Java v7 u40 - Deployment rule set certificate?
I wanted to know if anyone had instructions or knew how to create self-signed certificates for the deployment rule sets, or if it can be done at all? I've followed instructions here:
http://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-using-java-keytool.html
to create a self signed certificate and then used the keytool to extract the certificate using the command: keytool -exportcert -keystore <keyname> -alias <aliasname> -file <filename>. I put the certificate in my trusted root ca, and then followed the instructions here to create and sign the jar file:
https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets
I put the ruleset in C:\Windows\Sun\Java\Deployment\DeploymentRuleSet.jar and the link to view it appears in the Java Control Panel under Security. However, when I click on the link to view the ruleset, I see "Rule Set not found", and when I go to a website with Java I get the error "Application blocked by Deployment Rule Set", and the last line of the error says "Invalid Deployment Rule Set file".
So, does anyone know where I'm going wrong? I've already spent a few hours on this and can't figure it out. I'm just doing this on a test VM, so I don't care about certificate and security issues since I'll revert the VM once I'm done.
I figured out the problem. I didn't have ruleset.xml in the same folder as jar.exe, so when I created the jar file, ruleset.xml was not in the root of the jar file. - Ryan2065 11 years ago
Thanks for this info :D - Tman76 10 years ago
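As an added example (not code from the original post or from Oracle), here is a Python script that builds a DeploymentRuleSet.jar the way Ryan2065's comment describes, with ruleset.xml at the jar root, plus a checker that flags the nested-file mistake behind the "Invalid Deployment Rule Set file" error. The ruleset contents, host name and file names are constructed; signing is still done with jarsigner afterwards.

```python
import os
import tempfile
import zipfile

# Constructed sample ruleset: allow one internal site, block everything else.
SAMPLE_RULESET = """<ruleset version="1.0+">
  <rule>
    <id location="https://intranet.example.internal" />
    <action permission="run" />
  </rule>
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by corporate deployment rule set.</message>
    </action>
  </rule>
</ruleset>
"""

def build_rule_set_jar(jar_path, ruleset_xml, entry_name="ruleset.xml"):
    """Write a jar (a zip file) holding ruleset_xml under entry_name.
    entry_name="rules/ruleset.xml" reproduces the mistake in the question:
    the file lands in a subdirectory instead of the jar root."""
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr(entry_name, ruleset_xml)
    return jar_path

def check_rule_set_jar(jar_path):
    """Report the two things Java needs before trusting the rule set:
    ruleset.xml must be a top-level entry, and the jar must carry a
    signature (META-INF/*.SF plus a *.RSA/*.DSA/*.EC block from jarsigner)."""
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
    misplaced = [n for n in names if n.endswith("ruleset.xml") and n != "ruleset.xml"]
    sig_files = [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
    sig_blocks = [n for n in names if n.startswith("META-INF/")
                  and n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC")]
    return {"root_ruleset": "ruleset.xml" in names,
            "misplaced_ruleset": misplaced,
            "signed": bool(sig_files and sig_blocks)}

def demo():
    """Build a correct jar and one with the nested-file mistake; return both reports."""
    tmp = tempfile.mkdtemp()
    good = build_rule_set_jar(os.path.join(tmp, "DeploymentRuleSet.jar"), SAMPLE_RULESET)
    bad = build_rule_set_jar(os.path.join(tmp, "wrong.jar"), SAMPLE_RULESET, "rules/ruleset.xml")
    return check_rule_set_jar(good), check_rule_set_jar(bad)
```

Run demo() to compare the two reports; the correct jar is then signed with jarsigner (jarsigner -keystore <keystore> DeploymentRuleSet.jar <aliasname>) as in the Oracle post linked above, after which check_rule_set_jar reports signed as True.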
Answers (3)
To aggregate the whole situation of Java 7 Update 40 and up, please correct me when I am wrong, so I know I understand it right.
After the next security update of Java 7, all Java applets which are not legally signed or whose certificate is out of date are not runnable anymore?
Only way to start them is to make a ruleset.xml, pack them into jar and then sign it with a certificate.
Is it possible to whitelist only internal java applets or can we whitelist any java-applets?
We have a corporate certificate to sign web-services on our domain, can we use it?
Do all applets signed with this certificate have to be opened based on our domain name?
Can we use our active-directory self-signed certificate structure to sign our ruleset.xml?
I have a *.pfx file or a *.cer and *.key file, how can I merge them into a *.jks using keytool?
Can we whitelist external applets with this certificate?
Sorry, not much experience with certificates at all.
Comments:
I wrote a fairly long blog post about this to document how one would create this file and sign it. Here is the post:
http://ephingadmin.com/wp/administering-java/ - Ryan2065 11 years ago
@Ryan2065 awesome tutorial, works great! Thanks! Admin Silver-Star! ;)
I get a data-signing certificate from our rootca-admin.
Works fine with Internet Explorer; any way to push certificates to Firefox?
e.g. let Firefox read the Windows system certificates to verify the certificate chain?
SOLVED:
Figured it out myself:
Import your CA in the Java Control Panel (system context):
Rename *.cer to *.pem.
And the default password is "changeit"; you don't have to change it! ;)
C:\Programme\java\jre7\bin>keytool.exe -importcert -keystore "\Program Files\java\jre7\lib\security\cacerts" -storepass changeit -file MYCA.pem -alias MYCAALIAS -noprompt
C:\Programme\java\jre7\bin>keytool.exe -importcert -keystore "\Program Files\java\jre7\lib\security\cacerts" -storepass changeit -file MYROOTCA.pem -alias MYROOTCAALIAS -noprompt