First published: 22nd February 2017
This technical note is meant to assist Linux users to access Hong Kong Government online services. The difficulties with this are not that the services are incompatible with Linux, but that there are certain restrictions and tricks that are not obvious, and the Government's helpdesk is more experienced at providing assistance to Windows and OS X users.
These notes were based on the writer's experience of accessing the Driving License Renewal service and eTax service in February 2017. Other services may be different, and the services may have changed since this was written.
There is a GovHK webpage of the system requirements, the discussion here focusses on Linux and Firefox.
The services run a configuration check as the application starts, but the information reported might not be useful.
Operating System and Browser
The writer used Ubuntu 16.04 LTS and Firefox 51.0.1, but any current Linux distribution, and any version of Firefox after 38 will probably work. Using Chrome as your browser might work, but Chrome stopped supporting Java applets in 2015, so, in practical terms, you would probably need to use a horrendously out-of-date version of Chrome.
The service compatibility test will probably report an "Alert", that the version of the browser has not been tested. When Firefox version 51 was tried, the alert appeared, but the service still worked. Unfortunately, the Government helpdesk for the service will note the "unsupported version" and recommend removing the current browser and downgrading to an older version, version 48 in this case. The use of a more recent browser version is unlikely to be the cause of most problems, and it is recommended to look carefully for other causes before attempting a time-consuming and vulnerability-introducing downgrade.
egis.gov.hk e-Government Infrastructure Services
cr.gov.hk Companies Registry
ird.gov.hk Inland Revenue Department
td.gov.hk Transport Department
hkpl.gov.hk Public Libraries
egis.gov.hk domain is required for most services because that is the common web application hosting platform for delivering e-Government services to the public by government bureaux and departments.
Ubuntu, Linux Mint and Debian include the packages openjdk-8-jre and icedtea-8-plugin to provide Java 8 and the associated browser plugin. They pass the "Do I have Java?" test at the Java website but they are not recognised by the services compatibility check. If you have this plugin installed, you will probably receive Error 513-E-001 from the check. It simply doesn't recognise that Java is there. It seems that just disabling the IcedTea plugin in the browser Add-on settings is not sufficient, the packages must be removed.
Use your preferred package manager to remove the packages, for example:
apt purge default-jre-headless openjdk-8-jre openjdk-8-jre-headless java-common icedtea-8-plugin
Download Oracle Java for Linux and install manually. For Ubuntu, the RPM packages cannot be used, download using the Linux or Linux x64 (if your CPU is 64 bit) link. The provided instructions have too many alternatives to be clear. This summary assumes the downloaded file is called
/home/adyer/Downloads/jre-8u121-linux-i586.tar.gz and the software will be installed to
/usr/java. Unpack the download:
tar zxvf /home/adyer/Downloads/jre-8u121-linux-i586.tar.gz
This creates the directory
/usr/java/jre1.8.0_121 containing the Java files. Now it is necessary to configure Firefox to recognise the Java plugin. First, exit Firefox if it is running. You must create a symbolic link to the Java plugin from your home directory
~/.mozilla/plugins. If you have not manually installed plugins before, the plugins directory will not exist, even if you have other plugins that were installed by more normal methods. So, create the plugins directory and the symbolic link:
ln -s /usr/java/jre1.8.0_121/lib/i386/libnpjp2.so .
If you have a 64 bit CPU, the link will have
amd64 instead of
i386. If the plugins directory already exists, check for old links to
libnpjp2.so and remove them before creating the link to the latest version.
Start Firefox and type about:plugins into the address bar. You should find the details of the Java Plug-in in the list.
Java has a separate certificate store to your browser. Install the Hongkong Post CA Root Certificates to Java. The Hongkong Post certificates can be downloaded. There are (currently) two root CA certificates, and four Sub CA certificates, get them all:
- Hongkong Post Root CA 1
- Hongkong Post e-Cert CA 1 - 10
- Hongkong Post e-Cert CA 1 - 14
- Hongkong Post e-Cert CA 1 - 15
- Hongkong Post Root CA 2
- Hongkong Post e-Cert CA 2 - 15
The files have a
.crt extension, but the Java Control Panel expects a
.p12 extension, so rename the files, changing the extension, for example:
mv root_ca_1.crt root_ca_1.p12
Start the Java Control Panel. If your Java installation directory was
/usr/java/jre1.8.0_121 then the Java Control Panel can be started with the command:
Select the Security tab and click the Manage Certificates button. Select Certificate type: Secure Site CA and click the Import button, browse to a certificate file and click OK to import that certificate. Repeat for each other certificate.
Some GovHK services rely on a Thawte certificate, but where the CA certificate for this can be found is unknown.
Accessing the eTax Service
The eTax service login page is linked from various locations in the GovHK portal. First, the results of the compatibility check are displayed:
Click Continue. You are asked to choose your authentication method:
If you do not have the Thawte CA certificate installed, a pop-up asks if you want to run this application:
Check if you trust the certificate, and click Run. You can now enter your HK Identity Card Number and choose which media your eCert is stored on:
The choices are Smart ID Card or a file location. Whether an eCert on a Smart ID Card can be retrieved when using Linux and Firefox is unknown. This guide uses the e-Cert File USB
, further details of the e-Cert File USB
are available in another article, because this one is already getting too long. Use the Browse button to find the file with a
extension containing your certificate and enter the PIN or pass-phrase to unlock it. Click Login. If the login is successful, a list of online tax services appears:
Using the services should be self-explanatory from here, and as the behaviour and appearance will be the same as for Windows, the GovHK Helpdesk should be able to offer useful advice.
Alert The version of browser used in your computer has not been tested on this online service.
If your browser is Firefox 51 or later, this warning can be ignored.
Error 513-E-001 Java Enabled: Unknown
The compatibility check is unable to recognise your Java plugin. Remove other versions of Java and install Oracle's Java as described above.
Attention: The present combination of your operating system and browser has not been fully tested on eTAX System.
Results of the compatibility check when starting the eTax service, if your browser is Firefox 51 or later, this warning can be ignored.
Updated: 09th March 2017
According to this article, the latest (as of 9th March 2017) version of Firefox no longer supports plugins. Therefore the Oracle Java plugin cannot be installed, and Hong Kong Government online services, including eTax, cannot be used from Firefox version 52 or later.
GovHK services and the Thawte CA certificate
The eTax helpdesk has clarified the usage of Thawte-signed certificates:
The latest version of Java Runtime Environment (JRE) should has already included the root certificate from Thawte. However, you may still get the security warning message when running the Java programs because this is the behavior of Oracle Java browser plug-in even though the certificate is valid. The certificate is valid when a Java logo and a blue shield with white "i". Otherwise, a yellow triangle with an exclamation mark would be shown. For more technical details, please refer to ( https://java.com/en/download/help/appsecuritydialogs.xml ).