Apply a Java Deployment Rule Set in 4 Easy Steps

by Ryan Oistacher on August 16, 2019

What is a Java Deployment Rule Set

A Java Deployment Rule Set enables you to continue using legacy business applications despite the changes to Java applet and Java Web Start application security policies. You can also use a Java Deployment Rule Set to control which version of Java Runtime Environment (JRE) JRE is used for specific business applications.

Some things in life are easy, but creating and managing a Java Deployment Rule Set isn’t one of them. Web-based Java apps require specific versions of Java; not just “the latest version.” This nuance makes it very tricky have both an older version of Java (for compatibility) and the latest version of Java (for security.)

You’re probably asking yourself “how can I get the best of both worlds; security AND compatibility?” Otherwise, you probably wouldn’t have found this blog. Fear not, you’re not alone. We’ve helped thousands of customers simplify their Java environments by doing the following:

Implementing the most-secure version of Java
Ensuring that critical legacy applications are matched with older versions is they needed.

If you’re not familiar with PolicyPak Java Rules Manager, here’s how to create, implement and manage your Java Deployment Rule Sets in X Easy Steps.

Step 1: Block Java Everywhere (Except the Websites That Need It)

As you can see in the screenshot below, I have four versions of Java installed on this Windows 10 computer.

The first thing you might want to do is increase Windows 10 security by proactively blocking all use of Java…. Except for the websites you know you have to use Java for. This is effectively a Java whitelist and can be done in a single policy in just a few clicks. Just create a Default Policy like this.

Sponsorships Available

And make the defaults to Block plus add your reason that end users should see.

The result of this one simple security step would be to instantly block all unknown Java websites when Java applets attempt to run. Here’s an example block message that the user sees.

Step 2: Make a “Map” Between Known Good Websites and Java Versions

Beyond this, you want to make a “map” between your known good websites, and which versions of Java you want to use with them. For instance:

Map Java.com to use Java 7 U 51. We can pretend that Java.com only works with 7 U 51, even though it will work with anything.
Map Javatester.org to use the latest version of Java 8… whatever that happens to be on the Windows 10 machine. We can pretend that Javatester.org is a business app which can use any version of Java, as long as it’s in the Java 8 family.

As you can see in the first screenshot above, our example Windows 10 machine has Java 7 U 51 installed, and two versions of Java 8.

To make the map from Java.com to Java 7 U 51, you’ll use PolicyPak Java Rules Manager to make a rule. In this example, it’s a few clicks to make the marriage.

Additionally, for Javatester.org, you would create a rule which will marry Javatester.org to whatever version of Java 8 is latest on the machine.

You can see instantly that Java.com is married to the specific 7 U 51 you specified. You can see this here.

Then for Javatester.org, you can see that the latest Java 8 was used that was on the machine. (Java 8 U 181).

Step 3: Consider Java Costs (And if You Want to Side Step Them)

Beyond making specific websites work with specific versions of Java, you can also use PolicyPak Java Rules manager to sidestep Java’s updated per-computer cost licensing model. We have another blog entry on that, which you’re welcome to read.

Step 4: Testing PolicyPak in Your Environment

Ready to get started? If so, visit this page (www.policypak.com/webinar) to sign up for a free trial and watch our introductory webinar. It will provide everything you need to know to get PolicyPak up and running in your environment (system requirements, versions, installation instructions, etc.)

Hope to see you soon!

The post Apply a Java Deployment Rule Set in 4 Easy Steps appeared first on PolicyPak.