checkpackageaccess on JDBCODBC Driver

Brian K. E. Balke (bkbalke@diagprog.com)
Tue, 01 Sep 1998 12:20:12 -0700

I am having trouble getting around this problem, even with the signed
applet. I believe that there is probably some complication with my
system configuration. I am running on WNT 4. Here are the steps I
followed:

1. Set my HOMEPATH:
This was a challenge. I discovered that "C:" is prepended to the path.
I was trying to set up my security directory on a secondary drive.
Eventually, I settled on "\Java\Signatures" which was expanded to
"C:\Java\Signatures"
However, this is not the "User home directory" that shows up in the
Plug-In java console, which is : "C:\WINNT35\Profiles\BrianBalke" (this
even after logging off and back on again).
2. Created an identity:
javakey -cs "MySigner" true
The identify database was created in C:\Java\Signatures.
3. Create keys in a project working directory (D:\MyProject\Signatures):

javakey -gk "MySigner" DSA 512 MySigner.public MySigner.private
4. Hacked up a certificate directive file. I won't reproduce the details
of this here. If the details are important, could you point me at a
specification for the contents? Then ran (again in the project
directory):
javakey -gc cdirective
5. Did the same for a signature directive file, and signed my jar:
javakey -gs sdirective ..\MyProject.jar
Then renamed my jar.sig to .jar, keeping it in the same location as my
.html file.
6. Tried running at this point (the trusted identity was already in the
database, so I thought that it might not be necessary to create the
client identity and register the x509 key. This involved COPYING the
identity database over to c:\winnt35\Profiles\BrianBalke, and then
double-clicking on my HTML file (Netscape not running). My applet
reported a package access when trying to load
sun.jdbc.odbc.JdbcOdbcDriver. Stopped Netscape.
7. Tried registering the client identity and key. This was probably a
mistake, as
javakey -c MySigner true
reported the "identity was already in the database" and
javakey -ic MySigner MySigner.x509
added a second certificate (discovered using javakey -li MySigner).
Tried the process in step 6 again, with the same results. Stopped
Netscape.
8. Repeated steps 1-5, but this time moved the identity database to
d:\MyProject\signatures before trying the steps in 7. Now there was only
one certificate in the database, but I still get the checkpackageaccess.
Stopped Netscape.

Final workaround was to register the JAR on my classpath. Since this is
what I will probably suggest the client should do (the jar is 650 K),
this is an acceptable work-around. However, I would like to get this
running as a trusted applet, so that:
1. I can use the more sophisticated JDK 1.2 security features
successfully once the JRE supports them for Netscape.
2. He can offer the network download option to clients running on
intranets.

Here's the final contents of the security database (reflects step 8.
Step 6 showed also "private key initialized").

c:\Java\Signatures>javakey -li MySigner
Identity: MySigner
MySigner[identitydb.obj][trusted]
public key initialized
certificates:
certificate 1 for : CN=Brian K. E. Balke, OU=MySigner
Corporation, O=MySigner Corporation, C=US
from : CN=Brian K. E. Balke, OU=MySigner
Corporation,
O=MySigner, C=US

No further information available.

The last line is a fitting conclusion.

Thanks for your help

Brian Balke