Solved

Java Deployment Rule Set Configuration Issues

Posted on 2015-02-02
5
560 Views
Last Modified: 2015-02-10
Our company is working with a new company that has an web app that requires Java 6u16 so I figured it would be a good time to finally learn how to better secure Java in our enviroment.  We currently are using Java 7u75 with a few users using Java 8u25.  I have read I can run both (or all 3) version of Java on 1 computer.  

 I now have Java 8u25, 7u75, and 6u16 on my test computer. I have created my ruleset and signed the jar file. I also have a deployment.config & deployment.properties along with the signed (Self Signed and cert depolyed via GPO) jar file in C:\Windows\Sun\Java\Deployment

 Now on any website that uses Java I get this error

Blocked
I have read https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets thouroughly but still no luck.
deployment.properties.txt
deployment.config.txt
ruleset.xml
0
Comment
Question by:BHeshka
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40585944
introduced in Java 7 update 40 not available in java 6 update 16.  You have to set your path's to use the applicable version.. I'd set the default path in the path environment variables and only for specific applications use a batch file to change the path
default in path environment variable  C:\Java\jdk1.7.0\bin
--
rem need java 6
set javahome = c:\java\jdk1.6.0\bin
java version6.ja

for your browser you can change which is used in the java control panel
0
 
LVL 63

Expert Comment

by:btan
ID: 40585991
quick check on this source as well
When specifying a version for your DRS, it is easiest to go in order of: SECURE (no version), then SECURE-1.X (major version only), and only use specific versions like 1.7.0_51 for a verified compatibility issue. Because rules are specified explicitly by a system administrator, their results are applied before other checks that would affect program execution.
https://blogs.oracle.com/java-platform-group/entry/managing_multiple_java_versions
0
 

Author Comment

by:BHeshka
ID: 40586808
Thanks for your respoonses.


@btan
Thanks for the link.  I didnt install the different versions as static installes but wonder if I would as each are major versions.  I guess I should incase someone decides for some reason to install a old java version, it would prevent the "specific" version that I force on them from being overwritten.

@ David Johnson
I thought that the below in deployment.properties would specify the locations and the the rule set would tell the app what version to use?  Is what you stated for desktop java apps only? I should have specified that we only have browser based java apps in our enviroment. If not how would I specify a path only for certain websites?

deployment.javaws.jre.0.args=
deployment.javaws.jre.0.registered=true
deployment.javaws.jre.0.osarch=x86
deployment.javaws.jre.0.osname=Windows
deployment.javaws.jre.0.platform=1.8
deployment.javaws.jre.0.path=C\:\\Program Files (x86)\\Java\\jre8\\bin\\javaw.exe
deployment.javaws.jre.0.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.0.enabled=true
deployment.javaws.jre.0.product=1.8.0_25

deployment.javaws.jre.1.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.1.args=
deployment.javaws.jre.1.enabled=true
deployment.javaws.jre.1.registered=false
deployment.javaws.jre.1.product=1.7.0_71
deployment.javaws.jre.1.path=C\:\\Program Files (x86)\\Java\\jre7\\bin\\javaw.exe
deployment.javaws.jre.1.osarch=x86
deployment.javaws.jre.1.osname=Windows
deployment.javaws.jre.1.platform=1.7

deployment.javaws.jre.2.enabled=true
deployment.javaws.jre.2.platform=1.6
deployment.javaws.jre.2.osname=Windows
deployment.javaws.jre.2.osarch=x86
deployment.javaws.jre.2.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.2.registered=true
deployment.javaws.jre.2.path=C\:\\Program Files (x86)\\Java\\jre6\\bin\\javaw.exe
deployment.javaws.jre.2.product=1.6.0_16
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40587940
In fact, as advised by principal, the (other) Patch-In-Place is the default chosen approach and you should use static installations only on systems known to require a specific version. Since it is specific to certain appls it is much better to tie to specific version in a machine with multiple rather than leaving it open.

Regardless, when specifying the version in a DRS, it is best to choose a version equal to or higher than the one requested by the launching file. Of course, specifying a version in your DRS that looks like SECURE or SECURE-1.X is simpler choice but can lead to execution not within control and lockdown, kinda of differing the DRS intent to lockdown where possible.
0
 

Author Closing Comment

by:BHeshka
ID: 40601293
Removed Secure form DRS and all is working.  Also reinstalled using STATIC paramater.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
OnPage: Incident management and secure messaging on your smartphone
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial will demonstrate how nuggets on the Web are formatted by using Chrome Developer Tools. These tools would not only view the site's CSS but it can also modify it and save the CSS to use on your own site.

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question