JRE7 Update 51 installed with earlier version of JRE - the requirement of signed certs or whitelists?
Hi Everyone,
Quite frustrated with JRE7 with Update 40 or 51 working with JRE6.
I have packaged JRE7 Update 40 that is used with an application...called Kronos 7 which is a URL and certificate.
Currently we have JRE6 that is used with the previous version of Kronos which did not have a certificate.
I was testing both to co-exist which worked fine but receive a prompt "Do you want to run this application?" showing the name,publisher and location. Choices are to run the application or cancel.
Is there anyway around this or do I need sign the application or create a certification is someway?
Thanks for reading,
-
have you tried to set the secuirty level down in the java control panel to see it that allows it to run without asking? - SMal.tmcc 10 years ago
Answers (6)
Humm, is Java 6 promting or Java 7?
I have a feeling its Java 7, they changed the way the presented security, so heeaps of pops ups for users now. Anyway, have a read of the below in regards to Java 7, it should help, its the Deployment.Config you need to look it.
http://www.itninja.com/blog/view/java-7-update-25-best-way-to-deploy-with-customized-settings
You could also import the cert to your java store (i think), would need some scrpiting foo for this.
This is due to the changes from Oracle starting at 1.7u40. Review the release notes, specifically the "New Security Warnings for Unsigned and Self-Signed Applications" section.
A few points of reference:
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/securityDialogs.html
This is how it's been addressed from what I've seen, and your vendor may have to do this. A few vendors are aware of the issue and have patches available, if it's something you host/maintain:
http://docs.oracle.com/javase/tutorial/deployment/jar/secman.html
Be further aware that it will be also changing in January with the relase of 1.7u51-
https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias
Hope that helps
Appreciate all the replies.
To Rileyz in regards to Java 6 prompting - JRE6 and 7 Update40 are installed together so the JRE7 will be the default security mechanism prompting.
Drose23, the articles you supplied and other Oracle articles for JRE7 such as the link you also shown below, all point to the fact all applications need to be signed from now on...
So if JRE7 is installed with a legacy version JRE4,5 or 6 etc, any IE apps that did not needed to be signed, will need to, IF we want to suppress the security warning such as "Do you want to run this application....."
https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias
I am lucky as I found that Update21 will work with the product.
THe vendor was telling me to looking out for Jan 14th next year for Update 51....
I hope Oracle fix the situation moving forward as I dont believe having this warning mitigates the security zero day exploitation....just seems like a waiver form.
Since JRE7 Update 21 also has the same new security model, I think we are all going to be surprised that if this version of runtime is going to co-exist with an earlier version of JRE, that RIAs or internet apps depending upon older versions of JRE, will suddenly require to have application signing/white listed or certified.
There is going to be some demand for certificate signing through this....
This sounds like access lists on a firewall doesnt it except at the application layer...
Has anyone encountered this yet?
Comments:
-
Hi Drose23,
I read the links and some other blogs....I have packaged JRE previously and created certs for drivers but never anything like this.....
My understanding that a deployment rule set needs to be created or whitelist the application via JAR creation etc. At this point of time, I have done this....
Has anyone whom has packaged JRE have now gone down the path of signing JAR or signing certificates to allow JRE 7 RIAs work socialise with previous versions of JRE?
I feel a little lost right now... - tron2ole 10 years ago
I have not been online for a while but I did work it out in the end....for certs on backend servers that need to be signed as apart of JRE7 front end.
The steps should include: (Ignore these steps if the RIA does not have certificates downloaded from the backend server as you would only need to whitelist your site using ruleset.xml).
Always use the JDK base version for the respective JRE version of the application if compiling application jar files, or the respective JRE version to be targeted on the system if creating JRE configuration as per below.
set PATH=%PATH%;%PROGRAMFILES%\Java\jdk1.7.0_21\bin to use your command line.
Creating a deployment rule set
1. Create ruleset.xml as required...see Oracle's webpage to create a sample one like the one below.
<ruleset version="1.0+">
<rule>
<id location="http://*.yoursite.com.au" />
<action permission="run" />
</rule>
</id>
<action permission="run" />
</rule>
<rule>
<id location="http://*.yoursite.com.au">
<action permission="run" />
</rule>
<rule>
<id /><!-- Because this is both blank and shown last, it will be the default policy. -->
<action permission="block">
<message>Blocked if you require it by your org or company.</message>
</action>
</rule>
</ruleset>
2 Compile ruleset.xml to DeploymentRuleSet.jar
jar.exe -cvf DeploymentRuleSet.jar ruleset.xml
3 Sign DeploymentRuleSet.jar with jarsigner.exe using your company's root certificate (or create one if required).
jarsigner.exe -keystore RootCer.keystore -storePass PASSWORD DeploymentRuleSet.jar AnyNameCodeSigner
Adding a certificate to a keystore (or creating new keystore)
1. Run application using the respective JRE version required, tick box to trust certificate when prompted
2. Certificate will get stored in Java user trusted certificates store
3. Open java control panel and view user trusted certificates store
4. Find relevant certificate and export to .cer file
5. Double click cer file to get alias name
6. Run keytool.exe to import certificate to existing or new trusted.certs keystore
7. keytool.exe -importcert -file CERTNAME.cer -keystore trusted.certs -storepass PASSWORD -alias "CERTIFICATE ALIAS"
The trusted.certs and deploymentruleset.jar will need to be added to your JRE 7 package to whitelist RIA that have an application server with certificate based signing.