Setting things up for the MICE applet

Background

When running as an applet rather than an application, MICE is subject to the security restrictions of the Java Virtual Machine. Normally an applet is only allowed to run in the "sandbox", a restricted environment which is isolated from the local computer, so that it cannot access local files and cannot connect to the network directly.

MICE requires access to the local file system and needs to be able to make arbitrary socket connections to other, third-party machines. An applet like this must be signed before it will be allowed to carry out these potentially insecure actions.

The process of creating a signed applet involves three steps:

  1. A certificate authority (CA) issues a certificate to a developer. By issuing the certificate, the CA is asserting that the developer is who they claim to be. The certificate does not guarantee that the developer is trustworthy or not malicious, only that their identity is known to the CA.
  2. The developer electronically signs the applet using his personal certificate, and distributes the applet via the network.
  3. The user downloads the signed applet, at which point the browser presents a security dialog, asking the user whether they trust the developer, whose identity is guaranteed by the CA. If the user agrees to trust the developer, the applet is granted the requested security permissions and is allowed to "play outside of the sandbox".
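The check behind step 3 can also be done by hand before trusting a download. The following is an added example, not part of MICE or of the original page: it lists the subject and issuer of every certificate that signed a JAR and flags entries that carry no signature. The class name JarSignerReport and the JAR path argument are hypothetical.

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
// Added example (not MICE code): report who signed each entry of an applet JAR.
public class JarSignerReport {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerReport <applet.jar>");
            System.exit(2);
        }
        Set<String> signers = new LinkedHashSet<>();
        int unsigned = 0;
        byte[] buf = new byte[8192];
        // verify=true: each entry's digest is checked against the signature files.
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // This sketch skips directories and META-INF/ (manifest, signature files).
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Certificates are only available once the entry is fully read;
                // a modified entry raises SecurityException during the read.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                Certificate[] chain = e.getCertificates();
                if (chain == null) {
                    unsigned++;
                    System.out.println("UNSIGNED  " + e.getName());
                    continue;
                }
                for (Certificate c : chain) {
                    if (c instanceof X509Certificate) {
                        X509Certificate x = (X509Certificate) c;
                        signers.add("subject=" + x.getSubjectX500Principal().getName()
                                + " | issuer=" + x.getIssuerX500Principal().getName());
                    }
                }
            }
        }
        signers.forEach(s -> System.out.println("SIGNER    " + s));
        System.out.println(unsigned == 0 ? "all entries signed" : unsigned + " unsigned entries");
        System.exit(unsigned == 0 && !signers.isEmpty() ? 0 : 1);
    }
}
```

This confirms that the entries are intact and shows which certificates signed them, but it does not decide whether the issuing CA is trusted. That decision comes from the CA list configured in the browser or plugin.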

The most popular and commonly used web browsers are pre-configured to recognise and accept a number of commercial CAs. Other commercial entities can purchase certificates from these recognised CAs, and then use them to sign their applets. When these applets are downloaded to the common web browsers, the certificate is verified against the known CAs and the user is prompted to accept the certificate.

The MICE applet is a signed applet, but it is signed with a certificate that was not issued by one of the commercial CAs. Instead, SDSC has established itself as a CA, and has put in place the mechanisms for issuing certificates for its own employees. These certificates are just as valid and secure as those obtained from commercial CAs, but since the common web browsers are not aware of SDSC as a CA, they will not accept these certificates immediately.

Importing keys from the SDSC CA

Note: these instructions are specific to Microsoft Windows. Other platforms have slightly different security models and MICE is not yet supported as an applet on these platforms.

In order to get the web browsers to accept certificates from SDSC as valid and secure, the user must import a key from the SDSC CA. Once the key is installed, when the user downloads an applet which has been signed with a certificate that is backed by SDSC, they will be presented with the usual security dialogs that ask them whether or not they wish to allow the applet to run outside of the sandbox.

To download the SDSC Certificate Authority key:

  1. Point your web browser at the SDSC Certificate management site.
    (This is a secure web page, so you may need to tell your browser to accept the certificate for this page...)
  2. Make sure the first item in the set of radio buttons is checked, Import the CA certificate chain into your browser, and hit the Submit button at the bottom of the page.
  3. The browser will pop up a dialog asking if you want to open the file or save it; choose Save this file to disk and make a note of where you actually save the resulting key file.

Next, that key must be added to the browsers to allow them to recognise certificates that have been issued by the SDSC Certificate Authority. Because of the way the security features of the Java Plugin are implemented under Windows, the SDSC CA key must be imported into the Windows environment using Internet Explorer, even if you intend to run MICE under Netscape. Follow the instructions for importing the key using Internet Explorer, and then repeat the process with Netscape.

Internet Explorer

  1. From the Internet Explorer menu bar open the Tools menu and choose Internet Options.
  2. In the resulting dialog, choose the Content tab and hit the Certificates button in the middle of the page.
  3. Find the tab labelled Trusted Root Certification Authorities. This will present you with a long list of the currently available certification authorities, and the next steps will add SDSC to that list.
  4. Hit the Import button and follow the steps on screen. Hit next and you will be asked for the key file that you want to import: hit the browse button and locate the file that you just downloaded. In the file browser dialog you will need to change the filter at the bottom so that it shows all types of files, rather than just a specific type of key file. Hit Next.
  5. The dialog now asks you to select the certificate store for this certificate authority key. You can safely choose the Automatically select the store option and hit Next.
  6. The SDSC CA is now installed. Hit Finish to complete the process. You will be presented with one more dialog, asking if you want to add the certificate to the Root Store. Hit Yes. You can now close the remaining options dialog and return to Internet Explorer.

Netscape

To be done... Right now it's impossible to remove the SDSC certification authority without crashing the browser, so I can't figure out the steps that are required to install it in the first place. I hope Netscape 6 is an improvement over 4.7...

Running the MICE applet

Once the SDSC CA key has been imported into the Windows environment via Internet Explorer, the plugin will correctly recognise and accept certificates issued by SDSC. To run MICE, visit Apostol Gramada's webpage.

When you visit the page with the MICE applet embedded in it, you should first see a dialog asking if you want to grant permissions for Java3d. The dialog allows you to grant permissions for this session only or from now on. The "grant always" option does not appear to work, so it is important to choose "grant for this session". Once you have granted permission for Java3d, the browser will download the Java3d jar file from SDSC, unpack it, and start the installation procedure.

Note: The Java3d installer will offer to install the runtime files in the default location for version 1.2 of the Java Runtime Environment. In order to use Java3d with version 1.3 of the Java Plugin (which is itself required for the security features that allow MICE to run as an applet), you must specify a slightly different location for the runtime files. When the installer presents the location for the files, be sure to change "1.2" to "1.3", or the plugin will not find the Java3d files.

With Java3d successfully installed, you should next see another Java security dialog box, asking if you want to grant permissions to the MICE applet for this session only, or to grant permissions permanently. Both options work correctly, so it is up to the user which of the two they wish to use. Granting permissions for the applet permanently will avoid having to download the MICE jar files every time the applet is run. Once you grant permission, the applet should start and you should see the MICE splash screen appear, followed closely by the application window.

If it doesn't work...


John Tate
Last modified: Tue Nov 14 16:46:33 PST 2000