IBM Support

Sametime applets signer certificate expires on 18 May 2009

Technote (troubleshooting)


Problem

The Lotus Sametime Meeting Server applets are signed with a VeriSign certificate that is valid between 15 May 2006 and 18 May 2009. Therefore, as of May 19, 2009, users who attempt to load any of the Sametime applets, such as the Meeting Room Client or Directory applet, will be presented with a warning dialog stating the following:

"The application's digital signature has an error. Do you want to run the application?"

There is also a note that says:

"The digital signature was generated with a trusted certificate but has expired."


Resolving the problem

It is important to note that this message is simply a warning that is presented to the end users. Once the user selects "Run," the applet loads as expected. This certificate expiration will not cause any functional error within the applets.

The following Sametime components rely on applets and will be affected by this issue:

  • Online Meetings
  • Instant or Ad-hoc meetings created between 1 or more participants
  • Directory applets loaded to view persons for adding to the buddy list or meetings
  • Sametime links (ST Links) based applets that are using the signed JAR files.
  • Sametime network client install applet (for Sametime versions 8.0, 8.0.1, or 8.0.2)

Sametime Limited Use servers are not affected by this expiration, and therefore would not be required to apply this hotfix.

For example, this screen capture shows the complete warning:
[Screen capture: Warning - Security dialog]



Resolving the problem

First, ensure that you have followed the instructions to update the Domino applets on your server. Then continue with the steps below.

The re-signed applets for the following Sametime server versions are now available on Fix Central at the links below. The new certificate expires on Sunday, March 18, 2012 at 19:59:59 EDT. See Technote 1098628 for assistance in determining your server version.


Note: This 8.0.2 version was reposted on May 19 due to a problem affecting only the fix on the IBM i platform. The affected fix name on Fix Central was ST-8.0.2.0-MultiOS-RHOK-7RULBK. It has been fixed and reposted as ST-8.0.2.0-MultiOS-RHOK-7S7P2X.

Note: A problem was found with the original fix, ST-8.0.1.0-MultiOS-JABT-7R7MGA, for clients attending meetings with Sun Java 1.4.2. The new fix, posted on June 12, resolves this issue and is named ST-8.0.1.0-MultiOS-RHOK-7SMTWT.

Note: This re-signed Java Connect client fix is also included in the Sametime 7.0 server fix.

Sametime versions prior to 7.0 are no longer supported and therefore will not be updated. To resolve this issue, please upgrade to a supported version of Sametime and apply the applicable fix to the server.

For installation instructions, reference Technote 1385734.




Frequently asked questions:

Q: What is the STComm.jar file? Why don't I see it on my server?
A: This JAR file is only included in the Sametime SDK. It is not deployed to a Sametime server by default. The toolkit, and this file, is typically used only by customers running Lotus Quickr or QuickPlace, or those application developers that have built their own Sametime components by using the SDK. This file's placement is determined by your developed applet. If required, replace as needed.

Q: I see two stlinks.jar files on my server. Why is that, and which do I replace?
A: SPECIAL CONSIDERATION SHOULD BE GIVEN WHEN USING THE STLINKS.JAR FILE.
Sametime provides two stlinks.jar files, one unsigned (in \stlinks) and one signed (in \stlinks\signed). Only the signed stlinks.jar file is included in the fixes. If you are currently using the signed stlinks.jar file, copy the updated file to the \stlinks folder. If you are not currently using the signed stlinks.jar file, copy the updated file to the backup folder \stlinks\signed\. You do not need to update the unsigned version of the stlinks.jar file because it is not affected by this certificate expiration.

Q: How can I tell if we need to implement the signed stlinks.jar file?
A: To determine if you are at present using the signed stlinks.jar file, perform these steps:
  1. Navigate to the \stlinks folder in your production directory: \data\domino\html\sametime\stlinks
  2. Copy the stlinks.jar file, and paste it to a temporary location (for example: C:\temp)
  3. Open this temporary copy of stlinks.jar with a zip application (WinZip, WinRAR) and determine whether it contains an *.rsa file (zigbert.rsa or INTERNAT.RSA).
  4. If one of these files exists, then you are using the signed jar file. You will need to place the stlinks.jar file from the hotfix in the \stlinks directory as noted in the Installation Instructions. Otherwise, you should place the updated stlinks.jar file from the hotfix under \stlinks\signed.
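
The manual check in steps 1 to 4 can be scripted. The following Python is an added example, not IBM code; it also treats .DSA and .EC signature block files as signed, which goes beyond the *.rsa check described above, and its sample JARs are constructed in memory.

```python
import io
import zipfile

# Signature block extensions defined by the JAR format; the technote's manual
# check looks only for *.rsa (zigbert.rsa or INTERNAT.RSA).
SIG_BLOCK_EXTS = (".rsa", ".dsa", ".ec")


def signature_blocks(jar):
    """Return the META-INF signature block entries in a JAR (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        return [
            name for name in zf.namelist()
            if name.upper().startswith("META-INF/")
            and "/" not in name[len("META-INF/"):]      # directly under META-INF
            and name.lower().endswith(SIG_BLOCK_EXTS)   # case-insensitive match
        ]


def hotfix_destination(jar):
    """Where the hotfix stlinks.jar belongs, per step 4 of the technote."""
    # Signed copy in production: replace it in the stlinks folder. Otherwise
    # keep the re-signed file in the stlinks/signed backup folder.
    return r"\stlinks" if signature_blocks(jar) else r"\stlinks\signed"


def make_sample_jar(entries):
    """Build a constructed in-memory JAR for the demo (not a real Sametime file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"constructed sample")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    signed = make_sample_jar(["META-INF/MANIFEST.MF", "META-INF/ZIGBERT.SF",
                              "META-INF/zigbert.rsa", "com/example/A.class"])
    unsigned = make_sample_jar(["META-INF/MANIFEST.MF", "com/example/A.class"])
    for label, jar in (("signed", signed), ("unsigned", unsigned)):
        print(label, signature_blocks(jar), "->", hotfix_destination(jar))
```

A signature block shows only that the JAR is signed, not that the signer certificate is still valid; `jarsigner -verify -verbose -certs stlinks.jar` from the JDK reports the signer certificate and its validity dates.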

Q: How do the new applets get pushed down to my end users?
A: Beginning in Sametime 7.5, applets are downloaded by users and handled by the client JVM. This does not pose a problem for users with locked-down desktops because the applets are stored in a user's local workspace, to which they should have write access. By replacing these JAR files, the users will automatically download the new applets the next time they attend a meeting, exactly as they would have when the server was deployed and they attended their first meeting.

Q: Why, after applying the fix, do my users see a prompt stating "The application's digital signature has been verified. Do you want to run the application?"
A: This prompt is a one-time confirmation, which is not an indication of any problem. The users would also have had to accept this prompt when the server was first deployed; the step needs to be repeated due to the new applets. This is a property common to any signed applet and not something that IBM can prevent. The prompt is as shown in the following screen capture:

Q: How can I test and see the problem and resolution after the fix?
A: Be very careful with this testing, because modifying your system clock can cause problems for Notes and Domino client programs running on your machine. Be sure to test this on a test client machine with no Domino products running concurrently. By setting your client OS's date past May 18 on a test machine, you can simulate the warning message. Then apply the fix to the server and confirm that the warning is no longer shown the next time you load the applet (by attending a meeting, or invoking any of the other applets). You can find the updated applets downloaded to your local Java cache. If this does not seem to be working, ensure that neither your client browser nor any network device is caching the applets, which would prevent you from downloading the new version.

Document information

More support for: Lotus End of Support Products
IBM Sametime

Software version: 7.0, 7.5, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.2

Operating system(s): AIX, IBM i, Linux, Solaris, Windows

Reference #: 1380778

Modified date: 15 July 2009

