Solved

Java Deployment Rule Set

Posted on 2015-01-11
12
451 Views
Last Modified: 2015-04-10
Our company is working with a new company that has an web app that requires Java 6u16 so I figured it would be a good time to finally learn how to better secure Java in our enviroment.  We currently are using Java 7u71 with a few users using Java 8u25.  I have read I can run both (or all 3) version of Java on 1 computer.  

I now have Java 8u25, 7u71, and 6u16 on my test computer. I have created my ruleset and signed the jar file. I also have a deployment.config & deployment.properties along with the signed jar file in C:\Windows\Sun\Java\Deployment

Now on any website that uses Java I get this error

Blocked.png
Any help?

I also attached deployment.config & deployment.properties
deployment.config.txt
deployment.properties.txt
0
Comment
Question by:BHeshka
12 Comments
 
LVL 5

Expert Comment

by:Alexa Jackson
ID: 40543753
Hi
As per the information and details provided by you, Java 8u25 installation show errors, may be because of the Proxy Server. Please follow this script: -

function FindProxyForURL(url, host) {
// Plain Host without domain, internal domain or ip-address
  if (isPlainHostName(host)  ||
   dnsDomainIs(host,".internal.domain.com") ||
   url.substring(0, 4)=="ftp:" ||
//http://....
   url.substring(7, 9)=="10." ||
   url.substring(7, 11)=="172.1" ||
   url.substring(7, 13)=="192.168" ||
//https://....
   url.substring(8, 10)=="10." ||
   url.substring(8, 12)=="172.1" ||
   url.substring(8, 14)=="192.168" ||
  shExpMatch(url,"https://www.<servername>.com:8443/"))
   {
  return "DIRECT";
  }
// If the client uses that pad-file, the client is connected to the internal network an has to use a proxy server
  return "PROXY <Proxyserver>:<Proxyport>; DIRECT";
}
 
It's not perfect. 172.1.... does not include all private IP adresses in Class B, but for our environment it's enough till Oracle has a solution.

I hope this information will be helpful for you.
Thanks and regards
Alexa@J
0
 

Author Comment

by:BHeshka
ID: 40544453
Thanks for the response Alexa.  This seems more for programming or where would I put this?
0
 

Author Comment

by:BHeshka
ID: 40571455
Anyone else have any suggestions?
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 5

Expert Comment

by:Alexa Jackson
ID: 40572115
Hi,

The above provided code can be traversed at the time of installation of the JDBC drivers.
What is JDBC Driver?: - These are the drivers that you install at the time of setting database connectivity.
In simple words, you need to put the provided code at the time of setting JDBC connection via setting path in the console panel.

Please let me know if you need further assistance.

Thanks and Regards
Alexa@J
0
 

Author Comment

by:BHeshka
ID: 40584771
THis talk about a JDBC Driver just doesnt seem to jive with what I am trying to accomplish.  

https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets 

The above link might better discribe it.
0
 
LVL 13

Accepted Solution

by:
George K. earned 500 total points
ID: 40629435
Try this:
Create a rule set .xml file and package it with your Deploymentruleset.jar

Rule set xml example:

<ruleset version="1.1">
      <rule>
            <id location="http://yoursite.com....." />
            <action permission="run" />
      </rule>
      <rule>
            <id location="http:yoursite.com........./myapp" />
            <action permission="run" version="SECURE-1.6.0.16" />
...........
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 40629469
Our company is working with a new company that has an web app that requires Java 6u16 so I figured it would be a good time to finally learn how to better secure Java in our enviroment.
It would be a good time to ask them WHY their software requires an insecure JRE in order to run
0
 

Author Comment

by:BHeshka
ID: 40648108
CEHI - I brought this up with them and our management during our testing.  They both for some reason dont seem to care.  Now I am trying to atleast patch the problem,

George - I had something like that already but I reread the info on the java site.  I attached all my files. Do you see any errors?

The late response is due to a new error that I cant seem to get past.  

Blocke2.png
I am using the latest JDK (8u40) and this is what I am running to complie and sign it
jar cvf DeploymentRuleSet.jar ruleset.xml
jarsigner -verbose -J-Dhttp.proxyHost=sk.proxy.website2.prv -J-Dhttp.proxyPort=80 -keystore CCU_CodeSigningKeyStore -storepass Password -keypass Password -tsa http://tsa.starfieldtech.com DeploymentRuleSet.jar CodeSigning

When I open the Java control panel I am able to see my deployment ruleset

I have even tried uninstalling Java and reinstalling.
deployment.config.txt
deployment.properties.txt
exception.sites.txt
ruleset.xml.txt
0
 

Author Comment

by:BHeshka
ID: 40648126
I should also mention I was at one point getting a error message that would popup then quickly disappear that just said TLS 1.2
0
 

Author Closing Comment

by:BHeshka
ID: 40678369
I finally noticed that I was missing a <rule> tag in my ruleset.  That is why I was getting a parsing error.  The TLS issue must be related to Java 6 Update 16 as Java 6 Update 45 (Last Version 6) works.
0
 

Author Comment

by:BHeshka
ID: 40678375
Untitled.png
Here is an image of the TLS error for future reference.
0
 

Author Comment

by:BHeshka
ID: 40678415
Here are my notes to create a self signed Java Deployment Rule Set in a Windows (Server 2008 R2) enviroment.  You will need to deploy (trust) your certificate within your domain via Group Policy.



*** CCU_CodeSigningKeyStore password = Ultra#Secure1Password)  Change -storepass if you change password (ex. -storepasss Ultra#Secure1Password changes to -storepass NewPassword1)
*** CodeSigning password = Ultra#Secure1Password               Change -keypass if you change password (ex. -keypass Ultra#Secure1Password changes to -keypass NewPassword1)


keytool -genkey -keystore CCU_CodeSigningKeyStore -alias CodeSigning
keytool -list -storepass Ultra#Secure1Password -keystore CCU_CodeSigningKeyStore
keytool -selfcert -storepass Ultra#Secure1Password -alias CodeSigning -keystore CCU_CodeSigningKeyStore
keytool -list -v -storepass Ultra#Secure1Password -keystore CCU_CodeSigningKeyStore
keytool -certreq -v -alias CodeSigning -file mycsr.pem -storepass Ultra#Secure1Password -keystore CCU_CodeSigningKeyStore

- Use your internal WebBased Cert Authority (https://certservername/certsrv/Default.asp) to sign key.  You may have to add the codesigning template first in Certification Authority MMC.
-rename the file certnew.cer and the Root cert to CA_Cert.cer. (I think just the 2nd part - verify this)

keytool -import -trustcacerts -keystore CCU_CodeSigningKeyStore -storepass Ultra#Secure1Password -alias CodeSigningCA -file CA_Cert.cer
- Import ALL certificates in the chain above your self signed certificate

keytool -import -keystore CCU_CodeSigningKeyStore -storepass Ultra#Secure1Password -alias CodeSigning -file certnew.cer


<In the future if changing your ruleset Start here>
Copy Ruleset.xml CA_Cert.cer certnew.cer CCU_CodeSigningKeyStore to the bin folder of the current java JDK folder.

Open a CMD and change to the path "<Path to Java JDK>\jdk1.x.0_xx\bin"
ex.
c:
cd C:\jdk1.7.0_75\bin

Convert the XML in aJAR file: jar cvf DeploymentRuleSet.jar ruleset.xml

jarsigner -verbose -keystore CCU_CodeSigningKeyStore -storepass Ultra#Secure1Password -keypass Ultra#Secure1Password -tsa http://tsa.starfieldtech.com DeploymentRuleSet.jar CodeSigning
- You can use any Time Stamp Server
      http://timestamp.comodoca.com/authenticode
      http://timestamp.verisign.com/scripts/timstamp.dll
      http://timestamp.globalsign.com/scripts/timestamp.dll
      http://tsa.starfieldtech.com

jarsigner -verify -verbose -keystore CCU_CodeSigningKeyStore -certs DeploymentRuleSet.jar
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Viewers learn how to read error messages and identify possible mistakes that could cause hours of frustration. Coding is as much about debugging your code as it is about writing it. Define Error Message: Line Numbers: Type of Error: Break Down…
Viewers will learn one way to get user input in Java. Introduce the Scanner object: Declare the variable that stores the user input: An example prompting the user for input: Methods you need to invoke in order to properly get  user input:

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question