I'm at my wits' end with Java. I request assistance from anyone who has done this successfully, especially with smart cards/PKCS11. My issue is that no matter how I sign the deploymentruleset.jar, my test websites I go to keep getting the pop-up warning with "The certificate is not valid and cannot be used to verify the identity of the website" along with "This application will be blocked in a future Java security update because the JAR file manifest does not contain the permissions attribute". I have changed my ruleset.xml a billion times, even attempting to whitelist everything as a last resort to at least check if it's reading the file, but to no avail. It all seems to stem from how the JAR file is signed.
The Java documentation I'm seeing is basically stating like, "oh, just go buy a certificate". For many of us, this is not an option, and we are forced to rely upon our internal CAs. Furthermore, you need a code-signing certificate to do this, so I was provided a token-based certificate to do this, which forced me to rely upon -storetype NONE and all that jazz. So I was provided a token-based certificate to do the task. After a long and brutal journey, I was finally able to sign it without getting "The signer's certificate chain is not validated". Now, it appears validated. This was a week in process. This involved downloading and adding certs to the cacerts keystore. This was after another brutal journey trying to figure out how to read my smart card with ActivClient, then another brutal journey trying to read a secondary card reader (slot=1 needs to be added to the cfg file). Yes, I did modify the security attributes (and others) a million different ways and test. Same result.
So now, no matter what I do, sites that I test on do not feel the jar file has a certificate chain. Yes, I've added the item to the whitelist, and after I proceed after the warning, I'm then told I can't proceed with "Application Blocked by Deployment Rule Set" because "Can not verify the self-signed Deployment Rule Set JAR". Several variations of the test site (including wildcards) are in the ruleset.xml. The ruleset.xml displays properly when in the Java console from control panel.
Why has this become ridiculously hard for anyone to deploy this? I get security, but if you can't document properly different methods to do this, with gotchas and FAQs, then it's rather useless. Before you point me to an Oracle document, rest assured, I've read all of them.
Has anyone out there successfully done this with a token-based code-signing cert from an internal CA? Is it a requirement to buy an external file-based cert to do this?
Thanks,
Nate
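An added example, not from the original post or from Oracle's documentation, of the flow the post describes end to end: a SunPKCS11 config selecting the second reader with slot = 1, a minimal ruleset.xml, and the JDK 8 keytool/jarsigner invocations against the token keystore (-keystore NONE -storetype PKCS11). The PKCS#11 library path, site URL, key alias and TSA URL are placeholders.

```shell
#!/bin/sh
# Added example (not the post's own commands): build and sign DeploymentRuleSet.jar
# with a smart-card key through SunPKCS11 on JDK 8. Library path, site, alias and
# TSA URL below are placeholders to be replaced for your environment.
set -e

# SunPKCS11 provider config. "slot = 1" picks the second card reader, as the post
# notes; "slotListIndex = 1" is the alternative when slot ids are not consecutive.
write_pkcs11_cfg() {   # $1 = output path
    cat > "$1" <<'EOF'
name = ActivClientToken
library = /path/to/pkcs11-library.so
slot = 1
EOF
}

# Minimal ruleset.xml: allow one intranet location to run, default policy for the rest.
# It must sit at the root of the JAR.
write_ruleset() {      # $1 = output path, $2 = location (e.g. https://intranet.example.com)
    cat > "$1" <<EOF
<ruleset version="1.0+">
  <rule>
    <id location="$2" />
    <action permission="run" />
  </rule>
  <rule>
    <id />
    <action permission="default" />
  </rule>
</ruleset>
EOF
}

# Token keystore arguments shared by keytool and jarsigner (the PIN is entered at
# the "keystore password" prompt; nothing is stored in a file).
KS_ARGS="-keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11.cfg"

# List the aliases on the token to find the code-signing key to pass to jarsigner.
list_token_aliases() { keytool -list $KS_ARGS; }

# Package ruleset.xml, then sign with the token key; the timestamp keeps the
# signature valid after the certificate expires.
build_and_sign() {     # $1 = key alias on the token, $2 = TSA URL
    jar cf DeploymentRuleSet.jar ruleset.xml
    jarsigner $KS_ARGS -tsa "$2" DeploymentRuleSet.jar "$1"
}

# Verify as the client will: the chain must validate against the cacerts of the
# JRE that runs the applet, not just the JDK used for signing.
verify_signed_jar() {  # $1 = signed jar
    jarsigner -verify -verbose -certs "$1"
}
```

Run write_pkcs11_cfg and write_ruleset first, then list_token_aliases, build_and_sign and verify_signed_jar in the same directory; the "permissions attribute" warning refers to the applet's own JAR manifest, not to DeploymentRuleSet.jar.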