Securing the NX Web Companion

Added on: 2005-05-26 Last Modified: 2019-08-27
ID: AR05C00209 Applies To: NX Software

Note: this product has been replaced by the "Web Player" functionality provided by all Enterprise products and has been discontinued. This article applies to legacy version 3.5.0 of NoMachine software.

 

The NX Web Companion contains a signed Java applet used to download the required NX components and the NX session information. NoMachine provides a self-signed applet. Customers interested in using the NX Web Companion tool should secure the applet using their own signed certificate.

The process of signing an applet ensures that the applet's code cannot be modified while travelling over the network, so that it can be trusted by the browser and executed under the user's control. The signing process, though, doesn't prevent other data from being downloaded by the applet which would be subject to spoofing and other common Internet threats, so, unless the access to the NX Web Companion is offered on a trusted network, it is strongly suggested that you protect your communication by means of a HTTPS/SSL connection.

By using the NX Web Companion the user needs to gain access to various information. You may consider putting the different data on different servers, whether HTTP or HTTPS servers, depending on the level of security you want to achieve. Some considerations:

 

    - The Java applet itself and the other NX Web Companion's components. This data is not critical. As we have seen, the applet has been signed so that it can be verified by the browser upon execution and the download of the other binary components is going to offer the same security (or, herein, lack of) of the download the NX binary packages from any other server on the Internet.
    - The Web page containing the applet parameters. This information is critical, because it exposes the address of the NX server and the URL where the session configuration can be downloaded. If the download of the NX session configuration has not been protected by additional means (host based access, HTTP password) a hacker would be able to intercept the data while traveling over the network and become able to get the session configuration on behalf of the legitimate user.
    - The NX session configuration file, including the cryptographic key used to gain access to the server and the user's credentials. This data is downloaded by the applet from the URL specified among the parameters and used to run the session without further interaction with the user. This data should be carefully protected and never transferred over the network across an unencrypted connection.

Please refer to your network administrator or operating system's vendor to learn how to configure Apache to provide secure access by SSL

 

If you would like to use your own certificate to sign the Java applet we suggest using the Java JAR Signer tool available from http://java.sun.com


JAR Signer is a command line tool for signing and verifying the signature on JAR files. JAR Signer is used to make a signed copy of a SignedApplet.jar file:

jarsigner -keystore compstore -storepass ab987c
                 -keypass kpi135 -signedjar
                 SSignedApplet.jar SignedApplet.jar signFiles

The -storepass ab987c and -keystore compstore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass kpi135 option is the password to the private key, SSignedApplet.jar is the name of the signed JAR file, and signFiles is the alias to the private key.  JAR Signer extracts the certificate from the keystore whose entry is signFiles and attaches it to the generated signature of the signed JAR file.
We recommend to also read the documentation on the java sun homepage and this article about how to sign the Web Companion by using your own certificate:

https://www.nomachine.com/AR10K00708


More information about installing and configuring the NX Web Companion are available at:

https://www.nomachine.com/DT09K00053