Java Deployment Rule Set

By Rory Monaghan


Recently I was tasked with investigating the Java Deployment Rule Set to allow us to have multiple versions of Java on one machine, ensuring that web applications which require the older versions use them as needed and to ensure any other Java web apps run with the latest version. Usually, I would resort to application virtualization for dealing with the deployment of legacy versions of Java but that was not an option this time.

I followed the step by step: HERE, it really is all you need. I had a few slight variations on what was shown in that post but credit where credit is due. Eventually I got this to work by changing some paths around. I believe my confusion was due to using a different version of OpenSSL. I will link the exact version that I used here, so this should work for everybody without exception. The link above also is set to block all other Java web apps, where as mine allows them to work with the latest version. If you’d like to block all then by all means, use the ruleset example shown in the link above.


Visual C++ Redistributable 2008
OpenSSL Light 1.0.2 (Install, accepting all default in setup)
Java SDK (Any version from 7 Update 40 should work)

For testing purposes, you can also install any old version of Java that you’d like to test it with. I installed Java version 6 update 20. If you don’t already have the older versions of Java that you need to test with, you will need to get an Oracle account and download them from the Archive.

Creating the Deployment Rule Set

Run Command Prompt as an Administrator


Type SET OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg and hit enter


Type cd C:\OpenSSL-Win32\bin and hit enter


Type openssl.exe req -x509 -nodes -days 365 -newkey rsa:2048 -keyout JavaprivateKey.key -out JavaClientCert.crt

The above command will create the crt cert file using the JavaprivateKey.key with 2048 as the bit size. The cert will expire in 365 days, you can increase this if you please, I’m not sure what the limit was but I did try out 10000 days and it took, I tried to for more than that before and it failed to create the .crt file.

When satisfied, hit Enter



You will be prompted to input some info for the cert, here’s what I used:

Country Name (2 letter code): US

State or Province Name:AZ

Locality Name: PHX

Organization Name:

Organizational Unit Name: RORYMON.COM

E-mail Address


Type openssl.exe pkcs12 -export -inkey JavaprivateKey.key -in JavaClientCert.crt -name RORYMON -out server.p12

The above command will generate a pkcs cert file which is required in Java in order to use a signed Jar Deployment Rule Set File.

Hit Enter and then enter a password as prompted


At this point launch Configure Java in your start menu. Click on Manage Certificates.


Select Signer CA from the drop down and then click Import.


Browse to your server.p12 file which should be in the bin folder e.g. C:\OpenSSL-Win32\bin and hit open


Enter your password here and hit OK


Click Close



Open Notepad and paste in the text:

<ruleset version=”1.0+”>
    <id location=”” />
    <action permission=”run” version=”1.6.0_20″ />
    <id />
    <action permission=”default”>

id location is the site it should apply to. You can be very specific or you can use a wildcard, if you please. action permission can be set to run, block, default.

run appears to allow the Java web app to run without prompts

block completely blocks the webapp from running, if you’d like to block certain webapps or even block all webapps not explicitly allowed, you can use block to achieve this.

default will run in default mode, this will ensure prompts are thrown e.g. Allow this application to run using Java or whatever that warning actually says 🙂

For the version you can state the version as I have above, or you can be more broad and use SECURE-1.6 which will allow the web app to use any secure version of Java 1.6 that happens to be on the machine. You can also use SECURE-1.7 if you please

In my Java Ruleset, I’m allow the page to run using Java 6 Update 20, all other sites which require Java should use the latest version installed on the desktop and launch with a prompt.

For more about the ruleset.xml and what you can set through this. Check out the official Oracle documentation HERE

When ready, please save the text file as ruleset.xml to the Java working directory, in this instance that’s C:\Program Files\Java\jdk1.7.0_75\bin

At this point, I suggest copying the files created in the C:\OpenSSL-Win32\bin folder over to the Java working directory. (Only the created files, not every file in that directory, they should appear as above)


In the command window, type cd “C:\Program Files\Java\jdk1.7.0_75\bin” and hit enter


Type jar -cvf DeploymentRuleSet.jar ruleset.xml and hit enter

Step14Type keytool -import -file JavaClientCert.crt -alias RORYMON -keystore RORYMON.jks

the alias RORYMON can be substituted with your own alias as you please throughout the rest of the post.

Enter password again, as prompted

This imports our cert into the keystore


When you receive the above prompt Type Y and hit enter


Type jarsigner -verbose -keystore server.p12 -storepass PASSWORD(This should be your password!!) -storetype pkcs12 DeploymentRuleSet.jar RORYMON

This will sign the JAR file with our server.p12 certificate.

Hit Enter


The above message should be fine. The config file should now be signed.

Testing the Deployment Rule Set


Create the directory C:\Windows\Sun\Java\Deployment and copy the DeploymentRuleSet.jar file into it.


If you launch back into the Java Control Panel you should now be able to click on the View the active Deployment Rule Set under the Security Tab


We’re expecting to see the above. Basically a display of the contents of our ruleset.xml


Browse to and click Do I have Java?


Click on Verify Java version, when you get the prompt click to allow Java to run. This is the prompt expected with the Default option selected in the ruleset


At this point, we can now see that browsing to and verifying shows the latest version. Remember, we specifically state should run the older version.


At this point, you should now browse to

That’s it! You should up and rocking. To use this on a different machine, you’ll need to deploy the DeploymentRuleSet.jar file to the C:\Windows\Sun\Java\Deployment directory on your users machine and you’ll need to ensure the cert has been imported for the users. You can do this programmatically by using the keytool:

keytool -import -alias RORYMON -keystore “C:\Program Files\Java\jre7\lib\security\cacerts” -file JavaClientCert.crt -storepass changeit

Note: The default password for the storespass is actually changeit

Let's make virtualization easier!

Be amongst the first to know when I publish new reviews, guides and tools to simplify your projects.

By signing up, you agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.