#2311 Create tool to regenerate configure.jar
Closed: Fixed None Opened 12 years ago by rcritten.

Ticket 2207 handles new installations not adding the delegation options to configure.jar. We also need a tool to regenerate configure.jar that does not configure network.negotiate-auth.delegation-uris.


configure.jar is the signed JavaScript file used to configure the web browser. It is generated at installation time and we provide no way to update it post-install.

We need to update this file so the delegation option can be removed. Otherwise anyone that clicks on the "Configure Browser" button will get the delegation value unnecessarily set (and they can either ignore it or manually remove it).

It is signed JavaScript because it uses the browser's configuration mechanism to change the user's profile. It is signed to provide some assurances that it is from a trusted source and has not been modified.

I wonder if we're better off just documenting this. It isn't like the tool would be run very often.

The steps are these:

Start on the initial IPA master. This is the only server that gets a signing cert.

You'll need the 2.2+ packages, which have an updated preferences.html that does not configure delegation.

Execute these as root:

- mv /usr/share/ipa/html/configure.jar /usr/share/ipa/html/configure.jar.old
- mkdir /tmp/sign
- cp /usr/share/ipa/html/preferences.html /tmp/sign
- /usr/bin/signtool -d /etc/httpd/alias -k Signing-Cert -Z /usr/share/ipa/html/configure.jar -e .html -p `cat /etc/httpd/alias/pwdfile.txt` /tmp/sign

Copy the resulting configure.jar to all other IPA masters.

This only affects newly configured browsers. Those already configured will need to be updated manually.
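A check to run on each master after the regenerated file has been copied, as an added example that is not part of the ticket or of FreeIPA's code: it opens configure.jar as a zip archive and reports which payload files, if any, still reference network.negotiate-auth.delegation-uris. The sample archive contents and the function names are constructed for the demo, and only the presence of a signature block file is reported, not its validity.

```python
import io
import sys
import zipfile

DELEGATION_PREF = "network.negotiate-auth.delegation-uris"
SIG_SUFFIXES = (".RSA", ".DSA", ".EC")  # signature block files in META-INF/


def audit_configure_jar(jar):
    """Inspect a configure.jar (path or file object) without executing it."""
    result = {"has_signature_block": False, "delegation_in": []}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/"):
                if upper.endswith(SIG_SUFFIXES):
                    result["has_signature_block"] = True  # presence only
                continue
            # Payload file: look for the delegation preference name.
            text = zf.read(name).decode("utf-8", errors="replace")
            if DELEGATION_PREF in text:
                result["delegation_in"].append(name)
    return result


def build_sample_jar(html):
    """Constructed stand-in for configure.jar; contents are NOT the real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/manifest.mf", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/zigbert.rsa", b"constructed placeholder")
        zf.writestr("preferences.html", html)
    buf.seek(0)
    return buf


# Constructed sample page bodies (assumed shape, for the demo only).
OLD_HTML = ('pref("network.negotiate-auth.trusted-uris", ".example.com");\n'
            'pref("network.negotiate-auth.delegation-uris", ".example.com");\n')
NEW_HTML = 'pref("network.negotiate-auth.trusted-uris", ".example.com");\n'

if __name__ == "__main__":
    # With path arguments, audit those files; otherwise run on the samples.
    targets = sys.argv[1:] or [build_sample_jar(OLD_HTML), build_sample_jar(NEW_HTML)]
    for target in targets:
        print(audit_configure_jar(target))
```

An empty `delegation_in` list on every master means the old file is no longer being served there; the signature itself still has to be validated separately with a JAR signature verifier.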

Re-assign to Deon to document.

Moving to next month iteration.

Metadata Update from @rcritten:
- Issue assigned to elladeon
- Issue set to the milestone: FreeIPA 2.2.0 Documentation

7 years ago
