404 Tech Support

Reining in Java in your environment

In most enterprises, Java is a necessary evil. While most home users these days can get away with just uninstalling, in the corporate world there is still a need for Java. That means tolerating the security risks and update nags and Ask Toolbars and the generally ad hoc default settings. Or does it?

Oracle provides Java Deployment Documentation with instructions for using a deployment.config and deployment.properties file in your environment to rein in Java and to get it to behave exactly how you want. It’s not the most detailed documentation but more of a technical index. Hopefully, this article will help explain the process a bit more plainly.

We have previously shared controlling Java’s Exceptions list that appeared under the Security tab of the Java Control Panel in Java 7u51. Now, we can control the rest of Java’s settings with a little more coordination.

The main meat & potatoes on the topic come from the Java Deployment Documentation but to really understand the setup and capabilities, I had to test it out and see it in action.

deployment.config

To control Java on the endpoint, it requires at least two files. The first is a text file called deployment.config. It resides at C:\Windows\Sun\Java\Deployment for Windows PCs or with variables:

Windows -> <Windows Directory>\Sun\Java\Deployment\deployment.config
Unix -> /etc/.java/deployment/deployment.config
Mac -> /Library/Application Support/Oracle/Java/Deployment/deployment.config

The deployment.config is pretty simplistic. It does not have a whole lot of settings to configure. It mostly points out the location of the deployment.properties file that contains the more detailed Java settings.

An example deployment.config file is below:

deployment.system.config = file:\C:\WINDOWS\Sun\Java\Deployment\deployment.properties
deployment.system.config.mandatory = true
deployment.system.cachedir = C:\WINDOWS\Sun\Java\Cache\

The property deployment.system.config tells it where to find the deployment.properties file, the next file we will focus on. The property deployment.system.config.mandatory tells Java to care if that deployment.properties file is available. If the config is mandatory but not readable, Java will not do anything. If the config is mandatory and available, Java will behave how you specify. If the config is not mandatory and not available, Java will use default settings or the user-specified settings in the deployment.properties file located under their user profile. You can also set the cache directory for Java to use if you would rather use a central cache versus user-specific caches. You can remove the deployment.system.cachedir line if you do not wish to specify a different location for the cache directory.

I have been putting the central deployment.properties file in the same directory as the deployment.config file and it’s been a perfectly good spot.

deployment.properties

Users have individual deployment.properties files in their user profile, but Java will use the system-wide deployment.properties if one is specified in the deployment.config file. The settings line up with the settings seen in the Java Control Panel.

Individual deployment.properties files that you may look at for examples are located here:

Windows -> <User Application Data Folder>\LocalLow\Sun\Java\Deployment\deployment.properties
Unix -> ${user.home}/.java/deployment/deployment.properties
Mac -> ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties

You can comment out a line by adding a pound sign/hash tag/# in front of it or enable the line by removing the hash tag. (Don’t uncomment the section lines, just the properties.) Adding the property name and .locked after it will mean that the setting is enforced and grayed out for the user. If it is not locked, the user would be allowed to change the setting.
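The mandatory rule for deployment.config and the .locked convention for deployment.properties described above are easy to get subtly wrong on a fleet, so here is an added audit script (example code written for this article, not from 404 Tech Support or Oracle). It parses both files with the conventions described here (# comments, key=value, a bare key.locked line locks the key), resolves the deployment.system.config pointer, applies the mandatory rule, and compares the result against a baseline of settings an administrator wants enforced. The baseline, the sample file contents and the in-memory "filesystem" dictionary are all constructed for the example; values are taken literally, without java.util.Properties backslash escaping, so a path is reported exactly as written.

```python
"""Audit a Java deployment.config / deployment.properties pair (added example)."""
import re

# Assumed baseline for the example: property -> value the administrator
# wants. Every entry is also expected to be locked so users cannot change it.
BASELINE = {
    "deployment.security.level": "HIGH",
    "deployment.javaws.autodownload": "NEVER",
    "install.disable.sponsor.offers": "true",
    "deployment.webjava.enabled": "true",
}


def parse_properties(text):
    """Return (values, locked) for a deployment.config / deployment.properties text.

    values: dict of key -> value for 'key=value' (or 'key value', 'key:value') lines
    locked: set of keys that appear as a bare 'key.locked' line (or key.locked=...)
    Lines starting with # or ! are comments.  Values are kept verbatim.
    """
    values = {}
    locked = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            values[m.group(1)] = m.group(2).strip()
        elif line.endswith(".locked"):
            locked.add(line[: -len(".locked")])
    # Some files write the lock as key.locked=true; treat that the same way.
    for key in values:
        if key.endswith(".locked"):
            locked.add(key[: -len(".locked")])
    return values, locked


def resolve_config_path(value):
    """Turn a deployment.system.config value into a plain path.

    Accepts the forms seen in the wild: file:///C:/x, file:/C:/x, file:\\C:\\x,
    file:///etc/x, or a bare path.  Only the scheme and the leading separators
    are stripped; the remainder is returned as written.
    """
    rest = value[len("file:"):] if value.lower().startswith("file:") else value
    stripped = rest.lstrip("/\\")
    if re.match(r"[A-Za-z]:", stripped):          # Windows drive letter
        return stripped
    if rest[:1] and rest[0] in "/\\":             # absolute Unix path: keep the root
        return "/" + stripped
    return stripped


def audit(config_text, files):
    """Audit one endpoint's Java deployment configuration.

    config_text: contents of deployment.config
    files: dict of resolved path -> file text; a missing key means the file is
           not readable.  This stands in for the filesystem so the example runs
           offline.
    Returns {"path": ..., "mode": ..., "findings": [...]}.
    """
    cfg, _ = parse_properties(config_text)
    pointer = cfg.get("deployment.system.config")
    mandatory = cfg.get("deployment.system.config.mandatory", "false").lower() == "true"
    report = {"path": None, "mode": None, "findings": []}
    if pointer is None:
        report["mode"] = "no-system-config"   # nothing central; per-user settings apply
        return report
    path = resolve_config_path(pointer)
    report["path"] = path
    text = files.get(path)
    if text is None:
        # Mandatory + unreadable: Java will not apply anything.
        # Optional + unreadable: defaults or the user's own deployment.properties.
        report["mode"] = "blocked" if mandatory else "user-defaults"
        report["findings"].append(f"system deployment.properties not readable at {path}")
        return report
    report["mode"] = "enforced" if mandatory else "optional"
    values, locked = parse_properties(text)
    for key, expected in BASELINE.items():
        actual = values.get(key)
        if actual is None:
            report["findings"].append(f"{key}: not set (expected {expected})")
            continue
        if actual != expected:
            report["findings"].append(f"{key}: is {actual}, expected {expected}")
        if key not in locked:
            report["findings"].append(f"{key}: not locked, users can change it")
    return report


# Constructed sample files (not from the article): the security level is
# wrong and one baseline setting is left unlocked, so the audit flags both.
SAMPLE_CONFIG = r"""deployment.system.config = file:\C:\WINDOWS\Sun\Java\Deployment\deployment.properties
deployment.system.config.mandatory = true
"""
SAMPLE_PROPERTIES = """# Security Tab
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
deployment.security.level.locked
# Advanced Tab
deployment.javaws.autodownload=NEVER
deployment.javaws.autodownload.locked
install.disable.sponsor.offers=true
install.disable.sponsor.offers.locked
"""
SAMPLE_FILES = {r"C:\WINDOWS\Sun\Java\Deployment\deployment.properties": SAMPLE_PROPERTIES}

if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, SAMPLE_FILES)
    print(f"mode={result['mode']} path={result['path']}")
    for finding in result["findings"]:
        print(" -", finding)
```

Run it against the two real files by reading them from disk into the same shape as SAMPLE_FILES; the mode field tells you whether the endpoint is actually enforcing the central file or silently falling back to per-user settings, which is the case the mandatory flag exists to prevent.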

An example deployment.properties file is below:

#deployment.properties

# Security Tab
# Enable Java content in the browser
deployment.webjava.enabled=true
#deployment.webjava.enabled.locked
# Security Level
deployment.security.level=HIGH
deployment.security.level.locked

# Advanced Tab
# Debugging > Enable tracing
deployment.trace=false
#deployment.trace.locked
# Debugging > Enable logging
deployment.log=false
#deployment.log.locked
# Debugging > Show applet lifecycle exceptions
deployment.javapi.lifecycle.exception=false
#deployment.javapi.lifecycle.exception.locked
# Java console
#deployment.console.startup.mode.locked
deployment.console.startup.mode=HIDE
# Default Java for browsers > Microsoft Internet Explorer
deployment.browser.vm.iexplorer=true
#deployment.browser.vm.iexplorer.locked
# Default Java for browsers > Mozilla family
deployment.browser.vm.mozilla=true
#deployment.browser.vm.mozilla.locked
# Java Plug-in > Enable the next-generation Java Plug-in (requires browser restart)
# This must be done by executing one of the following commands as an administrator:
# [Disable] – {JREInstallPath}\bin\ssvagent.exe -high -jpisetup -old
# [Enable] – {JREInstallPath}\bin\ssvagent.exe -high -jpisetup -new
# Shortcut Creation
#deployment.javaws.shortcut=ASK_IF_HINTED
#deployment.javaws.shortcut.locked
# JNLP File/MIME Association
#deployment.javaws.associations=ASK_USER
#deployment.javaws.associations.locked
# Application Installation
#deployment.javaws.install=IF_HINT
#deployment.javaws.install.locked
# JRE Auto-Download
deployment.javaws.autodownload=NEVER
deployment.javaws.autodownload.locked
# Security Execution Environment > Enable granting elevated access to signed apps
# aka. Allow user to grant permissions to signed content
#deployment.security.askgrantdialog.show=true
#deployment.security.askgrantdialog.show.locked
# Security Execution Environment > Enable granting elevated access to self-signed apps
#deployment.security.askgrantdialog.notinca=true
#deployment.security.askgrantdialog.notinca.locked
# Security Execution Environment > Show sandbox warning banner
#deployment.security.sandbox.awtwarningwindow=true
#deployment.security.sandbox.awtwarningwindow.locked
# Security Execution Environment > Allow user to accept JNLP security requests
#deployment.security.sandbox.jnlp.enhanced=true
#deployment.security.sandbox.jnlp.enhanced.locked
# Security Execution Environment > Don’t prompt for client certificate selection when no certificates or only one exists
#deployment.security.clientauth.keystore.auto=true
#deployment.security.clientauth.keystore.auto.locked
# Security Execution Environment > Warn if site certificate does not match hostname
#deployment.security.jsse.hostmismatch.warning=true
#deployment.security.jsse.hostmismatch.warning.locked
# Security Execution Environment > Show site certificate from server even if it is valid
#deployment.security.https.warning.show=false
#deployment.security.https.warning.show.locked
# Mixed code (sandbox vs. trusted) security verification
#deployment.security.mixcode=ENABLE
#deployment.security.mixcode.locked
# Check for certificate revocation using
# Replaces Advanced Security Settings > Check certificates for revocation using Certificate Revocation List (CRLs)
# [Certificate Revocation List (CRLs)] – ocsp=false, crl=true
# [Online Certificate Status Protocol (OCSP)] – ocsp=true, crl=false
# [Both CRLs and OCSP] – ocsp=true, crl=true
#deployment.security.validation.ocsp=true
#deployment.security.validation.ocsp.locked
#deployment.security.validation.crl=true
#deployment.security.validation.crl.locked
# Advanced Security Settings > Use certificates and keys in browser keystore
#deployment.security.browser.keystore.use=true
#deployment.security.browser.keystore.use.locked
# Advanced Security Settings > Check certificates for revocation using Certificate Revocation List (CRLs)
# See "Check for certificate revocation using" above
# Advanced Security Settings > Enable list of trusted publishers
#deployment.security.pretrust.list=true
#deployment.security.pretrust.list.locked
# Advanced Security Settings > Enable blacklist revocation check
#deployment.security.blacklist.check=true
#deployment.security.blacklist.check.locked
# Advanced Security Settings > Enable caching password for authentication
#deployment.security.password.cache=true
#deployment.security.password.cache.locked
# Advanced Security Settings > Enable online certificate validation
#deployment.security.revocation.check=ALL_CERTIFICATES
#deployment.security.revocation.check.locked
# Advanced Security Settings > Use SSL 2.0 compatible ClientHello format
#deployment.security.SSLv2Hello=false
#deployment.security.SSLv2Hello.locked
# Advanced Security Settings > Use SSL 3.0
#deployment.security.SSLv3=false
#deployment.security.SSLv3.locked
# Advanced Security Settings > Use TLS 1.0
#deployment.security.TLSv1=true
#deployment.security.TLSv1.locked
# Advanced Security Settings > Use TLS 1.1
#deployment.security.TLSv1.1=true
#deployment.security.TLSv1.1.locked
# Advanced Security Settings > Use TLS 1.2
#deployment.security.TLSv1.2=true
#deployment.security.TLSv1.2.locked
# Miscellaneous > Place Java icon in system tray
# Miscellaneous > Java Quick Starter
#deployment.system.tray.icon=true
#deployment.system.tray.icon.locked
# Disable sponsor offers like the Ask Toolbar
install.disable.sponsor.offers=true
install.disable.sponsor.offers.locked

# Prompt: "Your Java version is insecure." or "Your Java version is out of date."
deployment.expiration.check.enabled=false
deployment.expiration.check.enabled.locked
#
#deployment.capture.mime.types=true
#deployment.capture.mime.types.locked

deployment.security.expired.warning=false
deployment.security.expired.warning.locked

#deployment.user.security.exception.sites=C:\WINDOWS\Sun\Java\Deployment\exception.sites
#deployment.user.security.exception.sites.locked

You can see the settings have the effect of unchecking or checking the corresponding boxes and graying out the locked properties in the screenshot below.

As you can see with the deployment.user.security.exception.sites property, you could specify a different location for the exception.sites file. That may be easier to manage in your environment than the method we wrote about previously, which used Group Policy Preferences to distribute and update exception.sites files.

You can view more details about the other properties from the Java Deployment Configuration File and Properties documentation.

After going through the Java deployment process, it seems much easier to understand through practical use. Hopefully this article was also helpful to you.