INSTALLING
Eclipse plug-ins can be created and used to extend Notes® client functionality. Features and plug-ins are provisioned with the client software.
About this task
To simplify installation or deployment, sign your features and plug-ins.
CAUTION: The Notes installer requires that all features and plug-ins in the install kit be signed and timestamped.
Sign new features and plug-ins in preparation for install and update using a code signing certificate obtained from a certification authority. When signed and properly resident in the install kit, the features can be installed if the code signing certificate is included in the kit keystore. If the code signing certificate is not a trusted file, you can modify the install signature verification policy to allow for installing signed but untrusted content.
Note: Features and plug-ins being installed as part of Notes install or upgrade must be signed. Features and plug-ins being deployed to an existing Notes install, for example using a widget, should be signed by a trusted certifier.
Administrative trust defaults can be pushed to clients using Domino® policy settings in the Administrative trust defaults section on the security policy document's Keys and Certificates tab. Use this policy option to specify your specific administrative trust defaults for use during either Notes install or upgrade or client plug-in deployment to an existing Notes installation.
Note: Time stamping certificates can be added to signed plug-ins to ensure the long-term validity of plug-in signatures. You can use security policy settings to ignore the expiration dates of time stamping certificates that are valid at the time of plug-in signing. With this approach, users are not hindered during use or installation of signed plug-ins when time stamping certificates expire. See the related topics for information on creating a security policy settings document.
Signing your custom or third-party features and plug-ins accomplishes the following:
Features are checked for trust during install and update provisioning. If Notes is already installed, features are checked during runtime provisioning.
The Notes installer installs and initially provisions new or updated features from the install kit's update site UPDATESITE.ZIP. During this initial provisioning, trust is based on the Java keystore file in the Notes install kit's deploy directory. There is no user interface for trust prompting during Notes install; all install features must be signed by a trusted signer.
Note: When you run a Notes client kit installation, the Java key store is copied to notes\framework\rcp\deploy\.keystore.JCEKS.IBM_J9_VM.install This keystore contains the IBM® code signing certificate used during install.
The items in the Notes install kit's update site zip file (updateSite.zip) must be signed, including custom or third-party feature and plug-in JAR files. The provisioning process seeks to verify the signature. This allows administrators and users to control and validate the signed code being downloaded to the client.
If Notes is running, provisioning can be initiated manually by the user or programmatically based on a scheduled criteria or other provisioning mechanism, such as that used by the widget provisioning process. During runtime provisioning, a combination of the Notes keystore and the user's personal name and address book (NAB) determines trust for the features and plug-ins being deployed.
Note: When you run a Notes client kit installation, the Java key store is copied to notes\framework\rcp\deploy\.keystore.JCEKS.IBM_J9_VM.install (on the Mac OS X platform, this is .keystore.JCEKS.Java_HotSpot_Client_VM.install). This keystore contains the IBM code signing certificate used during install. However, during runtime provisioning, Notes uses an additional trust store in the user's Contacts application (names.nsf). The Advanced/Certificate view of the user's Contacts application contains certificates that are used during runtime provisioning to determine trust. Trust certificates can be copied to the Advanced/Certificate view of the Contacts application using the Administrative trust defaults section of security policy or while the user is provisioning he can select Install this plug-in and add the signer to my list of trusted signers. Ideally, you should configure trust settings such that users never receive trust prompts. Push trust certificates to the user's Contacts application using policy, or the alternative deploy.nsf if you would prefer not to use policy, so that deployed features and plug-ins are installed without trust prompts.
Note: See the related topics for information on customizing an install kit for trust defaults.
If you have digitally signed the features to install or update, the provisioning system does the following:
Note: Domino policy takes precedent over settings in the install kit's deploy\plugin_customization.ini file. Domino policy does not affect the initial install.
Using Domino policy to set or verify trust for client plug-ins A JAR file is unsigned, not signed with a trusted certificate, or the certificate has either expired or is not yet valid. You can establish a policy for never installing these plug-ins, always installing them, or asking users to decide at the time the plug-in is installed. Features and plug-ins being installed as part of Notes install or upgrade must be signed.
Signing and adding new features to the kit
Use this procedure to sign the new custom or third-party feature and plug-in JAR files and add the feature to the Notes install kit.
This procedure assumes that you have built or the obtained JAR files for new custom or third-party features and plug-ins for use in an Eclipse update site. Use the JRE's JarSigner tool, Eclipse, or other third-party tool.
Procedure
1. Set the JAVA_HOME directory environment variable, on the machine(s) on which you'll be installing Notes, to point to the JDK folder under which the keytool resides. In the following sample command line, the needed bin\keytool would be resident in the indicated JAVA_HOME variable's directory.
%JAVA_HOME%\bin\jarsigner -verbose -keystore C:\sign-plugin\abx\mykeystore-storepass keystorepassword -keypass privatekeypassword C:\sign-plugin\abx\mytestUpdatesite\plugins\com.ibm.sign.demo_1.0.0.jar EclipseFeaturesAlias
<ibm-portal-composite>
<domain-object name="com.ibm.rcp.installmanifest">
<object-data>
<install version="8.0.0.20081211.1925">
<!-- add this sample installfeature snippet to the end of the manifest,before the </install> line -->
<installfeature default="false" description="My hello world feature"id="test" name="Test" required="false" show="true" version="1.0.0">
<requirements>
<feature download-size="222"
id="com.ibm.sign.demo.feature" match="perfect" shared="true" size="199"url="jar:${installer.root}/updateSite.zip!/" version="1.0.0"/>
</requirements>
</installfeature>
<!-- end of addition -->
</install>
</object-data>
</domain-object>
</ibm-portal-composite>
Note: This step is also described in the following topics: Customizing the Notes install kit to add or remove Eclipse features and Adding new features to the Notes install kit using a supplied tool.
b. Copy your signed features and plugins JAR files to the unzipped updatesite's features and plugins folders respectively.
c. Update the unzipped updatesite's site.xml file to reflect the new feature. A sample entry is shown:
e. Copy the modified updatesite.zip file to the Notes install kit, to replace the original, supplied updatesite.zip with the one you have just modified.
Related tasks Customizing a Notes install kit to set certifier and trust defaults Creating a security policy settings document Adding and removing components from the Notes install kit using UpdateSiteMgr Deploying client plug-ins with widgets and the widget catalog