Solved

Java Deployment Rule Set Configuration Issues

Posted on 2015-02-02
Last Modified: 2015-02-10
Our company is working with a new company that has a web app that requires Java 6u16, so I figured it would be a good time to finally learn how to better secure Java in our environment. We currently are using Java 7u75 with a few users using Java 8u25. I have read I can run both (or all 3) versions of Java on 1 computer.

I now have Java 8u25, 7u75, and 6u16 on my test computer. I have created my ruleset and signed the jar file. I also have a deployment.config & deployment.properties along with the signed (self-signed and cert deployed via GPO) jar file in C:\Windows\Sun\Java\Deployment

 Now on any website that uses Java I get this error

Blocked
I have read https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets thoroughly but still no luck.
deployment.properties.txt
deployment.config.txt
ruleset.xml
Question by:BHeshka
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 40585944
Introduced in Java 7 update 40, not available in Java 6 update 16. You have to set your paths to use the applicable version. I'd set the default path in the path environment variables and only for specific applications use a batch file to change the path.
default in path environment variable  C:\Java\jdk1.7.0\bin
--
rem need java 6
set javahome=c:\java\jdk1.6.0\bin
java version6.ja

For your browser, you can change which is used in the Java Control Panel.
0
 
LVL 65

Expert Comment

by:btan
ID: 40585991
Quick check on this source as well:
When specifying a version for your DRS, it is easiest to go in order of: SECURE (no version), then SECURE-1.X (major version only), and only use specific versions like 1.7.0_51 for a verified compatibility issue. Because rules are specified explicitly by a system administrator, their results are applied before other checks that would affect program execution.
https://blogs.oracle.com/java-platform-group/entry/managing_multiple_java_versions
0
 

Author Comment

by:BHeshka
ID: 40586808
Thanks for your responses.


@btan
Thanks for the link. I didn't install the different versions as static installs but wonder if I would, as each are major versions. I guess I should, in case someone decides for some reason to install an old Java version; it would prevent the "specific" version that I force on them from being overwritten.

@ David Johnson
I thought that the below in deployment.properties would specify the locations and the rule set would tell the app what version to use? Is what you stated for desktop Java apps only? I should have specified that we only have browser-based Java apps in our environment. If not, how would I specify a path only for certain websites?

deployment.javaws.jre.0.args=
deployment.javaws.jre.0.registered=true
deployment.javaws.jre.0.osarch=x86
deployment.javaws.jre.0.osname=Windows
deployment.javaws.jre.0.platform=1.8
deployment.javaws.jre.0.path=C\:\\Program Files (x86)\\Java\\jre8\\bin\\javaw.exe
deployment.javaws.jre.0.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.0.enabled=true
deployment.javaws.jre.0.product=1.8.0_25

deployment.javaws.jre.1.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.1.args=
deployment.javaws.jre.1.enabled=true
deployment.javaws.jre.1.registered=false
deployment.javaws.jre.1.product=1.7.0_71
deployment.javaws.jre.1.path=C\:\\Program Files (x86)\\Java\\jre7\\bin\\javaw.exe
deployment.javaws.jre.1.osarch=x86
deployment.javaws.jre.1.osname=Windows
deployment.javaws.jre.1.platform=1.7

deployment.javaws.jre.2.enabled=true
deployment.javaws.jre.2.platform=1.6
deployment.javaws.jre.2.osname=Windows
deployment.javaws.jre.2.osarch=x86
deployment.javaws.jre.2.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.2.registered=true
deployment.javaws.jre.2.path=C\:\\Program Files (x86)\\Java\\jre6\\bin\\javaw.exe
deployment.javaws.jre.2.product=1.6.0_16
0
 
LVL 65

Accepted Solution

by:
btan earned 1500 total points
ID: 40587940
In fact, as advised by principal, the (other) Patch-In-Place is the default chosen approach and you should use static installations only on systems known to require a specific version. Since it is specific to certain apps, it is much better to tie to a specific version in a machine with multiple rather than leaving it open.

Regardless, when specifying the version in a DRS, it is best to choose a version equal to or higher than the one requested by the launching file. Of course, specifying a version in your DRS that looks like SECURE or SECURE-1.X is a simpler choice but can lead to execution not within control and lockdown, kind of differing the DRS intent to lockdown where possible.
0
 

Author Closing Comment

by:BHeshka
ID: 40601293
Removed Secure from DRS and all is working. Also reinstalled using STATIC parameter.
0
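An added example, not part of the thread or the poster's files: a small Python check of which `run` rules in a rule set can be satisfied by the installed JREs, following the SECURE / SECURE-1.X / specific-version distinction quoted above. The rule set, hostnames and baseline numbers are constructed assumptions; the installed versions are the `product` values from the deployment.properties in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed rule set for illustration (the thread's ruleset.xml is not shown).
SAMPLE_RULESET = """<ruleset version="1.0+">
  <rule>
    <id location="https://legacy.example.com"/>
    <action permission="run" version="SECURE-1.6"/>
  </rule>
  <rule>
    <id location="https://intranet.example.com"/>
    <action permission="run" version="1.6.0_16"/>
  </rule>
  <rule><id/><action permission="block"/></rule>
</ruleset>"""

# "product" values from the deployment.properties posted in the thread.
INSTALLED = ["1.8.0_25", "1.7.0_71", "1.6.0_16"]
# Assumed security baselines per family; read the real ones from your JREs.
BASELINE = {"1.8": "1.8.0_31", "1.7": "1.7.0_75", "1.6": "1.6.0_91"}

def parse(v):
    """'1.6.0_16' -> (1, 6, 0, 16) so versions compare numerically."""
    return tuple(int(p) for p in v.replace("_", ".").split("."))

def family(v):
    return ".".join(v.split(".")[:2])

def is_secure(v):
    base = BASELINE.get(family(v))
    return base is not None and parse(v) >= parse(base)

def satisfiable(version):
    """True if an installed JRE can satisfy an <action version=...> value."""
    if version is None or version == "SECURE":
        return any(is_secure(v) for v in INSTALLED)
    if version.startswith("SECURE-"):
        fam = version[len("SECURE-"):]
        return any(family(v) == fam and is_secure(v) for v in INSTALLED)
    return version in INSTALLED  # exact version only; no "+" or "*" handling

def lint(xml_text):
    """Return (location, version) for run rules no installed JRE satisfies."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        action = rule.find("action")
        if action is not None and action.get("permission") == "run":
            ver = action.get("version")
            if not satisfiable(ver):
                findings.append((rule.find("id").get("location"), ver or "SECURE"))
    return findings
```

With these assumed baselines every installed JRE sits below its family baseline, so `lint(SAMPLE_RULESET)` flags the SECURE-1.6 rule and leaves the rule pinned to 1.6.0_16 alone.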
