Release 10.1A: OpenEdge Deployment:
WebClient Applications
How WebClient uses digital signatures
Now, apply your knowledge of digital signatures to WebClient. If you want to digitally sign each cabinet file to be downloaded and want the end user to verify the digital signature of each cabinet file downloaded, who needs which key?
To digitally sign a cabinet file to be downloaded, you need:
To verify the digital signature of a downloaded cabinet file, the end user needs your public key in the form of a public-key certificate.
So, to use digital signatures, you need a private key, a public key, and a public-key certificate, while your end user needs your public-key certificate. This section covers:
Getting a private key, public key, and public-key certificate
The following section describes the process for obtaining private and public keys.
To get a private key, public key, and public-key certificate:
- Select a PKI vendor (CA) whose software is compatible with Microsoft Authenticode Technology and request a “software publishing digital certificate.”
To get names of CAs, ask your PSC Product Marketing representative.
- Install the software that generates and securely stores public keys and private keys on your system.
You can typically get the software from Microsoft or download it from the CA’s Web site. You might have to provide a name for the certificate storage location.
- Fill out the CA’s request for information about you, your company, and how you are going to pay.
- Submit the requested information and the stored public key to the CA.
Step 2 through Step 4 typically are handled through a Web site.
- Wait for the CA to verify your identity.
Note: The CA might use phone calls or personal visits to verify the information you supply.
- If the CA can prove your individual and corporate identity, they will contact you and tell you how to obtain your digital certificate. Typically, this involves the same software and the same Web site as Step 2 through Step 4.
The digital certificates are stored on your system in the same named certificate location as the one used for the initial public/private key generation.
You can repeat Step 2 through Step 6. And you can have digital certificates issued by multiple CAs for a single public/private key pair.
Defining an application as signed
Now that you have a private key, public key, and public-key certificate, you can define an application as signed. To do so, go to the Web Client Application Assembler’s Generate window and click the Security button to display the Security window shown in Figure 5–1. In the Digital Signature group box, check From Registry (if the digital signature information resides in the registry) or From File (if the digital signature information resides in a file).
Figure 5–1: Defining an application as signed
What WebClient does differently for an application defined as signed
If you define an application as signed, when you generate the application, the Application Assembler:
By contrast, if you define an application as unsigned, when you generate the application, the Application Assembler:
How your public-key certificate gets to the end user
When an application is defined as signed and the end user downloads a signed configuration or component cabinet file (each of which contains your public-key certificate), WebClient on the end user’s machine:
- Extracts the digital signature and your public-key certificate from the cabinet file.
- Verifies the digital signature of the cabinet file, using your public-key certificate.
- Also verifies your public-key certificate through its issuer’s root public-key certificate. The issuer’s root public-key certificate can be obtained from the cabinet file itself or from the certificate store used by Microsoft Internet Explorer.
- Displays the information on the certificate and asks whether the end user trusts it.
Note: If the end user says no, the process aborts.
- Optionally stores your public-key certificate in the digital certificate store of Internet Explorer.
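The signature and chain checks listed above can be reproduced on a generated cabinet file before you publish it, using the Authenticode support built into Windows PowerShell. This is an added example, not Progress code and not how WebClient itself is implemented; the function name and the file path are placeholders.

```powershell
# Added example: independent pre-publication check of a signed cabinet file.
# Test-CabinetSignature and the path at the bottom are hypothetical names.
function Test-CabinetSignature {
    param([Parameter(Mandatory)][string]$Path)

    # Extract the embedded signature and verify it against the file contents.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        File      = $Path
        Status    = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Message   = $sig.StatusMessage
        Signer    = $null
        Issuer    = $null
        NotAfter  = $null
        ChainOk   = $false
        ChainRoot = $null
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer   = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter

        # Verify the signer certificate through its issuer's root certificate,
        # using the Windows certificate store. Revocation lookups are skipped
        # so the check runs offline. An expired certificate fails here even if
        # the Authenticode status is Valid because of a trusted timestamp.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $result.ChainOk = $chain.Build($cert)

        $elements = $chain.ChainElements
        if ($elements.Count -gt 0) {
            $result.ChainRoot = $elements[$elements.Count - 1].Certificate.Subject
        }
        if (-not $result.ChainOk) {
            $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $result.Message = "$($result.Message) Chain: $reasons"
        }
    }
    [pscustomobject]$result
}

# Placeholder path: point this at a cabinet file produced by the Application Assembler.
$check = Test-CabinetSignature -Path 'C:\path\to\application.cab'
$check | Format-List
if ($check.Status -ne 'Valid') { Write-Warning "Do not publish: $($check.Message)" }
```

A cabinet file signed with a test certificate typically reports a status other than `Valid`, because the test root is not in the trusted store.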
Changing the definition of an application from signed to unsigned and from unsigned to signed
An application can change from being signed to unsigned and from unsigned to signed. That is, if the previous version of an application is defined as signed, you can define the current version as unsigned. And if the previous version of an application is defined as unsigned, you can define the current version as signed.
Note: Progress Software Corporation does not recommend changing the status of an application from signed to unsigned.
If the end user downloads an application configuration file that is unsigned (indicating that the current version of the application is defined as unsigned) and the previous version of the application is defined as signed, WebClient asks the end user to confirm that it is OK for the application to be changing from signed to unsigned.
Note: Progress Software Corporation recommends that you instruct your end users to accept the change from a signed to an unsigned application only if they have been informed of this change by a trusted source. Otherwise, they should reject the change and contact you.
Creating test public-key certificates
WebClient includes a batch file, MakeTestCert.bat, that makes it easier for you to create mock public-key certificates for testing. For more information, see the comments in the file, which resides at OpenEdge-Install-Directory\bin.
Copyright © 2005 Progress Software Corporation www.progress.com Voice: (781) 280-4000 Fax: (781) 280-4095