Allowing jnlp via deployment rule set

Similar Messages

• Deployment Rule Sets do not properly launch the latest available version from the JRE6 family when the jpi-version is specified by the RIA

  Issue Summary
  In Java 1.7 Update 71, Java 1.7 Update 72 and Java 1.8 Update 25 Deployment Rule Sets do not properly launch the latest available version from the JRE6 family when the jpi-version is specified by the RIA.  We've noticed this with Oracle Forms and Reports 11g where we have forms that specify Java 1.6 Update 20.  We used to be able to specify Java 1.6 Update 26 in our Ruleset, but now the only version a that works in our ruleset is Java 1.6 Update 20 which is the same version requested by the JPI-Version attribute of the jar.  The long term solution would be to upgrade Oracle Forms and Reports, however this isn't currently in the cards.
  RuleSet.xml Test
  Ruleset.xml
  1 
  2
  3
  4
  5
  6
  7
  8
  9
  10
  11
  <ruleset version="1.0+">  
  <rule>
     <id location="*.javatester.org" />
     <action permission="run" version="1.6*" />
  </rule>
  <ruleset version="1.0+">
  <rule>
     <id location="*.internaldomain.name" />
     <action permission="run" version="1.6*" />
  </rule>
  </ruleset>
  Test 1 (Control)
  Installed Java Versions:
  – 1.7 Update 51 b13 (both x86 and x64 however x86 is invoked)
  – 1.6 Update 26 b03 (both x86 and x64 however x86 is invoked)
  Deployment Ruleset works as expected for both URLs
  Test 2
  Installed Java Versions:
  – 1.7 Update 72 (both x86 and x64 however x86 is invoked)
  – 1.6 Update 26 b03 (both x86 and x64 however x86 is invoked)
  The RuleSet works for JavaTester.org however on internaldomain.name we get the following error:
  With the trace logging turned on, I suspected the version attribute supplied by the RIA. I was able to trick Java by adding the following to my system deployment.properties file:
  deployment.javaws.jre.0.product=1.6.0_20
  deployment.javaws.jre.0.path=C\:\\Program Files (x86)\\Java\\jre6\\bin\\javaw.exe
  deployment.javaws.jre.0.enabled=true
  Because the RIA requests 1.6.0_20 it matches 1.6* from the deployment ruleset sooner than 1.6.0_26. However, if 1.6.0_20 is not available 1.6.0_26 should match according to the Deployment Rule Set documentation:
  http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html
  The version of the JRE that is used is determined by the following order of precedence:
  1. The current version of the JRE is used if it is available and matches both the version attribute and the version requested by the RIA.
  2. The latest available version of the JRE is used if it matches both the version attribute and the version requested by the RIA.
  3. The current version of the JRE is used if it is available and matches the version attribute.
  4. The latest available version of the JRE is used if it matches the version attribute.
  If no version is available that meets the criteria, then the RIA is blocked, and a message is shown to the user. To provide a custom message, include the message element.
  As a result:
  If Java 1.6.0_20 is listed in the version requested by the RIA and 1.6.0_20 is listed in the deployment.properties file, #1 matches.
  If Java 1.6.0_20 is listed in the version requested by the RIA, but 1.6.0_20 is NOT listed in the deployment.properties file the #1 SHOULD match, but doesn’t. It used to match up-to and including JRE 1.7 Update 51 however the ruleset appears to no longer match in subsequent versions.
  #2 should never match with our current Deployment Ruleset. It would match if we specified 1.7* as a version in the Ruleset.xml.
  #3 used to be broken as well after JRE 1.7 Update 51 however this bug has been marked as fixed. See: http://bugs.java.com/view_bug.do?bug_id=8032781
  I have reproduced this issue with Java 1.7 Update 71, Java 1.7 Update 72, and Java 1.8 Update 25 when one of these versions are installed with Java 1.6 Update 26.

  I can't seem to edit this post anymore, for some odd reason.
  So here goes;
  I found this post in NVIDIA's knowledge base;
  When installing an after-market graphics card into a certified Windows 8 PC with UEFI enabled, the s...
  The interesting parts in this post are as follows;
  When an after-market graphics card is installed into a motherboard with UEFI enabled in the system BIOS, or if the system is a certified Windows 8 PC with Secure Boot enabled, the system may not boot.
  UEFI is a new system BIOS feature that is provided on most new motherboards. A UEFI system BIOS is required in order for the Windows 8 Secure Boot feature to work. Secure boot is enabled by default on certified Windows 8 PCs.
  In order to get the PC to boot with a graphics card that does not contain UEFI firmware, the end-user must first disable the secure boot feature in the system's SBIOS before installing the graphics card.
  Note: Some system SBIOS's incorporate a feature called compatibility boot. These systems will detect a non-UEFI-enabled firmware VBIOS and allow the user to disable secure boot and then proceed with a compatibility boot. If the system contains a system SBIOS the supports compatibility boot, the user will need to disable secure boot when asked during boot process
  This leads me to believe that the BIOS update that wrecked my setup was 9SKT58A/9SJT58A, which only contains one change;
  "Adds support for updating BIOS from a WIN7 BIOS to a WIN8 BIOS".
  I've just ordered a cheap UEFI-compatible GT640 from Gainward, so I hope I'll be able to try that out this weekend.

• Deployment Rule Set broken with Java 7u55

  Hello!
  I'm using Deployment Rule Set in my company environment, its signed by code signing certificate that is given out by internal CA. After I upgraded to Java 7u55, the Deployment Rule Set does not recognize older statically installed Java version.
  Versions I have:
  7u45 - install directory: C:\Program Files\Java\jre1.7.0_45
  7u51 - install directory: C:\Program Files\Java\jre1.7.0_51
  7u55 - install directory: C:\Program Files\Java\jre1.7.0_55 or C:\Program Files\Java\jre7\ - neither does not work
  When I go to site described in Ruleset and that has to use Java 7u45, then I receive an message "Deployment Rule Set required Java version 1.7.0_45 not available. In the same way it doesn't recognize 1.7.0.51 or even Java version 6.
  When I uninstall Java 7u55, everthing works fine again.
  My ruleset looks like this:
  <ruleset version="1.0+">
       <rule>
            <id location="first.site.com" />
            <action permission="run" version="1.7.0_45" />
       </rule>
       <rule>
            <id location="second.site.com" />
            <action permission="run" version="1.7.0_51" />
       </rule>
       <rule
            <id />
            <action permission="default" />
       </rule>
  </ruleset>
  Anyone knows what's wrong or is it a bug?

  costlow - I disagree.  If I'm using IE, then I only need the internal certficate used to sign the jar to be also insalled on the machine in question in the windows CA Certs store.  If the cert was the issue, why does it work with 7u51.  If it was a bad cert, it should fail with every version.  Plus, I think the pop up has a different error message if it has a cert issue.
  I'm having the exact same issue as the OP described and it all started with 7u55.  Here's what I've found:
  - With 7u55 or 7u60 installed, the error will come up rergardless of what prior version is being requested.
  - If 7u51 is the latest installed, it works
  -  If 8u05 is installed with 7u55 and/or 7u60, it works
  - If I install the 7u60 EA b15, it works
  Something in the final release is being added that blocks this functionality, but for some odd reason only in the 7 family starting with 7u55.
  Any insight you could give would be very helpful.  In the meantime, I am deploying 8u05 to cover this up, but it does pose issues for some apps that don't work with the new 8 family plugin.

• 7u45: MacOS X: Deployment Rule Set not found?

  Per the Deployment Rule Set packaging instructions:
  http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/deployment_rules.html#package
  "Install the DeploymentRuleSet.jar file on your users' systems in the following directories:
  On Windows platforms, install the file in the <Windows-directory>\Sun\Java\Deployment directory, for example, c:\Windows\Sun\Java\Deployment.
  On Mac OS X and UNIX platforms, install the file in the /etc/.java/deployment directory.
  To view the active rule set, see the Security section of Java Control Panel."
  I am able to use and view the rule set on Windows and Linux platforms, but the deployment rule set is not seen under MacOS X (10.9 Mavericks).
  I placed it in:
  /etc/.java/deployment/DeploymentRuleSet.jar and yes, it is properly signed, in the correct format, etc. Identical file works fine under Windows and Linux.
  Anyone else have this issue?

  Hurray!! I finally found out how to get the JCP to display the DeployementRuleSet.jar file.
  The path in the documentation (/etc/.java/deployment) is wrong (at least on Mac OSX 10.7.5)!.
  I went through the decompilation of the ControlPanel source code, and found out that the expected path for the jar file is
  /Library/Application Support/Oracle/Java/Deployment
  Note:The Deployment directory has to be created

• Getting Deployment Rule Sets to work

  So, I'm struggling trying to get Java deployment rule sets working as follows:
  Here is my simple ruleset.xml:
  <ruleset version="1.0+">
    <rule>
      <id location="javatester.org" />
      <action permission="run" version="1.6.0_35" />
    </rule>
  </ruleset>
  I have gotten this same ruleset working using 3 different older versions of jre7 (7u45, 7u35, 7u9) where javatester.org website will display the specified version, even when a newer version is present.  However, this seems to break when I try to specify a jre6 version (tried both 6u35 & 6u27).
  For example, when I try 6u35, the javatester.org website displays
  Error.  Click for details
  When I click, a blank pop up windows briefly pops up then disappears, with a title bar "Application Error".  I have made the Java console visible for testing purposes, and both the 1.7.0_51 & 1.6.0_35 consoles pop up, but I can't find anywhere why this might not work.  I am assuming it's not a certificate issue, as I imported my self-signed certificate into the Signer CA store and can see it in both the Java 7u51 control panel, and the Java 6u35 control panel.
  Any thoughts?  Anyone else get this working?

  Hello,
  can you show me your "ruleset.xml"?
  I had similar problems when I had an error in there (invalid XML). You have to be extra careful that it is valid UTF-8 too. I already got a problem because of an invalid umlaut,
  Regards
  Markus

• Deployment Rule Set Centrally Managed location of .jar file?

  Hello,
  We are currently looking at implementing the Deployment Rule Set in our company and I was wondering if there is a way to centrally manage the Deployment Rule Set?
  Having to keep up with deploying the jar file for every change and expiring certificates isn't ideal
  Thanks!

  And your OS doesn't have a file search feature, which might have given you the answer faster than waiting for a response on these columns?
  db

• Deployment Rule Set - Allow file://

  I have a DVD that uses Java to look up parts.  Java content is blocked because the content is not signed by the vendor.  When it is blocked, it lists the location as "file://"
  I have tried to add the following to the DeploymentRuleSet with no success:
  <rule>
        <id location="file://" />
        <action permission="run" />
  </rule>
  It no longer tells me that the content is blocked, but it also doesn't run the content.  It just sits there.
  I have even added file:/ to the exceptions list and it still doesn't work.
  I've had to work around this issue by installing Java 6 on systems that need to access this DVD.
  Has anyone been successful in allowing "file://" to run through a rule in their DeploymentRuleSet?

  Hello,
  Can you try something like
  file://*
  file://c/*
  etc.
  -Roger

• GRC AC Rule Sets

  Hi
  We have a requirement of building up a custom rule set for our organization. The current requirement is to have a central rule set across for all system and have subsequent system specific Risks identified in addition.
  Scenario: Letu2019s say we have identified around 100 risks across the enterprise, however only 50 risks out of 100 risks are applicable for one system. While for the second system there are around 70 risks applicable. Finally for the third one all 100 risks are applicable.
  Should we have system specific rule sets to address the above scenario or should we have a common rule set for the enterprise.
  Appreciate your inputs about the approach for building up of rule set for such scenarios.
  Question: With GRC 10.0, can we run risks for a system on multiple rule set IDs at one time.
  Thanks.
  Anjan Pandey

  Hi,
  Most of the clients will prefer to go with one rule set. However System can allow create/maintain multiple rule sets.
  Anyway your requirement is to have one central rule set across all systems u2013 For that, Create Logical system and maintains one Rule set is the right approach and it gives flexibility for future usage to add /remove required systems. You can maintain risks by system specific, not required to maintain multiple rule sets.
  Refer  GRC Access Control Effective Rule Set Design document,  it gives some good explanation of Rule Set Design&typical Scenarios, Logical & Physical systems approach..etc.
  Regards,
  Ram
  Edited by: ram komma on Apr 13, 2011 1:55 PM

• Trying to comprehend the use of Automatic Deployment Rules

  I am having a hard time trying to conceptualize ADRs. I would appreciate it if someone can let me know if I am on the right track here. 
  The way I see it is I can set up an ADR for every 2nd Tuesday of every month (Patch Tuesday) to run to build my initial deployment to a pilot test group. Then I have to build subsequent deployments after that since ADRs can only build one deployment (the
  one for my pilot test group). 
  My question is, should an ADR be used only for a pilot test deployment and not a production deployment?
  Thank you very much everyone, I appreciate your help

  I thought during the wizard it allows you to specify which type of patches you want to deploy such as Security, etc? 
  You select the update filter and criteria in the ADR wizard:
  http://blogs.technet.com/b/configmgrdogs/archive/2012/05/08/configmgr-2012-automatic-deployment-rules.aspx
  An example scenario:
  http://technet.microsoft.com/en-us/library/jj134348.aspx#BKMK_Step2
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• How can I deploy the setting of clear cache on exit for all users?

  How can I deploy the setting of clear cache on exit for all users?

  Note that Firefox disables the disk cache if you use "Clear history when Firefox closes" to clear the cache (see about:cache), so you can either disable the disk cache via its related pref or set the prefs related to clearing this data,but then other items that have a check-mark by default are cleared as well.
  *browser.cache.disk.enable
  *privacy.clearOnShutdown.cache
  *privacy.sanitize.sanitizeOnShutdown
  You can use a mozilla.cfg file in the Firefox program folder to lock prefs or specify new (default) values.
  Place a local-settings.js file in the defaults\pref folder where also the channel-prefs.js file is located to specify using mozilla.cfg.
  pref("general.config.filename", "mozilla.cfg");
  These functions can be used in the mozilla.cfg file:
  defaultPref(); // set new default value
  pref(); // set pref, but allow changes in current session
  lockPref(); // lock pref, disallow changes
  See also:
  *http://kb.mozillazine.org/Locking_preferences
  *http://mike.kaply.com/2012/03/16/customizing-firefox-autoconfig-files/
  *http://mike.kaply.com/2014/01/08/can-firefox-do-this/

• FBL5N - in Rule set - It is a Display customer line items

  Dear All,
  We observed that FBL5N - Display customer line items in Standard SoD rule set under function AR07  addressing a risk of S022.
  Unless there are t-codes of FD03 or FB02 this t-code does not allow to change the payment terms of the customer.
  We are having a challenge from the client that FBL5N is a display t-code and why it is there in rule set.
  Has anybody came across this scenario? If yes, what is the underlying risk for this FBL5N independently.
  Is there any SAP Note for this t-code like ME23N from SAP.
  Thanks and Best Regards,
  Srihari.K

  Hi Christian,
  We checked the authorization objects as well enabled in GRC rule set as below:
  F_BKPF_BUK - Docume t Authorization document for company codes - 01 or 02 - Enable.
  Inspite of this access, FBL5N cannot be used to change the document for payment terms and assignments without FB02 t-code
  assignment in the role.
  Independently FBL5N cannot be used for any change or create activity except Display customer line items.
  Please advise
  Thanks and Best Regards,
  Srihari.K

• I have messages in mail that are color-coded as if by a rule, but I have no rules set. How can I correct this?

  The only rule that I ever had in Mail was the default one that color coded messages from Apple blue. I notice that some messages are color-coded brown and I have no rules set at al (hence no rule to turn off.)  Some of the messages are related to viewing online magazine, but not all.  How can I stop this?

  Hi. Thanks for your message.
  Well, I understand what you are trying to say but I thought it was easier to categorize in Apple Mail.
  On Entourage I just click twice on a sender address, record it on Address book and give it a colour that I previously defined as "Work", "Personal", "Customers", "Suppliers", "Friends" or whatever.
  As Apple Mail don't have Address Book as part of it but an outside feature it's very annoying. Of course I am used to use a software and I don't expect now Apple Mail do everything as Entourage but... as someone said it seems Apple Mail stopped in time. The recent version seems the first one ever issued. I hate the way Mail.app handles attachments by placing big chunky previews right in my email. I prefer them to be named attachments listed somewhere else, out of the content of my email. I don't if I can change this via terminal commands? Can you tell me if that is possible?
  I don't understand why Apple Mail have lots of plugins instead of a great improvment from the backstage.
  I use Apple computers since ever and I love this machines but sometimes I don't understand this lake of improvments.
  Take a look at this link:
  http://scottworldblog.wordpress.com/2009/10/12/microsoft-entourage-vs-apple-mail /
  Of course I don't agree 100% with him but some things are true...

• Is it possible to add a firewall Filter or Rule Set to the Extreme Router (802.11n)

  Is it possible to add a firewall Filter or Rule Set to the setting for the Extreme Router (802.11n) like the following:
  "ALLOW TCP/UDP IN/OUT to 208.67.222.222 or 208.67.220.220 on Port 53"  and
  "BLOCK TCP/UDP IN/OUT all IP addresses on Port 53"
  The goal of this is to create a firewall rule to only allow DNS (TCP/UDP) to OpenDNS' servers and restrict all other DNS traffic to any other IPs.
  Or, alternatively is there a way to configure same applied to the Network preferences on IMAC OS X?
  Thanks and much appreciation to anyone who has any clue about this.

  Sorry, I think you've got it backwards.
  The concern is NOT that the child can make changes to our hardware/AEBS, or even our network software on my IMAC - nothing's been changed.
  BUT, he changed the dns settings on his OWN device (ie chromebook) to google public server, accessed the AE using our home wifi network BUT bypassed our dns settings. Capeesh?
  See: http://www.pocketables.com/2013/03/how-to-use-change-the-dns-settings-on-your-ch romebook-and-use-googles.html

• Access to update the GRC rule set is limited

  Hello - What is the process (tcode) to see who has access to update the GRC rule set?
  Thanks!

  Hi Sam,
     What is the version of your RAR (CC)? If it is CC 4.0 then you enter the product via tcode and go to rule architect to make changes. If you have CC 5.X then you go through the web browser and go to Rule architect to make changes to the rule set.
  The process to change a rule set is as below:
  1) Creats Function
  2) Create risk
  3) Create Rule
  Regards,
  Alpesh

• Multiple GRC rule set update

  we are having a custom rule set A loaded in GRC. Now we want another rule set B, with new risks and definition to be loaded in GRC. If we try to upload rule set B risks and functions via Upload function in GRC, would it overwrite the rule set A, or not.Just wanted to confirm whether existing rule set A would be affected or not, due to upload of rule set B.

  Hey Alpesh,
  Sorry, I haven't understand it correct. This is a question that will always be asked in the train.
  You wrote:
  "If you have created different files (e.g. risks, ruleset, function action, function permission etc.) and upload them via configuration -> rule upload then RAR will not overwrite your ruleset A and will only insert new rule set files."
  Is this just possible, if all IDs (risk, function, function action, function permission) will be changed before and could not be equal like in the rule set A? correct?
  What's about with the ALL.txt files, do I have to change/upload them as well again?
  Thanks for feedback,
  alwaly a pleasure!
  Greets
  Martin