This section describes the signed plug-in policy settings used by the Lotus® Expeditor Client provisioning system for controlling access to local or remote Eclipse update sites. Your end users access the update sites to upgrade their base offerings and custom plug-in applications.
Because the provisioning system can access code from a local or remote eclipse update site, signing the jar files posted on the update site and verifying them on the client at download time allows the end user to get reliable information about the code they are about to download. This component allows them to identify who published the code and verify that software has not been tampered with or altered since the time it was uploaded to the update site. In addition, this component validates plug-in time stamps. You can time stamp a plug-in to ensure that when the it was signed, the signing certificate was not expired.
The decisions made by the provisioning subsystem when installing jars from an update site are made by a policy engine which uses policy settings defined as Eclipse preferences to make trust decisions. The policy engine that makes the trust decisions is controlled by a set of Eclipse preferences.
By default, support for verifying signed plug-ins is turned on.
To configure signed plug-in verification, modify the following Eclipse preferences. See Managing Eclipse preferences
for setting preference information.
Table 1. Signed plug-ins preferences
|Eclipse preference||Possible Values|
|com.ibm.rcp.security.update/VERIFICATION_LISTENER ||Class implementing the IVerificationListener interface|
This preference setting indicates which Eclipse IVerificationListener implementation will be used by the provisioning system while verifying jar files being provisioned from an Eclipse update site. This subcomponent provides the below two implementations of IVerificationListener interface:
Set this value for enabling this subcomponent when provisioning is done by launching the platform in headless mode. This can be enabled at install time by adding this preference to the plugin_customization.ini file in the deploy directory of the media kit.com.ibm.rcp.security.update.ui.PromptVerificationListener
Set this class to implement the user interface to be shown to the end user. Offerings should set this value to when the platform is launched in non-headless mode and it is expected that the end user will make the trust decisions for untrusted code being downloaded by the provisioning system.
This preference setting value defines the default behavior for a given IVerificationListener implementation when it encounters a jar file, which is signed, but the certificate used to sign the jar file has expired. UNSIGNED_PLUGIN_POLICY
This preference setting value defines the default behavior for a given IVerificationListener implementation when it encounters a jar file that is unsigned. UNTRUSTED_SIGNATURE_POLICY
This setting value defines the default behavior for a given IVerificationListener implementation when it encounters a jar file that is untrusted.
Setting the above policy values to ALLOW
will be interpreted by the IVerification Listener implementation to allow or deny provisioning of features. However, the policy setting of PROMPT
will be interpreted by an IVerificationListener implementation based on whether the platform is running in headless mode. For example, the PromptVerificationListener will prompt the users to make the necessary trust decisions while the DefaultVerificationListener treats PROMPT
so that untrusted code never gets provisioned.
For additional information regarding IVerificationListeners and other public APIs related to signed plug-ins, see the Eclipse Javadoc for the package org.eclipse.update.core.
Plug-ins can be signed using either Eclipse tools or the Java keytool.
Parent topic: Configuring deployment settings: XPD622