
How to Use Deployment Ruleset

The Deployment RuleSet (DRS) feature for IcedTea-Web allows you to:

  • Create allow- and block-listings.

  • Configure default rules.

  • Configure security exceptions for Applets and Web Start.

DRS is designed to be deployed by your central IT department as a jar file (DeploymentRuleSet.jar) that contains an XML file with the rules.

Azul implementation of DRS

The SA version of Azul's IcedTea-Web supports the DRS features requested by our customers, retains compatibility with the official DRS XML format, and is compatible with Java 6 and later.

Installation

Install the SA-version of IcedTea-Web as described here.

Configuring the Deployment Ruleset

  • Find your existing ruleset, normally in C:\Windows\Sun\Java\Deployment\DeploymentRuleSet.jar.

  • Or create a new ruleset:

    • Create a file ruleset.xml, see the examples below.

    • Create the DeploymentRuleSet.jar with JAVA_HOME\bin\jar cf DeploymentRuleSet.jar ruleset.xml. Please note that ruleset.xml should be located in the top-level folder of the jar.

    • Alternatively, "zip" the file ruleset.xml and rename the archive to DeploymentRuleSet.jar.

    • Place the jar at C:\Windows\Sun\Java\Deployment\DeploymentRuleSet.jar.

Ruleset Examples

  • Run without security warnings

    • URL based rule

       
      <ruleset version="1.1+">
        <rule>
          <id location="https://docs.oracle.com/" />
          <action permission="run" version="1.8*" force="true" />
        </rule>
      </ruleset>

    • Certificate based rule

       
      <ruleset version="1.1+">
        <rule>
          <id>
            <certificate hash="A0A30C69631D2A9E3F82401ABD83107A813FAA1B1638746AFA523AA55563417C" />
          </id>
          <action permission="run" version="1.8*" force="true" />
        </rule>
      </ruleset>

    • When the JNLP has no href

       
      <ruleset version="1.1+">
        <rule>
          <id location="https://docs.oracle.com/" matchcodebase="true" />
          <action permission="run" />
        </rule>
      </ruleset>

  • Run with a specific JRE version

    • Old JRE 8 update 292

       
      <ruleset version="1.1+">
        <rule>
          <id location="https://docs.oracle.com/" />
          <action permission="run" version="1.8.0_292" force="true" />
        </rule>
      </ruleset>

    • Old JRE 7 update 292

       
      <ruleset version="1.1+">
        <rule>
          <id location="https://docs.oracle.com/" />
          <action permission="run" version="1.7.0_292" force="true" />
        </rule>
      </ruleset>

    • Run with 32bit JVM. The "32bit" in the ruleset is just a label. The corresponding entry in jres.txt will decide the bitness.

       
      <ruleset version="1.1+">
        <rule>
          <id location="https://docs.oracle.com/" />
          <action permission="run" version="1.8.0_292_x86" force="true" />
        </rule>
      </ruleset>

      With a corresponding jres.txt:

       
      1.8.0_292_x86,C:\Users\dmitry\binaries\zulu8.54.0.21-ca-jre8.0.292-win_x86
      1.8.0_292,C:\Users\dmitry\binaries\zulu8.54.0.21-ca-jre8.0.292-win_x64

  • Block a URL

     
    <ruleset version="1.1+">
      <rule>
        <id location="https://docs.oracle.com/" />
        <action permission="block" />
      </rule>
    </ruleset>

  • Fallback rule: this must be the last rule in the file. It is triggered for any URL that does not match. The default behavior is as if no ruleset file was present. The most common usage will be to block all URLs that are not allowed.

     
    <ruleset version="1.1+">
      <rule>
        <id />
        <action permission="block" />
      </rule>
    </ruleset>

  • Use an alternative javaws from the reference JRE. This is designed to allow fallback to a co-installed old version of Webstart. It looks for javaws in the specified JRE and passes the JNLP URL through:

     
    <ruleset version="1.1+">
      <rule>
        <id location="https://docs.oracle.com/" />
        <action permission="run" version="1.8.0_202_ora" force="true" forcejavaws="true"/>
      </rule>
    </ruleset>

  • Wildcards are allowed in the host name. This is commonly used for subdomains, but is also useful when the hostname is indeterminate. This is common when the JNLP sits on an appliance or a local server in kiosk or retail solutions:

     
    <ruleset version="1.1+">
      <rule>
        <id location="https://*:2443/forms.jnlp" />
        <action permission="run" version="1.8.0_202_ora" force="true" forcejavaws="true"/>
      </rule>
    </ruleset>

  • Full ruleset example:

     
    <ruleset version="1.1+">
      <rule>
        <id location="https://docs.google.com/" />
        <action permission="run" version="1.8*" force="true" />
      </rule>
      <rule>
        <id location="https://docs.oracle.com/forms/" />
        <action permission="run" version="1.7.0_292" force="true" />
      </rule>
      <rule>
        <id>
          <certificate hash="A0A30C69631D2A9E3F82401ABD83107A813FAA1B1638746AFA523AA55563417C" />
        </id>
        <action permission="run" version="1.8*" force="true" />
      </rule>
      <rule>
        <id location="https://docs.oracle.com/test" />
        <action permission="run" version="1.8.0_202_ora" force="true" forcejavaws="true"/>
      </rule>
      <rule>
        <id />
        <action permission="block" />
      </rule>
    </ruleset>
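
The packaging step and the fallback-rule requirement described above can be checked before a ruleset is rolled out. The following Python is an added example, not Azul's code: it opens a DeploymentRuleSet.jar, confirms that ruleset.xml sits in the top-level folder, checks that a blocking fallback rule is the last rule, and lists run rules with a wildcard host for review. The function names, the findings wording and the sample ruleset are constructed for illustration; listing wildcard hosts is a review choice of this example, not a DRS requirement.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the fallback rule is not last and one run rule uses a wildcard host.
SAMPLE_XML = b"""<ruleset version="1.1+">
  <rule><id location="https://docs.oracle.com/" /><action permission="run" /></rule>
  <rule><id /><action permission="block" /></rule>
  <rule><id location="https://*:2443/forms.jnlp" /><action permission="run" /></rule>
</ruleset>"""

def build_jar(xml_bytes, member="ruleset.xml"):
    """Pack the ruleset in memory, like the zip-and-rename step (hypothetical helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(member, xml_bytes)
    return buf.getvalue()

def _is_fallback(rule):
    ident = rule.find("id")  # fallback rule: <id /> with no location and no certificate
    return ident is not None and "location" not in ident.attrib and ident.find("certificate") is None

def _permission(rule):
    action = rule.find("action")
    return action.get("permission") if action is not None else None

def audit_ruleset(jar_bytes):
    """Return review findings for a DeploymentRuleSet.jar passed as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "ruleset.xml" not in jar.namelist():
            return ["ruleset.xml is not in the top-level folder of the jar"]
        rules = ET.fromstring(jar.read("ruleset.xml")).findall("rule")
    findings = []
    fallbacks = [i for i, rule in enumerate(rules) if _is_fallback(rule)]
    if not fallbacks:
        findings.append("no fallback rule for URLs that match no other rule")
    elif fallbacks[0] != len(rules) - 1:
        findings.append(f"fallback rule at position {fallbacks[0] + 1} is not the last rule")
    elif _permission(rules[-1]) != "block":
        findings.append("fallback rule does not block unmatched URLs")
    for i, rule in enumerate(rules, 1):
        for ident in rule.findall("id[@location]"):
            if _permission(rule) == "run" and "*" in urlsplit(ident.get("location")).netloc:
                findings.append(f"rule {i} allows a wildcard host: {ident.get('location')}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ruleset(build_jar(SAMPLE_XML))))
```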

Troubleshooting

To enable logging, add the following lines to the config file C:\Users\$USER\.config\icedtea-web\deployment.properties:

 
deployment.log=true
deployment.log.file=true

The log files will be created at C:\Users\$USER\.config\icedtea-web\log. You can find the related log entries in the lines starting with drs:.

For a quick check from the command line to see if the DRS ruleset is applied as expected, you can add the -verbose option:

 
javaws -verbose -jnlp <URL or jnlp file>