Writing a Java Code Signing Resource Policy

Java code signing resource policies specify how the system rewrites Java applets. By default, when the system intermediates a signed Java applet, it re-signs the applet with its own certificate, which is not chained to a standard root certificate. When a user requests an applet that performs potentially high-risk tasks, such as accessing network servers, the user's browser displays a security warning that the root is not a trusted root. To forestall this warning, you can import a code-signing certificate that the system uses to re-sign applets that it intermediates.

When configuring Java code signing resource policies, enter the servers from which you trust applets. You can enter a server IP address or domain name. The system only re-signs applets served by a trusted server. If a user requests an applet from a server that is not on the list, the system does not use the imported production certificates to sign the applet, which means the browser prompts the user with a security warning. For Sun JVM users, the system additionally checks that the root CA of the original applet certificate is on its list of trusted root certificate authorities.

To write a Java code signing resource policy:

1. In the admin console, choose Users > Resource Policies > Web.

2. If your administrator view is not already configured to show Java policies, make the following modifications:

  1. Click the Customize button in the upper right corner of the page.
  2. Select the Java check box.
  3. Select the Code-Signing check box below the Java check box.
  4. Click OK.

3. Select the Java > Code-Signing tab.

4. On the Java Signing Policies page, click New Policy.

5. Enter a name to label this policy (required) and a description of the policy (optional).

6. In the Resources section, specify the resources to which this policy applies.

7. In the Roles section, specify:

Policy applies to ALL roles - To apply this policy to all users.

Policy applies to SELECTED roles - To apply this policy only to users who are mapped to roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

Policy applies to all roles OTHER THAN those selected below - To apply this policy to all users except for those who map to the roles in the Selected roles list. Make sure to add roles to this list from the Available roles list.

8. In the Action section, specify:

Resign applets using Code-Signing Certificate - The uploaded code-signing certificate will be used to sign the Java applets intermediated by the system.

Resign applets using default certificate - The system re-signs the applet with its own self-signed code signing certificate that is not chained to a standard root certificate.

Use Detailed Rules - To specify one or more detailed rules for this policy.

9. Click Save Changes.

10. On the Java Signing Policies page, order the policies according to how you want to evaluate them. Keep in mind that once the system matches the resource requested by the user to a resource in a policy's (or a detailed rule's) Resource list, it performs the specified action and stops processing policies.
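
The first-match ordering in step 10 means a broad policy listed first can keep a more specific one from ever taking effect. The following is an added example, not part of the product or its documentation: a simplified Python model of that evaluation order with a check for such shadowed policies. It assumes resource patterns are shell-style globs over "host/path" (not the product's resource syntax), omits detailed rules, and uses hypothetical policy names, roles and hosts.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

IMPORTED = "Resign applets using Code-Signing Certificate"
DEFAULT = "Resign applets using default certificate"

@dataclass
class Policy:
    name: str
    resources: list            # assumption: shell-style globs over "host/path"
    action: str
    role_mode: str = "ALL"     # "ALL", "SELECTED" or "OTHER_THAN"
    roles: frozenset = frozenset()

    def applies_to(self, user_roles):
        if self.role_mode == "ALL":
            return True
        mapped = bool(self.roles & set(user_roles))
        return mapped if self.role_mode == "SELECTED" else not mapped

    def matches(self, resource):
        return any(fnmatch(resource, pat) for pat in self.resources)

def evaluate(policies, resource, user_roles):
    """First policy whose roles and resources match decides; the rest are skipped."""
    for p in policies:
        if p.applies_to(user_roles) and p.matches(resource):
            return p.name, p.action
    return None  # no policy matched; that outcome is not modelled here

def shadowed(policies, samples):
    """Policies that match at least one sample request but never decide one."""
    could, won = set(), set()
    for resource, roles in samples:
        could |= {p.name for p in policies
                  if p.applies_to(roles) and p.matches(resource)}
        hit = evaluate(policies, resource, roles)
        if hit:
            won.add(hit[0])
    return sorted(could - won)

# Constructed sample policies and requests (hypothetical names and hosts).
BROAD = Policy("all-internal", ["*.example.test/*"], DEFAULT)
STRICT = Policy("eng-applets", ["applets.example.test/*"], IMPORTED,
                "SELECTED", frozenset({"Engineering"}))
SAMPLES = [("applets.example.test/tool.jar", ["Engineering"]),
           ("wiki.example.test/view.jar", ["Sales"])]

if __name__ == "__main__":
    print(shadowed([BROAD, STRICT], SAMPLES))   # broad policy listed first
    print(shadowed([STRICT, BROAD], SAMPLES))   # specific policy listed first
```

With the broad policy first, the engineering applet is re-signed with the default certificate and the specific policy never fires; reversing the order lets both policies decide the requests they were written for.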