Security certificate expiration messages generated from Domino applets (May 18, 2009)
05/12/2009 08:24 PM

Problem
The certificate for some Java applets in Lotus Domino 6.5.x, Domino 7.0.x, Domino 8.0.x, and Domino 8.5 expired on May 18, 2009. Starting May 19th, Web users will see a dialog with a message similar to one of the following when loading a Web page that contains a Java applet from the Domino server:

"The digital signature was generated with a trusted certificate but has expired or is not yet valid."
"The security certificate has expired or is not yet valid."

This issue can occur even if IBM is set up as a trusted publisher in the browser.

Background:
Java applets are often digitally signed to provide the user a level of assurance that the applet comes from a known and trusted source, because executing Java code is a potential security risk. This process is similar to having a physical document signed by a Notary Public as verification that the person executing the document is who he or she claims to be. In this case, the Notary Public would be analogous to the Certificate Authority or CA who signs the certificate.

Digital certificates used in the signing process are valid for a specified period of time, typically one to three years. This allows an organization such as IBM to sign files (Java applets in this case) during that period and allows the user to trust that the applet was indeed provided by IBM. If the Java applet is signed within the certificate's valid signing period, the signature is valid indefinitely. However, once the current date is beyond that period, the Java Runtime Engine (JRE) used to run Java applets within a browser, such as Microsoft Internet Explorer, Mozilla, or Firefox, cannot verify that the applet was actually signed during the valid period. Therefore, the browser dialog reports that, although the applet was properly signed with a trusted certificate, the certificate itself has expired.

It is a common misconception that an applet signed with a certificate that has expired is no longer safe to download or use. As long as the applet was signed when the certificate issued by the CA (Certificate Authority) was still valid, then the applet is valid according to the specification for signing Java applets. Also, according to the specification, it is the responsibility of the JVM or JRE to warn the user if an applet has been modified after it was digitally signed with a certificate issued by a CA.

As long as the JVM or JRE does not return an error stating that the applet has been modified since it was signed, the applet is still valid and safe to run.
For more information on the digital signing process, refer to the following document provided by VeriSign: VeriSign Code Signing

Resolving the problem
All Java applets shipped with Domino are signed before the certificate's expiration date, so users can be assured that the applets are valid. This includes the Domino applets such as the Outline applet, View applet, Action bar applet, and Editor applet, as well as other applets shipped with Domino.

Customers experiencing this issue have the following options:
1. Instruct users to select "Always Trust" content from IBM, as the applets are still valid. The warning message is only to notify users that the certificate used to sign the applet has expired. The expiration does not affect an applet's security or functionality. In most cases, the user can click to "Always Trust" content from IBM to stop the message from appearing in the future.

2. Upgrade Domino 7.x servers to Domino 7.0.4. Domino 7.0.4 servers that are accessed via browsers that are using JRE 1.5.0 or later will not experience the issue.

3. IBM recommends correcting this issue through the replacement of the .jar files affected. You can currently download .zip files containing re-signed applets either from Fix Central or the IBM Support FTP site, as described in Technote #4022981 - Download re-signed Java applets for Lotus Domino (May 18, 2009). The re-signed .jar files are applicable to any supported release of Notes/Domino for any 6.5x, 7.0.x, 8.0.x, or 8.5 release.

4. IBM recommends option #3, which allows customers to replace files manually without needing a specific hotfix. Additionally, an interim fix (hotfix) will be provided via Fix Central starting May 11th for the latest MR/Fix Pack levels. This interim fix can be applied on Domino servers that do not currently have a hotfix applied.

Hotfix postings to Fix Central will start May 11, 2009. These releases include the following platforms and releases:
Platforms: W32, AIX, IBM i (iSeries), & Linux
Releases:
- Domino 6.5.6 FP3
- Domino 7.0.3 FP1
- Domino 7.0.4
- Domino 8.0.2 FP1
- Domino 8.5.0
 
Operating system(s): AIX, Linux, Solaris, Windows, i5/OS, z/OS  
Software version: 6.5, 7.0, 8.0, 8.5  
Reference #: 1381298  Modified date: 2009-05-08

This readme for the Applet Expire Fix includes Frequently Asked Questions along with Instructions on how to apply the applets to your Domino Server.
The content in this Readme is taken from TN #4022981 - Download re-signed Java applets for Lotus Domino (May 18, 2009)

Question: What issue do the re-signed applets resolve?
Answer: The certificate for some Java applets in Lotus Domino 6.5x, 7.0.x, 8.0.x, and 8.5 expires on May 18, 2009. This document provides links to .zip files containing re-signed Java applets for Domino 6.5x, 7.0.x, 8.0.x, and 8.5. For more details on the issue, refer to Technote #1381298 -- "Security certificate expiration messages generated from Domino applets (May 2009)".

Question: How do you obtain the re-signed applets?  
Answer: Go to the Download Package section below and select the FTP link matching your Domino release.

Question: Is there a separate download file for each Domino server platform?
Answer: No. All the files in the zip should be copied to each Domino server, regardless of Domino Server platform.

Question: Is there a separate download file for each individual Domino server release? i.e. 7.0, 7.0.1, 7.0.2?
Answer: No. There is a single download file for each major release. For example, "Domino_7x_applets_2009_all_platforms.zip" applies to all versions of Domino 7.0.x servers running on any supported platform.  

Question: Do these applets conflict with existing hotfixes?
Answer: No. The re-signed applets do not conflict with existing hotfixes. You can copy these files to your server even if you have a hotfix applied.

Question: How do you apply the applets?
Answer:
1) Download and unzip the .zip file for your Domino version.
2) Shut down your Domino server (optionally, you can quit only the HTTP task by issuing the following command at the server console: tell HTTP Quit)
3) Back up the existing files (see the table below for your Domino version)
4) Copy the new files into the appropriate location (see the table below for your Domino version)
-------------------------------------
Release        Directory & Files to Replace
Domino 6.5.x        
DATA\ Directory
domino\html\download\NetscapeDOLSPlugin_linux32.xpi
domino\html\download\NetscapeDOLSPlugin_linux.xpi
domino\html\sametime\stlinks\stlinks.jar
domino\java\actionbar.jar
domino\java\dominoapplets.jar
domino\java\editor.jar
domino\java\nvapplet.jar
domino\java\outline.jar
domino\java\uninstall.jar
-------------------------------------
Domino 7.0.x        
DATA\ Directory
domino\html\download\NetscapeDOLSPlugin.xpi
domino\html\download\NetscapeDOLSPlugin_linux32.xpi
domino\html\download\NetscapeDOLSPlugin_linuxff.xpi
domino\html\sametime\stlinks\stlinks.jar
domino\java\actionbar.jar
domino\java\dominoapplets.jar
domino\java\domtags.jar
domino\java\editor.jar
domino\java\jakarta-regexp-1.1.jar
domino\java\nvapplet.jar
domino\java\NCSO.jar
domino\java\outline.jar
domino\java\uninstall.jar

PROGRAM\ Directory
jvm\lib\ext\websvc.jar
-------------------------------------        
Domino 8.0.x        
DATA\ Directory
domino\html\download\NetscapeDOLSPlugin.xpi
domino\html\download\NetscapeDOLSPlugin_linux32.xpi
domino\html\download\NetscapeDOLSPlugin_linuxff.xpi
domino\html\sametime\stlinks\stlinks.jar
domino\java\actionbar.jar
domino\java\dominoapplets.jar
domino\java\domtags.jar
domino\java\editor.jar
domino\java\jakarta-regexp-1.1.jar
domino\java\nvapplet.jar
domino\java\NCSO.jar
domino\java\outline.jar
domino\java\uninstall.jar
-------------------------------------
Domino 8.5.x        
DATA\ Directory
domino\html\download\dolsplugin_linux.xpi
domino\html\download\dolsplugin_win32.xpi
domino\html\download\NetscapeDOLSPlugin.xpi
domino\html\download\NetscapeDOLSPlugin_linux32.xpi
domino\html\download\NetscapeDOLSPlugin_linuxff.xpi
domino\html\sametime\stlinks\stlinks.jar
domino\java\actionbar.jar
domino\java\dominoapplets.jar
domino\java\domtags.jar
domino\java\editor.jar
domino\java\jakarta-regexp-1.1.jar
domino\java\nvapplet.jar
domino\java\NCSO.jar
domino\java\outline.jar
domino\java\uninstall.jar

5) Restart the Domino server (or, if you only shut down the HTTP task, issue the following command at the server console: Load HTTP)
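
Steps 3 and 4 can be scripted so that every listed file is backed up, replaced and then hash-checked against the downloaded copy. The sketch below is an added example, not part of the IBM readme: it uses the Domino 8.0.x DATA-directory list from the table, and it assumes the unzipped package mirrors the DATA directory layout; the function names and status strings are hypothetical.

```python
import hashlib
import shutil
from pathlib import Path, PureWindowsPath

# DATA-directory files for Domino 8.0.x, copied from the table above.
DOMINO_80X_DATA_FILES = [
    r"domino\html\download\NetscapeDOLSPlugin.xpi",
    r"domino\html\download\NetscapeDOLSPlugin_linux32.xpi",
    r"domino\html\download\NetscapeDOLSPlugin_linuxff.xpi",
    r"domino\html\sametime\stlinks\stlinks.jar",
    r"domino\java\actionbar.jar",
    r"domino\java\dominoapplets.jar",
    r"domino\java\domtags.jar",
    r"domino\java\editor.jar",
    r"domino\java\jakarta-regexp-1.1.jar",
    r"domino\java\nvapplet.jar",
    r"domino\java\NCSO.jar",
    r"domino\java\outline.jar",
    r"domino\java\uninstall.jar",
]


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def replace_applets(unzipped_dir, data_dir, backup_dir, rel_paths=DOMINO_80X_DATA_FILES):
    """Back up, replace and hash-check each listed file; return {path: status}."""
    report = {}
    for rel in rel_paths:
        parts = PureWindowsPath(rel).parts  # the table uses backslash separators
        # Assumption: the unzipped package mirrors the DATA directory layout.
        new, live, bak = (Path(d).joinpath(*parts)
                          for d in (unzipped_dir, data_dir, backup_dir))
        if not new.is_file():
            report[rel] = "missing-in-package"  # old-certificate file stays live
            continue
        existed = live.is_file()
        if existed and not bak.exists():  # never overwrite an earlier backup
            bak.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(live, bak)
        live.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(new, live)
        if sha256(live) != sha256(new):
            report[rel] = "hash-mismatch"
        else:
            report[rel] = "replaced" if existed else "installed"
    return report
```

Run it only while the server or HTTP task is stopped (step 2). Any entry reported as `missing-in-package` is still served with the old signature and will keep producing the expiration dialog.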

Question: Besides manually replacing the .jar files, are there other options available to address this issue?
Answer: Yes. Refer to Technote #1381298 for additional options.
 
More @ibm.com/support

