to creating a keystore and adding certs to it. We think we can figure out how to sign the DeploymentRuleSet.jar once we have the keystore, but that might be nice too.

Here are some of the links we’ve found that are helpful, but since we’re so new to Java, don’t answer all our questions:

Creating a KeyStore in JKS Format
Creating a KeyStore in JKS Format (Configuring Java CAPS for SSL Support)

Signing JAR Files
Signing JAR Files (The Java™ Tutorials > Deployment > Packaging Programs in JAR Files)

Deployment Rule Set
Deployment Rule Set

Java Security in 7u51 (Deployment Rule sets are new in our current version, 45)
Java Control Panel

[jashburn]

In the context of creating and deploying Deployment Rule Set:

• How do you create a valid Java Keystore? (We have Oracle documentation, but it has gaps)

You can create the keystore as documented at Creating a KeyStore in JKS Format (Configuring Java CAPS for SSL Support). What are the gaps? Related to the next questions perhaps?

• Where do you create the Keystore? Does it matter where it is created, or can you create it anywhere?
• Where you do deploy the Keystore? Does it get deployed centrally on a server, or do we deploy it to every Windows PC?

For your purposes you can create and deploy it into a machine where you're sure it is secure. You don't want untrusted individuals to have access to it (even though the keystore is password protected.) It can be in the server machine provided you're comfortable with the (unlikely or otherwise) possibility of a cracker breaking in to the machine via the web server and getting hold of the keystore. The keystore is certainly not to be deployed to every PC. You're only using it to store all the necessities for signing the Deployment Rule Set jar file, right?

• Can we use self-signed certificates, or do we need a key-chain back to a known authority?

As mentioned at Deployment Rule Set , "The JAR file must be signed with a valid certificate from a trusted certificate authority," i.e., the latter.

• If we need a key chain back to a known certificate authority, then can we use our *.terumobct.com cert? Do we need to create another cert?

Not 100% sure, but I believe you can reuse your existing trusted CA cert.

As for practical tips, you actually have all the ingredients you need from the links you posted. The only tip I can think of at the moment is it can be quite fiddly to get it right, and a small mistake may cause the deployed DeploymentRuleSet to not work. Therefore follow the instructions on the web pages carefully, and double-check all the commands you execute. If you don't seem to be able to get it to work, you might want to ask another person to go through the entire procedure in case you overlooked something (speaking for personal experience!)

Finally, you might want to revisit the Java plugin update deployment policy in your organisation. "Logistics" and LMS not working with the latest update are not very good reasons to not update the Java plugin. If you take a look at each of the Java 7 updates, you'll find that they each address a bunch of security vulnerabilities in the Java plugin. It has also become a very (if not the most) popular attack vector.

Good luck!