The certificate for the Java applets in Rational Focal Point versions 6.3.0.x, 6.4.1.x and 6.5.0.x expires on January 19, 2012.
When loading one of the Java applets from the Rational Focal Point server, a message that the security certificate has expired is displayed.
This issue can occur even if IBM is set up as a trusted publisher in the browser.
A message similar to one of the following is displayed:
"The security certificate has expired or is not yet valid."
"The digital signature was generated with a trusted certificate but has expired or is not yet valid."
Java applets are often digitally signed to provide the user a level of assurance that the applet comes from a known and trusted source, because executing Java code is a potential security risk. This process is similar to having a physical document signed by a Notary Public as verification that the person executing the document is who he or she claims to be. In this case, the Notary Public would be analogous to the Certificate Authority or CA who signs the certificate.
Digital certificates used in the signing process are valid for a specified period of time, typically for one to three years. This allows an organization such as IBM to sign files (Java applets in this case) for that time period and allows the user to trust that the applet had indeed been provided by IBM. If the Java applet is signed within the certificate's valid signing period, the signature is valid indefinitely. However, the Java Runtime Environment (JRE) used to run Java applets within a browser, such as Microsoft Internet Explorer, Mozilla, or Firefox, cannot verify whether the applet was actually signed during that valid period if the current date is beyond that time period. Therefore, the browser dialog reports that, although the applet was properly signed with a trusted certificate, the certificate itself has expired.
It is a common misconception that an applet signed with a certificate that has expired is no longer safe to download or use. As long as the applet was signed when the certificate issued by the CA (Certificate Authority) was still valid, then the applet is valid according to the specification for signing Java applets. Also, according to the specification, it is the responsibility of the JVM or JRE to warn the user if an applet has been modified after it was digitally signed with a certificate issued by a CA.
As long as the JVM or JRE does not return an error stating that the applet has been modified since it was signed, the applet is still valid and safe to run.
For more information on the digital signing process, refer to the following document provided by VeriSign: VeriSign Code Signing
Diagnosing the problem
- Why time stamp the applets now?
The applets are time stamped because a trusted internet server for verification of time stamping at signing has recently become available. JVM version 1.5 in browsers is also required to recognize time stamping.
- Will this be corrected in a future release?
Additionally, time stamping is implemented to suppress warning messages even after November 2014 on browsers running JVM 1.5 and later.
- You replaced the expired applets with the new ones, but you receive a prompt asking to trust the new certificate. Why do you get this prompt and is this expected?
Resolving the problem
All Java applets that are shipped with Rational Focal Point are signed before the expiration date of the certificate, and these applets are valid. This includes the Rational Focal Point applets such as the Tree applet, Visualize applet, and Gantt applet, and other applets that are shipped with Rational Focal Point.
To resolve this issue, you can:
- Select "Always Trust" content from IBM, as the applets are still valid. The warning message is only to notify users that the certificate used to sign the applet has expired. The expiration does not affect the security or functionality of an applet.
- Upgrade Rational Focal Point version 6.x servers to Rational Focal Point 6.5.1. Rational Focal Point version 6.5.1 servers accessed using browsers that use JRE 1.5.0 or later will not experience the issue.
- Upgrade to the latest interim fix pack for the respective 6.4.x and 6.5.x release. For the 6.3.1.x release, contact IBM Support. You can download the interim fix from Fix Central. The fixes are named as follows:
Rational Focal Point 220.127.116.11 interim fix 1: 18.104.22.168-Rational-RFP-IF001