NOTES CLIENT INSTALLATION AND SMART UPGRADE
Plug-ins are typically signed by the developer or the build room, depending on how the plug-ins are built. JAR signing is a standard process and many tools exist to do this. You can sign features and plug-ins either by using the JarSigner tool included in the Java™ Development Kit (JDK) or by using a third-party tool, such as the Plugin Development Environment (PDE) in Eclipse. Certificates used in JAR signing can be obtained from many of the well-known certificate authorities (CA).
When you install and deploy new custom or third-party features and plug-ins for Notes installation, you can add your own certificates to a keystore so that the signed features are trusted during install and update from the media kit.
Features are checked for trust during initial and update provisioning. If Lotus Notes is already installed, features are checked during runtime provisioning -- either during traditional third-party install or user-initiated update.
Note: There is no user interface for prompting during initial Notes install.
If you create new Eclipse features, you can sign them in preparation for install and update using a code signing certificate obtained from a certification authority. When signed and properly resident in the install media kit, the features can be installed if the code signing certificate is included in the media kit keystore. If the code signing certificate is not a trusted file, you can modify the install signature verification policy to allow for installing signed but untrusted content. Signing your custom or third-party Eclipse features accomplishes the following:
To add new features to the Lotus Notes installer, do the following:
1. Build and create JAR files for new custom or third-party features and plug-ins for use in an Eclipse update site. Use the JRE's JarSigner tool, Eclipse, or other third-party tool.
2. Sign the new custom or third-party feature and plug-in JAR files.
3. Add the certificate to the Notes install media kit's deploy\.keystore.JCEKS.IBM_J9_VM.install file using the KeyTool program included with the JVM or other third-party tool.
Note: The Notes Keystore, which is used for manual update, does not currently include a cross certificate for the IBM code signing certificate. Only the .KEYSTORE file contains this certificate, and it is only used for install and upgrade.
5. Modify the Notes install kit install manifest (deploy\install.xml) and the update site registry (updateSite.zip\site.xml) to include the new feature(s).
6. Use the Domino Administrator to set the default signature verification policies to be used by the Notes client using the Security Settings - Signed Plugin page.
8. Deploy the install kit, or make it available to users, including the keystore that you updated in the install kit's deploy directory.
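A structural pre-flight check for the JAR files produced in steps 1 and 2, given here as an added example that is not part of the original documentation or of IBM's tooling: it reports whether a feature or plug-in JAR carries a signature file and signature block, and whether every entry has a digest in the manifest. It does not validate the signature or consult the media kit keystore; the sample JAR is constructed and all function names are hypothetical.

```python
import io
import zipfile

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def is_signature_related(name):
    """True for the META-INF files that a JAR signer does not digest."""
    head, _, base = name.upper().rpartition("/")
    return head == "META-INF" and (
        base == "MANIFEST.MF" or base.startswith("SIG-") or base.endswith(SIG_SUFFIXES))

def parse_manifest_sections(text):
    """Return {entry name: attributes}; wrapped lines continue with one leading space."""
    text = text.replace("\r\n", "\n").replace("\n ", "")
    blocks = (dict(l.split(": ", 1) for l in b.splitlines() if ": " in l)
              for b in text.split("\n\n"))
    return {a["Name"]: a for a in blocks if "Name" in a}

def check_jar_signing(jar_bytes):
    """Return the structural reasons a JAR is not fully signed (empty list = none found)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        sig = [n.upper() for n in names if is_signature_related(n)]
        problems = []
        if not any(n.endswith(".SF") for n in sig):
            problems.append("no signature file (.SF)")
        if not any(n.endswith(SIG_SUFFIXES[1:]) for n in sig):
            problems.append("no signature block (.RSA/.DSA/.EC)")
        sections = parse_manifest_sections(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            digests = [k for k in sections.get(name, {}) if k.endswith("-Digest")]
            if not is_signature_related(name) and not digests:
                problems.append("entry has no digest: " + name)
        return problems

def build_sample_jar(covered, uncovered=(), signed=True):
    """Constructed sample input with dummy digests and signature files (not a real signature)."""
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        "Name: %s\r\nSHA-256-Digest: ZHVtbXk=\r\n\r\n" % n for n in covered)
    sig = {"META-INF/SAMPLE.SF": "Signature-Version: 1.0\r\n", "META-INF/SAMPLE.RSA": "x"}
    files = {"META-INF/MANIFEST.MF": manifest, **(sig if signed else {})}
    files.update((n, "sample") for n in (*covered, *uncovered))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()
```

An empty result only means the signing structure is complete; cryptographic validation and trust still come from `jarsigner -verify` and the keystore updated in step 3.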
Look for updates to this content as future Expeditor releases become available.