Recently I was tasked with investigating the Java Deployment Rule Set to allow us to have multiple versions of Java on one machine, ensuring that web applications which require the older versions use them as needed and to ensure any other Java web apps run with the latest version. Usually, I would resort to application virtualization for dealing with the deployment of legacy versions of Java but that was not an option this time.
I followed the step by step: HERE, it really is all you need. I had a few slight variations on what was shown in that post but credit where credit is due. Eventually I got this to work by changing some paths around. I believe my confusion was due to using a different version of OpenSSL. I will link the exact version that I used here, so this should work for everybody without exception. The link above also is set to block all other Java web apps, where as mine allows them to work with the latest version. If you’d like to block all then by all means, use the ruleset example shown in the link above.
For testing purposes, you can also install any old version of Java that you’d like to test it with. I installed Java version 6 update 20. If you don’t already have the older versions of Java that you need to test with, you will need to get an Oracle account and download them from the Archive.
Creating the Deployment Rule Set
Run Command Prompt as an Administrator
Type SET OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg and hit enter
Type cd C:\OpenSSL-Win32\bin and hit enter
Type openssl.exe req -x509 -nodes -days 365 -newkey rsa:2048 -keyout JavaprivateKey.key -out JavaClientCert.crt
The above command will create the crt cert file using the JavaprivateKey.key with 2048 as the bit size. The cert will expire in 365 days, you can increase this if you please, I’m not sure what the limit was but I did try out 10000 days and it took, I tried to for more than that before and it failed to create the .crt file.
When satisfied, hit Enter
You will be prompted to input some info for the cert, here’s what I used:
Country Name (2 letter code): US
State or Province Name:AZ
Locality Name: PHX
Organization Name: Rorymon.com
Organizational Unit Name: RORYMON.COM
E-mail Address Rory@rorymon.com
Type openssl.exe pkcs12 -export -inkey JavaprivateKey.key -in JavaClientCert.crt -name RORYMON -out server.p12
The above command will generate a pkcs cert file which is required in Java in order to use a signed Jar Deployment Rule Set File.
Hit Enter and then enter a password as prompted
At this point launch Configure Java in your start menu. Click on Manage Certificates.
Select Signer CA from the drop down and then click Import.
Browse to your server.p12 file which should be in the bin folder e.g. C:\OpenSSL-Win32\bin and hit open
Enter your password here and hit OK
Open Notepad and paste in the text:
<id location=”javatester.org” />
<action permission=”run” version=”1.6.0_20″ />
id location is the site it should apply to. You can be very specific or you can use a wildcard, if you please. action permission can be set to run, block, default.
run appears to allow the Java web app to run without prompts
block completely blocks the webapp from running, if you’d like to block certain webapps or even block all webapps not explicitly allowed, you can use block to achieve this.
default will run in default mode, this will ensure prompts are thrown e.g. Allow this application to run using Java or whatever that warning actually says 🙂
For the version you can state the version as I have above, or you can be more broad and use SECURE-1.6 which will allow the web app to use any secure version of Java 1.6 that happens to be on the machine. You can also use SECURE-1.7 if you please
In my Java Ruleset, I’m allow the javatester.org page to run using Java 6 Update 20, all other sites which require Java should use the latest version installed on the desktop and launch with a prompt.
For more about the ruleset.xml and what you can set through this. Check out the official Oracle documentation HERE
At this point, I suggest copying the files created in the C:\OpenSSL-Win32\bin folder over to the Java working directory. (Only the created files, not every file in that directory, they should appear as above)
In the command window, type cd “C:\Program Files\Java\jdk1.7.0_75\bin” and hit enter
Type jar -cvf DeploymentRuleSet.jar ruleset.xml and hit enter
the alias RORYMON can be substituted with your own alias as you please throughout the rest of the post.
Enter password again, as prompted
This imports our cert into the keystore
When you receive the above prompt Type Y and hit enter
Type jarsigner -verbose -keystore server.p12 -storepass PASSWORD(This should be your password!!) -storetype pkcs12 DeploymentRuleSet.jar RORYMON
This will sign the JAR file with our server.p12 certificate.
The above message should be fine. The config file should now be signed.
Testing the Deployment Rule Set
Create the directory C:\Windows\Sun\Java\Deployment and copy the DeploymentRuleSet.jar file into it.
If you launch back into the Java Control Panel you should now be able to click on the View the active Deployment Rule Set under the Security Tab
We’re expecting to see the above. Basically a display of the contents of our ruleset.xml
Browse to https://www.java.com and click Do I have Java?
Click on Verify Java version, when you get the prompt click to allow Java to run. This is the prompt expected with the Default option selected in the ruleset
At this point, we can now see that browsing to Java.com and verifying shows the latest version. Remember, we specifically state javatester.org should run the older version.
At this point, you should now browse to https://javatester.org/version.html
That’s it! You should up and rocking. To use this on a different machine, you’ll need to deploy the DeploymentRuleSet.jar file to the C:\Windows\Sun\Java\Deployment directory on your users machine and you’ll need to ensure the cert has been imported for the users. You can do this programmatically by using the keytool:
keytool -import -alias RORYMON -keystore “C:\Program Files\Java\jre7\lib\security\cacerts” -file JavaClientCert.crt -storepass changeit
Note: The default password for the storespass is actually changeit