Java Deployment Rule Set

Recently I was tasked with investigating the Java Deployment Rule Set to allow us to have multiple versions of Java on one machine, ensuring that web applications which require the older versions use them as needed and to ensure any other Java web apps run with the latest version. Usually, I would resort to application virtualization for dealing with the deployment of legacy versions of Java but that was not an option this time.

I followed the step-by-step linked HERE; it really is all you need. I made a few slight variations on what was shown in that post, but credit where credit is due. Eventually I got this to work by changing some paths around. I believe my confusion was due to using a different version of OpenSSL, so I will link the exact version that I used here; this should work for everybody without exception. The ruleset in the linked post is also set to block all other Java web apps, whereas mine allows them to run with the latest version. If you’d like to block all of them, then by all means use the ruleset example shown in the link above.

Requirements

Visual C++ Redistributable 2008
OpenSSL Light 1.0.2 (install, accepting all defaults in setup)
Java SDK (Any version from 7 Update 40 should work)

For testing purposes, you can also install any old version of Java that you’d like to test it with. I installed Java version 6 update 20. If you don’t already have the older versions of Java that you need to test with, you will need to get an Oracle account and download them from the Archive.

Creating the Deployment Rule Set

Run Command Prompt as an Administrator

Step1

Type SET OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg and hit enter

Step2

Type cd C:\OpenSSL-Win32\bin and hit enter

Step3

Type openssl.exe req -x509 -nodes -days 365 -newkey rsa:2048 -keyout JavaprivateKey.key -out JavaClientCert.crt

The above command creates a new 2048-bit RSA private key (JavaprivateKey.key) and a self-signed certificate (JavaClientCert.crt). Because of -nodes, the private key is written to disk unencrypted, so keep that file somewhere access is restricted. The cert will expire in 365 days; you can increase this if you please. I’m not sure what the limit is, but I did try 10000 days and it took; I tried more than that before and it failed to create the .crt file.

When satisfied, hit Enter

Step4


You will be prompted to input some info for the cert, here’s what I used:

Country Name (2 letter code): US

State or Province Name: AZ

Locality Name: PHX

Organization Name: Rorymon.com

Organizational Unit Name: RORYMON.COM

E-mail Address: Rory@rorymon.com

Step5

Type openssl.exe pkcs12 -export -inkey JavaprivateKey.key -in JavaClientCert.crt -name RORYMON -out server.p12

The above command bundles the private key and certificate into a PKCS#12 file (server.p12), which Java needs in order to sign the Deployment Rule Set JAR.

Hit Enter and then enter a password as prompted

Step6

At this point launch Configure Java in your start menu. Click on Manage Certificates.


Select Signer CA from the drop down and then click Import.

Step7

Browse to your server.p12 file, which should be in the bin folder (e.g. C:\OpenSSL-Win32\bin), and hit Open

Step8

Enter your password here and hit OK

Step9

Click Close

Step10


Open Notepad and paste in the text:

<ruleset version="1.0+">
  <rule>
    <id location="javatester.org" />
    <action permission="run" version="1.6.0_20" />
  </rule>
  <rule>
    <id />
    <action permission="default">
    </action>
  </rule>
</ruleset>

The location attribute of id is the site the rule should apply to. You can be very specific or you can use a wildcard, if you please. The permission attribute of action can be set to run, block or default.

run appears to allow the Java web app to run without prompts

block completely blocks the web app from running. If you’d like to block certain web apps, or even block all web apps not explicitly allowed, you can use block to achieve this.

default will run in default mode, this will ensure prompts are thrown e.g. Allow this application to run using Java or whatever that warning actually says 🙂

For the version, you can state an exact version as I have above, or you can be broader and use SECURE-1.6, which allows the web app to use any secure version of Java 1.6 that happens to be on the machine. You can also use SECURE-1.7 if you please.

In my Java ruleset, I’m allowing the javatester.org page to run using Java 6 Update 20; all other sites which require Java should use the latest version installed on the desktop and launch with a prompt.
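As an added example that is not part of the original post, here is a small Python evaluator that applies the ruleset semantics described above to a URL, so you can check what a rule set will do before signing and deploying it. Its matching model is an assumption (rules are tried in order, first match wins, a bare <id /> matches everything, and a *.host pattern also matches subdomains), and it does not consult Java's secure-baseline version list.

```python
# Added example: evaluate a Java Deployment Rule Set against a URL.
# The matching model below is an assumed simplification of Oracle's rules.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed ruleset mirroring the one in the post.
RULESET_XML = """\
<ruleset version="1.0+">
  <rule>
    <id location="javatester.org" />
    <action permission="run" version="1.6.0_20" />
  </rule>
  <rule>
    <id />
    <action permission="default"></action>
  </rule>
</ruleset>"""


def host_matches(pattern, host):
    """'*.example.com' matches example.com and any subdomain; else exact."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return pattern == host


def location_matches(location, url):
    """location is either a bare host or a scheme://host[/path] prefix."""
    target = urlparse(url)
    if "://" not in location:
        return host_matches(location, target.hostname or "")
    want = urlparse(location)
    return (want.scheme == target.scheme
            and host_matches(want.hostname or "", target.hostname or "")
            and target.path.startswith(want.path))


def evaluate(ruleset_xml, url):
    """Return (permission, version) of the first matching rule, or None."""
    root = ET.fromstring(ruleset_xml)
    for rule in root.findall("rule"):
        loc = rule.find("id").get("location")  # None for the catch-all <id />
        if loc is None or location_matches(loc, url):
            action = rule.find("action")
            return action.get("permission"), action.get("version")
    return None  # no rule matched: Java falls back to its normal behaviour
```

Run evaluate(RULESET_XML, "http://javatester.org/version.html") to confirm the older version is selected, and try a java.com URL to see the default rule apply.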

For more about ruleset.xml and what you can set through it, check out the official Oracle documentation HERE.

When ready, save the text file as ruleset.xml to the Java working directory; in this instance that’s C:\Program Files\Java\jdk1.7.0_75\bin

At this point, I suggest copying the files created in the C:\OpenSSL-Win32\bin folder over to the Java working directory (only the files created above, not every file in that directory).

Step11

In the command window, type cd "C:\Program Files\Java\jdk1.7.0_75\bin" and hit enter

Step12

Type jar -cvf DeploymentRuleSet.jar ruleset.xml and hit enter

Step14

Type keytool -import -file JavaClientCert.crt -alias RORYMON -keystore RORYMON.jks and hit enter

The alias RORYMON can be substituted with your own alias, as you please, throughout the rest of the post.

Enter a password for the keystore, as prompted

This creates the RORYMON.jks keystore and imports our cert into it

Step15

When keytool asks whether to trust this certificate, type Y and hit enter

Step16

Type jarsigner -verbose -keystore server.p12 -storepass PASSWORD -storetype pkcs12 DeploymentRuleSet.jar RORYMON (replace PASSWORD with the password you chose for server.p12!)

This signs the JAR file with the private key and certificate in our server.p12.

Hit Enter

Step17

jarsigner should report that the JAR is signed; a warning that the signer certificate is self-signed is expected. The config file should now be signed.

Testing the Deployment Rule Set

Step18

Create the directory C:\Windows\Sun\Java\Deployment and copy the DeploymentRuleSet.jar file into it.

Step19

If you launch back into the Java Control Panel, you should now be able to click View the active Deployment Rule Set under the Security tab.

You should see a display of the contents of your ruleset.xml.


Browse to http://www.java.com and click Do I have Java?


Click Verify Java version; when you get the prompt, click to allow Java to run. This is the prompt expected for the default permission in the ruleset.

Step20

At this point, we can see that browsing to Java.com and verifying shows the latest version. Remember, we specifically stated that javatester.org should run the older version.

Step21

Now browse to http://javatester.org/version.html, which should run with Java 6 Update 20 and without a prompt, as the run rule specifies.

That’s it! You should be up and rocking. To use this on a different machine, you’ll need to deploy the DeploymentRuleSet.jar file to the C:\Windows\Sun\Java\Deployment directory on your users’ machines, and you’ll need to ensure the cert has been imported for the users. You can do this programmatically with keytool:

keytool -import -alias RORYMON -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" -file JavaClientCert.crt -storepass changeit

Note: the default -storepass for the cacerts keystore is actually changeit

About author

Rorymon

Microsoft MVP in App-V. Citrix CTA. VMware vExpert. Unidesk Certified Engineer
