Solved

Java Deployment Rule Set

Posted on 2015-01-11
Last Modified: 2015-04-10
Our company is working with a new company that has a web app that requires Java 6u16, so I figured it would be a good time to finally learn how to better secure Java in our environment.  We currently are using Java 7u71 with a few users using Java 8u25.  I have read I can run both (or all 3) versions of Java on 1 computer.  

I now have Java 8u25, 7u71, and 6u16 on my test computer. I have created my ruleset and signed the jar file. I also have a deployment.config & deployment.properties along with the signed jar file in C:\Windows\Sun\Java\Deployment

Now on any website that uses Java I get this error

Blocked.png
Any help?

I also attached deployment.config & deployment.properties
deployment.config.txt
deployment.properties.txt
Question by:BHeshka

Expert Comment

by:Alexa Jackson
Hi
As per the information and details provided by you, the Java 8u25 installation shows errors, maybe because of the proxy server. Please follow this script: -

function FindProxyForURL(url, host) {
// Plain host without domain, internal domain, ftp, or a private IP address
  if (isPlainHostName(host)  ||
   dnsDomainIs(host,".internal.domain.com") ||
   url.substring(0, 4)=="ftp:" ||
//http://....  (offset 7 skips "http://"; the end index must cover the whole prefix being compared)
   url.substring(7, 10)=="10." ||
   url.substring(7, 12)=="172.1" ||
   url.substring(7, 14)=="192.168" ||
//https://.... (offset 8 skips "https://")
   url.substring(8, 11)=="10." ||
   url.substring(8, 13)=="172.1" ||
   url.substring(8, 15)=="192.168" ||
  shExpMatch(url,"https://www.<servername>.com:8443/"))
   {
  return "DIRECT";
  }
// If the client uses this PAC file, the client is connected to the internal network and has to use a proxy server
  return "PROXY <Proxyserver>:<Proxyport>; DIRECT";
}
 
It's not perfect. 172.1.... does not include all private IP addresses in Class B, but for our environment it's enough till Oracle has a solution.

I hope this information will be helpful for you.
Thanks and regards
Alexa@J

Author Comment

by:BHeshka
Thanks for the response Alexa.  This seems more for programming or where would I put this?

Author Comment

by:BHeshka
Anyone else have any suggestions?

Expert Comment

by:Alexa Jackson
Hi,

The above provided code can be traversed at the time of installation of the JDBC drivers.
What is JDBC Driver?: - These are the drivers that you install at the time of setting database connectivity.
In simple words, you need to put the provided code at the time of setting JDBC connection via setting path in the console panel.

Please let me know if you need further assistance.

Thanks and Regards
Alexa@J

Author Comment

by:BHeshka
This talk about a JDBC driver just doesn't seem to jibe with what I am trying to accomplish.  

https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets

The above link might better describe it.

Accepted Solution

by:George K. (earned 500 total points)
Try this:
Create a rule set .xml file and package it as your DeploymentRuleSet.jar

Rule set xml example:

<ruleset version="1.1">
      <rule>
            <id location="http://yoursite.com....." />
            <action permission="run" />
      </rule>
      <rule>
            <id location="http://yoursite.com........./myapp" />
            <!-- an exact JRE build is written like a Java version string: 1.6.0_16 (SECURE-1.6 would mean the latest secure 1.6 instead) -->
            <action permission="run" version="1.6.0_16" />
      </rule>
...........
</ruleset>

Expert Comment

by:CEHJ
Our company is working with a new company that has a web app that requires Java 6u16, so I figured it would be a good time to finally learn how to better secure Java in our environment.
It would be a good time to ask them WHY their software requires an insecure JRE in order to run

Author Comment

by:BHeshka
CEHJ - I brought this up with them and our management during our testing.  They both for some reason don't seem to care.  Now I am trying to at least patch the problem.

George - I had something like that already but I reread the info on the java site.  I attached all my files. Do you see any errors?

The late response is due to a new error that I can't seem to get past.  

Blocke2.png
I am using the latest JDK (8u40) and this is what I am running to compile and sign it:
jar cvf DeploymentRuleSet.jar ruleset.xml
jarsigner -verbose -J-Dhttp.proxyHost=sk.proxy.website2.prv -J-Dhttp.proxyPort=80 -keystore CCU_CodeSigningKeyStore -storepass Password -keypass Password -tsa http://tsa.starfieldtech.com DeploymentRuleSet.jar CodeSigning

When I open the Java control panel I am able to see my deployment ruleset

I have even tried uninstalling Java and reinstalling.
deployment.config.txt
deployment.properties.txt
exception.sites.txt
ruleset.xml.txt

Author Comment

by:BHeshka
I should also mention I was at one point getting an error message that would pop up then quickly disappear that just said TLS 1.2

Author Closing Comment

by:BHeshka
I finally noticed that I was missing a <rule> tag in my ruleset.  That is why I was getting a parsing error.  The TLS issue must be related to Java 6 Update 16 as Java 6 Update 45 (Last Version 6) works.

Author Comment

by:BHeshka
Untitled.png
Here is an image of the TLS error for future reference.

Author Comment

by:BHeshka
Here are my notes to create a self-signed Java Deployment Rule Set in a Windows (Server 2008 R2) environment.  You will need to deploy (trust) your certificate within your domain via Group Policy.



*** CCU_CodeSigningKeyStore password = Ultra#Secure1Password   Change -storepass if you change the password (ex. -storepass Ultra#Secure1Password changes to -storepass NewPassword1)
*** CodeSigning password = Ultra#Secure1Password               Change -keypass if you change the password (ex. -keypass Ultra#Secure1Password changes to -keypass NewPassword1)


keytool -genkey -keyalg RSA -keysize 2048 -keystore CCU_CodeSigningKeyStore -alias CodeSigning
keytool -list -storepass Ultra#Secure1Password -keystore CCU_CodeSigningKeyStore
keytool -selfcert -storepass Ultra#Secure1Password -alias CodeSigning -keystore CCU_CodeSigningKeyStore
keytool -list -v -storepass Ultra#Secure1Password -keystore CCU_CodeSigningKeyStore
keytool -certreq -v -alias CodeSigning -file mycsr.pem -storepass Ultra#Secure1Password -keystore CCU_CodeSigningKeyStore

- Use your internal WebBased Cert Authority (https://certservername/certsrv/Default.asp) to sign key.  You may have to add the codesigning template first in Certification Authority MMC.
- Rename the file certnew.cer and the Root cert to CA_Cert.cer. (I think just the 2nd part - verify this)

keytool -import -trustcacerts -keystore CCU_CodeSigningKeyStore -storepass Ultra#Secure1Password -alias CodeSigningCA -file CA_Cert.cer
- Import ALL certificates in the chain above your self signed certificate

keytool -import -keystore CCU_CodeSigningKeyStore -storepass Ultra#Secure1Password -alias CodeSigning -file certnew.cer


<In the future if changing your ruleset Start here>
Copy Ruleset.xml CA_Cert.cer certnew.cer CCU_CodeSigningKeyStore to the bin folder of the current java JDK folder.

Open a CMD and change to the path "<Path to Java JDK>\jdk1.x.0_xx\bin"
ex.
c:
cd C:\jdk1.7.0_75\bin

Package the XML into a JAR file: jar cvf DeploymentRuleSet.jar ruleset.xml

jarsigner -verbose -keystore CCU_CodeSigningKeyStore -storepass Ultra#Secure1Password -keypass Ultra#Secure1Password -tsa http://tsa.starfieldtech.com DeploymentRuleSet.jar CodeSigning
- You can use any Time Stamp Server
      http://timestamp.comodoca.com/authenticode
      http://timestamp.verisign.com/scripts/timstamp.dll
      http://timestamp.globalsign.com/scripts/timestamp.dll
      http://tsa.starfieldtech.com

jarsigner -verify -verbose -keystore CCU_CodeSigningKeyStore -certs DeploymentRuleSet.jar
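The accepted answer's rule set XML and the signing notes above both go through the same two steps: get ruleset.xml right, then package it and hand it to jarsigner. The thread's own failure was a missing <rule> tag that the plugin reported only as a parse error that blocked every applet. As an added example (not code from the thread or from Oracle), the following Python script checks a ruleset.xml for that class of mistake, for the two attribute errors in the posted XML (a location without a scheme, a version string that is not a JRE version), for an unreachable rule behind a catch-all <id/>, and warns wherever a rule pins a fixed, non-SECURE JRE. It then writes the unsigned DeploymentRuleSet.jar the way `jar cvf` would. The sample rule sets and host names are constructed for illustration; the accepted version-string forms (1.6.0_16, 1.7*, SECURE, SECURE-1.6) are my reading of the DRS documentation.

```python
"""Check a Java Deployment Rule Set (ruleset.xml) and package it as an
unsigned DeploymentRuleSet.jar for jarsigner.  Added example; the sample
rule sets and host names below are constructed for illustration."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

PERMISSIONS = {"run", "block", "default"}
# Version forms accepted by <action version="...">: an exact build such as
# 1.6.0_16, a family wildcard such as 1.7*, SECURE or SECURE-1.6 (assumed).
VERSION_RE = re.compile(r"^(SECURE(-\d+\.\d+)?|\d+(\.\d+)*(_\d+)?[*+]?)$")


def validate_ruleset(xml_text):
    """Return (severity, message) tuples; severity is 'error' or 'warning'."""
    found = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A missing </rule> lands here: the plugin rejects the whole rule set
        # and blocks every applet, which is what the thread saw.
        return [("error", "XML parse error: %s" % exc)]
    if root.tag != "ruleset":
        return [("error", "root element is <%s>, expected <ruleset>" % root.tag)]
    if "version" not in root.attrib:
        found.append(("error", "<ruleset> has no version attribute"))
    rules = list(root)
    if not rules:
        found.append(("error", "no <rule> elements in ruleset"))
    catch_all_seen = False
    for n, rule in enumerate(rules, 1):
        if rule.tag != "rule":
            found.append(("error", "element %d is <%s>; rule content must be wrapped in <rule>" % (n, rule.tag)))
            continue
        if catch_all_seen:  # rules match in document order, first match wins
            found.append(("warning", "rule %d is unreachable behind an earlier empty <id/>" % n))
        ids, actions = rule.findall("id"), rule.findall("action")
        if len(ids) != 1 or len(actions) != 1:
            found.append(("error", "rule %d must contain exactly one <id> and one <action>" % n))
            continue
        rid, action = ids[0], actions[0]
        loc = rid.get("location")
        if loc is not None and not re.match(r"^https?://", loc):
            found.append(("error", "rule %d: location %r must start with http:// or https://" % (n, loc)))
        if loc is None and rid.get("title") is None and rid.find("certificate") is None:
            catch_all_seen = True
        perm = action.get("permission")
        if perm not in PERMISSIONS:
            found.append(("error", "rule %d: permission %r is not one of %s" % (n, perm, sorted(PERMISSIONS))))
        ver = action.get("version")
        if ver is not None and not VERSION_RE.match(ver):
            found.append(("error", "rule %d: version %r is not a JRE version string such as 1.6.0_16" % (n, ver)))
        elif ver is not None and not ver.startswith("SECURE"):
            # Pinning an old JRE re-opens every bug fixed since; keep the
            # location as narrow as possible and serve it over https so the
            # match cannot be spoofed by someone on the network path.
            found.append(("warning", "rule %d pins JRE %s for %s" % (n, ver, loc or "any location")))
    return found


def errors(xml_text):
    """Only the error messages, for a pass/fail decision."""
    return [msg for sev, msg in validate_ruleset(xml_text) if sev == "error"]


def build_jar(xml_text):
    """Bytes of an unsigned DeploymentRuleSet.jar: a zip whose first entry is
    META-INF/MANIFEST.MF, as `jar cvf DeploymentRuleSet.jar ruleset.xml`
    produces.  Java only honours a signed rule set, so jarsigner still follows."""
    if errors(xml_text):
        raise ValueError("refusing to package an invalid rule set")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("ruleset.xml", xml_text)
    return buf.getvalue()


def jar_entries(jar_bytes):
    """Entry names of a jar, in order."""
    return zipfile.ZipFile(io.BytesIO(jar_bytes)).namelist()


# Constructed sample: partner app pinned to 6u16, everything else on the
# current secure JRE, and a catch-all default rule last.
GOOD = """<ruleset version="1.0+">
  <rule><id location="https://partnerapp.example.com" /><action permission="run" version="1.6.0_16" /></rule>
  <rule><id location="https://intranet.example.com" /><action permission="run" version="SECURE" /></rule>
  <rule><id /><action permission="default" /></rule>
</ruleset>"""
# Constructed sample reproducing the thread's mistake: second </rule> missing.
MISSING_RULE_TAG = """<ruleset version="1.0+">
  <rule><id location="https://partnerapp.example.com" /><action permission="run" /></rule>
  <rule><id location="https://intranet.example.com" /><action permission="run" />
</ruleset>"""
# Constructed sample with the two attribute mistakes from the posted XML.
BAD_ATTRS = """<ruleset version="1.0+">
  <rule><id location="http:yoursite.com/myapp" /><action permission="run" version="SECURE-1.6.0.16" /></rule>
</ruleset>"""

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("missing-rule-tag", MISSING_RULE_TAG), ("bad-attrs", BAD_ATTRS)):
        print(name)
        for sev, msg in validate_ruleset(text) or [("ok", "no problems")]:
            print("  %s: %s" % (sev, msg))
    with open("DeploymentRuleSet.jar", "wb") as fh:
        fh.write(build_jar(GOOD))
```

Run it in the folder that holds ruleset.xml, then sign the resulting jar exactly as in the notes; jarsigner accepts `-storepass:env VARNAME` in place of a literal password, which keeps the keystore password out of the command line and shell history.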