Re-Signing EMC Documentum Applets Using Custom Security Certificates

White Paper
RE-SIGNING EMC DOCUMENTUM APPLETS
USING CUSTOM SECURITY CERTIFICATES
Abstract
This white paper outlines the procedure to digitally sign Java
applets that have expired security certificates. EMC®
Documentum® Webtop uses applet/servlet technology that
enables content transfer between the client machine and
content repository. As a security measure an applet gains
access to a local machine only if it is trusted or signed code.
Since the content transfer operation involves interaction with
the client system, we sign our applets with digital security
certificates. This paper provides instructions to sign applets
using your own security certificates obtained from trusted
certification authorities.
March 2011
Copyright © 2011 EMC Corporation. All Rights Reserved.
EMC believes the information in this publication is accurate as of
its publication date. The information is subject to change
without notice.
The information in this publication is provided “as is”. EMC
Corporation makes no representations or warranties of any kind
with respect to the information in this publication, and
specifically disclaims implied warranties of merchantability or
fitness for a particular purpose.
Use, copying, and distribution of any EMC software described in
this publication requires an applicable software license.
For the most up-to-date listing of EMC product names, see EMC
Corporation Trademarks on EMC.com.
All other trademarks used herein are the property of their
respective owners.
Part Number h8201
Re-signing EMC Documentum Applets
Using Custom Security Certificates
2
Table of Contents
Executive summary.................................................................................................. 4
Audience ............................................................................................................................ 4
Re-signing Documentum applets using custom security certificates .......................... 4
Prerequisites ...................................................................................................................... 4
Process for re-signing applets .................................................................................. 4
Signing WDK and Webtop applet files ................................................................................. 6
Conclusion .............................................................................................................. 7
References .............................................................................................................. 7
Executive summary
This white paper enables customers who want to re-sign applets that have expired
certificates to use certificates procured from a certification authority of their choice,
in place of the EMC certificate that is procured from Thawte, a certification authority
(CA). The paper outlines generic steps to re-sign EMC applets using custom certificates.
Customers who place a high level of importance on security by not trusting code that
interacts with the client machine must sign EMC® Documentum® applets with
certificates from a trusted CA, in keeping with the policy enforced by their
organization.
Audience
This white paper is intended for technical support personnel to share the instructions
provided with customers who want to re-sign Documentum applets using custom
certificates.
Re-signing Documentum applets using custom security certificates
You can opt to digitally re-sign your applets that have expired certificates with the
help of a trusted certification authority.
Prerequisites
J2SDK 1.4 or later
Signing tools such as jarsigner from Sun JDK or the Netscape Signing Tool
A valid digital certificate verified by a Certification Authority
Microsoft signcode for signing cabinet files (MS SDK for Java)
The process of re-signing Documentum applets using custom security certificates
includes the following steps:
1. Signing applet jar files using jarsigner
2. Signing applet cabinet (.cab) files using Microsoft Authenticode
Process for re-signing applets
Step 1: Signing applet jar files using the jarsigner
Perform the following steps to sign applet jar files using the jarsigner:
1. Create a keystore.
Use keytool to create a certificate and store it in a keystore. Run the following
command to import a CA-issued certificate into the keystore:
keytool -import -trustcacerts -keystore <keystore_filename> -alias <alias_name> -file cert.p7b
This command imports the response from the CA stored in the file cert.p7b into the
keystore under the name <alias_name>. The name <alias_name> must not already
exist in the keystore. The -trustcacerts flag tells keytool to verify the response
certificate against the CA certificates that are shipped with Java 2. If you do not have
a verified digital certificate, you can use keytool to generate a public-private key
pair and then generate a certificate signing request (CSR) with keytool. After
importing the CA's response into the keystore, you can use the certificate for signing applets.
2. Run the following command using the jarsigner to sign the applet (.jar) files:
jarsigner -keystore <keystore_filename> <path to appletfiles.jar> <alias_name>
This command signs the jar <appletfiles.jar> using the private key stored in the
keystore <keystore_filename> created in Step 1, under the alias <alias_name>
specified when the keystore was created.
When you execute this command, you are prompted for the keystore
password and, depending on how the certificate was imported into the keystore, the
private key password. As an alternative to entering the passwords interactively, you
can pass them to jarsigner with the -storepass and -keypass parameters.
3. Run the following command to verify the signatures on the entries in the jar file and
check whether the signing certificate is known (that is, present in the keystore):
jarsigner -verify -verbose -certs <path to appletfiles.jar>
Personal information encoded in the certificate for the entity that signed the file is
listed against each signed file. (If the certificate is known in the keystore by a
specific name, that name is listed in parentheses after the certificate's personal
information.)
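The digest checks behind jarsigner -verify, as an added example that is not part of the EMC paper: the Python below (standard library only) builds a JAR whose META-INF/MANIFEST.MF and .SF files carry SHA-256 digests in the layout jarsigner produces, then verifies that every entry's digest matches the manifest and that the .SF digests match the manifest sections, reporting entries that were modified or added after signing. The .RSA signature block is a constructed placeholder, so the PKCS#7 signature and certificate-expiry validation that jarsigner additionally performs is not reproduced here; the entry names and contents are constructed samples, not Documentum files.

```python
"""Integrity checks on a signed JAR's MANIFEST.MF / *.SF / signature block.

Added example, not from the EMC paper. It reproduces the digest consistency
checks that `jarsigner -verify` runs; the PKCS#7 signature and certificate
chain (including expiry) are NOT checked, because the .RSA block written
here is a labelled placeholder rather than a real signature.
"""
import base64
import hashlib
import io
import zipfile

CRLF = b"\r\n"


def _digest(data: bytes) -> str:
    """Base64 SHA-256, the encoding used for SHA-256-Digest attributes."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def _parse_sections(raw: bytes):
    """Split a manifest-style file into (main_attrs, {name: (section_bytes, attrs)}).

    Sections are separated by a blank line; a line starting with a space
    continues the previous value (manifests wrap long values at 72 bytes).
    Section bytes are normalized to end with a blank line.
    """
    sections = []
    for chunk in raw.split(CRLF + CRLF):
        if not chunk.strip():
            continue
        attrs, key = {}, None
        for line in chunk.split(CRLF):
            if line.startswith(b" ") and key:
                attrs[key] += line[1:].decode()
            elif b": " in line:
                k, v = line.split(b": ", 1)
                key = k.decode()
                attrs[key] = v.decode()
        sections.append((chunk + CRLF + CRLF, attrs))
    main = sections[0][1] if sections else {}
    named = {a["Name"]: (b, a) for b, a in sections[1:] if "Name" in a}
    return main, named


def build_signed_jar(entries: dict, signer: str = "CUSTOM") -> bytes:
    """Constructed stand-in for jarsigner's output: MANIFEST.MF digests each
    entry, <signer>.SF digests the whole manifest and each manifest section,
    and <signer>.RSA is a placeholder where the PKCS#7 block would go."""
    manifest = b"Manifest-Version: 1.0" + CRLF + CRLF
    for name, data in sorted(entries.items()):
        manifest += f"Name: {name}".encode() + CRLF
        manifest += f"SHA-256-Digest: {_digest(data)}".encode() + CRLF + CRLF
    _, named = _parse_sections(manifest)
    sf = b"Signature-Version: 1.0" + CRLF
    sf += f"SHA-256-Digest-Manifest: {_digest(manifest)}".encode() + CRLF + CRLF
    for name, (section, _) in sorted(named.items()):
        sf += f"Name: {name}".encode() + CRLF
        sf += f"SHA-256-Digest: {_digest(section)}".encode() + CRLF + CRLF
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr(f"META-INF/{signer}.SF", sf)
        z.writestr(f"META-INF/{signer}.RSA", b"PLACEHOLDER-PKCS7-BLOCK")  # constructed
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def replace_entry(jar_bytes: bytes, name: str, data: bytes) -> bytes:
    """Rewrite or add one entry without touching META-INF (post-signing change)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != name:
                dst.writestr(item.filename, src.read(item.filename))
        dst.writestr(name, data)
    return buf.getvalue()


def verify_jar_digests(jar_bytes: bytes) -> dict:
    """Report whether a consistent .SF/signature-block pair exists and which
    entries the manifest fails to cover ("unsigned") or no longer match ("tampered")."""
    report = {"signed": False, "tampered": [], "unsigned": [], "ok": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            report["unsigned"] = [n for n in names if not n.endswith("/")]
            return report
        manifest = z.read("META-INF/MANIFEST.MF")
        _, msections = _parse_sections(manifest)
        for sf_name in [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]:
            base = sf_name[:-3]
            has_block = any(base + ext in names for ext in (".RSA", ".DSA", ".EC"))
            sf_main, sf_sections = _parse_sections(z.read(sf_name))
            whole_ok = sf_main.get("SHA-256-Digest-Manifest") == _digest(manifest)
            per_entry_ok = all(
                n in msections and a.get("SHA-256-Digest") == _digest(msections[n][0])
                for n, (_, a) in sf_sections.items())
            if has_block and whole_ok and per_entry_ok:
                report["signed"] = True
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            section = msections.get(name)
            if section is None:
                report["unsigned"].append(name)
            elif section[1].get("SHA-256-Digest") != _digest(z.read(name)):
                report["tampered"].append(name)
    report["ok"] = report["signed"] and not report["tampered"] and not report["unsigned"]
    return report


if __name__ == "__main__":
    # Constructed sample applet contents; not real Documentum classes.
    sample = {"com/example/ContentXfer.class": b"\xca\xfe\xba\xbe constructed",
              "applet.properties": b"version=example\n"}
    jar = build_signed_jar(sample)
    print(verify_jar_digests(jar))
    print(verify_jar_digests(replace_entry(jar, "applet.properties", b"version=changed\n")))
    print(verify_jar_digests(replace_entry(jar, "extra.class", b"added after signing")))
```

Re-signing with a new certificate rewrites the .SF and .RSA files but leaves the manifest digests untouched, so a mismatch reported here after re-signing points at a modified entry rather than at the certificate; only jarsigner -verify -certs (or an equivalent PKCS#7 check) tells you whether the new certificate chain is valid and unexpired.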
Step 2: Signing the applet cabinet (.cab) files using Microsoft Authenticode
Perform the following steps to sign the applet cabinet (.cab) files using Microsoft
Authenticode.
1. Run the following commands:
signcode -j javaSign.dll -jp Low -spc <software publisher certificate> -v <private key generated while requesting the CA to issue the certificate> -n <title of applet> -i <applet provider> -t <timestamp provider> <appletFile.cab>
For example:
signcode -j javaSign.dll -jp Low -spc xyz.spc -v xyz.pvk -n "Documentum Content Transfer 5.3 SP" -i "http://www.emc.com" -t "http://timestamp.verisign.com/scripts/timstamp.dll" applets.cab
2. Verify the signature on each applet cabinet file by running the following command
or performing the specified steps in Windows Explorer (see below):
chktrust /q/v <appletFile.cab>
In Windows Explorer:
a. Open Windows Explorer.
b. Locate the file you signed.
c. Right-click the file and select Properties. The Properties dialog box appears.
d. Click the Digital Signatures tab to view the details of the signature.
Signing WDK and Webtop applet files
If you are working on WDK/Webtop 5.3.x, you must sign the following files using the
procedures described in the preceding sections:
WDK Applications content transfer files
<virtual_root>/wdk/contentXfer/ContentXfer.jar
<virtual_root>/wdk/contentXfer/FullContentXfer.jar
<virtual_root>/wdk/contentXfer/ContentXfer.cab
<virtual_root>/wdk/contentXfer/FullContentXfer.cab
<virtual_root>/wdk/contentXfer/mac_contentxfer.jar
<virtual_root>/wdk/contentXfer/mac_contentxfer_osx.jar
<virtual_root>/wdk/contentXfer/mac_FullContentxfer.jar
<virtual_root>/wdk/contentXfer/mac_FullContentxfer_osx.jar
WDK Applications UCF invoker files
<virtual_root>/wdk/system/ucfinit.cab
<virtual_root>/wdk/system/ucfinit.jar
WDK Applications file selector files
<virtual_root>/wdk/fileselector/fileSelector.jar
<virtual_root>/wdk/fileselector/fileSelector1_1.jar
<virtual_root>/wdk/fileselector/fileSelector.cab
WDK Applications web workflow files
<virtual_root>/wdk/webwfm/webwfde.jar
<virtual_root>/wdk/webwfm/clientJVMDetect.cab
<virtual_root>/wdk/webwfm/clientJVMDetect.jar
If you are working on WDK/Webtop 6.x, you must sign the following files using the
procedures described in the preceding sections:
WDK Applications UCF invoker files
<virtual_root>/wdk/system/ucfinit.cab
<virtual_root>/wdk/system/ucfinit.jar
WDK Applications file selector files
<virtual_root>/wdk/fileselector/fileSelector.jar
<virtual_root>/wdk/fileselector/fileSelector1_1.jar
<virtual_root>/wdk/fileselector/fileSelector.cab
WDK Applications web workflow files
<virtual_root>/wdk/webwfm/webwfde.jar
<virtual_root>/wdk/webwfm/clientJVMDetect.cab
<virtual_root>/wdk/webwfm/clientJVMDetect.jar
Conclusion
When the certificates used to sign Java applets expire, you must re-sign the applets. You can
use the EMC certificate, or you can use certificates procured from a certification
authority of your choice. This paper provides the instructions for signing the applets with a
certificate from a certification authority other than the one EMC uses.
References
Please consult the following to get more information:
http://download.oracle.com/javase/1.3/docs/tooldocs/win32/jarsigner.html