Solved

Java Deployment Rule Set Configuration Issues

Posted on 2015-02-02
Last Modified: 2015-02-10
Our company is working with a new company that has a web app that requires Java 6u16, so I figured it would be a good time to finally learn how to better secure Java in our environment.  We currently are using Java 7u75 with a few users using Java 8u25.  I have read I can run both (or all 3) versions of Java on 1 computer.  

 I now have Java 8u25, 7u75, and 6u16 on my test computer. I have created my ruleset and signed the jar file. I also have a deployment.config & deployment.properties along with the signed (self-signed, and cert deployed via GPO) jar file in C:\Windows\Sun\Java\Deployment

 Now on any website that uses Java I get this error

Blocked
I have read https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets thoroughly but still no luck.
deployment.properties.txt
deployment.config.txt
ruleset.xml
Question by:BHeshka
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40585944
Introduced in Java 7 update 40, not available in Java 6 update 16.  You have to set your paths to use the applicable version. I'd set the default path in the path environment variables and only for specific applications use a batch file to change the path
default in path environment variable  C:\Java\jdk1.7.0\bin
--
rem need java 6
set javahome=c:\java\jdk1.6.0\bin
set PATH=%javahome%;%PATH%
java version6.ja

for your browser you can change which is used in the java control panel
 
LVL 62

Expert Comment

by:btan
ID: 40585991
quick check on this source as well
When specifying a version for your DRS, it is easiest to go in order of: SECURE (no version), then SECURE-1.X (major version only), and only use specific versions like 1.7.0_51 for a verified compatibility issue. Because rules are specified explicitly by a system administrator, their results are applied before other checks that would affect program execution.
https://blogs.oracle.com/java-platform-group/entry/managing_multiple_java_versions
 

Author Comment

by:BHeshka
ID: 40586808
Thanks for your responses.


@btan
Thanks for the link.  I didn't install the different versions as static installs but wonder if I should, as each are major versions.  I guess I should, in case someone decides for some reason to install an old Java version; it would prevent the "specific" version that I force on them from being overwritten.

@ David Johnson
I thought that the below in deployment.properties would specify the locations and the rule set would tell the app what version to use?  Is what you stated for desktop Java apps only? I should have specified that we only have browser-based Java apps in our environment. If not, how would I specify a path only for certain websites?

deployment.javaws.jre.0.args=
deployment.javaws.jre.0.registered=true
deployment.javaws.jre.0.osarch=x86
deployment.javaws.jre.0.osname=Windows
deployment.javaws.jre.0.platform=1.8
deployment.javaws.jre.0.path=C\:\\Program Files (x86)\\Java\\jre8\\bin\\javaw.exe
deployment.javaws.jre.0.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.0.enabled=true
deployment.javaws.jre.0.product=1.8.0_25

deployment.javaws.jre.1.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.1.args=
deployment.javaws.jre.1.enabled=true
deployment.javaws.jre.1.registered=false
deployment.javaws.jre.1.product=1.7.0_71
deployment.javaws.jre.1.path=C\:\\Program Files (x86)\\Java\\jre7\\bin\\javaw.exe
deployment.javaws.jre.1.osarch=x86
deployment.javaws.jre.1.osname=Windows
deployment.javaws.jre.1.platform=1.7

deployment.javaws.jre.2.enabled=true
deployment.javaws.jre.2.platform=1.6
deployment.javaws.jre.2.osname=Windows
deployment.javaws.jre.2.osarch=x86
deployment.javaws.jre.2.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.2.registered=true
deployment.javaws.jre.2.path=C\:\\Program Files (x86)\\Java\\jre6\\bin\\javaw.exe
deployment.javaws.jre.2.product=1.6.0_16
 
LVL 62

Accepted Solution

by:btan
ID: 40587940
In fact, as advised by principal, the (other) Patch-In-Place is the default chosen approach and you should use static installations only on systems known to require a specific version. Since it is specific to certain applications, it is much better to tie to a specific version in a machine with multiple rather than leaving it open.

Regardless, when specifying the version in a DRS, it is best to choose a version equal to or higher than the one requested by the launching file. Of course, specifying a version in your DRS that looks like SECURE or SECURE-1.X is a simpler choice but can lead to execution not within control and lockdown, kind of differing the DRS intent to lockdown where possible.
 

Author Closing Comment

by:BHeshka
ID: 40601293
Removed Secure from DRS and all is working.  Also reinstalled using STATIC parameter.
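
A cross-check for the setup discussed in this thread, added here as an example and not taken from any poster's files: it lists each "run" rule in a ruleset.xml and reports whether its version is a SECURE keyword (what the poster removed) or an exact version that is actually registered in deployment.properties. The sample ruleset, the example.test hosts and the status labels are constructed; the 1.7.0_75 rule mirrors the thread, where 7u75 is installed but the properties list 1.7.0_71.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, NOT the poster's attached files.
RULESET = """<ruleset version="1.0+">
  <rule><id location="https://legacy.example.test"/>
        <action permission="run" version="SECURE-1.6"/></rule>
  <rule><id location="https://intranet.example.test"/>
        <action permission="run" version="1.7.0_75"/></rule>
  <rule><id location="https://vendor.example.test"/>
        <action permission="run" version="1.6.0_16"/></rule>
  <rule><id/><action permission="block"/></rule>
</ruleset>"""

PROPERTIES = """deployment.javaws.jre.0.product=1.8.0_25
deployment.javaws.jre.1.product=1.7.0_71
deployment.javaws.jre.2.product=1.6.0_16
"""

def registered_jres(props):
    """Collect the product version of every registered JRE entry."""
    pattern = r"^deployment\.javaws\.jre\.\d+\.product=(\S+)\s*$"
    return set(re.findall(pattern, props, re.MULTILINE))

def classify(version, jres):
    """Label a rule's version attribute (labels are this example's own)."""
    if version is None:
        return "unversioned"
    if version.startswith("SECURE"):
        return "secure-keyword"          # not pinned by the administrator
    if version.endswith(("*", "+")):
        return "pattern"                 # wildcard, not resolved here
    return "pinned-ok" if version in jres else "pinned-not-registered"

def audit(ruleset_xml, props):
    """Return (location, version, status) for every rule that permits run."""
    jres = registered_jres(props)
    findings = []
    for rule in ET.fromstring(ruleset_xml).iter("rule"):
        action = rule.find("action")
        if action is None or action.get("permission") != "run":
            continue                     # block/default rules pin no JRE
        ident = rule.find("id")
        location = ident.get("location", "*") if ident is not None else "*"
        version = action.get("version")
        findings.append((location, version, classify(version, jres)))
    return findings

if __name__ == "__main__":
    for location, version, status in audit(RULESET, PROPERTIES):
        print(f"{status:22} {version or '-':12} {location}")
```
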