Whitelisting Percussion Applets using Java Deployment Rules

For those still having lingering issues with security warnings and Java, you can use Deployment Rule Sets to whitelist Rhythmyx server URLs so that your internal users are not impacted by future security updates.

Oracle has instructions on setting this up here:

Deployment Rule Sets

For CM System 7.x, use “SECURE-1.7” as your version of Java. For legacy versions of CM System use “SECURE-1.6” or “SECURE-1.5”. This will ensure that the latest patched version of the Java runtime is used for the version of Java being run.

The process involves 4 primary steps:

1.) Create a ruleset.xml file that includes a rule for every host name used to access your Rhythmyx installations. Also include any other Java applications that are used by your organization. An example rule set is included below. This policy will effectively whitelist 3 Rhythmyx servers: all local installations running on 9992, cms.mycompany.com (configured to run on port 80) and devcms.mycompany.com running on port 9992. Every hostname and protocol must be listed as a separate rule, so if SSL is enabled, for example, a 4th rule would need to be added for the https:// version of the URL.
ruleset.xml

<ruleset version="1.0+">
  <rule>
    <id location="http://127.0.0.1:9992/" />
    <action permission="run" version="SECURE-1.7" />
  </rule>
  <rule>
    <id location="http://cms.mycompany.com/" />
    <action permission="run" version="SECURE-1.7" />
  </rule>
  <rule>
    <id location="http://devcms.mycompany.com:9992/" />
    <action permission="run" version="SECURE-1.7" />
  </rule>
  <rule>
    <id />
    <action permission="block">
      <!-- Change permission to default to use Java default security which is to prompt users -->
      <message>Blocked by corporate</message>
    </action>
  </rule>
</ruleset>

2.) Package the ruleset.xml into a jar.

jar -cvf DeploymentRuleSet.jar ruleset.xml

3.) Sign the jar. This step can be a pain if you don’t have a code signing certificate, but in order to secure the policy you need to get one.

See this link for background.

4.) Deploy the DeploymentRuleSet.jar to your users' desktops, preferably using some form of I.T. policy or systems management tool.

  • On Windows platforms, install the file in the \Sun\Java\Deployment directory, for example, c:\Windows\Sun\Java\Deployment.
  • On UNIX platforms, install the file in the /etc/.java/deployment directory.
  • On Mac OS X platforms, install the file in the /Library/Application Support/Oracle/Java/Deployment/ directory.
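Because the final rule blocks everything that is not listed, it is worth checking ruleset.xml against the URLs your users actually open before packaging it in step 2. The script below is an added example, not part of the original post or of Percussion's or Oracle's tooling; the function names and the test URLs are constructed, and it assumes a rule covers a URL only when scheme, host and port match exactly (paths and wildcard locations are not modelled).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Rule set from step 1, embedded so the check runs offline.
RULESET = """<ruleset version="1.0+">
  <rule><id location="http://127.0.0.1:9992/" /><action permission="run" version="SECURE-1.7" /></rule>
  <rule><id location="http://cms.mycompany.com/" /><action permission="run" version="SECURE-1.7" /></rule>
  <rule><id location="http://devcms.mycompany.com:9992/" /><action permission="run" version="SECURE-1.7" /></rule>
  <rule><id /><action permission="block"><message>Blocked by corporate</message></action></rule>
</ruleset>"""

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Normalize a URL to (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme))

def lint(ruleset_xml):
    """Return (origins allowed to run, list of problems) for a ruleset.xml string."""
    rules = ET.fromstring(ruleset_xml).findall("rule")
    allowed, problems = set(), []
    for n, rule in enumerate(rules, start=1):
        ident, action = rule.find("id"), rule.find("action")
        if ident is None or action is None:
            problems.append(f"rule {n}: missing <id> or <action>")
            continue
        version = action.get("version")
        if version is not None and version != version.strip():
            problems.append(f"rule {n}: whitespace in version {version!r}")
        # Rules are evaluated in order, so an empty <id /> must come last.
        if not ident.attrib and len(ident) == 0 and n != len(rules):
            problems.append(f"rule {n}: catch-all <id /> hides the rules after it")
        if action.get("permission") == "run" and ident.get("location"):
            allowed.add(origin(ident.get("location")))
    return allowed, problems

def uncovered(ruleset_xml, urls):
    """URLs with no matching run rule, which fall through to the last rule."""
    allowed, _ = lint(ruleset_xml)
    return [u for u in urls if origin(u) not in allowed]

if __name__ == "__main__":
    # Constructed URLs standing in for what users really open.
    urls = ["http://cms.mycompany.com/", "https://cms.mycompany.com/",
            "http://devcms.mycompany.com/"]
    print("problems:", lint(RULESET)[1])
    print("would be blocked:", uncovered(RULESET, urls))
```

With the example rule set, the https:// URL and the devcms URL without port 9992 are reported, which is the "4th rule" case described in step 1.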

Once deployed, this should prevent further security updates from breaking Rhythmyx. This setup also allows you to pin a Java version. For example, if you wanted to pin yesterday's update of Java 51 because everything is working great with it, you could change the policy to explicitly specify that version by naming the version on each rule.

For example:

  <rule>
    <id location="http://127.0.0.1:9992/" />
    <action permission="run" version="1.7.0_51" />
  </rule>

-n