.. _server_webstart_insight_codesign:

OMERO.insight webstart security and code-signing
================================================

Java 1.7 and later includes strict security settings which prevent Java web
applications from running unless they are signed with a code-signing
certificate. This includes the OMERO.insight webstart client included with
OMERO.server.

All current OMERO.server releases are code-signed by the University of Dundee.
If you build and distribute your own copies of OMERO and want to use
OMERO.insight webstart you can either change the
:ref:`Java security settings for all users
<server_webstart_client_configuration>`, or buy a code-signing certificate and
use this to :ref:`sign the client <server_webstart_codesign>`.


.. _server_webstart_client_configuration:

Java configuration settings
---------------------------

Add a security exception in the Java Control Panel (on Windows this can be
accessed through the Control Panel, on Mac OS X through System Preferences).

.. figure:: /images/java_1_7_51-windows-control_panel.png
   :align:  center


.. _server_webstart_codesign:

Code-signing your own server
----------------------------

First buy a code-signing certificate from a certificate authority. Note that
several types are available, ensure you buy one suitable for signing Java
code. If necessary convert it to PKCS #12 format and create a JKS certificate
store.

The server can be signed using the :source:`omero_insight_sign.py
<docs/hudson/omero_insight_sign.py>` script, for example::

    omero_insight_sign.py <keystore.jks> <alias> OMERO.server-XXX.zip \
        -kp <keystore-password> -cp <certificate-password> \
        -ts <timestamping-yes-no> -oz <OMERO.server-XXX-signed.zip>

See the script for more information.