Help for Signing Deployment Rule Sets
By Jim Connors 14 December 2017
Among other benefits, the Java SE Advanced offering provides customers with access to security patches for Java releases that are no longer publicly updated. As a result, many of these organizations have become diligent -- deservedly so -- in keeping up to date with Oracle's quarterly cadence. If you are one of those customers, you may have noticed that the most recent October 2017 updates for Java 6 (6u171) and Java 7 (7u161) no longer include a Java Plugin.
Does that mean future Java 6 and 7 updates won't be able to run browser-based applications? The answer is no; these releases can still run Java web content, but they must be launched with the latest Java 8 update configured with Deployment Rule Sets. Briefly, Deployment Rule Sets enable you to control the version of the JRE that is used for specific applications. In this scenario, the latest (most secure) Java 8 update is launched when a user clicks on a link to start a web application. The Java 8 plugin will consult the Deployment Rule Set, which contains a set of rules, to determine what to do next. If a rule exists to direct your application to run a specific version of Java, it will do so. If no rule exists, the rule set can be configured to block the application, thus assuring only those applications you trust can run.
The purpose of this article is not to introduce you to Deployment Rule Sets; there are other excellent resources including this entry entitled Introducing Deployment Rule Sets. Rather, the discussion today focuses on a critical step in creating rule sets, namely the requirement that the rule set be signed. The aforementioned article was written in 2013 when Deployment Rule Sets were first introduced. Java web application security has been further ratcheted up since, and the rule set signing section in the article only glosses over the steps required.
To help facilitate the signing of Deployment Rule Sets, the following GitHub project has been created:
https://github.com/jtconnors/sign_drs
Along with documentation and a sample ruleset, it includes a Windows PowerShell script which automates the process. You can check out the project's README for further info.
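For orientation, here is a minimal build-sign-verify sequence for a rule set that routes one application to Java 7 and blocks everything else. It is an added example, not the sign_drs script or any code from that project. The keystore path, key alias, timestamp authority URL and application URL are all placeholders.

```powershell
# Added example: package, sign and verify a Deployment Rule Set.
# Assumptions (not from the article): keystore, alias, TSA URL and app URL are placeholders.
param(
    [string]$Keystore = 'C:\keys\codesign.jks',     # hypothetical keystore holding the signing key
    [string]$Alias    = 'drs-signer',               # hypothetical key alias
    [string]$TsaUrl   = 'http://tsa.example.com',   # placeholder timestamp authority
    [string]$WorkDir  = (Join-Path $env:TEMP 'drs-build')
)
$ErrorActionPreference = 'Stop'

# Rules are evaluated top to bottom and the first match wins.
# The final rule has an empty <id/>, so it matches everything not listed above and blocks it.
$ruleset = @'
<ruleset version="1.0+">
  <rule>
    <id location="https://legacy-app.example.com/" />
    <action permission="run" version="1.7*" />
  </rule>
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by the corporate Deployment Rule Set.</message>
    </action>
  </rule>
</ruleset>
'@

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
Set-Content -Path (Join-Path $WorkDir 'ruleset.xml') -Value $ruleset -Encoding ASCII

Push-Location $WorkDir
try {
    # The archive must be named DeploymentRuleSet.jar with ruleset.xml at its root.
    & jar -cvf DeploymentRuleSet.jar ruleset.xml
    if ($LASTEXITCODE -ne 0) { throw 'jar failed' }

    # No -storepass: jarsigner prompts, keeping the password out of the command line and history.
    & jarsigner -keystore $Keystore -tsa $TsaUrl DeploymentRuleSet.jar $Alias
    if ($LASTEXITCODE -ne 0) { throw 'jarsigner signing failed' }

    # -strict makes jarsigner warnings count toward a non-zero exit code.
    & jarsigner -verify -strict -verbose -certs DeploymentRuleSet.jar
    if ($LASTEXITCODE -ne 0) { throw 'signature verification failed' }
}
finally { Pop-Location }
```

The signed `DeploymentRuleSet.jar` takes effect only after it is copied to the system-wide deployment directory on each client (`C:\Windows\Sun\Java\Deployment` on Windows), and only if the signing certificate chains to a root that the client trusts.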