Hosted Java Applets Templates

About Hosted Java Applet Templates

The Java applet upload feature enables you to store the Java applets of your choice directly on the device without employing a separate Web server to host them. When you use this feature, you simply upload the applets to the device (along with additional files that the applets reference) and create a simple Web page through the system that references the files. Then, the system intermediates the Web page and Java applet content using its Content Intermediation Engine.

For example, you might want to use the system to intermediate traffic between an IBM AS/400 system on your network and individual 5250 terminal emulators on your users' computers. To configure the system to intermediate this traffic, obtain the 5250 terminal emulator's Java applet. Then you can upload this applet to the system and create a simple Web page that references the applet. After you create the Web page through the system, it creates a corresponding bookmark that users can access through their home pages.

The system enables you to host Java applets using Web resource profile templates (described in these topics) as well as through Terminal Services resource profiles.

The hosted Java applets feature is a standard feature on all Ivanti Connect Secure devices.

Task Summary: Hosting Java Applets

The Java applet upload feature enables you to store the Java applets of your choice directly on the device without employing a separate Web server to host them.

To host Java applets on the device:

1.Specify which applets you want to upload, create bookmarks that reference the uploaded applets, and specify which roles can access the bookmarks using settings in the Users > Resource Profiles > Web page of the admin console.

2.(Optional.) To sign your Java applets, Select System > Configuration > Certificates > Code-Signing Certificates in the admin console to upload the Java certificate to the device. If you choose to skip this step, the user sees an untrusted certificate warning each time he accesses the corresponding bookmark.

3.(Optional.) To improve the performance of your Java applications:

•Select Enable Java instrumentation caching on the Maintenance > System > Options page of the admin console. This option can improve the performance of downloading Java applications.

•After you finish configuring the system, cache your Java applet and access it as an end user. This action eliminates the performance hit that occurs through the intermediation engine when the first end user accesses the applet.

Uploading Java Applets to Ivanti Connect Secure

You can use Java applets to intermediate traffic to various types of applications through the system. For example, you can upload the 3270 applet, 5250 applet, or Citrix Java applet. These applets enable users to establish sessions to IBM mainframes, AS/400s, and Citrix MetaFrame servers through terminal emulators. (Note that to enable the Citrix Java ICA client through a session, you must upload multiple Citrix .jar and .cab files to the device.

The system enables you to upload individual .jar and .cab files or .zip, .cab, or .tar archive files. Archive files can contain Java applets and files referenced by the applets. Within the .zip, .cab, or .tar file, the Java applet must reside at the top level of the archive. You can upload any number of files to the system as long as their combined size does not exceed 100 MB.

To ensure compatibility with both Sun and Microsoft Java Virtual Machines (JVMs), you must upload both .jar and cab files to the device. (The Sun JVM uses .jar files, whereas the Microsoft JVM uses .cab files.)

When you upload Java applets, the system asks you to read a legal agreement before it finishes installing the applets. Read this agreement carefully-it obligates you to take full responsibility for the legality, operation, and support of the Java applets that you upload.

You can only upload 100 MB of Java applets to the system. The system displays the size of each applet that you upload on the Java Applets page, so you can determine, if necessary, which applets you want to delete.

Uploading Java applets requires signed ActiveX or signed Java applets to be enabled within the browser to download, install, and launch the client applications.

Signing Uploaded Java Applets

Unlike other Java applets that users can access through the system, you do not have to create a separate code-signing policy for the Java applets that you upload. The system automatically signs (or re-signs) them using the appropriate code-signing certificate. A code-signing certificate (also called an applet certificate) is a type of server-side certificate that re-signs Java applets intermediated by the system.

The system automatically signs (or resigns) your hosted Java applets with the code-signing certificate that you install through the System > Configuration > Certificates > Code-signing Certificates page of the admin console. If you do not install a code-signing certificate on the system, it uses its self-signed applet certificate to sign or re-sign the applets. In this case, users see an "untrusted certificate issuer" warning whenever they access the Java applets through the system.

The system re-instruments and re-signs your uploaded Java applets whenever you change (that is, import, renew, or delete) the corresponding code-signing certificate.

Creating HTML Pages That Reference Uploaded Java Applets

When uploading a Java applet to the system, you must create a simple Web page that references the applet. Users can access this Web page through a bookmark on their home pages or from external Web servers.

The Web page must contain a simple HTML page definition that references the uploaded Java applet. The Web page can also contain any additional HTML and JavaScript that you choose. The system can generate some of the Web page for you, including the HTML page definition and the references to your Java applet. (Note, however, that the system is not aware of all the applet-specific parameters that are required by your applet-you must find and fill these parameters in yourself.) When the system generates this HTML, it creates placeholders for any undefined values and prompts you to fill in the necessary values.

You can create these Web pages through Java applet upload resource profiles.

Accessing Java Applet Bookmarks

Users can access the applets you upload to the system using two methods:

•Bookmarks on the end-user console-When you create a Web page that references your uploaded Java applets, the system creates a corresponding link to the Web page and displays that link in the Bookmarks section of the end-user console. Users who map to the appropriate role can simply click the link to access the Java applet.

•Links on external Web servers-Users can link to the Java applet bookmarks from an external Web server by simply using the correct URLs. When the user enters a bookmark's URL (or clicks an external link that contains the URL), the system prompts the user to enter his username and password. If he properly authenticates, it allows him to access the bookmark. You can construct the URL to the Java applet bookmark using the syntax described in either of the following lines:

https://SecureAccessGateway_hostname/dana/home/launchwebapplet.cgi?

bmname=bookmark Name

https://SecureAccessGateway_hostname/dana/home/launchwebapplet.cgi?

id=<resourceID>&bmname=bookmarkName

You can determine the ID for a Java applet bookmark by accessing it through the home page and then extracting the ID from the Web browser's address bar.

Although the system enables you to create multiple bookmarks with the same name, we strongly recommend that you use a unique name for each. If multiple bookmarks have the same name and a user accesses one of these bookmarks using a URL that includes the bmname parameter, the system randomly picks which of the identically named bookmarks to display to the user. Also note that the bmname parameter is case-sensitive.

If you create links on external servers to Java applet bookmarks on the system and you are using multiple customized sign-in URLs, some restrictions occur.

Creating a Hosted Java Applet Resource Profile

To create a hosted Java applet resource profile:

1.Select Users > Resource Profiles > Web in the admin console.

2.Click New Profile.

3.Select Hosted Java Applet from the Type list.

4.Enter a unique name and optionally a description for the resource profile.

5.Select the Java applet that you want to associate with the resource profile from the Applet to use list. Or, if the applet that you want to use is not currently available in the list, click Edit Applet. Then:

•Click New Applet to add an applet to this list. Or, select an existing applet and click Replace (to replace an existing applet with a new applet) or Delete (to remove an applet from the system.)

If you replace an existing archive, make sure that the new applet archive contains all of the necessary files for the applet to successfully launch and run. If the associated HTML for the applet refers to files that do not exist in the new archive, then the applet will not function correctly.

The system only allows you to delete applets that are not currently in use by a Web or Terminal Services resource profile.

•Enter a name to identify the applet in the Name box (for new and replaced applets only).

•Browse to the applet that you want to upload. You can upload applets (.jar or .cab files) or archives (.zip, .jar, and .tar files) that contain applets and all of the resources that the applets need (for new and replaced applets only).

•Select the Uncompress jar/cab file check box if the file that you selected is an archive that contains the applet (New and replaced applets only).

•Click OK and then click Close Window.

When you select an applet in the Java Applets dialog box, you are loading third-party software onto the Ivanti product. By clicking OK, you are agreeing to the following terms on behalf of yourself (as purchaser of the equipment) or the organization that purchased the Ivanti product, as applicable.

By loading third party software onto the Ivanti product, you are responsible for obtaining all rights necessary for using, copying, and/or distributing such software in or with the Ivanti product. Ivanti is not responsible for any liability arising from use of such third-party software and will not provide support for such software. The use of third-party software may interfere with the proper operation of the Ivanti product and/or Ivanti software, and may void any warranty for the Ivanti product and/or Ivanti software.

6.Use settings in the Autopolicy: Java Access Control section to enable access if your Java applets need to make socket connections.

7.Click Save and Continue.

8.Select the roles to which the resource profile applies In the Roles tab and click Add.

The selected roles inherit the autopolicies and bookmarks created by the resource profile. If it is not already enabled, the system also automatically enables the Web option in the Users > User Roles > Select_Role > General > Overview page of the admin console and the Allow Java Applets option Users > User Roles > Select_Role > Web > Options page of the admin console for all of the roles you select.

9.Click Save Changes.

10.Create bookmarks in the Bookmarks tab.

Configuring Hosted Java Applet Resource Profile Bookmarks

You must create bookmarks to your hosted Java applets to enable end users to access the applets.

To configure hosted Java applet resource profile bookmarks:

1.Select Users > Resource Profiles > Web >Select Resource Profile> Bookmarks in the admin console.

2.Click the appropriate link in the Bookmark column if you want to modify an existing bookmark. Or, click New Bookmark to create an additional bookmark.

Although it is generally easiest to create a resource profile session bookmark through the resource profile configuration page, you can choose to create one through the user roles page as well if you have already created a resource profile.

3.Enter a name and optionally a description for the bookmark. This information displays on the home page. (By default, the system names the bookmark the same name as the corresponding resource profile.)

We strongly recommend that you use a unique name for each bookmark to make it clear to users which link they are accessing.

4.Click Generate HTML to create an HTML page definition that includes references to your Java applets. Then, fill in any required attributes and parameters.

If you are using HTML generated by the system, make sure to search the HTML code for "__PLEASE_SPECIFY__" and update the code as necessary.

You can also add more HTML or JavaScript to this Web page definition. the system rewrites all of the code that you enter in this field

Make sure to enter unique HTML in this field. If you create two bookmarks with the same HTML code, the system deletes one of the bookmarks in the end-user view. You will still be able to see both bookmarks, however, in the administrator console.

5.List those attributes in the Multi-Valued User Attributes box if your HTML code contains attributes that may expand to multiple values (such as userAttr.hostname or userAttr.ports). When the user signs into a device, the system evaluates these attributes and creates separate bookmarks as necessary based on each of the individual values. If you use an attribute that expands to multiple values, but do not enter that attribute in this box, the system creates a single bookmark based on the attribute's first value.

6.Under Display options, click Bookmark opens new window to automatically open the Web resource in a new browser window. Note that this functionality applies only to role bookmarks and not bookmarks created by users. Next, select the following options if you want to hide UI elements from the user:

•Do not display the browser address bar-Select this option to remove the address bar from the browser window. This feature forces all Web traffic through the system by precluding users in the specified role from typing a new URL in the address bar, which circumvents the system.

•Do not display the browser toolbar-Select this option to remove the menu and toolbar from the browser. This feature removes all menus, browsing buttons, and bookmarks from the browser window so that the user browses only through the system.

7.Under Roles, specify the roles to which you want to display the bookmark if you are configuring the bookmark through the resource profile pages:

•ALL selected roles-Select this option to display the bookmark to all of the roles associated with the resource profile.

•Subset of selected roles-Select this option to display the bookmark to a subset of the roles associated with the resource profile. Then select roles from the ALL Selected Roles list and click Add to move them to the Subset of selected roles list.

8.Click Save Changes.

Creating Hosted Java Applets Bookmarks Through the User Roles Page

It is generally easiest to create a hosted Java applets bookmark through the resource profile configuration pages, as explained in previous topic. However, you can choose to create a resource profile session bookmark through the user roles page using the following instructions:

1.Select Users > Roles > Select_Role > Web > Bookmarks in the admin console.

2.Click New Bookmark.

3.Select Pick a Web Resource Profile from the Type list. (The system does not display this option if you have not already created a hosted Java applet resource profile.)

4.Select an existing resource profile.

5.Click OK. (If you have not already associated the selected role with the resource profile, the system automatically makes the association for you. The system also enables any access control policies for the role that are required by the resource profile.)

6.If this role is not already associated with the selected resource profile, the system displays an informational message. If you see this message, click Save Changes to add this role to the resource profile's list of roles and to update the profile's autopolicies as required. Then, repeat the previous steps to create the bookmark.

7.Configure the bookmark settings.

When you create a resource profile bookmark through the user roles page (instead of the standard resource profiles page), the system only associates the generated bookmark with the selected role. The system does not assign the bookmark to all of the roles associated with the selected resource profile.

Required Attributes for Uploaded Java Applets

When you create a Java applets bookmark through the system, you must define the following attributes and their corresponding values. If you use the Generate HTML feature, it populates some of this information for you and adds PLEASE_SPECIFY to those attributes whose values you must specify. When specifying attributes and their corresponding values, use the attribute="value" format.

The system generates parameters that it knows are required. Note, however, that it is not aware of all the applet-specific parameters that are required by your applet-you must find and fill in these parameters yourself.

Attributes that are required by the system include:

•code-Indicates which class file to invoke in your Java applet. Use this value to point to your Java applet's main function. Example:

applet code="com.citrix.JICA"

•codebase-Indicates where the Web browser can fetch the applet. Use the <<CODEBASE>> variable, which points to the location on the system where it stores the Java applet. When entering a path to a file, note that <<CODEBASE>> includes a trailing slash, which means the following example works:

<img src="<<CODEBASE>>path/to/file">

This example does not work:

<img src="<<CODEBASE>>/path/to/file">

•archive-Indicates which archive file (that is, .jar, .cab, or .zip file) the Web browser should fetch. Example:

archive="JICAEngN.jar"

In addition to the required attributes listed earlier, you may also use the following optional attributes when creating a Java applet bookmark:

•name-Specifies a label for the Java applet. Example:

name="CitrixJICA"

•host-Specifies, for terminal sessions, the server to which the system should connect.

•port-Specifies, for terminal sessions, the port to which the system should connect.

•width and height-Indicates the size of the Java applet window. Example:

width="640" height="480"

•align-Indicates the Java applet window's alignment within the browser window. Example:

align="top"

When defining attributes and their corresponding values, note the following:

•We strongly recommend that you not include useslibrarycabbase parameter in the HTML, because it causes the cab file to be permanently installed on the user's machine. If you later change a cab file on the system, all users will have to manually delete the cab files on their machines to get the new version from the system.

•We do not support applet tags that are constructed through the document.write function because the dynamic HTML interferes with the system parser.

•We do not support relative links to URLs, documents, or images in your HTML. If you do, the links will break when the user tries to access them from the end-user console. Instead, you should include absolute links. If you are linking to a document or image included in your zip file, use the <<CODEBASE>> variable to indicate that the system can find the file in the uploaded zip archive. For example:

<img src="<<CODEBASE>>yourcompany_logo.gif" alt="YourCompany">

Required Parameters for Uploaded Java Applets

When you create a Java applets bookmark through the system, you must specify parameters and values that should be passed to the Java applet. These parameters are completely applet-specific. When specifying parameters and their corresponding values, use the following format:

<param name="parameterName" value="valueName">

Where all of the text is literal except parameterName and valueName.

You can use variables to pass values to the Java applet by enclosing the variable names in double-brackets. For example, you might choose to pass the <<username>> and <<password>> values to the Java applet.

When using the Java applet upload feature, if you include the <password> token within the generated HTML, it appears as cleartext if you view the source in the browser window that launches the applet. This behavior cannot be changed because the system does not control how the Java applet processes the password. We strongly discourage the use of the <password> token in the HTML code.

If you find a Web page that contains an applet that you want to use, go to the demonstration site and view the source on the page that runs the Java applet. Within the source, look at the applet tag. Pick out the code attribute in the source and determine if it contains any special parameters that you need to pass to the browser. In most cases, you should be able to copy and paste the code attribute and its corresponding parameters directly into the HTML field for your bookmark. Note, however, that if a parameter references a resource on the local Web server, you cannot copy and paste the reference into the bookmark because the system does not have access to the other Web server's local resources. When copying and pasting parameters from another source, always check the values of the parameters.