I have created a very simple applet in JDeveloper. Here is how it looks in Applet Viewer.
I don't care much about the applet itself; I want to get it running under Java 8. If you need something to test with, the project archive is right there.
Prepare applet manifest
One of the most important changes in the security requirements is a proper archive manifest. For JDeveloper it is really simple to implement.
- Create a new text file in the project directory with File -> New -> File under the General category.
- In the new file dialog, name it manifest.txt and click the "OK" button.
- Add the manifest attributes below and save manifest.txt:
Permissions: sandbox
Codebase: *.vb.mmikhail.com *.vb.mmikhail.com:445
Application-Name: Simple Applet Table
A brief description of the content. "Permissions: sandbox" declares that the applet code does not require any access to local resources at all; if the applet ever needs to leave the sandbox, this has to become all-permissions and the signing certificate has to be trusted by the client JRE. "Codebase" lists the domains the archive may be loaded from. Note that I put two values, because for Codebase www.site.com and www.site.com:80 are different entries. The last attribute is self-explanatory.
- You already have a JAR deployment profile, don't you? Open Project Properties, navigate to Deployment and open the deployment profile for editing.
- Enable MANIFEST.MF in the deployment profile and don't forget to merge our text file into it.
- Compile and deploy the project to a JAR file.
The applet is now prepared for signing and deployment.
Developer Certificate
Now we need a new certificate to sign our code. This time the procedure is a bit different, because jarsigner works with a JKS keystore, so you have to create one.
- Open a new command window as Administrator. You don't need Administrator rights if you sign with a certificate from a well-known CA; in my case I have to add my private CA certificate into the JRE keystore, which lives under Program Files.
- Create a new keystore and private key with the keytool utility.
\MyWork\jks>keytool -genkey -alias AppSign -keystore keysigner.jks -storepass welcome1 -keypass welcome1 -keysize 2048 -keyalg rsa -validity 1826
What is your first and last name?
[Unknown]: Michael M
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]: mmikhail
What is the name of your City or Locality?
[Unknown]: Naples
What is the name of your State or Province?
[Unknown]: Florida
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Michael M, OU=Unknown, O=mmikhail, L=Naples, ST=Florida, C=US correct?
[no]: y
- Create a new certificate request (CSR).
\MyWork\jks>keytool -certreq -keystore keysigner.jks -alias AppSign -file michaelm.crq
Enter keystore password:
\MyWork\jks>
- Transfer the request to the CA server and sign it there with the OpenSSL CA. I prefer WinSCP or MobaXTerm for the transfer.
E:\MyWork\jks>"c:\Program Files (x86)\WinSCP\WinSCP.com" /open root@rhas48
Searching for host...
Connecting to host...
Authenticating...
Using username "root".
Password:
Authenticated.
Starting the session...
Reading remote directory...
Session started.
Active session: [1] root@rhas48
winscp> put michaelm.crq
michaelm.crq | 1 KiB | 0.0 KiB/s | binary | 100%
winscp>
- On the server side, sign it with OpenSSL. Note that -md sha1 selects SHA-1 for the certificate signature; SHA-1 is deprecated for signatures, so -md sha256 is the safer choice for a new CA setup.
[root@rhas48 ~]# openssl ca -in michaelm.crq -out michaelm.pem -days 1826 -md sha1
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /root/sslCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4102 (0x1006)
..........
Certificate is to be certified until Jan 25 00:22:55 2020 GMT (1826 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@rhas48 ~]# openssl x509 -in michaelm.pem -out michaelm.crt -outform DER
[root@rhas48 ~]#
- Return to the command window and get the certificates back to the workstation.
winscp> get michaelm.crt
michaelm.crt | 4 KiB | 0.0 KiB/s | binary | 100%
winscp> get sslCA/cacert.pem
cacert.pem | 1 KiB | 0.0 KiB/s | binary | 100%
winscp> exit
\MyWork\jks>
- Install the certificates into the keystore, starting with my personal CA certificate. The CA certificate has to be imported first so that the certificate reply for AppSign can be validated against it.
\MyWork\jks>keytool -importcert -keystore keysigner.jks -trustcacerts -alias mmikhail-ca -file cacert.pem
Enter keystore password:
Owner: EMAILADDRESS=m-mikhail@mmikhail.com, CN=Personal CA, O=mmikhail,
.......
Trust this certificate? [no]: yes
Certificate was added to keystore
\MyWork\jks>keytool -importcert -keystore keysigner.jks -alias AppSign -file michaelm.crt
Enter keystore password:
Certificate reply was installed in keystore
\MyWork\jks>
- I should make my own CA trusted for the JRE on my computer. This is the step that needs the Administrator window, since cacerts lives under Program Files. Keep in mind that this only affects this one JRE installation; every end user's JRE would need the same import, which is why a certificate from a well-known CA is preferable for a real deployment.
\MyWork\jks>keytool -importcert -keystore "C:\Program Files (x86)\Java\jre1.8.0_31\lib\security\cacerts" -storepass changeit -trustcacerts -alias mmikhail-ca -file cacert.pem
…………
Trust this certificate? [no]: yes
Certificate was added to keystore
\MyWork\jks>
Sign applet code
- Sign the applet library. Go to the project deployment directory and sign it with the new key:
\MyWork\OldSystemApps\SimpleApplet\deploy>jarsigner -keystore ..\..\..\jks\keysigner.jks simpleapplet.jar AppSign
Enter Passphrase for keystore:
\MyWork\OldSystemApps\SimpleApplet\deploy>
The jarsigner command takes the following parameters:
- Keystore and certificate location: -keystore <JKS file location>
- JAR file name: simpleapplet.jar
- Alias of the private key to sign with: AppSign
Two things worth doing before uploading: run jarsigner with -verify -verbose -certs against the JAR to confirm that every entry is signed and that the certificate chain is the one you expect, and consider adding -tsa <URL> so that the signature carries a timestamp and remains valid after the signing certificate expires.
- Transfer the library to the server and make sure it is available to end users on the new virtual host.
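As an added check that covers both the manifest step and the jarsigner step above, here is a small Python script (not from the original post, JDeveloper or the JDK tools) that opens a JAR, parses META-INF/MANIFEST.MF including wrapped continuation lines, confirms that Permissions, Codebase and Application-Name survived the deployment merge, and recomputes the per-entry SHA-256-Digest values that jarsigner records in the manifest. It does not verify the .SF file or the signature block; that is what jarsigner -verify does. The sample JAR and its class bytes are constructed in memory, and the entry name simpleapplet/SimpleApplet.class is an assumption.

```python
"""Post-deployment check for a signed applet JAR (added example, not the
post's own code). Parses META-INF/MANIFEST.MF, checks the security
attributes, and recomputes the per-entry SHA-256-Digest values that
jarsigner records in the manifest. The .SF file and signature block are
not verified here; that is what 'jarsigner -verify' is for."""
import base64
import hashlib
import io
import zipfile

REQUIRED = ("Permissions", "Codebase", "Application-Name")


def parse_manifest(text):
    """Return (main_attrs, {entry_name: attrs}).

    Manifest lines are limited to 72 bytes; a line starting with a single
    space continues the previous one, so wrapped lines are joined first.
    Sections are separated by blank lines; the first is the main section."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # join a wrapped line onto its predecessor
        else:
            lines.append(raw)
    sections, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    entries = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, entries


def entry_section(name, content):
    """Manifest section for one entry, with the digest jarsigner would write."""
    digest = base64.b64encode(hashlib.sha256(content).digest()).decode()
    return f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"


def build_jar(manifest, files):
    """Construct a JAR (a zip with a manifest) in memory; demo helper only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def check_jar(data):
    """Return a list of problems for a JAR given as bytes; empty means OK."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return ["no META-INF/MANIFEST.MF"]
        main, entries = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for attr in REQUIRED:
            if attr not in main:
                problems.append(f"manifest lacks {attr}")
        if "Permissions" in main and main["Permissions"] not in ("sandbox", "all-permissions"):
            problems.append(f"bad Permissions value: {main['Permissions']}")
        for name, attrs in entries.items():
            expected = attrs.get("SHA-256-Digest")
            if expected is None:
                continue                  # unsigned entry, nothing to compare
            if name not in zf.namelist():
                problems.append(f"manifest names missing entry {name}")
                continue
            actual = base64.b64encode(hashlib.sha256(zf.read(name)).digest()).decode()
            if actual != expected:
                problems.append(f"digest mismatch for {name}")
    return problems


def demo():
    """Check a well-formed JAR and a copy whose class bytes were altered."""
    entry = "simpleapplet/SimpleApplet.class"       # assumed entry name
    cls = b"\xca\xfe\xba\xbe" + b"\x00" * 12         # constructed stand-in for a class file
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Permissions: sandbox\r\n"
        "Codebase: *.vb.mmikhail.com \r\n"
        " *.vb.mmikhail.com:445\r\n"                  # continuation line (note the leading space)
        "Application-Name: Simple Applet Table\r\n"
        "\r\n"
        + entry_section(entry, cls)
    )
    good = build_jar(manifest, {entry: cls})
    tampered = build_jar(manifest, {entry: cls + b"\x00"})
    return check_jar(good), check_jar(tampered)


if __name__ == "__main__":
    for label, result in zip(("good", "tampered"), demo()):
        print(label, "->", result or "OK")
```

The tampered copy keeps the original manifest but changes one byte of the class, which is exactly the case the per-entry digests exist to catch; the same function run against the real simpleapplet.jar (read from disk) tells you whether the JDeveloper merge actually put the three attributes into the deployed manifest before you upload it.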