Notes/Domino Fix List
SPR # NBRR6DETXC Fixed in 6.5.5; 7.0.1 FP1; 6.5.5 FP2 release



Product Area: Server
Technical Area: Applet component
Platform: Cross Platform

Lotus Customer Support APAR: LO10583

SPR# NBRR6DETXC - Starting on May 19, 2006, Web users may see a message stating that the certificate has expired when Domino applets are loaded by the JVM or JRE in a Web browser. Applets have been re-signed and are available as support downloads for multiple versions of Domino. The certificate expiration has been extended until 2009.

Technote Number: 1465556

Problem

The certificate for some Java applets in Lotus® Domino 6.x and Domino 7.0.x
expired on 18 May 2006. After that date, Web users will see a dialog with a
message similar to one of the following when loading a Web page that contains a
Java applet from the Domino server:

"The digital signature was generated with a trusted certificate but has expired
or is not yet valid."
"The security certificate has expired or is not yet valid."

This issue can occur even if IBM is set up as a trusted publisher in the
browser.

Background
Java applets are often digitally signed to provide the user a level of
assurance that the applet comes from a known and trusted source, because
executing Java code is a potential security risk. This process is similar to
having a physical document signed by a Notary Public as verification that the
person executing the document is who he or she claims to be. In this case the
Notary Public would be analogous to the Certificate Authority, or CA, who signs
the certificate.

Digital certificates used in the signing process are valid for a specified
period of time, typically for one to three years. This allows an organization
such as IBM to sign files, Java applets in this case, for that time period and
allow the user to trust that the applet had indeed been provided by IBM. If
the Java applet is signed within the certificate's valid signing period, the
signature is valid indefinitely. However, the Java Runtime Engine (JRE) used
to run Java applets within a browser such as Microsoft Internet Explorer,
Mozilla, or Firefox cannot verify whether the applet was actually signed during
that valid period once the current date is beyond it. Therefore, the browser
dialog reports that, although the applet was properly signed with a trusted
certificate, the certificate itself has expired.

It is a common misconception that an applet signed with a certificate that has
expired is no longer safe to download or use. As long as the applet was signed
when the certificate issued by the CA (Certificate Authority) was still valid,
then the applet is valid according to the specification for signing Java
applets. Also, according to the specification, it is the responsibility of the
JVM or JRE to warn the user if an applet has been modified after it was
digitally signed with a certificate issued by a CA.
As long as the JVM or JRE does not return an error stating that the applet has
been modified since it was signed, the applet is still valid and safe to run.
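
The two checks this section distinguishes, as an added example (not IBM's code and not the JRE's implementation): whether the applet files still match the digests recorded in the JAR manifest, and whether the signer certificate's end date has passed. It covers only the manifest-digest step of JAR verification, does not verify the signature over the manifest, and takes the certificate end date as a parameter; the function names and the sample entry name are constructed for illustration.

```python
import base64, hashlib, io, zipfile

def manifest_digests(manifest_text):
    """Map entry name -> (algorithm, base64 digest) from MANIFEST.MF sections."""
    text = manifest_text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    found = {}
    for section in text.split("\n\n")[1:]:  # section 0 holds the main attributes
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        for key, value in attrs.items():
            if key.endswith("-Digest") and "Name" in attrs:
                found[attrs["Name"]] = (key[:-len("-Digest")], value)
    return found

def modified_entries(jar_bytes):
    """Names whose bytes no longer match the digest recorded at signing time."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        recorded = manifest_digests(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in jar.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            algo, b64 = recorded.get(name, ("sha256", None))  # unlisted entry: flag it
            actual = hashlib.new(algo.replace("-", "").lower(), jar.read(name)).digest()
            if base64.b64encode(actual).decode() != b64:
                bad.append(name)
    return bad

def assess(jar_bytes, cert_not_after, now):
    """Integrity and certificate dates are separate questions (datetime arguments)."""
    bad = modified_entries(jar_bytes)
    if bad:
        return "modified since signing: " + ", ".join(bad)
    if now > cert_not_after:
        return "intact, signer certificate expired"
    return "intact, signer certificate within validity period"

def build_jar(signed, shipped=None):
    """Constructed sample JAR: digests come from `signed`, contents from `shipped`."""
    manifest = "Manifest-Version: 1.0\n\n"
    for name, data in signed.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\nSHA-256-Digest: {digest}\n\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in (shipped or signed).items():
            jar.writestr(name, data)
    return buf.getvalue()
```

Calling `assess` on an untouched sample with an end date of 18 May 2006 and a current date of 19 May 2006 reports an intact applet with an expired signer certificate, which is the situation the dialog describes.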

For more information on the digital signing process, you can refer to the
following document provided by VeriSign: VeriSign Code Signing for Sun Java
Object Signing

Solution

All Java applets shipped with Domino are signed before the certificate's
expiration date, so users can be assured that the applets are valid. This
includes the Domino applets such as the Outline applet, View applet, Action bar
applet, and Editor applet, as well as other applets shipped with Domino.

Customers experiencing this issue have the following options:

1. Explain to end users that the applets are still valid - The warning message
is only to notify users that the certificate used to sign the applet has
expired. The expiration does not affect the applets' security or functionality.
In most cases the user can click to "Always Trust" content from IBM to stop the
message from appearing in the future.

2. If no hotfixes are installed on the Domino server, download and install the
Interim Fix applicable to your Domino release and operating system. Refer to
the following download document: "Re-signed Java applets for Domino" (#4012408).

3. Obtain re-signed applets from IBM Support by opening a PMR and requesting a
hotfix, available for the following versions of Domino: 6.5.4, 6.5.5 (and all
Fix Packs for each version). The certificate expiration is extended until 2009.

4. Upgrade to Domino 7.0.1 Fix Pack 1 where the applets have been re-signed,
and the certificate expiration extended until 2009. For more information on
Domino 7.0.1 Fix Pack 1 refer to the technote "Information about Lotus Domino
7.0.1 Fix Pack 1" (#1239681).



Last Modified on 10/29/2015
