Feb 05 2016
 

I recently had to update Java to version 8 on some RDS servers. Java 8 has increased its security level by default, and many private websites using unsigned Java code have stopped working with this version.

The only way to work around this is to deploy a “security.sites” file containing the URLs of the websites for which we want to bypass the security check.

This is just a simple file that looks like this:

  • https://my-trusted-java-unsigned.but-using-ssl.com
  • https://trusted.company.website.com
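Since every URL in this file is exempted from the Java security check, it is worth checking the list before deploying it. The following PowerShell is an added example, not part of the original procedure; the function name Test-ExceptionSiteList, the sample hosts under example.test and the policy it enforces (HTTPS only, no wildcards, no duplicates) are assumptions.

```powershell
# Added example: lint a Java exception site list before it is deployed.
# The policy (HTTPS only, no wildcards, no duplicates) is an assumption.
function Test-ExceptionSiteList {
    param([Parameter(Mandatory)][string[]]$Lines)

    $seen = @{}
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        $entry = $raw.Trim()
        if ($entry -eq '') { continue }   # ignore blank lines

        $problem = $null
        $uri = $null
        $key = $entry.ToLowerInvariant()
        if ($entry.Contains('*')) {
            $problem = 'wildcard entry'
        } elseif (-not [System.Uri]::TryCreate($entry, [System.UriKind]::Absolute, [ref]$uri)) {
            $problem = 'not an absolute URL'
        } elseif ($uri.Scheme -ne 'https') {
            $problem = "scheme '$($uri.Scheme)' is not https"
        } elseif ($seen.ContainsKey($key)) {
            $problem = 'duplicate entry'
        }
        $seen[$key] = $true

        # Emit one object per entry that needs review
        if ($problem) {
            [pscustomobject]@{ Line = $lineNo; Entry = $entry; Problem = $problem }
        }
    }
}

# Constructed sample input: the two entries shown above plus three bad ones.
$sample = @(
    'https://my-trusted-java-unsigned.but-using-ssl.com'
    'https://trusted.company.website.com'
    'http://intranet.example.test'
    'https://*.example.test'
    'https://trusted.company.website.com'
)

$findings = @(Test-ExceptionSiteList -Lines $sample)
$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) entries need review before deployment."
}
```

To check a real file, pass its lines instead of the sample: `Test-ExceptionSiteList -Lines (Get-Content .\security.sites)`.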

I’ve tried to follow the instructions from the Java.com manual to deploy the “security.sites” settings at the server level via configuration files. In this case you have to use a “deployment.config” located in <Windows Directory>\Sun\Java\Deployment\deployment.config.

But this is not very easy. First, the way Java uses path formats inside the different config files gives, to say the least, a real headache. The path format changes from file to file (really…). On top of that, if you have hardened the security on your RDS server to deny users read access on your system, it is quite difficult to troubleshoot why the “deployment.properties” method is not working.

Having a limited amount of time, I’ve chosen to deploy the “security.sites” file via the GPO preferences.

I’m working in a multi-tenant environment. We don’t have a common share. So in this tutorial I will store the “security.sites” file inside the GPO itself.

Launch the Group Policy Management Console. Right click on “Group Policy Objects” and select “New”. Name the GPO and click OK.

Now select your GPO in the left pane and click on the “Details” tab in the right pane.

We want to locate the “Unique ID” of the GPO. It will look something like this: {44175C22-701C-4DD4-B378-9599CD5FACBA}.

Now we can locate and open the folder of the GPO. Just access your domain “SYSVOL” folder this way:

  • \\your.domain\SYSVOL\your.domain\Policies\{0C5DBD9B-592B-4E8F-93C9-D3C45243B58D}\

I will copy the file into the following directory:

  • User\Scripts\Logon

So just copy and paste the “security.sites” file into this location. Now edit the GPO with the Group Policy Management Console.

Open the User configuration / Preferences / Windows Settings / Files.

Create a new file policy.

Select “Replace” as the default action (the file will be replaced at each logon).

Select the GPO folder as the source path:

  • \\your.domain\SYSVOL\your.domain\Policies\{0C5DBD9B-592B-4E8F-93C9-D3C45243B58D}\User\Scripts\Logon\security.sites

The destination of the file is located in the user's AppData folder (we will use the %USERPROFILE% variable to shorten the path):

  • %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites

Now one last action: in the “Common” tab, select:

  • Run in logged-on user’s security context (user policy option)

Save it, close your GPO editor, and it’s all done! Just link the GPO to your users' OU and they will start using your own security exception list for Java 8.
