Your Peace of Mind is our Commitment

Contact Us English Recent Articles

Accessing Hong Kong Government Services using a Hongkong Post eCert from Firefox on Ubuntu Linux

First published: 22nd February 2017

This technical note is meant to assist Linux users to access Hong Kong Government online services. The difficulties with this are not that the services are incompatible with Linux, but that there are certain restrictions and tricks that are not obvious, and the Government's helpdesk is more experienced at providing assistance to Windows and OS X users.

These notes were based on the writer's experience of accessing the Driving License Renewal service and eTax service in February 2017. Other services may be different, and the services may have changed since this was written.

System Requirements

There is a GovHK webpage of the system requirements, the discussion here focusses on Linux and Firefox.

The services run a configuration check as the application starts, but the information reported might not be useful.

Operating System and Browser

The writer used Ubuntu 16.04 LTS and Firefox 51.0.1, but any current Linux distribution, and any version of Firefox after 38 will probably work. Using Chrome as your browser might work, but Chrome stopped supporting Java applets in 2015, so, in practical terms, you would probably need to use a horrendously out-of-date version of Chrome.

The service compatibility test will probably report an "Alert", that the version of the browser has not been tested. When Firefox version 51 was tried, the alert appeared, but the service still worked. Unfortunately, the Government helpdesk for the service will note the "unsupported version" and recommend removing the current browser and downgrading to an older version, version 48 in this case. The use of a more recent browser version is unlikely to be the cause of most problems, and it is recommended to look carefully for other causes before attempting a time-consuming and vulnerability-introducing downgrade.

Javascript

The services require Javascript to be enabled. If you use NoScript or an ad-blocker, make sure that you allow Javascript from the relevant domains. Depending on the particular service these include:

The egis.gov.hk domain is required for most services because that is the common web application hosting platform for delivering e-Government services to the public by government bureaux and departments.

Java 8

Ubuntu, Linux Mint and Debian include the packages openjdk-8-jre and icedtea-8-plugin to provide Java 8 and the associated browser plugin. They pass the "Do I have Java?" test at the Java website but they are not recognised by the services compatibility check. If you have this plugin installed, you will probably receive Error 513-E-001 from the check. It simply doesn't recognise that Java is there. It seems that just disabling the IcedTea plugin in the browser Add-on settings is not sufficient, the packages must be removed.

Use your preferred package manager to remove the packages, for example:

apt purge default-jre-headless openjdk-8-jre openjdk-8-jre-headless java-common icedtea-8-plugin

Download Oracle Java for Linux and install manually. For Ubuntu, the RPM packages cannot be used, download using the Linux or Linux x64 (if your CPU is 64 bit) link. The provided instructions have too many alternatives to be clear. This summary assumes the downloaded file is called /home/adyer/Downloads/jre-8u121-linux-i586.tar.gz and the software will be installed to /usr/java. Unpack the download:

cd /usr/java tar zxvf /home/adyer/Downloads/jre-8u121-linux-i586.tar.gz

This creates the directory /usr/java/jre1.8.0_121 containing the Java files. Now it is necessary to configure Firefox to recognise the Java plugin. First, exit Firefox if it is running. You must create a symbolic link to the Java plugin from your home directory ~/.mozilla/plugins. If you have not manually installed plugins before, the plugins directory will not exist, even if you have other plugins that were installed by more normal methods. So, create the plugins directory and the symbolic link:

cd ~/.mozilla mkdir plugins cd plugins ln -s /usr/java/jre1.8.0_121/lib/i386/libnpjp2.so .

If you have a 64 bit CPU, the link will have amd64 instead of i386. If the plugins directory already exists, check for old links to javaplugin-oji.so or libnpjp2.so and remove them before creating the link to the latest version.

Start Firefox and type about:plugins into the address bar. You should find the details of the Java Plug-in in the list.

thumbnail

Root Certificates

Java has a separate certificate store to your browser. Install the Hongkong Post CA Root Certificates to Java. The Hongkong Post certificates can be downloaded. There are (currently) two root CA certificates, and four Sub CA certificates, get them all:

The files have a .crt extension, but the Java Control Panel expects a .p12 extension, so rename the files, changing the extension, for example:

mv root_ca_1.crt root_ca_1.p12

Start the Java Control Panel. If your Java installation directory was /usr/java/jre1.8.0_121 then the Java Control Panel can be started with the command:

/usr/java/jre1.8.0_121/bin/jcontrol

Select the Security tab and click the Manage Certificates button. Select Certificate type: Secure Site CA and click the Import button, browse to a certificate file and click OK to import that certificate. Repeat for each other certificate.

thumbnail

Some GovHK services rely on a Thawte certificate, but where the CA certificate for this can be found is unknown.

thumbnail

Accessing the eTax Service

The eTax service login page is linked from various locations in the GovHK portal. First, the results of the compatibility check are displayed: thumbnail

Click Continue. You are asked to choose your authentication method: thumbnail

If you do not have the Thawte CA certificate installed, a pop-up asks if you want to run this application: thumbnail

Check if you trust the certificate, and click Run. You can now enter your HK Identity Card Number and choose which media your eCert is stored on: thumbnail

The choices are Smart ID Card or a file location. Whether an eCert on a Smart ID Card can be retrieved when using Linux and Firefox is unknown. This guide uses the e-Cert File USB thumbnail, further details of the e-Cert File USB are available in another article, because this one is already getting too long. Use the Browse button to find the file with a .p12 extension containing your certificate and enter the PIN or pass-phrase to unlock it. Click Login. If the login is successful, a list of online tax services appears: thumbnail

Using the services should be self-explanatory from here, and as the behaviour and appearance will be the same as for Windows, the GovHK Helpdesk should be able to offer useful advice.


Troubleshooting

Alert The version of browser used in your computer has not been tested on this online service.

If your browser is Firefox 51 or later, this warning can be ignored.

Error 513-E-001 Java Enabled: Unknown

The compatibility check is unable to recognise your Java plugin. Remove other versions of Java and install Oracle's Java as described above.

Attention: The present combination of your operating system and browser has not been fully tested on eTAX System.

thumbnail

Results of the compatibility check when starting the eTax service, if your browser is Firefox 51 or later, this warning can be ignored.

Updated: 09th March 2017

Firefox 52

According to this article, the latest (as of 9th March 2017) version of Firefox no longer supports plugins. Therefore the Oracle Java plugin cannot be installed, and Hong Kong Government online services, including eTax, cannot be used from Firefox version 52 or later.

GovHK services and the Thawte CA certificate

The eTax helpdesk has clarified the usage of Thawte-signed certificates:

The latest version of Java Runtime Environment (JRE) should has already included the root certificate from Thawte. However, you may still get the security warning message when running the Java programs because this is the behavior of Oracle Java browser plug-in even though the certificate is valid. The certificate is valid when a Java logo and a blue shield with white "i". Otherwise, a yellow triangle with an exclamation mark would be shown. For more technical details, please refer to ( https://java.com/en/download/help/appsecuritydialogs.xml ).


Gallery

Error 513-E-001 Java Enabled: UnknownError 513-E-001 Java Enabled: Unknown hi-res
Alert The version of browser used in your computer has not been tested on this online service.Alert The version of browser used in your computer has not been tested on this online service. hi-res
Firefox about:plugins showing that the Java Plug-in is installedFirefox about:plugins showing that the Java Plug-in is installed hi-res
Importing CA Certificate to the Java certificate storeImporting CA Certificate to the Java certificate store hi-res
GovHK Service relying on a Thawte CertificateGovHK Service relying on a Thawte Certificate hi-res
Attention: The present combination of your operating system and browser has not been fully tested on eTAX System.Attention: The present combination of your operating system and browser has not been fully tested on eTAX System. hi-res
eTax authentication choice (SC-535-2-002)eTax authentication choice (SC-535-2-002) hi-res
eTax run permissioneTax run permission hi-res
eTax: Choosing the eCert storageeTax: Choosing the eCert storage hi-res
eTax HKID entry and eCert media choiceeTax HKID entry and eCert media choice hi-res
e-Cert File USBe-Cert File USB hi-res
eTax: Successfully logged in.eTax: Successfully logged in. hi-res

More Information

Slashdot   Slashdot It! | Share