== Browser Plugins (JRE7) ==
<source lang="dos">
rem For a 32-bit JRE on 64-bit Windows, use %PROGRAMFILES(X86)% instead of %PROGRAMFILES%
"%PROGRAMFILES%\Java\jre7\bin\ssvagent.exe" -disablewebjava
</source>
<source lang="dos">
rem For a 32-bit JRE on 64-bit Windows, use %PROGRAMFILES(X86)% instead of %PROGRAMFILES%
"%PROGRAMFILES%\Java\jre7\bin\ssvagent.exe" -forceinstall -register -new -high
</source>
File in user path takes precedence.
</source>
===Deployment Rule Set===
A Deployment Rule Set is an option for defining an '''Exception Site List''', like the one in the Java Control Panel, in the file %WINDIR%\Sun\Java\Deployment\DeploymentRuleSet.jar.
You can define execution exceptions by '''URL''' or by '''certificate signature'''. You can also specify which JRE version an application should use, and show the user a message about your policy.
To create DeploymentRuleSet.jar you need jar, jarsigner and keytool from the '''Java JDK'''. You also need a certificate signed by a CA that is in the JRE's keystore (cacerts); alternatively, import your self-signed certificate on your clients.
====Creating DeploymentRuleSet.jar====
1. Create %tmp%\ruleset.xml and specify your policy
<source lang="xml">
<ruleset version="1.0+">
  <rule>
    <id title="Solitaire" location="https://host.example.com/games" />
    <!-- permission must be run, block or default; the JRE requirement goes in version -->
    <action permission="run" version="SECURE-1.7" />
  </rule>
  <rule>
    <id location="https://host.example.com" />
    <action permission="run" version="" />
  </rule>
  <rule> <!-- allow anything signed with company's public cert -->
    <id>
      <certificate hash="794F53C746E2AA77D84B843BE942CAB4309F258FD946D62A6C4CCEAB8E1DB2C6" />
    </id>
    <action permission="run" version="SECURE" />
  </rule>
  <rule> <!-- block everything else with message -->
    <id />
    <action permission="block">
      <message>Sorry, but we only allow Solitaire and apps with our sign.</message>
    </action>
  </rule>
</ruleset>
</source>
2. Create DeploymentRuleSet.jar and sign with your certificate
<source lang="dos">
rem JDK_PATH is assumed to point at the JDK install directory, e.g. ...\Java\jdk1.7.0_51
"%JDK_PATH%\bin\jar" cf "%tmp%\DeploymentRuleSet.jar" -C "%tmp%" ruleset.xml
"%JDK_PATH%\bin\jarsigner" -keystore yourkeystore.jks "%tmp%\DeploymentRuleSet.jar" yourcertalias
</source>
3. (Self-signed certs only) Import your self-signed certificate into the '''JRE''' keystore
<source lang="dos">
rem JDK_PATH and JRE_PATH are assumed to point at the JDK and JRE install directories
"%JDK_PATH%\bin\keytool.exe" -import -alias yourcertalias -file yourcertificate.crt -keystore "%JRE_PATH%\lib\security\cacerts" -storepass changeit
</source>
4. Copy DeploymentRuleSet.jar to %WINDIR%\Sun\Java\Deployment\DeploymentRuleSet.jar
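A rule set that fails to parse, or that has its catch-all rule in the wrong place, does not enforce the policy you meant to write, so it is worth linting ruleset.xml before step 2. The following check is an added example, not part of the original page or of Oracle's tooling; the function name <code>lint_ruleset</code> and the sample rule set are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PERMISSIONS = {"run", "block", "default"}      # values allowed by Oracle's ruleset DTD
SHA256_HEX = re.compile(r"[0-9A-Fa-f]{64}")    # certificate hash is a SHA-256 in hex

def lint_ruleset(xml_text):
    """Return a list of problems found in a ruleset.xml string (empty list = clean)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "ruleset":
        return ["root element is <%s>, expected <ruleset>" % root.tag]
    problems, rules = [], root.findall("rule")
    for n, rule in enumerate(rules, 1):
        rid, action = rule.find("id"), rule.find("action")
        if rid is None or action is None:
            problems.append("rule %d: needs both <id> and <action>" % n)
            continue
        if action.get("permission") not in PERMISSIONS:
            problems.append("rule %d: permission=%r is not run/block/default"
                            % (n, action.get("permission")))
        if rule.find("message") is not None:
            problems.append("rule %d: <message> must be inside <action>" % n)
        for cert in rid.findall("certificate"):
            if not SHA256_HEX.fullmatch(cert.get("hash", "")):
                problems.append("rule %d: certificate hash is not 64 hex digits" % n)
        # Rules are matched top to bottom and the first match wins, so an <id />
        # with no location, title or certificate hides every rule after it.
        if not rid.attrib and len(rid) == 0 and n < len(rules):
            problems.append("rule %d: catch-all <id /> shadows %d later rule(s)"
                            % (n, len(rules) - n))
    return problems

# Constructed sample with three mistakes: catch-all first, bad permission, short hash.
SAMPLE = """<ruleset version="1.0+">
  <rule><id /><action permission="block"><message>Blocked.</message></action></rule>
  <rule><id location="https://host.example.com/games" /><action permission="SECURE-1.7" /></rule>
  <rule><id><certificate hash="794F53C7" /></id><action permission="run" /></rule>
</ruleset>"""

if __name__ == "__main__":
    print("\n".join(lint_ruleset(SAMPLE)))
```
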
====More info from Oracle====
[http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/deployment_rules.html Details about ruleset.xml (Oracle Doc)]
[http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/deployment_rules_dtd.html ruleset.xml DTD (Oracle Doc)]
[http://docs.oracle.com/javase/tutorial/deployment/jar/build.html Creating Jar Tutorial (Oracle Doc)]
[http://docs.oracle.com/javase/tutorial/deployment/jar/signindex.html Signing Jar Tutorial (Oracle Doc)]
=Java Runtime Environment (JRE) 6=