With the current versions of Java, Web Start (JNLP) has become a more difficult proposition. Signing is required for anything non-trivial, and self-signed certificates are unwieldy due to the new trust requirements. It’s rather unfortunate, since so much use of Java is internal enterprise applications that truly don’t *need* to be signed for security purposes, yet they’re caught up in the consumer security net. A further difficulty is that NetBeans’ Web Start support is stuck in the past, from before the new requirements were in place (7.x for sure; 8.0 has come out since I started writing this and is a little better, but still does not appear to be complete).

Before we do any of the certificate work, go ahead and do a clean/build of the project with JNLP and self-signed selected.  This is purely so we can get an auto-generated JNLP file as a template.  Put that into your deployment location and tweak as necessary (server info almost always needs to be adjusted manually).  Once that’s done, turn off the option to build for JNLP.  We’ll be doing the signing another way from here on out.  Do a clean/build again to get a non-signed version.  Now we can move on to the certificate portion.

The first step, getting the certificate, is commonly described on the web, so I won’t duplicate that effort here. The problem is that you’re likely to get a “.p12” file delivered to you, which NetBeans 7.x fails to read properly. So, we need a special command for that. Using jarsigner with the right storetype and keystore parameters in place, we can deploy and run our app trusted! Sort of… Once you’re past the initial thrill of the app starting and happen to watch a Java console at startup, you’ll find out that NetBeans also doesn’t generate a proper manifest (8.0 also failed at this for me, hence *still* needing special handling despite now having p12 certificate support). So, now we need to create our own manifest addendum and tack that onto our jar file *before* signing. Once that’s done, you’re going to be all happy until you get the next console startup error about TSA… So, we need to throw a “-tsa” option into our script… Luckily I found a blog entry a while back (unfortunately I lost the link or I’d give credit here) that pointed out that geotrust.com is kind enough to have an open public TSA server. The end result is the following two files, to be run manually from a command prompt in our project directory after a full build is done. This is sample code: you’ll need to do some light editing to both for your specific situation, especially if you’re on a Mac or *nix machine or use non-embedded libraries.

  • Sign.bat

"c:\Program Files\Java\jdk1.7.0_51\bin\jar.exe" ufm ..\dist\application.jar manifest.txt
"c:\Program Files\Java\jdk1.7.0_51\bin\jarsigner.exe" -storetype pkcs12 -keystore cert.p12 -tsa https://timestamp.geotrust.com/tsa ..\dist\application.jar "certificate name here"

  • Manifest.txt

Permissions: all-permissions
Codebase: http://destination.example.com
Application-Name: application

That’s it, you may now deploy your application and revel in an error AND warning free startup! If you’re the adventurous type that likes modifying the NetBeans build scripts, this can be dumped into there as well. Personally, I prefer not to mess with those and just run this script afterwards, since I have occasionally needed to blow away and recreate the build scripts. You may also choose to permanently convert the certificate to another type. I’ve not bothered with that because I still need to script the manifest entries anyway.
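A quick pre-deployment check, added here as an example and not part of the original post: it confirms that the JAR's manifest carries the three attributes from Manifest.txt and that signature entries are present. The function names and the in-memory sample JAR are constructed for illustration; the script only checks presence and does not validate the signature, which `jarsigner -verify` does.

```python
import io
import zipfile

# Attributes that Manifest.txt above adds before signing.
REQUIRED = ("Permissions", "Codebase", "Application-Name")

def main_attributes(manifest_text):
    """Parse the manifest's main section, joining wrapped continuation lines."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line:                          # a blank line ends the main section
            break
        if line.startswith(" ") and last:     # continuation of a wrapped line
            attrs[last] += line[1:]
        elif ": " in line:
            name, _, value = line.partition(": ")
            last = name.lower()               # attribute names are case-insensitive
            attrs[last] = value
    return attrs

def check_jar(jar, expected_codebase):
    """Return a list of problems for a JAR given as a path or file object."""
    with zipfile.ZipFile(jar) as zf:
        names = [n.upper() for n in zf.namelist()]
        try:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:
            return ["no META-INF/MANIFEST.MF"]
    attrs = main_attributes(text)
    problems = ["manifest lacks " + n for n in REQUIRED if n.lower() not in attrs]
    codebase = attrs.get("codebase")
    if codebase is not None and codebase != expected_codebase:
        problems.append("Codebase is %r, expected %r" % (codebase, expected_codebase))
    meta = [n for n in names if n.startswith("META-INF/")]
    if not any(n.endswith(".SF") for n in meta):
        problems.append("no signature file (.SF): JAR is unsigned")
    if not any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta):
        problems.append("no signature block (.RSA/.DSA/.EC)")
    return problems

def build_sample_jar(manifest, signed):
    """Constructed test input: an in-memory JAR with placeholder signature entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for ext in (".SF", ".RSA") if signed else ():
            zf.writestr("META-INF/SIGNER" + ext, "placeholder")
    buf.seek(0)
    return buf
```

Against a real build, call `check_jar` with the path to the signed JAR and the Codebase URL you put in Manifest.txt; an empty list means nothing was flagged.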

Happy coding!
