Java IoT Authors: Elizabeth White, Liz McMillan, Yeshim Deniz, Pat Romanski, Roger Strukhoff

Related Topics: Java IoT

Java IoT: Article

Installing Java with the Browser

Installing Java with the Browser

The use of Java in Web browsers has had mixed results. Applications that run in browsers rather than locally find a host of different hurdles. They're more restricted, run slower at times and take a long time to load, thus making complex applications more difficult. Advances in security and virtual machine technology have addressed the first two items. The third item remains somewhat challenging. Faster modems, increased bandwidth and compressed file formats alleviate the problem somewhat but their impact varies. When fourth-generation browsers appeared, they included some new technology with features that allowed developers to have their applets and supporting classes installed permanently.

This article is focused on distributing Java classes that are permanently installed on a user's machine (see Figure 1). The next time a user visits the page, the classes are loaded locally instead of from the network. I'll start with a short explanation of some concepts and tools used in this process, and apply this knowledge to a working example for Internet Explorer and Netscape Communicator. We'll then look at some problems that can occur and some links to additional information.

The examples in this article use a test certificate, not a production certificate from a Certificate Authority. For purposes of this article, I thought a test certificate - also referred to as a self-signed certificate - was best since not everyone has a certificate. It also teaches you how to generate a certificate for testing. Regardless, the procedures described here apply exactly the same when you're using a real certificate. When you have a real one, you can just skip the parts about generating a test certificate.

The software used in this article was:

  • IE4.0 40bit
  • NS Communicator 4.51 with SmartUpdate
  • MS Personal Web Server (create a virtual directory called "sample" to run samples)
  • MS Windows NT 4.0 SP4
In a typical scenario visitors to a Web page download any elements into their browser cache. This could include the page itself, and some images as well as applets. Depending on browser settings, the next time users visit the page all of these elements may be reloaded from the Web site. This is certainly feasible for elements such as HTML and images, but can be time-consuming and frustrating for users of your applets. Internet Explorer and Netscape have different approaches to the actual implementation of downloading and installing, but they also share some common ideas.

Digital Certificate and Signatures
The use of digital signatures and certificates to verify the authenticity of software is nothing new. Software downloaded over the Internet provides the user no assurance about the authenticity of the author, where the software came from or when it was created. A common metaphor for a digital certificate used in code signing is "shrink-wrap." Software bought off the shelf at your local retailer is packaged with labels and markings indicating the company of origin. Software downloaded over the Internet has no such visible labels or markings.

That's where digital certificates and signatures come in. The combination of digital certificates and signatures provides the labeling or shrink-wrapping that supplies information such as author name, time created and expiration date; they also ensure that the software wasn't tampered with since it was signed. A third party - a Certificate Authority (CA) - normally issues certificates. Basically, the Certificate Authority vouches for the identity of the individual using the certificate to sign his or her software. Popular CA's are Verisign and Thawte. You may also be able to obtain a certificate from your own company, if they're set up to issue certificates.

Netscape and Internet Explorer certificates are based on the standard x509, but deviate after that to produce certificates that are incompatible with each other. Internet Explorer has its Authenticode certificates; Netscape, its Object-Signing certificates.

The use of packaging mechanisms to bundle your code and supporting files is common in both browsers. Internet Explorer uses the CAB format and Netscape uses the JAR format. This provides for quicker download times and is a requirement if you want to use managed installation mechanisms provided by Internet Explorer and Netscape Communicator. The former recognizes the JAR format but is unable to recognize a digital signature within. The latter doesn't recognize the CAB format.

There are utilities for both browsers that allow developers to generate self-signed digital certificates as well as packages, and sign their code. The first five utilities described here are for Internet Explorer only. The last one is for Netscape Communicator only. See the Links section for tool locations. If you have the Microsoft SDK for Java, you may already have the Microsoft utilities.

  • MAKECERT: Generates a test x509 certificate
  • CERT2SPC: Generates a test Software Publishing Certificate from an x509 certificate
  • SIGNCODE: Signs code using a Software Publishing Certificate for IE
  • CABARC: Builds a cabinet file of specified files
  • DUBUILD: Builds a cabinet and OSD and is an all-in-one tool. If you're uncomfortable with XML or don't wish to build your OSDs, this tool is for you. If you're up to it, you can also code the OSD by hand
  • SIGNTOOL: Packages and signs code using an object-signing certificate for Netscape; also used for generating test object-signing certificates
Scripted Install Procedure
The Microsoft virtual machine and its Java Package Manager use an XML-based description language, Open Software Description (OSD), that directs the Java Package Manager on how to handle different aspects of the download (see Listing 1). An OSD is also used to describe any dependencies between various components of the download. Netscape, on the other hand, uses a combination of JavaScript and Java in the package "netscape.softupdate.*" to allow developers to write scripts that control the flow of the installation (see Listing 2). Each of these procedures allows developers to control their installation by querying properties such as:
  • OS version
  • Browser version
  • Software version
  • Ensure proper space exists before install
  • Dependencies between different Java packages and versions
Depending on which procedure you're using, some of these properties may not be available.

Managed Installation
Both browsers have an installation manager available to perform the actual install. Internet Explorer uses the Java Package Manager. Netscape uses the JAR Installation Manager and a feature called SmartUpdate. These installation managers allow the developer to install and update software automatically.

Java Package Manager
The Java Package Manager was introduced in Internet Explorer 4.x and provides the following features:

  • Version Control: Enables you to update older versions of your software and ensure that software isn't downgraded. Note: You can't downgrade your software with the Java Package Manager.
  • Namespaces: Prevents collisions between same-named packages. Before namespace, packages were installed into the CLASSPATH and provided no protection for libraries that may have had identical package names. By providing a namespace for each installed package, you avoid this collision. There's also a global namespace. Packages installed into the global namespace are accessible to all Java Packages. This would be ideal for a generic library that other installed applications could use.
  • Improved Security: Fine-grained security is now possible. The Java Package Manager requires that packages be signed with the Java Permissions to step out of the sandbox. With these permissions you can control access to the UI, the file system and other system resources such as sockets and threads. You can use the default permissions provided by the different levels (high, medium and low) or you can specify a custom permissions file.
You can view already installed packages by opening the "Downloaded Program Files" folder in your Windows Explorer. You can also see this same list using Internet Explorer. Open View...>Internet Options...>Settings...>View Objects. Unlike Netscape, once a package is installed, you can begin using it immediately.

JAR Installation Manager/SmartUpdate
The JAR Installation Manager and SmartUpdate were introduced in Netscape 4.x and provide features similar to those in the Java Package Manager. Some features of SmartUpdate may not be available, depending on the version of Communicator used.

  • Version Control: As with the Java Package Manager, you can update older versions of your software and ensure that it isn't downgraded. However, SmartUpdate also gives you a couple of advantages over the features provided by the Java Package Manager: (1) you can downgrade previously installed packages, and (2) you can force an install despite the version. SmartUpdate maintains this in the Client Version Registry. Unlike the Java Package Manager, when you install a package with SmartUpdate, you must restart Communicator before you can use it. Your install script should indicate this with a dialog.
  • Improved Security: Fine-grained security is now possible. The JAR Installation Manager requires packages to be signed in order to be installed and step out of the sandbox. One noticeable difference between IE and NS is that IE's permissions are encoded with the digital signatures, whereas NS requires the use of the "Capabilities" API to request permissions at runtime.
  • Registry of Installed Applications: Netscape provides a Client Version Registry area that records all installed software registered for use with Communicator.
Sample Application
Now that we have some of the basics behind us, let's start applying it. We're going to install a basic clock applet (see Listing 3), then write an HTML page that demonstrates the installed applet. Please note the package statement in the source. The Java Package Manager requires you to place your classes into a package. Once you've compiled the source, we'll start with the process for Internet Explorer, then Netscape Communicator.

Internet Explorer
1. Generate a test x509 certificate.
The options used for this step are:

  • -sk: Key Name
  • -n: Certificate Subject x500 Name (i.e. CN=My Name)
makecert -sk SampleKey -n "CN=TestCertificate" SampleTestCert.cer

2. Turn an x509 certificate into a Software Publishing Certificate.

cert2spc SampleCert.cer SampleTestCert.spc

3. Create your distribution unit.
The options used for this step are:

  • /D: Distribution unit name or "friendly name"
  • /I: Include files matching this pattern
  • /V: Version number for distribution unit
dubuild sample.cab . /D "Sample Application" /I *.class /V 1,0,0,0

By not using the /N option, we're placing our package into the global namespace. To get an idea what the OSD generated by dubuild looks like, open your CAB and view the generated OSD file. It should look like the one in Listing 1.

4. Sign your code.
During this step you'd normally supply an additional parameter, -t, to indicate a URL to a time-stamping CGI on your Certificate Authority's Web site. However, due to firewall considerations, this may be impossible. For test purposes this isn't a problem. You'll see a message indicating the CAB has been signed but not time-stamped.

The options used for this step are:

  • -j: Indicates the source of the Java permissions
  • -jp: A parameter to pass to javasign.dll. In this case, the security level of medium
  • -spc: The software publishing certificate generated in step 2
  • -k: The key generated from step 1
signcode -j javasign.dll -jp medium -spc SampleTestCert.spc -k SampleKey sample.cab

With our code packaged and signed, we're ready to deploy. We'll use the <APPLET> tag with three parameters:

  • useslibrary: Specifies a name for the distribution unit, which should match the one you specified when you ran dubuild
  • useslibrarycodebase: Specifies the codebase for the distribution unit CAB file
  • useslibraryversion: Specifies the version number, which should match the one you specified when you ran dubuild
<APPLET CODE=com.mysample.application.Sample HEIGHT=20 WIDTH=100>
<PARAM NAME=useslibrary VALUE="Sample Application">
<PARAM NAME=useslibrarycodebase VALUE="sample.cab">
<PARAM NAME=useslibraryversion VALUE="1,0,0,0">

These parameters will be ignored in Internet Explorer version 3 and Netscape browsers. Once you've saved the page, open it in your browser. If everything went okay, you should see a Security Warning dialog. Click on "Yes" to trust; you should then see the sample applet start.

Verify Installation
Open the "Downloaded Program Files" folder in Windows Explorer ordo aView...>InternetOptions...>Settings...>View Objects and you should see the same display (see Figure 2). Behind the scenes the Java Package Manager is also updating the registry entries for your distribution unit. Run regedit and open "HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Global Namespace". You should see keys for all packages installed in the global namespace, top-level first. Open the "com" key and you'll see the "mysample" key underneath it.

Netscape Communicator
We'll now examine the process for Netscape Communicator. Note: Please shut down Communicator before running step 1 or you risk corrupting Communicator's security database. You'll also note that the signing and packaging steps are combined. To create and store an object-signing certificate, you'll also need to have a password set. If you don't, step 1 will fail. To set a password, open the Security Window and select "Passwords." As you'll see shortly, to permanently install Java Packages to run locally, you must place your signed JAR of classes inside another JAR containing an install script (see Figure 3). Wherever you specify the path to the certificate directory, you'll need to replace the path of the certificate database to match the path on your system.

1. Create test object-signing certificate.
The options used for this step are:

  • G: The nickname of our object-signing certificate
  • -d: The location of the certificate database
signtool -G"SampleNetscapeObjectCert"

When you run signtool you'll be prompted for a number of parameters, as it states in the message before it runs. These are optional except for the database password. You can bypass them by pressing "Enter." To verify your certificate has been added, type the following command:

signtool -L -d"e:\progra~1\netscape\users\default"

You should see a list of Certificate Authorities, including yours, with asterisks beside them. The asterisk means that this certificate can be used to sign objects. If you decide not to install directly into Communicator, you can import your certificate by placing a link to it on a Web page, then clicking on it. You'll be guided through a series of dialogs to install it. If you're distributing this test object-signing certificate from a Web site, you'll also need to configure a MIME entry for it on the Web server you're using. You can also start Communicator and look at the Security Info Window. Click on "Signers" under "Certificates." You may have to scroll until you see "SampleNetscapeObjectCert".

2. Create install script (see Listing 2).
The install script's purpose is to direct the actual install.

3. Create and sign Software JAR.
The options used for this step are:

  • b: Specifies the base filename for the .rsa and .sf files
  • d: Specifies the location of the certificate directory
  • k: Specifies the nickname of the test object-signing certificate created in step 1
  • Z: Directs signtool to create a JAR with the specified name
signtool -b "Sample Application"
-d"e:\progra~1\netscape\users\default" -k SampleNetscapeObjectCert
-Z sample.jar .

4. Create and sign Install JAR.
Now we'll create the install JAR that will hold our install script and software JAR. You'll be prompted for the certificate database password. You can also use the "-p" option to specify the password. I'd recommend using this option only during testing as the password is visible.

  • b: Specifies the base filename for the .rsa and .sf files
  • i: Specifies the name of the install script
  • d: Specifies the location of the certificate directory
  • k: Specifies the nickname of the test object-signing certificate created in step 1
  • Z: Directs signtool to create a JAR with the specified name
signtool -b sampleinst -i sample.js
-k SampleNetscapeObjectCert -Z sampleinst.jar .

Now that the classes are packaged and signed, we can deploy. We'll be using what's referred to as a trigger script (see Listing 4). Once you've saved the page, open it in your browser. If everything went okay, you should see a Security Warning dialog. Click on "Grant" to trust, then you'll see a dialog indicating Communicator must be restarted before using the new classes.

Verifying Installation
Start Communicator and open Edit...>Preferences...>Advanced...> SmartUpdate. You'll see your package name in the listing of installed software (see Figure 4).

Using the Installed Software
Let's try out the newly installed package. Put the following code into a page and bring it up in your browser (see Figure 5). Notice there is no CAB base or archive parameter specifying the cabinet or JAR where the classes are to be found. That's because the classes are being loaded locally by the browser.

<H1> Our Sample Installed Application </H1>
<APPLET CODE=com.mysample.application.Sample HEIGHT=20 WIDTH=200></APPLET>

Updating Your Software
Eventually most software needs to be updated. New hardware, bugs or new versions can create this need. With the Java Package Manager and Netscape with SmartUpdate, you can update the version a user has installed with the same ease. Simply increment the version numbers appropriately and update your HTML page and/or the install script. The next time users visit the page, they'll be prompted to install a new version if the version you specified is newer than the installed version.

Sometimes things go awry. You may see messages indicating security failures or you may see nothing on the page. There are tools to aid in diagnosing download failures. CODLLGVW is a utility that examines the code download error log created during download. Netscape includes a host of error codes that could arise during SmartUpdate. In Internet Explorer one of the most common is that there may be insufficient disk space to install your component. Another possible area is errors in the OSD. The CDF utility can be used to find possible errors in your OSD, such as missing or misspelled tags. Another problem I've seen is not specifying a package in your OSD that's in your CAB. Also, make sure the name you use in the useslibrary tag matches the friendly name of your distribution unit. And when using IE, make sure the version numbers match on your useslibraryversion tag and the one you specified when you ran DUBUILD.

As you can see, distributing your code for permanent installation isn't difficult. And I'm sure the users of your applet will appreciate the decreased loadtime. Although the process for each browser is somewhat different, it's similar overall.

The following links should provide any further details you may need. Good luck!

  1. Packaging Components for Internet Distribution:
  2. Deploying Java in Internet Explorer and Netscape Communicator:
  3. Downloading Code on the Web:
  4. Object Signing - Establishing Trust for Downloaded Software:
  5. Object Signing Resources:
  6. SmartUpdate Developers Guide:

More Stories By Mike Jasnowski

Mike Jasnowski is a senior software engineer on the BEA WebLogic Server Administration Console team. He has been involved in development for almost 20 years and in many industries. Mike is a contributing author to several books and author of JMX Programming (Wiley)

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

@ThingsExpo Stories
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of bus...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, @CloudEXPO and DXWorldEXPO are two of the most important technology events of the year. Since its launch over eight years ago, @CloudEXPO and DXWorldEXPO have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, we provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading...
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
DXWorldEXPO LLC announced today that "Miami Blockchain Event by FinTechEXPO" has announced that its Call for Papers is now open. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Financial enterprises in New York City, London, Singapore, and other world financial capitals are embracing a new generation of smart, automated FinTech that eliminates many cumbersome, slow, and expe...
DXWorldEXPO LLC announced today that ICOHOLDER named "Media Sponsor" of Miami Blockchain Event by FinTechEXPO. ICOHOLDER give you detailed information and help the community to invest in the trusty projects. Miami Blockchain Event by FinTechEXPO has opened its Call for Papers. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Miami Blockchain Event by FinTechEXPO also offers s...
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
With tough new regulations coming to Europe on data privacy in May 2018, Calligo will explain why in reality the effect is global and transforms how you consider critical data. EU GDPR fundamentally rewrites the rules for cloud, Big Data and IoT. In his session at 21st Cloud Expo, Adam Ryan, Vice President and General Manager EMEA at Calligo, examined the regulations and provided insight on how it affects technology, challenges the established rules and will usher in new levels of diligence arou...
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
As IoT continues to increase momentum, so does the associated risk. Secure Device Lifecycle Management (DLM) is ranked as one of the most important technology areas of IoT. Driving this trend is the realization that secure support for IoT devices provides companies the ability to deliver high-quality, reliable, secure offerings faster, create new revenue streams, and reduce support costs, all while building a competitive advantage in their markets. In this session, we will use customer use cases...
Cloud Expo | DXWorld Expo have announced the conference tracks for Cloud Expo 2018. Cloud Expo will be held June 5-7, 2018, at the Javits Center in New York City, and November 6-8, 2018, at the Santa Clara Convention Center, Santa Clara, CA. Digital Transformation (DX) is a major focus with the introduction of DX Expo within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive ov...