Solved

Java Deployment Rule Set

Posted on 2015-01-11
Last Modified: 2015-04-10
Our company is working with a new company that has a web app that requires Java 6u16, so I figured it would be a good time to finally learn how to better secure Java in our environment.  We currently are using Java 7u71 with a few users using Java 8u25.  I have read I can run both (or all 3) versions of Java on 1 computer.  

I now have Java 8u25, 7u71, and 6u16 on my test computer. I have created my ruleset and signed the jar file. I also have a deployment.config & deployment.properties along with the signed jar file in C:\Windows\Sun\Java\Deployment

Now on any website that uses Java I get this error

Blocked.png
Any help?

I also attached deployment.config & deployment.properties
deployment.config.txt
deployment.properties.txt
Question by:BHeshka
12 Comments
 
LVL 5

Expert Comment

by:Alexa Jackson
ID: 40543753
Hi
As per the information and details provided by you, the Java 8u25 installation shows errors, maybe because of the proxy server. Please follow this script:

function FindProxyForURL(url, host) {
  // Plain host without domain, internal domain or IP address
  // (substring end indices fixed so the compared slices are the same length as the literals)
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".internal.domain.com") ||
      url.substring(0, 4) == "ftp:" ||
      // http://....
      url.substring(7, 10) == "10." ||
      url.substring(7, 12) == "172.1" ||
      url.substring(7, 14) == "192.168" ||
      // https://....
      url.substring(8, 11) == "10." ||
      url.substring(8, 13) == "172.1" ||
      url.substring(8, 15) == "192.168" ||
      shExpMatch(url, "https://www.<servername>.com:8443/")) {
    return "DIRECT";
  }
  // If the client uses this PAC file, it is connected to the internal network and has to use a proxy server
  return "PROXY <Proxyserver>:<Proxyport>; DIRECT";
}
 
It's not perfect. 172.1.... does not include all private IP addresses in Class B, but for our environment it's enough till Oracle has a solution.

I hope this information will be helpful for you.
Thanks and regards
Alexa@J
 

Author Comment

by:BHeshka
ID: 40544453
Thanks for the response Alexa.  This seems more for programming or where would I put this?
 

Author Comment

by:BHeshka
ID: 40571455
Anyone else have any suggestions?
 
LVL 5

Expert Comment

by:Alexa Jackson
ID: 40572115
Hi,

The above provided code can be traversed at the time of installation of the JDBC drivers.
What is JDBC Driver?: - These are the drivers that you install at the time of setting database connectivity.
In simple words, you need to put the provided code at the time of setting JDBC connection via setting path in the console panel.

Please let me know if you need further assistance.

Thanks and Regards
Alexa@J
 

Author Comment

by:BHeshka
ID: 40584771
This talk about a JDBC Driver just doesn't seem to jive with what I am trying to accomplish.  

https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets 

The above link might better describe it.
 
LVL 13

Accepted Solution

by: George K. (earned 500 total points)
ID: 40629435
Try this:
Create a rule set .xml file and package it with your Deploymentruleset.jar

Rule set xml example:

<ruleset version="1.1">
      <rule>
            <id location="http://yoursite.com....." />
            <action permission="run" />
      </rule>
      <rule>
            <id location="http:yoursite.com........./myapp" />
            <action permission="run" version="SECURE-1.6.0.16" />
...........
 
LVL 86

Expert Comment

by:CEHJ
ID: 40629469
Our company is working with a new company that has a web app that requires Java 6u16 so I figured it would be a good time to finally learn how to better secure Java in our environment.
It would be a good time to ask them WHY their software requires an insecure JRE in order to run.
 

Author Comment

by:BHeshka
ID: 40648108
CEHJ - I brought this up with them and our management during our testing.  They both for some reason don't seem to care.  Now I am trying to at least patch the problem.

George - I had something like that already but I reread the info on the java site.  I attached all my files. Do you see any errors?

The late response is due to a new error that I cant seem to get past.  

Blocke2.png
I am using the latest JDK (8u40) and this is what I am running to compile and sign it:
jar cvf DeploymentRuleSet.jar ruleset.xml
jarsigner -verbose -J-Dhttp.proxyHost=sk.proxy.website2.prv -J-Dhttp.proxyPort=80 -keystore CCU_CodeSigningKeyStore -storepass Password -keypass Password -tsa http://tsa.starfieldtech.com DeploymentRuleSet.jar CodeSigning

When I open the Java control panel I am able to see my deployment ruleset

I have even tried uninstalling Java and reinstalling.
deployment.config.txt
deployment.properties.txt
exception.sites.txt
ruleset.xml.txt
 

Author Comment

by:BHeshka
ID: 40648126
I should also mention I was at one point getting an error message that would pop up and then quickly disappear that just said TLS 1.2.
 

Author Closing Comment

by:BHeshka
ID: 40678369
I finally noticed that I was missing a <rule> tag in my ruleset.  That is why I was getting a parsing error.  The TLS issue must be related to Java 6 Update 16 as Java 6 Update 45 (Last Version 6) works.
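An added example, not code from this thread: a small Python checker for a Deployment Rule Set file. It reports the structural mistakes the JRE only surfaces as a parse error (the missing <rule> tag from the closing comment is one), lists rules that pin an explicit old JRE rather than a SECURE baseline, and resolves which rule applies to an application URL under DRS first-match ordering, which shows why a per-app pin like the one in the accepted answer must appear before the broader host rule. The sample ruleset and URLs are constructed; host wildcards and default ports are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the accepted answer: rule 1 lets anything on
# yoursite.com run on the default JRE, rule 2 pins one app to 6u16, and the
# last rule (empty <id/>) is the catch-all default.
SAMPLE_RULESET = """<ruleset version="1.1">
  <rule><id location="http://yoursite.com" /><action permission="run" /></rule>
  <rule><id location="http://yoursite.com/myapp" />
        <action permission="run" version="1.6.0_16" /></rule>
  <rule><id /><action permission="default" /></rule>
</ruleset>"""

def parse_ruleset(xml_text):
    """Return [(location, permission, version)] or raise ValueError for the
    structural mistakes the JRE only reports as a generic parse error."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML: %s" % exc)
    if root.tag != "ruleset":
        raise ValueError("root element must be <ruleset>, got <%s>" % root.tag)
    rules = []
    for n, rule in enumerate(root, 1):
        if rule.tag != "rule":  # e.g. an <id> written directly under <ruleset>
            raise ValueError("child %d of <ruleset> is <%s>, not <rule>" % (n, rule.tag))
        ids, actions = rule.findall("id"), rule.findall("action")
        if len(ids) != 1 or len(actions) != 1:
            raise ValueError("rule %d needs exactly one <id> and one <action>" % n)
        rules.append((ids[0].get("location", ""), actions[0].get("permission"),
                      actions[0].get("version")))
    return rules

def match_rule(rules, app_url):
    """DRS applies the first rule (in file order) whose location matches; an
    empty location matches everything. Simplified to plain prefix matching:
    host wildcards and default ports are not modelled (assumption)."""
    for loc, permission, version in rules:
        if app_url.startswith(loc.rstrip("/")):
            return permission, version
    return None

def specific_first(rules):
    """Reorder so longer (more specific) locations precede shorter ones, which
    keeps a per-app JRE pin from being shadowed by a broader host rule."""
    return sorted(rules, key=lambda r: -len(r[0]))

def pinned_versions(rules):
    """Rules that pin an explicit JRE instead of a SECURE-x.y baseline; each is
    an app deliberately held on an old JRE and worth reviewing."""
    return [(loc, ver) for loc, _perm, ver in rules
            if ver and not ver.upper().startswith("SECURE")]
```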
 

Author Comment

by:BHeshka
ID: 40678375
Untitled.png
Here is an image of the TLS error for future reference.
 

Author Comment

by:BHeshka
ID: 40678415
Here are my notes to create a self-signed Java Deployment Rule Set in a Windows (Server 2008 R2) environment.  You will need to deploy (trust) your certificate within your domain via Group Policy.



*** CCU_CodeSigningKeyStore password = Ultra#Secure1Password   Change -storepass if you change the password (ex. -storepass Ultra#Secure1Password changes to -storepass NewPassword1)
*** CodeSigning password = Ultra#Secure1Password               Change -keypass if you change the password (ex. -keypass Ultra#Secure1Password changes to -keypass NewPassword1)


keytool -genkey -keystore CCU_CodeSigningKeyStore -alias CodeSigning
keytool -list -storepass Ultra#Secure1Password -keystore CCU_CodeSigningKeyStore
keytool -selfcert -storepass Ultra#Secure1Password -alias CodeSigning -keystore CCU_CodeSigningKeyStore
keytool -list -v -storepass Ultra#Secure1Password -keystore CCU_CodeSigningKeyStore
keytool -certreq -v -alias CodeSigning -file mycsr.pem -storepass Ultra#Secure1Password -keystore CCU_CodeSigningKeyStore

- Use your internal web-based Cert Authority (https://certservername/certsrv/Default.asp) to sign the key.  You may have to add the code signing template first in the Certification Authority MMC.
- Rename the file certnew.cer and the Root cert to CA_Cert.cer. (I think just the 2nd part - verify this)

keytool -import -trustcacerts -keystore CCU_CodeSigningKeyStore -storepass Ultra#Secure1Password -alias CodeSigningCA -file CA_Cert.cer
- Import ALL certificates in the chain above your self signed certificate

keytool -import -keystore CCU_CodeSigningKeyStore -storepass Ultra#Secure1Password -alias CodeSigning -file certnew.cer


<In the future if changing your ruleset Start here>
Copy Ruleset.xml CA_Cert.cer certnew.cer CCU_CodeSigningKeyStore to the bin folder of the current java JDK folder.

Open a CMD and change to the path "<Path to Java JDK>\jdk1.x.0_xx\bin"
ex.
c:
cd C:\jdk1.7.0_75\bin

Convert the XML into a JAR file: jar cvf DeploymentRuleSet.jar ruleset.xml

jarsigner -verbose -keystore CCU_CodeSigningKeyStore -storepass Ultra#Secure1Password -keypass Ultra#Secure1Password -tsa http://tsa.starfieldtech.com DeploymentRuleSet.jar CodeSigning
- You can use any Time Stamp Server
      http://timestamp.comodoca.com/authenticode
      http://timestamp.verisign.com/scripts/timstamp.dll
      http://timestamp.globalsign.com/scripts/timestamp.dll
      http://tsa.starfieldtech.com

jarsigner -verify -verbose -keystore CCU_CodeSigningKeyStore -certs DeploymentRuleSet.jar