Java Deployment Ruleset.xml Not Working

Tags: certificate, deployment, java

A recent upgrade of our time card system forced us to upgrade all our workstations to Java 7u51 (we were on 6u45). We have another Java-based application which is critical to our business that is now throwing constant security warnings. Every user must click "Run" at least a dozen times a day (the vendor's code is unsigned with no publisher information). This is unacceptable.

As far as I can tell, the only way to resolve this is to use a Deployment Rule Set. I have Googled tons of articles explaining how to do this. All of them are a little different, and none of them work. I created the XML file, JAR'd it, signed it with a self-signed cert, and imported that cert into the trusted CA store on a few test machines. No matter what I do, I see the following error on EVERY single Java-enabled site I visit (including the one I specifically whitelisted):

"Application Blocked by Deployment Rule Set"
Can not verify self-signed Deployment Rule Set jar.

I am absolutely infuriated with how Oracle has mishandled Java in recent years. I've dumped 200+ hours into this rollout because I'm being hamstrung by one roadblock after another. Users are calling the help desk in frustration, and the constant security warnings are costing the organization time and money.

Anyway, enough ranting. If anyone can tell me what I'm doing wrong, it would be much appreciated.

Here are the exact steps I took:
1) Downloaded and installed the JDK 7u51 (needed for keytool.exe and jarsigner.exe)

2) Created the following ruleset.xml file:

<ruleset version="1.0+">
    <rule>
        <id location="*.ourdomain.com" />
        <action permission="run" />
    </rule>

    <rule>
        <id />
        <action permission="default" />
    </rule>
</ruleset>

3) Packaged the XML file with the following command:

jar.exe -cvf DeploymentRuleSet.jar ruleset.xml

4) Created a 50-year, 2048-bit RSA, self-signed cert with the keytool.exe command as follows (I let it prompt for DN info; the cert password is the same as the keystore password):

keytool.exe -genkey -alias SelfSigned -keystore "SelfSigned.jks" -keyalg RSA -keysize 2048 -startdate "2000/01/01 00:00:00" -validity 18262

5) Exported the cert I just made with the following command:

keytool.exe -export -file "SelfSigned.cer" -alias SelfSigned -keystore "SelfSigned.jks"

6) Signed the JAR file I created in step 3 with the following command:

jarsigner.exe -keystore "SelfSigned.jks" -signedjar "DeploymentRuleSet.jar" DeploymentRuleSet.jar SelfSigned

7) Created the C:\Windows\Sun\Java\Deployment folder and copied the DeploymentRuleSet.jar file into it. I verified via the Java control panel that the ruleset is being applied and the cert is valid.

8) Imported the cert I exported in step 5. Here's where I deviated from the instructions. I could not use keytool.exe to import the cert. This page suggests that the user trusted.certs store has no password and that the system cacerts password is "changeit". Neither worked, so I used the Java Control Panel's GUI to import it into the user's Trusted Certificates store.

Best Answer

If on Windows: I did not import the cert to the user Trusted Certificates store in the Java Control Panel applet. I imported it to the Windows Certificates MMC, Computer account, and stored it under Trusted Root Certification Authorities. We are using policy to do this.
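The full procedure from the question, with the answer's fix applied (the signing cert goes into the machine's Trusted Root Certification Authorities store rather than the Java Control Panel's user store), as an added, non-interactive PowerShell script. This is an added example, not code from the original question or answer. The JDK path, working directory, key alias, password and DN are placeholders to adjust; it must run from an elevated prompt because certutil writes to the LocalMachine Root store and the copy targets C:\Windows. The last step uses keytool's Windows-ROOT store type so you can confirm that Java itself, not just Windows, sees the cert; for that to apply to the plugin, the Java Control Panel option "Use certificates and keys in browser keystore" must be enabled (it is by default).

```powershell
# Added example: end-to-end Deployment Rule Set build and deploy on Windows.
# Placeholders: $jdk, $work, $alias, $pass and the -dname value are assumptions.
$ErrorActionPreference = 'Stop'
$jdk   = 'C:\Program Files\Java\jdk1.7.0_51\bin'
$work  = 'C:\DRS'
$alias = 'SelfSigned'
$pass  = 'changeme'   # placeholder: keystore and key password

New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Location $work

# 1. ruleset.xml. Rules are evaluated top to bottom and the first match wins,
#    so the catch-all <id /> rule must be last or it swallows everything.
@'
<ruleset version="1.0+">
    <rule>
        <id location="*.ourdomain.com" />
        <action permission="run" />
    </rule>
    <rule>
        <id />
        <action permission="default" />
    </rule>
</ruleset>
'@ | Set-Content -Encoding ASCII -Path ruleset.xml

# 2. Package it. The file must be named ruleset.xml and sit at the JAR root.
& "$jdk\jar.exe" cvf DeploymentRuleSet.jar ruleset.xml

# 3. Self-signed 2048-bit RSA key pair, ~50 years validity, no interactive prompts.
& "$jdk\keytool.exe" -genkeypair -alias $alias -keystore SelfSigned.jks `
    -storepass $pass -keypass $pass -keyalg RSA -keysize 2048 `
    -validity 18262 -dname 'CN=DRS Signing, O=OurOrg'

# 4. Sign the JAR in place, then verify the signature and print the signer chain.
& "$jdk\jarsigner.exe" -keystore SelfSigned.jks -storepass $pass DeploymentRuleSet.jar $alias
& "$jdk\jarsigner.exe" -verify -verbose -certs DeploymentRuleSet.jar

# 5. Export the cert and install it in the machine Trusted Root store
#    (Computer account > Trusted Root Certification Authorities), as in the answer.
& "$jdk\keytool.exe" -exportcert -alias $alias -keystore SelfSigned.jks `
    -storepass $pass -file SelfSigned.cer
certutil.exe -addstore -f Root SelfSigned.cer

# 6. Deploy the rule set where the JRE looks for it.
$drsDir = 'C:\Windows\Sun\Java\Deployment'
New-Item -ItemType Directory -Force -Path $drsDir | Out-Null
Copy-Item -Path DeploymentRuleSet.jar -Destination (Join-Path $drsDir 'DeploymentRuleSet.jar') -Force

# 7. Check that Java can see the cert through the Windows root store.
#    An empty result here means the "Can not verify self-signed Deployment
#    Rule Set jar" error will persist.
& "$jdk\keytool.exe" -list -storetype Windows-ROOT -keystore NONE | Select-String 'DRS Signing'
```

Note that the private key in SelfSigned.jks is what authorizes rule sets on every machine that trusts the cert; keep the keystore off the workstations and treat it like any other signing key.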