Java Deployment Rule Set and Active Directory Certificates

Creating a Java Deployment Ruleset is actually a trivial process – it’s signing it that can be a pain in the backside.  In this post we are signing our Java Deployment Rule Set with an Active Directory code signing certificate.  I am using jdk1.8.0_181 to create my Java Deployment Rule Set.  Do NOT use a version of the JDK that has a major version that is greater than the JRE in your environment (for example if you are running Java 7 in your environment, use the Java 7 JDK and not the Java 8 JDK!).

Create ruleset.xml

Create a file called ruleset.xml.  It MUST be called ruleset.xml since this is what Java specifically searches for inside the compiles JAR file.  The beauty of the ruleset.xml is that you can use wildcards for the URL and for the port.  With site.exceptions you can’t do this.  Here is a basic example:

You obviously need to add your own URLs to this, and give them permission to “run”.  Interestingly if you have multiple versions of JRE installed, in the <action> tag you can provide a specific JRE version for that URL to use.  For example:

Compile DeploymentRuleset.jar

Compile ruleset.xml into a JAR file.  This MUST be called DeploymentRuleset.jar because again, this is what Java specifically looks for.  When we compile the JAR file, we should NOT specify a full path name to the ruleset.xml because Java cannot locate it within the JAR file.  So you should first ‘CD’ to c:\Alkane and then run the following command line:

Obtain a Code Signing Certificate

Follow this article on obtaining a code signing certificate from Active Directory Certificate Services.  Essentially you enable the code signing template in Certificate Services Manager, you then grant permissions to allow a user (yourself!) to request a Code Signing certificate, and you then you request a new certificate.

Export a Code Signing Certificate in PFX format

So now we can assume you’ve followed the steps above and you have a code signing certificate.  My code signing certificate forms a chain of:

  • Root certificate
  • Intermediate certificate
  • Code signing certificate

So let’s export them all in PFX format.  A PFX will include all certificates in the chain, as well as the private key.  And we need all this to create our Java keystore.  So…

From the Certificates MMC snap-in, navigate to your Personal certificate store.

Right-click the certificate > All Tasks > Export.

Click Next

Click ‘Yes, export the private key’

You are only given the option to export it as a PFX certificate.  This is fine, but make sure you select ‘Include all certificates in the certification path if possible’ and also ‘Export all extended properties’.  Click next.

Specify a password for the private key – lets use alkanecertpass for this example.  Click next.

Provide a path to save your certificate in – let’s save it as C:\Alkane\Alkane.pfx.  Click next.  Click finish.

A .pfx file uses the same format as a .p12 or PKCS12 file. They are used to bundle a private key with its X.509 certificate(s) and to bundle all the members of a chain of trust.

Get the Alias Name of the PFX

Run the following command to get the alias name for your PFX.  We need this later on:

My PFX alias name is: alkanealias

Create a JKS Java Keytore

Now we can create our Java keystore from our PFX file.  There are a few formats we can create the keystore in (JKS, PKCS12, JCEKS for example) but we will create it in JKS format.  Be mindful that:

  • If you create your keystore in PKCS12 format, -deststorepass and -destkeypass should be the same
  • Change -deststoretype to PKCS12 if you require a keystore in PKCS12 format
  • Be careful if you change the -destalias from the -srcalias since when I verified my signed JAR file i got the following message:
    This jar contains signed entries which are not signed by the specified alias(es).

I keep the Java keystore alias name the same like so:

This will create: C:\Alkane\trusted.certs

Add Trusted Root Certificate

By default when we sign the JAR file it looks in the cacerts file (which is a form of keystore called a ‘trust store’) of the signing JDK (in my example, C:\Program Files (x86)\Java\jdk1.8.0_181\jre\lib\security\cacerts) to see if the root certificate is trusted. Because it isn’t in there it deems the root certificate as being untrusted and you will see errors when you verify such as:

  • The signer’s certificate chain is not validated.
  • CertPath not validated: Path does not chain with any of the trust anchors

So we add the root certificate as a trusted certificate in our own keystore like so:

Sign DeploymentRuleset.jar With Java Keystore

Now we can sign the DeploymentRuleset.jar file with our Java keystore:

Because I am signing behind a proxy, I needed to specify a proxy host and port so I could timestamp my signature.  Timestamping is an important part of the process and ensures the signed JAR will remain valid indefinately.

Verify The Signature Of DeploymentRuleset.jar

Now we need to verify the signature of the JAR file against out keystore.  Change the storetype parameter to PKCS12 for PKCS12 store types:

DeploymentRuleset.jar Testing

Now that everything is signed and verified successfully, we need to test it.

At the moment our Java environment is fairly locked down, and we have deployment.config, and exception.sites located in C:\Windows\SUN\Java\Deployment.

I needed to add our keystore, so I added an entry to like so:

and then I lumped our new trusted.certs file into the same folder.

To test the DeploymentRuleSet.jar file it’s as easy as placing it into this same location (C:\WINDOWS\Sun\Java\Deployment).  Then launch the Java control panel applet and head over to the security tab (this may differ for later versions of Java).

There should be a blue link towards the bottom called ‘View the active Deployment Ruleset’.  Click it and you should see the contents of your ruleset.xml file and a verification that it is valid and timestamped.  Click ‘View Certificate Details’ to verify the certificate.


Error 16389 for .Net Framework 4.6.2 as SCCM Application

In brief, when configuring .Net 4.6.2 as an SCCM 2012 application we get an error 16389.  Even when I checked the ‘Run installation and uninstall program as 32-bit process on 64-bit clients’ i still had the issue.  So I followed the aforementioned guide and fixed a couple of bugs.

So, first download the offline installer from here.

Now, using 7-Zip, extract the contents of NDP462-KB3151800-x86-x64-AllOS-ENU.exe to a folder of your choice.

Now select all of the extracted content (hold down shift or ctrl to select multiple), right-click, 7-Zip and Add to Archive.

Then use settings similar to the following – ensure you check ‘Create SFX archive’ and name the archive as an executable:

Add To Archive

Click OK and it will create a self extracting executable.  By default the extraction method isn’t silent – it shows a progress bar in a GUI.  But we can make it run silently by using the following VBScript file to perform the extraction and installation:

The default .Net executable is heavily compressed.  When extracted it extracts to over 1gb!  So I would suggest it’s worthwhile compressing it like above using 7-Zip (which doesn’t compress it quite as well, admittedly.)

Finally, the detection method:

.Net Detection Method

You can find the relevant release number for your version of .Net from here.

Suppress Opt-In and First Run dialogs when launching Office 2013

So a bit of background first.  I’d been given an Office 2013 App-V application to fix.  Each time it was launched the user was prompted with ‘First Run’, ‘Opt-In’ and licensing dialogs.  I needed to suppress these prompts.  This could probably be done via GPO or initially when the application was configured and captured, via the Office Customization Tool.  But since I didn’t want to start all over again I detected the registry settings.  Some I Googled, and some I found myself.  Here they are:


Google Chrome 49.0.2623.112

I’ve been configuring an old version of Google Chrome recently (googlechromestandaloneenterprise.msi), for a legacy Windows XP environment! (gasp).

Anyway, here’s my recipe.

We have manually created a master.preferences file:

Most of the entries are self explanatory.  However Google Chrome doesn’t open on the homepage when you launch the browser – instead it opens on the Startup URL, so we configured this to point to the ‘homepage’ too.

A guide for preferences can be found here:

The content of this file is in JSON format. Once you have finished editing and tweaking, ensure the JSON validates successfully – you can do this here:

Now we will add these ‘master preferences’ to our installer.  To do this we URL Encode the content of master.preferences file. You can do this in any URL Encoding/Decoding website such as here:

Create a transform (MST)

Create a Property called MASTER_PREFERENCES. Paste the URL encoded master_preferences into the value field.

Find the Custom Action called BuildInstallCommand.   Look in the Target column and set: installerdata=[MASTER_PREFERENCES]

This will generate your master.preferences file at install time so that any new user profile created when Google Chrome is launched will use these settings (existing profiles will not use this preferences file). When Google Chrome is launched for the first time, user data is created here:

[LocalAppDataFolder]\Google\Chrome\User Data

I’ve also added a VBScript custom action to run towards the end of the InstallExecuteSequence (Deferred, just before InstallFinalize) to delete C:\Program Files\Google\Update and delete the services gupdate and gupdatem. This will suppress Chrome from updating.  The condition for this custom action is NOT REMOVE~=”ALL”.

Note that to sleep from within a custom action, we use one of the appraches mentioned here.

I’ve also added a clean up script after uninstall since it sometimes leaves a folder called CrashReports behind: