Solved

Java Deployment Rule Set Configuration Issues

Posted on 2015-02-02
Last Modified: 2015-02-10
Our company is working with a new company that has a web app that requires Java 6u16, so I figured it would be a good time to finally learn how to better secure Java in our environment.  We currently are using Java 7u75 with a few users using Java 8u25.  I have read I can run both (or all 3) versions of Java on 1 computer.

I now have Java 8u25, 7u75, and 6u16 on my test computer. I have created my ruleset and signed the jar file. I also have a deployment.config & deployment.properties along with the signed (self-signed and cert deployed via GPO) jar file in C:\Windows\Sun\Java\Deployment

 Now on any website that uses Java I get this error

Blocked
I have read https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets thoroughly but still no luck.
deployment.properties.txt
deployment.config.txt
ruleset.xml
Question by:BHeshka
5 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40585944
Introduced in Java 7 update 40, not available in Java 6 update 16.  You have to set your paths to use the applicable version. I'd set the default path in the path environment variables and only for specific applications use a batch file to change the path
default in path environment variable  C:\Java\jdk1.7.0\bin
--
rem need java 6
set javahome=c:\java\jdk1.6.0\bin
rem put the Java 6 bin directory first on the path for this batch session
set PATH=%javahome%;%PATH%
java version6.ja

for your browser you can change which is used in the java control panel
0
 
LVL 61

Expert Comment

by:btan
ID: 40585991
quick check on this source as well
When specifying a version for your DRS, it is easiest to go in order of: SECURE (no version), then SECURE-1.X (major version only), and only use specific versions like 1.7.0_51 for a verified compatibility issue. Because rules are specified explicitly by a system administrator, their results are applied before other checks that would affect program execution.
https://blogs.oracle.com/java-platform-group/entry/managing_multiple_java_versions
0
 

Author Comment

by:BHeshka
ID: 40586808
Thanks for your responses.


@btan
Thanks for the link.  I didn't install the different versions as static installs but wonder if I should, as each are major versions.  I guess I should, in case someone decides for some reason to install an old Java version; it would prevent the "specific" version that I force on them from being overwritten.

@David Johnson
I thought that the below in deployment.properties would specify the locations and the rule set would tell the app what version to use?  Is what you stated for desktop Java apps only? I should have specified that we only have browser-based Java apps in our environment. If not, how would I specify a path only for certain websites?

deployment.javaws.jre.0.args=
deployment.javaws.jre.0.registered=true
deployment.javaws.jre.0.osarch=x86
deployment.javaws.jre.0.osname=Windows
deployment.javaws.jre.0.platform=1.8
deployment.javaws.jre.0.path=C\:\\Program Files (x86)\\Java\\jre8\\bin\\javaw.exe
deployment.javaws.jre.0.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.0.enabled=true
deployment.javaws.jre.0.product=1.8.0_25

deployment.javaws.jre.1.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.1.args=
deployment.javaws.jre.1.enabled=true
deployment.javaws.jre.1.registered=false
deployment.javaws.jre.1.product=1.7.0_71
deployment.javaws.jre.1.path=C\:\\Program Files (x86)\\Java\\jre7\\bin\\javaw.exe
deployment.javaws.jre.1.osarch=x86
deployment.javaws.jre.1.osname=Windows
deployment.javaws.jre.1.platform=1.7

deployment.javaws.jre.2.enabled=true
deployment.javaws.jre.2.platform=1.6
deployment.javaws.jre.2.osname=Windows
deployment.javaws.jre.2.osarch=x86
deployment.javaws.jre.2.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.2.registered=true
deployment.javaws.jre.2.path=C\:\\Program Files (x86)\\Java\\jre6\\bin\\javaw.exe
deployment.javaws.jre.2.product=1.6.0_16
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40587940
In fact, as advised by principal, the (other) Patch-In-Place is the default chosen approach and you should use static installations only on systems known to require a specific version. Since it is specific to certain applications, it is much better to tie to a specific version in a machine with multiple rather than leaving it open.

Regardless, when specifying the version in a DRS, it is best to choose a version equal to or higher than the one requested by the launching file. Of course, specifying a version in your DRS that looks like SECURE or SECURE-1.X is a simpler choice but can lead to execution not within control and lockdown, kind of differing from the DRS intent to lock down where possible.
0
 

Author Closing Comment

by:BHeshka
ID: 40601293
Removed Secure from DRS and all is working.  Also reinstalled using the STATIC parameter.
0
