I wanted to know if anyone had instructions or knew how to create self-signed certificates for the deployment rule sets, or if it can be done at all?  I've followed instructions here:


http://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-using-java-keytool.html


to create a self signed certificate and then used the keytool to extract the certificate using the command: keytool -exportcert -keystore <keyname> -alias <aliasname> -file <filename>. I put the certificate in my trusted root ca, and then followed the instructions here to create and sign the jar file:


https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets


I put the ruleset in C:\Windows\Sun\Java\Deployment\DeploymentRuleSet.jar and the link to view it appears in the Java Control Panel under Security. However, when I click on the link to view the ruleset, I see "Rule Set not found", and when I go to a website with Java I get the error "Application blocked by Deployment Rule Set" and the last line of the error says "Invalid Deployment Rule Set file".


So, does anyone know where I'm going wrong?  I've already spent a few hours on this and can't figure it out. I'm just doing this on a test VM, so I don't care about certificate and security issues since I'll revert the VM once I'm done. 


Comments

  • I figured out the problem. I didn't have ruleset.xml in the same folder as jar.exe, so when I created the jar file, ruleset.xml was not in the root of the jar file.
  • Thanks for this info :D
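Added example, not from the thread or from the Java tools it discusses: a Python check that catches the layout mistake described in the comment above (ruleset.xml packed under a subfolder instead of at the jar root) and flags a jar that carries no signature entries at all. The ruleset content, the entry names and the SIGNKEY alias are constructed; cryptographic verification of the signature is still jarsigner's job.

```python
import io
import zipfile

# Constructed sample ruleset; element layout follows Oracle's Deployment Rule Set format.
RULESET_XML = b"""<?xml version="1.0"?>
<ruleset version="1.0+">
  <rule>
    <id location="https://intranet.example.com" />
    <action permission="run" />
  </rule>
</ruleset>
"""


def build_jar(entries):
    """Build an in-memory jar (a jar is a zip file) from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_ruleset_jar(jar_bytes):
    """Return a list of layout problems; an empty list means the jar looks deployable.

    Structural checks only: ruleset.xml must sit at the jar root, and a signed jar
    carries META-INF/*.SF plus a *.RSA/*.DSA/*.EC signature block. Whether the
    signature actually validates is left to `jarsigner -verify`.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if "ruleset.xml" not in names:
            nested = [n for n in names if n.endswith("/ruleset.xml")]
            if nested:
                problems.append(f"ruleset.xml is nested at {nested[0]!r}, not at the jar root")
            else:
                problems.append("ruleset.xml missing from jar")
        sig_files = [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
        sig_blocks = [n for n in names if n.startswith("META-INF/")
                      and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not sig_files or not sig_blocks:
            problems.append("jar is not signed (no META-INF/*.SF + signature block); run jarsigner")
    return problems


# Layout you get when ruleset.xml was packed from a subfolder (the mistake in the comment).
BAD_JAR = build_jar({"ruleset/ruleset.xml": RULESET_XML})
# Correct layout; the META-INF entries are placeholders standing in for jarsigner's output.
GOOD_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/SIGNKEY.SF": b"Signature-Version: 1.0\n",
    "META-INF/SIGNKEY.RSA": b"<placeholder PKCS#7 signature block>",
    "ruleset.xml": RULESET_XML,
})
```

Run it against a real DeploymentRuleSet.jar with check_ruleset_jar(open(path, "rb").read()) before copying the file into C:\Windows\Sun\Java\Deployment.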

Community Chosen Answer

1

Are you saving the cert to the TrustedPublisher store on the local machine?

Answered 09/23/2013 by: mattski
Second Degree Green Belt


Answers

0

To aggregate the whole situation of Java 7 Update 40 and up, please correct me if I am wrong, so I know I understand it right.

After the next security update of Java 7, all Java applets which are not legally signed, or whose certificate is out of date, are not runnable anymore?
The only way to start them is to make a ruleset.xml, pack it into a jar and then sign it with a certificate.

Is it possible to whitelist only internal Java applets, or can we whitelist any Java applets?

We have a corporate certificate to sign web services on our domain; can we use it?
Do all applets signed with this certificate have to be opened based on our domain name?

Can we use our Active Directory self-signed certificate structure to sign our ruleset.xml?
I have a *.pfx file or a *.cer and *.key file; how can I merge them into a *.jks using keytool?
Can we whitelist external applets with this certificate?

Sorry, not much experience with certificates at all.

Answered 09/30/2013 by: Jokes2013
White Belt

  • I wrote a fairly long blog post about this to document how one would create this file and sign it. Here is the post:
    http://ephingadmin.com/wp/administering-java/
0

@Ryan2065 awesome tutorial, works great! Thanks! Admin Silver-Star! ;)

I get a data-signing certificate from our root CA admin.

Works fine with Internet Explorer; any way to push certificates to Firefox?
E.g. let Firefox read the Windows system certificates to verify the certificate chain?

SOLVED:
Figured it out myself:
Import your CA in the Java Control Panel (system context):

Rename *.cer to *.pem

And the default password is "changeit", you don't have to change it! ;)

C:\Programme\java\jre7\bin>keytool.exe -importcert -keystore "\Program Files\java\jre7\lib\security\cacerts" -storepass changeit -file MYCA.pem -alias MYCAALIAS -noprompt

C:\Programme\java\jre7\bin>keytool.exe -importcert -keystore "\Program Files\java\jre7\lib\security\cacerts" -storepass changeit -file MYROOTCA.pem -alias MYROOTCAALIAS -noprompt

Answered 10/01/2013 by: Jokes2013
White Belt
