Create Java 1.7 Ruleset – create JAR File – sign JAR File

We are all happy about how fast the Java versions are changing, and that every version integrates new “security” features. It is not easy to follow all the changes (which started with version 1.7 update 07), so it is very important to test your Java deployments every time! Unfortunately, not all settings can be tested… but I will write another post about that later. In this post we look at how to deploy a Java rule set, so that Java runs for specific sites without prompting the user to confirm that they really want to use Java.

General

  1. Identify critical applets and web start applications, either by location (e.g. http://test.exam.com), name (e.g. MindMan), or code-sign hash.
  2. Create a file called ruleset.xml
  3. Package your ruleset.xml into a signed DeploymentRuleSet.jar
  4. Deploy your DeploymentRuleSet.jar to user desktops
  5. Verify usage of your rule set on a client desktop

Step-by-Step

  • Download and install the Java SDK and choose the current version (while writing this post it is “Java SE Development Kit 7u51”… but by the time you read this it will be u70 or so).
  • Create a file “ruleset.xml” with the following text (change the HTTP addresses to the addresses you need!). See Oracle's documentation on the rule set for details.
    <ruleset version="1.0+">
      <rule>
        <id location="http://intra.whatever.ch" />
        <action permission="run" />
      </rule>
      <rule>
        <id location="http://server.domain" />
        <action permission="run" />
      </rule>
    </ruleset>

  • Copy “ruleset.xml” to “C:\Program Files (x86)\Java\jdk1.7.0_51\bin”
  • Open a CMD and change to the path “C:\Program Files (x86)\Java\jdk1.7.0_51\bin”
  • Convert the XML into a JAR file:
    jar -cvf DeploymentRuleSet.jar ruleset.xml

Sign the created jar file with a codesigning certificate

  • Copy the PFX certificate to C:\Temp
  • Read the alias from the certificate
    keytool -list -v -storetype pkcs12 -keystore c:\temp\javacodesigning.pfx

    The output is something like this: Aliasname: {12345ae4-0541-4b5d-b90a-e0ac133c1234}

  • Now you can sign the jar file
    jarsigner -storetype pkcs12 -verbose -keystore c:\temp\javacodesigning.pfx -signedjar DeploymentRuleSet.jar DeploymentRuleSet.jar {12345ae4-0541-4b5d-b90a-e0ac133c1234}
  • You will be prompted for the password of the PFX certificate; enter it.
  • Deploy the signed “DeploymentRuleSet.jar” file to all clients in the directory “C:\Windows\Sun\Java\Deployment”
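
A pre-deployment check for the finished JAR, added here as an example and not part of the original post: it confirms that ruleset.xml sits at the root of the archive, that jarsigner signature files are present, that the XML parses (typographic quotes copied from a web page make it fail) and that every rule has a valid permission. The function names and sample hosts are assumptions; the presence of signature files does not prove the signature is valid, which `jarsigner -verify` checks.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

VALID_PERMISSIONS = {"run", "block", "default"}
SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")  # signature block files written by jarsigner

def check_ruleset_jar(jar_bytes):
    """Return a list of findings for a DeploymentRuleSet.jar passed as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "ruleset.xml" not in names:
            return ["ruleset.xml is not at the root of the JAR"]
        meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
        if not (any(n.endswith(".SF") for n in meta)
                and any(n.endswith(SIG_BLOCK_EXT) for n in meta)):
            findings.append("no signature files in META-INF (JAR is unsigned)")
        try:
            root = ET.fromstring(jar.read("ruleset.xml"))
        except ET.ParseError as exc:  # e.g. typographic quotes pasted from a web page
            return findings + [f"ruleset.xml is not well-formed: {exc}"]
    for i, rule in enumerate(root.findall("rule"), start=1):
        ident, action = rule.find("id"), rule.find("action")
        perm = action.get("permission") if action is not None else None
        if perm not in VALID_PERMISSIONS:
            findings.append(f"rule {i}: invalid or missing permission {perm!r}")
        loc = ident.get("location", "") if ident is not None else ""
        if perm == "run" and loc.lower().startswith("http://"):
            findings.append(f"rule {i}: run allowed for plain-HTTP location {loc}")
    return findings

def build_jar(xml_text, signed):
    """Build a constructed test JAR in memory; the signature files are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("ruleset.xml", xml_text.encode("utf-8"))
        if signed:
            jar.writestr("META-INF/SIGNER.SF", b"constructed placeholder")
            jar.writestr("META-INF/SIGNER.RSA", b"constructed placeholder")
    return buf.getvalue()

# Constructed sample rule set; the hosts are placeholders, not taken from the post.
SAMPLE = ('<ruleset version="1.0+">'
          '<rule><id location="https://intra.example.test" /><action permission="run" /></rule>'
          '<rule><id location="http://server.example.test" /><action permission="run" /></rule>'
          '</ruleset>')

if __name__ == "__main__":
    print("\n".join(check_ruleset_jar(build_jar(SAMPLE, signed=False))))
```

To check a real file, pass `open("DeploymentRuleSet.jar", "rb").read()` to `check_ruleset_jar`.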