We have a legacy Java Web Start application. Because the code is downloaded remotely, the Java security system needs to be instructed that code downloaded from the source URL is allowed to run.
The URL the code is downloaded from is in the JNLP file (https://app.domain.com/prod). A ruleset.xml is created with a rule allowing that location to run. The ruleset.xml is jar-ed into DeploymentRuleSet.jar, which is signed to ensure authenticity. The signed jar is then pushed to every user's machine.
1. Create keypair
The command below creates a keystore file named "jarsigner.keystore" and adds a key pair to it under the alias jarsigner. The key is valid for 1825 days from 2019-08-15. The keystore password and key password are set to the default; change them as required.
If a self-signed certificate is going to be used, skip to STEP 4.
2. Create a Certificate Sign Request (CSR)
The CSR is written to the file jarsigner.csr.
Send the file to the Certificate Authority. Ask specifically for a Code Signing certificate (it costs more than a standard SSL certificate).
3. Once the signed certificate is received from the CA, save the certificate file as jarsigner.cer and import it into the keystore.
4. Create ruleset.xml
Since the code is downloaded from domain.com, the rule should grant run permission to that location.
5. Create DeploymentRuleSet.jar
6. Sign the jar file with the certificate
You will see the warning below if the certificate was not signed by a CA:
The signer's certificate is self-signed.
7. Verify the jar
The message will say "jar verified".
8. Deploy the jar to the users' computers
Copy DeploymentRuleSet.jar to the c:\windows\sun\java\deployment folder.
If the certificate (imported in Step 3) was signed by a Certificate Authority, SKIP steps 9 & 10. We are done.
9. Export the certificate out of the keystore.
10. Import the certificate into the trusted certificate store on the user's machine. The trusted certificate store (cacerts) is in the jre/lib/security folder. Do this from an admin shell.
Ensure that the cacerts file you modify belongs to the JRE or JDK actually used by the Web Start command.
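The whole procedure above, collected into one script as an added example (this is not the original post's own commands). It assumes a JDK with keytool, jar and jarsigner on the PATH; the keystore name, alias, distinguished name, placeholder password and JAVA_HOME-relative cacerts path are constructed here and should be changed to match your environment. The ruleset it writes grants "run" only to the JNLP location named on this page, so code from any other host still gets the default treatment.

```shell
#!/bin/sh
# Added example: build, sign and verify a Deployment Rule Set jar.
# Not the original post's code; all names and values below are assumptions.
set -e

KEYSTORE="jarsigner.keystore"
ALIAS="jarsigner"
STOREPASS="${STOREPASS:-changeit}"                 # placeholder; replace before real use
LOCATION="https://app.domain.com/prod"             # location from the JNLP file
CACERTS="${CACERTS:-$JAVA_HOME/jre/lib/security/cacerts}"   # JRE 8 layout, assumed

# Step 4: write a ruleset.xml that grants "run" only to code served from $1
write_ruleset() {
    cat > "$2" <<EOF
<ruleset version="1.0+">
  <rule>
    <id location="$1" />
    <action permission="run" />
  </rule>
</ruleset>
EOF
}

# Sanity check: does ruleset file $2 grant "run" to exactly location $1?
# Uses fixed-string matching so dots and slashes in the URL are literal.
ruleset_grants_run_to() {
    grep -qF "location=\"$1\"" "$2" && grep -qF 'permission="run"' "$2"
}

# Step 1: create the key pair (self-signed) in the keystore
create_keypair() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity 1825 -startdate "2019/08/15" \
        -dname "CN=Deployment Rule Set Signer, O=Example Org" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: create the CSR to send to the CA (ask for a code-signing certificate)
create_csr() {
    keytool -certreq -alias "$ALIAS" -file jarsigner.csr \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 3: import the CA-signed certificate (jarsigner.cer) back into the keystore
import_ca_reply() {
    keytool -importcert -alias "$ALIAS" -file jarsigner.cer \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 5: package ruleset.xml as DeploymentRuleSet.jar
build_jar() { jar cvf DeploymentRuleSet.jar ruleset.xml; }

# Step 6: sign the jar; jarsigner warns "The signer's certificate is self-signed"
# when no CA has signed the certificate
sign_jar() { jarsigner -keystore "$KEYSTORE" -storepass "$STOREPASS" DeploymentRuleSet.jar "$ALIAS"; }

# Step 7: verify the signature and print the signer certificate chain
verify_jar() { jarsigner -verify -verbose -certs DeploymentRuleSet.jar; }

# Step 9: export the self-signed certificate so it can be trusted on user machines
export_cert() {
    keytool -exportcert -alias "$ALIAS" -file jarsigner.cer \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 10: import it into the JRE's cacerts (run from an elevated shell);
# "changeit" is the JRE's default cacerts password
import_to_cacerts() {
    keytool -importcert -trustcacerts -alias "$ALIAS" -file jarsigner.cer \
        -keystore "$CACERTS" -storepass changeit -noprompt
}

# Only run the JDK tools when explicitly asked, so the functions can be sourced.
case "${RULESET_RUN:-}" in
    selfsigned)
        create_keypair
        write_ruleset "$LOCATION" ruleset.xml
        build_jar; sign_jar; verify_jar
        export_cert
        ;;
    ca)
        # after create_keypair and create_csr, and once jarsigner.cer came back from the CA
        import_ca_reply
        write_ruleset "$LOCATION" ruleset.xml
        build_jar; sign_jar; verify_jar
        ;;
esac
```

Run `RULESET_RUN=selfsigned sh build-ruleset.sh` for the self-signed path (then copy DeploymentRuleSet.jar to the deployment folder and run `import_to_cacerts` as administrator), or `RULESET_RUN=ca` once the CA reply is saved as jarsigner.cer. The ruleset deliberately names the full https://app.domain.com/prod location rather than the bare domain, so the run grant does not extend to other sites under domain.com.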