Java Applets

HTTP > Applets and ActiveX > Settings | Java Applets

Important: The settings you specify in this page are global. They will affect the action IWSVA takes on all Java applets, and apply it to all policies. For example, if you configure IWSVA to strip all applet signatures, that will also cause IWSVA to take any policy-based actions specified for unsigned applets in the Java Applet Security Rules page. SHOW ME>>

It is important to understand the relationship between the signature handling on this page and the subsequent actions defined on the rules page.

Signature Validation

• Strip signatures and process all applets as unsigned—IWSVA removes the signature from all Java applets (without any further validation) and processes them accordingly. Regardless of signature, all Java applets are processed according to the rules specified in the Java Applet Security Rules page, as explained previously.

• Validate applet signatures using the following settings—If IWSVA is unable to validate the signature of a signed applet, then it changes the status of the certificate as configured in the paragraphs that follow (to unsigned, or to invalid). IWSVA then takes the action configured on the Java Applet Security Rules page for unsigned or invalid applets.

• Check the expiration of signing certificate. IWSVA checks whether the certificate that is used to validate the file’s signature has expired. If it has, the signature status is set to ”invalid.”

• Check the expiration of all certificates in the chain. IWSVA checks when all the certificates in the chain expire (other than the certificate that is used to validate the file’s signature). If one has, the signature status is set to ”invalid.”

• If unable to determine certificate trusted status, set the status to: Unsigned (Strip signature)/Invalid. If the primary (root) certificate in an otherwise validate signature is not in the IWSVA ”Trusted Certificates” list, select the signature status to use.
   

• Check the revocation status of the certificate—If IWSVA finds that the certificate has been revoked, the signature status is set to "Invalid." If the signature status is unknown (meaning the source is unavailable), IWSVA sets the status you specify: valid, unsigned, or invalid. Applets are then processed according to the rules configured on the Java Applet Security rules page (click HTTP > Applets and ActiveX > Policies and choose a policy from the list).
  
  If a signature or certificate in the signing (certification) chain cannot be checked, then the signature is stripped and the overall signature status is set to "unsigned." If a signature can be processed completely, but is found to be invalid, the signature status is then set to ”invalid.” A signature can be invalid for a number of reasons, including the following:

• The signature does not match the signed data.

• The certificate in the signature’s signing chain cannot be validated by the next certificate in the chain.

• A certificate in the signing chain violates use constraints contained in it or one of the other certificates.

See also:

• Applet Re-signing

• ActiveX Executables

• Applet Instrumentation Settings

• About Digital Signatures