Java Deployment Rule Set and Self Signed Certificates

Java Deployment Rule Set and Self Signed Certificates enable us to load browser URLs with different versions of the Java Runtime. This blog post forms part of a Java series including:

Securing Java Runtime Environment

Java Deployment Rule Set and Active Directory Certificates

Creating a Java Deployment Ruleset is actually a trivial process – it’s signing it that can be a pain in the backside.

In this post we are signing our Java Deployment Rule Set with a self signed certificate.

Java Deployment Rule Set and Self Signed Certificates

I am using jdk1.7.0_80 (yes, you need to download the Java Development Kit) to create my Java Deployment Rule Set.

Do NOT use a version of the JDK that has a major version that is greater than the JRE in your environment (for example if you are running Java 7 in your environment, use the Java 7 JDK and not the Java 8 JDK!). If you do, it will appear to sign successfully but when you view the Java deployment rule set in the Java control panel you will see something like this (timestamp not available):

timestamp not available

instead of this:

timestamp java deployment ruleset

Create ruleset.xml

Create a file called ruleset.xml. It MUST be called ruleset.xml since this is what Java specifically searches for inside the compiles JAR file. The beauty of the ruleset.xml is that you can use wildcards for the URL and for the port. With the exception.sites file you can’t do this. Here is a basic example:

<ruleset version="1.0+">
<rule>
<id location="http://*.java.com" />
<action permission="run" />
</rule>
<rule>
<id location="https://*.java.com" />
<action permission="run" />
</rule>	
<rule>
<id />
<action permission="block">
<message>This applet has been blocked by Java.  Please contact your administrator for assistance.</message>
</action>
</rule>
</ruleset>

You obviously need to add your own URLs to this, and give them permission to “run”. Interestingly if you have multiple versions of JRE installed, in the <action> tag you can provide a specific JRE version for that URL to use. For example:

<action permission="run" version="1.6.0_31" force="true" />

When we set permission to “run”, the following types of RIAs are allowed to run without prompts:

  • Signed with a valid certificate from a trusted certificate authority
  • Signed with an expired certificate
  • Self-signed
  • Unsigned
  • Missing required JAR file manifest attributes

So Java deployment rule set is great for hiding some of these warnings. A Rich Internet Application (RIA) is blocked if it is signed with a certificate that is blacklisted or known to be revoked, even though the action is set to “run”.

Also (untested) you should also pay close attention to the process flow of Java Rich Internet Applications. In the above example, if a URL match cannot be found the RIA will be blocked. However if we wanted default processing to continue (so that the Java exception.sites file gets processed, for example) we could either delete the rule with the “block” permission or replace it with:

<rule>
<id />
<action permission="default" />
</rule>

Compile DeploymentRuleset.jar

Compile ruleset.xml into a JAR file. This MUST be called DeploymentRuleset.jar because again, this is what Java specifically looks for. When we compile the JAR file, we should NOT specify a full path name to the ruleset.xml because Java cannot locate it within the JAR file. So you should first ‘CD’ to c:\Alkane and then run the following command line:

"C:\Program Files (x86)\Java\jdk1.7.0_80\bin\jar.exe" -cvf "C:\Alkane\DeploymentRuleSet.jar" "ruleset.xml"

Create a Java Keystore

Here we generate a new Java keystore. The keystore will include a key pair (a public key and associated private key), and will wrap the public key into an X.509 v3 self-signed certificate.

I would recommend keeping the alias name in lower case. I’ve noticed that if you give it a mixed case alias name and attempt to verify it later (jarsigner.exe -verify) with the mixed case alias name, you’ll see a message:

This jar contains signed entries which are not signed by the specified alias(es)

Even though the jarsigner.exe -verify command will work when the alias name is specified in lower case, I’d recommend keeping the alias name lower case throughout for consistency.

You can grab the distinguished name (dname) parameter for your environment by running this line of PowerShell:

Get-ADDomain | Select DistinguishedName
"C:\Program Files (x86)\Java\jdk1.7.0_80\bin\keytool.exe" -genkeypair -alias "selfsigned" -keystore "c:\alkane\DeploymentRulesetKeyStore.jks" -keyalg RSA -keysize 2048 -keypass "alkanecertpass" -startdate "2019/01/01 00:00:00" -validity 18262 -dname "DC=alkane,DC=solutions,DC=ad" -storepass "alkanestorepass" -storetype JKS

Sign the JAR file

Now we sign the JAR file.

Because I am signing behind a proxy, I needed to specify a proxy host and port so I could timestamp my signature. Timestamping is an important part of the process and ensures the signed JAR will remain valid indefinitely – even after the certificate expires.

"C:\Program Files (x86)\Java\jdk1.7.0_80\bin\jarsigner.exe" -keystore "c:\alkane\DeploymentRulesetKeyStore.jks" "c:\alkane\DeploymentRuleSet.jar" "selfsigned" -storepass "alkanestorepass" -storetype JKS -keypass "alkanecertpass" -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp -J-Dhttp.proxyHost=alkanehost -J-Dhttp.proxyPort=alkaneport

Verify The Signature Of DeploymentRuleset.jar

We can verify the signature with the following command:

"C:\Program Files (x86)\Java\jdk1.7.0_80\bin\jarsigner.exe" -verify -verbose -certs -keystore "c:\alkane\DeploymentRulesetKeyStore.jks" -storetype JKS -storepass "alkanestorepass" "C:\Alkane\DeploymentRuleSet.jar" "selfsigned"

DeploymentRuleset.jar Testing

Now that everything is signed and verified successfully, we need to test it.

Our Java is locked down by a deployment.config file and a deployment.properties file located in C:\Windows\SUN\Java\Deployment.

As such to test the DeploymentRuleSet.jar file it’s as easy as placing it into this same location. Then launch the Java control panel applet and head over to the security tab (this may differ for later versions of Java).

There should be a blue link towards the bottom called ‘View the active Deployment Ruleset’. Click it and you should see the contents of your ruleset.xml file and a verification that it is valid and timestamped. Click ‘View Certificate Details’ to verify the certificate.

Of course if you were testing browser redirection specifically (assuming you have JRE 1.7.0_51 and JRE 1.6.0_31 installed locally), you could add a rule like this:

<rule>
<id location="https://*.java.com" />
<action permission="run" version="1.6.0_31" force="true" />
</rule>

By default Java in the browser should use the latest version installed (1.7.0_51 in our case) but the rule above forces it to load any applets on java.com with version 1.6.0_31. Once this rule is in place, head over to the Java verify page and ensure it shows the ‘older’ version of Java!

Creating and signing a Java Deployment Rule Set

This blog discusses creating and signing a Java deployment rule set. It forms part of a Java series including Securing Java Runtime Environment and Java Deployment Rule Set and Self Signed Certificates.

Java Deployment Rule Set and Active Directory Certificates

In this post we are signing our Java Deployment Rule Set with an Active Directory code signing certificate. I am using jdk1.7.0_80 (yes, you need to download the Java Development Kit) to create my Java Deployment Rule Set.

Do NOT use a version of the JDK that has a major version that is greater than the JRE in your environment (for example if you are running Java 7 in your environment, use the Java 7 JDK and not the Java 8 JDK!). If you do, it will appear to sign successfully but when you view the Java deployment rule set in the Java control panel you will see something like this (timestamp not available):

timestamp not available

instead of this:

timestamp java deployment ruleset

Create ruleset.xml

Create a file called ruleset.xml. It MUST be called ruleset.xml since this is what Java specifically searches for inside the compiles JAR file. The beauty of the ruleset.xml is that you can use wildcards for the URL and for the port. With exception.sites you can’t do this. Here is a basic example:

<ruleset version="1.0+">
<rule>
<id location="http://*.java.com" />
<action permission="run" />
</rule>
<rule>
<id location="https://*.java.com" />
<action permission="run" />
</rule>	
<rule>
<id />
<action permission="block">
<message>This applet has been blocked by Java.  Please contact your administrator for assistance.</message>
</action>
</rule>
</ruleset>

You obviously need to add your own URLs to this, and give them permission to “run”. Interestingly if you have multiple versions of JRE installed, in the <action> tag you can provide a specific JRE version for that URL to use. For example:

<action permission="run" version="1.6.0_31" force="true" />

When we set permission to “run”, the following types of RIAs are allowed to run without prompts:

  • Signed with a valid certificate from a trusted certificate authority
  • Signed with an expired certificate
  • Self-signed
  • Unsigned
  • Missing required JAR file manifest attributes

So Java deployment rule set is great for hiding some of these warnings. A Rich Internet Application (RIA) is blocked if it is signed with a certificate that is blacklisted or known to be revoked, even though the action is set to “run”.

Also (untested) you should also pay close attention to the process flow of Java Rich Internet Applications. In the above example, if a URL match cannot be found the RIA will be blocked. However if we wanted default processing to continue (so that the Java exception.sites file gets processed, for example) we could either delete the rule with the “block” permission or replace it with:

<rule>
<id />
<action permission="default" />
</rule>

Compile DeploymentRuleset.jar

Compile ruleset.xml into a JAR file. This MUST be called DeploymentRuleset.jar because again, this is what Java specifically looks for. When we compile the JAR file, we should NOT specify a full path name to the ruleset.xml because Java cannot locate it within the JAR file. So you should first ‘CD’ to c:\Alkane and then run the following command line:

"C:\Program Files (x86)\Java\jdk1.7.0_80\bin\jar.exe" -cvf "C:\Alkane\DeploymentRuleSet.jar" "ruleset.xml"

Obtain a Code Signing Certificate

Follow this article on obtaining a code signing certificate from Active Directory Certificate Services. Essentially you enable the code signing template in Certificate Services Manager, you then grant permissions to allow a user (yourself!) to request a Code Signing certificate, and you then you request a new certificate.

Export a Code Signing Certificate in PFX format

So now we can assume you’ve followed the steps above and you have a code signing certificate. My code signing certificate forms a chain of:

  • Root certificate
  • Intermediate certificate
  • Code signing certificate

So let’s export them all in PFX format. A PFX will include all certificates in the chain, as well as the private key. And we need all this to create our Java keystore. So:

From the Certificates MMC snap-in, navigate to your Personal certificate store.

Right-click the certificate > All Tasks > Export.

Click Next

Click ‘Yes, export the private key’

You are only given the option to export it as a PFX certificate. This is fine, but make sure you select ‘Include all certificates in the certification path if possible’ and also ‘Export all extended properties’. Click next.

Specify a password for the private key – let’s use alkanecertpass for this example. Click next.

Provide a path to save your certificate in – let’s save it as C:\Alkane\Alkane.pfx. Click next. Click finish.

A .pfx file uses the same format as a .p12 or PKCS12 file. They are used to bundle a private key with its X.509 certificate(s) and to bundle all the members of a chain of trust.

Get the Alias Name of the PFX

Run the following command to get the alias name for your PFX. We need this later on:

"C:\Program Files (x86)\Java\jdk1.7.0_80\bin\keytool.exe" -list -storetype PKCS12 -keystore "C:\Alkane\Alkane.pfx" -storepass "alkanecertpass" -v

My PFX alias name is: alkanealias

Just a note – if you decide to change the alias name by using a command line similar to:

"C:\Program Files (x86)\Java\jdk1.7.0_80\bin\keytool.exe" -changealias -alias ...

I would recommend keeping the alias name in lower case. I’ve noticed that if you give it a mixed case alias name and attempt to verify it later (jarsigner.exe -verify) with the mixed case alias name, you’ll see a message:

This jar contains signed entries which are not signed by the specified alias(es)

Even though the jarsigner.exe -verify command will work when the alias name is specified in lower case, I’d recommend keeping the alias name lower case throughout for consistency.

Create a JKS Java Keytore

Now we can create our Java keystore from our PFX file. There are a few formats we can create the keystore in (JKS, PKCS12, JCEKS for example) but we will create it in JKS format. Be mindful that:

  • If you create your keystore in PKCS12 format, -deststorepass and -destkeypass should be the same
  • Change -deststoretype to PKCS12 if you require a keystore in PKCS12 format
  • Be careful if you change the -destalias from the -srcalias since when I verified my signed JAR file i got the following message:
    This jar contains signed entries which are not signed by the specified alias(es).

I keep the Java keystore alias name the same like so:

"C:\Program Files (x86)\Java\jdk1.7.0_80\bin\keytool.exe" -importkeystore -srckeystore "C:\Alkane\Alkane.pfx" -srcstoretype pkcs12 -srcstorepass "alkanecertpass" -srcalias "alkanealias" -destkeystore "C:\Alkane\trusted.certs" -deststoretype JKS -deststorepass "alkanestorepass" -destkeypass "alkanestorepass" -destalias "alkanealias"

This will create: C:\Alkane\trusted.certs

Add Trusted Root Certificate

By default when we sign the JAR file it looks in the cacerts file (which is a form of keystore called a ‘truststore’ – see the difference between a keystore and a truststore) of the signing JDK (in my example, C:\Program Files (x86)\Java\jdk1.7.0_80\jre\lib\security\cacerts) to see if the root certificate is trusted. Because it isn’t in there it deems the root certificate as being untrusted and you will see errors when you verify such as:

  • The signer’s certificate chain is not validated.
  • CertPath not validated: Path does not chain with any of the trust anchors

So we add the root certificate as a trusted certificate in our own keystore like so:

"C:\Program Files (x86)\Java\jdk1.7.0_80\bin\keytool.exe" -importcert -file "C:\Alkane\Root.cer" -alias "AlkaneRoot" -keystore "c:\Alkane\trusted.certs" -storepass "alkanestorepass" -noprompt

Sign DeploymentRuleset.jar With Java Keystore

Now we can sign the DeploymentRuleset.jar file with our Java keystore:

"C:\Program Files (x86)\Java\jdk1.7.0_80\bin\jarsigner.exe" -verbose -keystore "C:\Alkane\trusted.certs" "C:\Alkane\DeploymentRuleSet.jar" "alkanealias" -storepass "alkanestorepass" -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp -J-Dhttp.proxyHost=alkanehost -J-Dhttp.proxyPort=alkaneport

Because I am signing behind a proxy, I needed to specify a proxy host and port so I could timestamp my signature. Timestamping is an important part of the process and ensures the signed JAR will remain valid indefinitely – even after the certificate expires.

Verify The Signature Of DeploymentRuleset.jar

Now we need to verify the signature of the JAR file against out keystore. Change the storetype parameter to PKCS12 for PKCS12 store types:

"C:\Program Files (x86)\Java\jdk1.7.0_80\bin\jarsigner.exe" -verify -verbose -certs -keystore "C:\Alkane\trusted.certs" -storetype JKS -storepass "alkanestorepass" "C:\Alkane\DeploymentRuleSet.jar" "alkanealias"

DeploymentRuleset.jar Testing

Now that everything is signed and verified successfully, we need to test it.

I’m not entirely sure this step is necessary for Active Directory certificates (since the root and intermediate certificates are already in the relevant trusted stores) but it’s probably relevant for externally purchased certificates. In any event, at the moment our Java environment is fairly locked down, and we have deployment.config, deployment.properties and exception.sites located in C:\Windows\SUN\Java\Deployment.

I needed to add a reference to our keystore, so I added an entry to deployment.properties like so:

deployment.system.security.trusted.certs=C\:/WINDOWS/Sun/Java/Deployment/trusted.certs

and then I lumped our new trusted.certs file into the same folder. We use the ‘system’ context trusted.certs (deployment.system) instead of the ‘user’ context (deployment.user) because users may have already trusted their own specific sites and we don’t want to overwrite these.

To test the DeploymentRuleSet.jar file it’s as easy as placing it into this same location (C:\WINDOWS\Sun\Java\Deployment). Then launch the Java control panel applet and head over to the security tab (this may differ for later versions of Java).

There should be a blue link towards the bottom called ‘View the active Deployment Ruleset’. Click it and you should see the contents of your ruleset.xml file and a verification that it is valid and timestamped. Click ‘View Certificate Details’ to verify the certificate.

Of course if you were testing browser redirection specifically (assuming you have JRE 1.7.0_51 and JRE 1.6.0_31 installed locally), you could add a rule like this:

<rule>
<id location="https://*.java.com" />
<action permission="run" version="1.6.0_31" force="true" />
</rule>

By default Java in the browser should use the latest version installed (1.7.0_51 in our case) but the rule above forces it to load any applets on java.com with version 1.6.0_31. Once this rule is in place, head over to the Java verify page and ensure it shows the ‘older’ version of Java!