Sunday, 22 September 2013

Testing Java Deployment Rulesets with a Self-Signed Certificate



Oracle have released the ability to whitelist Java applets with the latest update to the Java Runtime Environment (version 7 update 40).

There is a blog post on the product management blog that describes the new feature: https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets

I wanted to test this using a self-signed certificate before I went and purchased a code signing certificate from a trusted CA. Never having used the Java signing tools before, I will share the steps that I followed:

I'm creating all of my temporary files in C:\Temp\

1. In this example, I want the Java applet on the http://javatester.org website to run without prompts. It will usually give me the following prompt because it is unsigned:



2. Install the Java Development Kit (version 7, update 40)

3. Open an elevated command prompt

4. Add the \bin directory from the JDK (C:\Program Files (x86)\Java\jdk1.7.0_40\bin) to the PATH variable.
SET PATH=%PATH%;C:\Program Files (x86)\Java\jdk1.7.0_40\bin
(Or, you can add this under advanced system properties)

5. Create your rule-set in ruleset.xml
Create an .xml file with the rules you want the JRE to follow, examples can be found here:

In this example, we want the Java applets on the http://javatester.org website to run without prompts.

<ruleset version="1.0+">
    <rule>
        <id location="http://javatester.org" />
        <action permission="run" />
    </rule>
</ruleset>

6. Package ruleset.xml into DeploymentRuleSet.jar
The ruleset.xml that you created needs to be packaged into a .jar file. To do this, use the jar utility that is now in your path from the JDK bin directory.
jar -cvf c:\temp\DeploymentRuleSet.jar ruleset.xml


7. Create keystore and keypair
You need to create a Java 'keystore' which will hold the certs and keys that you will use to sign your .jar. This command creates a new keystore (since it does not already exist) and generates a key pair with the alias 'selfsigned':
keytool -genkey -keystore c:\temp\myKeystore.jks -alias selfsigned




8. Create self-signed cert
This creates a self-signed certificate with the keys you generated and stores it in the keystore.
keytool -selfcert -alias selfsigned -keystore c:\temp\myKeystore.jks


9. Check your keystore to confirm the cert has been created
keytool -list -keystore c:\temp\myKeystore.jks


10. Sign DeploymentRuleSet.jar with the self-signed cert
jarsigner -verbose -keystore c:\temp\myKeystore.jks DeploymentRuleSet.jar selfsigned


11. Export the self-signed cert with public key
keytool -export -alias selfsigned -keystore c:\temp\myKeystore.jks -rfc -file public.csr




12. Import the self-signed certificate into trustedcacerts inside the cacerts keystore:
keytool -import -alias selfsigned -keystore "C:\Program Files (x86)\Java\jre7\lib\security\cacerts" -trustcacerts -file public.csr
Default password for cacerts: changeit



You can verify this has been added in the Java Control Panel: Security tab, Manage Certificates, System, Secure Site CA:
 

13. Copy c:\temp\DeploymentRuleSet.jar to C:\Windows\Sun\Java\Deployment. If everything was successful, your ruleset should show up in the Java Control Panel in the Security tab:



14. You can now visit http://javatester.org/version.html without any prompts.
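To check what a packaged ruleset will do for a given applet URL before copying it into the Deployment folder, here is an added Python inspector (example code written for this post, not from the original post or from Oracle). It builds the ruleset.xml above into an in-memory jar, reads the rules back and evaluates a URL against them; the location-matching semantics it applies are a simplified assumption, and it does not verify the jar signature, which the JRE itself requires before it honours the ruleset.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the post's ruleset.xml packaged in memory, as `jar -cvf` would (a jar is a zip).
RULESET_XML = b"""<ruleset version="1.0+">
<rule>
<id location="http://javatester.org" />
<action permission="run" />
</rule>
</ruleset>"""

def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ruleset.xml", RULESET_XML)
    return buf.getvalue()

def load_rules(jar_bytes: bytes):
    """Return (location, permission) pairs from ruleset.xml in rule order (jar signature not checked)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        root = ET.fromstring(zf.read("ruleset.xml"))
    # Assumes each <rule> carries an <id> and an <action>; an <id> without a location matches everything.
    return [(rule.find("id").get("location"), rule.find("action").get("permission"))
            for rule in root.findall("rule")]

def location_matches(pattern: str, url: str) -> bool:
    """Assumed matching: scheme and port must match when the pattern gives them,
    a '*.example.org' host covers its subdomains, and the pattern path is a prefix."""
    p, u = urlsplit(pattern), urlsplit(url)
    if p.scheme and p.scheme != u.scheme:
        return False
    if p.port is not None and p.port != u.port:
        return False
    ph, uh = p.hostname or "", u.hostname or ""
    if ph.startswith("*."):
        host_ok = uh == ph[2:] or uh.endswith(ph[1:])
    else:
        host_ok = uh == ph
    return host_ok and (u.path or "/").startswith(p.path or "/")

def effective_permission(rules, url: str) -> str:
    """First matching rule wins; 'default' means no rule applied and normal JRE prompting holds."""
    for location, permission in rules:
        if location is None or location_matches(location, url):
            return permission
    return "default"
```

Feed it the bytes of your real DeploymentRuleSet.jar to list the rules an administrator actually shipped, and note that an https:// page does not match an http:// location.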
 


1 comment:

  1. Hi Mike!

    Nice post about Deployment Rulesets.
    Tried it on version 7 update 45: didn't work!
    Is this only valid for 7 update 40?

    Harry
