Monday, September 04, 2006

Java WebStart over HTTPS

Here's a small thing you need to know to get Java WebStart (JWS) to work over HTTPS connections.

If you launch a browser and start a JWS application over an HTTPS connection, you are shown the standard security dialog, but even if you choose to trust the source, JWS still fails to launch the application.

Apparently this is because JWS is not very good at handling certificates. The workaround is to add the certificate manually to the JWS keystore. Here's how to go about it.

Step 1: To start with, you need to get hold of the certificate you want to put into your JWS keystore. If you are using a self-signed certificate, you can export it from your keystore as a .arm file or similar.

Step 2: Locate the JRE your browser is using. If you are using Windows, you can do that using one of the following:


Start > Settings > Control Panel > Java Plug-in
Start > Program Files > Java Web Start


Usually, it's under C:\Program Files\Java\j2re1.4xx

If you are in a *nix environment, I am not sure how to figure this out; try 'which java' or 'whereis java' in a console, or check your browser settings.

Step 3: Import the certificate into the correct keystore.

Once you have located the JRE home that your browser is pointing to, there should be a folder called 'javaws', and under that there is a keystore called 'cacerts'. This is the most misleading part: ignore that keystore, because adding the certificate there does not work.

Instead, under JRE home, look for 'lib\security' and the 'cacerts' keystore there. If you import the certificate here, that should do the trick. You can use the following command to import a certificate into the keystore.

keytool -import -alias <enter an alias> -file <full path to the certificate file here> -keystore cacerts -trustcacerts

Keytool will prompt for keystore password. Default is 'changeit'.

JWS should be able to see it from now on.
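
For a *nix machine, steps 2 and 3 can be scripted as below. This is an added example, not part of the original post: the function names and the script name are made up for illustration, and it assumes `readlink -f` is available and that the `java` on your PATH is the one the browser uses. It also goes a little beyond the steps above by backing up the keystore first and listing the alias afterwards.

```shell
#!/bin/sh
# Added example. Function names are illustrative, not part of any Java tooling.

# JRE home for a given java launcher: resolve symlinks, then strip "/bin/java".
jre_home_of() {
    real=$(readlink -f "$1") || return 1
    dirname "$(dirname "$real")"
}

# Print the trust store to edit: lib/security/cacerts (or jre/lib/security/cacerts
# when the launcher belongs to a JDK). javaws/cacerts is never returned.
find_truststore() {
    for ks in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
        if [ -f "$ks" ]; then
            printf '%s\n' "$ks"
            return 0
        fi
    done
    echo "no lib/security/cacerts under $1" >&2
    return 1
}

# Back up the store, import the certificate, then confirm the alias is present.
# keytool prompts for the store password; for a certificate that does not chain
# to an already trusted CA it prints the fingerprints and asks before trusting,
# so compare them with the server's certificate at that point.
import_cert() {
    ks=$1; cert_alias=$2; cert_file=$3
    cp -p "$ks" "$ks.bak" || return 1
    keytool -import -trustcacerts -alias "$cert_alias" \
        -file "$cert_file" -keystore "$ks" || return 1
    keytool -list -alias "$cert_alias" -keystore "$ks"
}

# Usage: sh import-jws-cert.sh <alias> <certificate file>
if [ "$#" -eq 2 ]; then
    home=$(jre_home_of "$(command -v java)") &&
        ks=$(find_truststore "$home") &&
        import_cert "$ks" "$1" "$2"
fi
```

Anything imported into lib/security/cacerts is trusted by every Java program that uses this JRE, so remove the alias again (or restore cacerts.bak) once the self-signed certificate is no longer needed.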

Some useful links:

Java Sketchbook: Digging into Java Web Start [java.net]
Java Web Start and Code Signing [dallaway.com]
