4 Manage Rules

This topic explains the purpose of deployment rules, and describes how to create, update, and delete rules using Advanced Management Console.

Deployment Rules Overview

The Deployment Rule Set feature is a deployment feature for enterprises that manage their Java desktop environment directly. A deployment rule set enables enterprises to continue using legacy business applications in an environment of ever-tightening application security policies, and control the version of the JRE that is used for specific applications.

Deployment rule sets contain deployment rules, which are used in the deployment process to determine if an application is allowed to run, if an application is automatically blocked, or if default processing is used. Applications are compared to the rules based on criteria such as location, title, and certificate used to sign the application. Rules are compared in the order in which they appear in the rule set. The first rule that an application matches determines the action taken for that application. See Deployment Rule Set in the Java Platform, Standard Edition Deployment Guide for information about rules and rule sets.

The Rules view of the AMC UI shows the rules and rule sets that are defined. To view the existing rules and add new rules, start the AMC UI. See Start and Stop the AMC UI.

From the Home view, click either Rules or View and manage rules and rule sets to show the Rules view. The following table describes the information that is shown in the Rules table for each rule. Some of the columns might be hidden in the current view.

Table 4-1 Information for Deployment Rules

| Data | Description |
|---|---|
| (blank) | Indicator for extensions. If this column contains a triangle symbol, then additional rules were created for the extensions used by the application from which this rule was created. Click the triangle to show or hide the additional rules. |
| ID | Internal identifier used by Advanced Management Console. |
| URL | Source of applications that match this rule. For applications that use JNLP, this is the location of the JNLP file. For applications embedded in a web page, this is the location of the web page. |
| Name | Name of the rule. This name is not part of the exported rule set. |
| Title | Title of the application that matches this rule. |
| Algorithm | Algorithm used to generate the hash value for the certificate that was used to sign the application. The default security hash algorithm is SHA-256. |
| Hash value | Hash value for the certificate that was used to sign the application that matches this rule. |
| Action | Action taken for applications that match this rule. Valid actions are run, block, default, and force-run. Default indicates that default processing is used to determine if the application is allowed to run or is blocked. Force-run indicates that the application is run with the JRE version that is specified in the rule, regardless of what version the application requests. |
| Run version | Version of the JRE that is requested for running the application that matches this rule. This version must satisfy the version criteria set by the application, if any. To override the version set by the application, use the force-run action. |
| Message | Message shown to the user when the application is blocked. Messages can be provided for multiple locales. If no message is provided, a default message is used. |


Configure the Rules View

You can configure this view to show only the information that you want to see.

The right-most column heading is a plus sign (+). Click the plus sign to show a list of the column headings. Headings that are currently shown in the table are identified with a check mark. Headings without a check mark are not currently shown in the table. To hide a column that is currently shown, or show a column that is currently hidden, click the heading in the list.

Rearrange columns by dragging the column heading to a different location. To change the size of the column, click the separator after the column heading and drag it to the desired size.

Search for Rules

A search field is available to help you find specific rules. Enter a search term in the search field. The view is automatically updated to show you the rules that match the term.

You can choose the columns in the Rules table that you want included in the search. Click filter to show the list of columns. Columns that are currently searched are identified with a check mark. Columns without a check mark are not currently searched. To exclude a column that is currently included, or include a column that is currently excluded, click the heading in the list.

Tip:

You can search on a column even if that column is hidden in the Rules view. If you see unexpected results, it is possible that the search term matched information in a column that is hidden.

Create a Rule

Rules can be created from both the Apps view and the Rules view. If you create a rule from the Apps view, you can take advantage of the information from the AMC Collector to automatically fill in some of the fields for the rule. This method is an easy way to create a rule that matches a specific application. For complex applications with JNLP extensions, this method automatically generates any additional rules that are needed.

From either the Apps view or the Rules view, you can create a rule without fields pre-filled, called an empty rule or a rule from scratch. This method can be used to create a rule for an application not recorded by the AMC Collector, or if you want to create a generic rule that matches multiple applications.

Each rule contains the following information:

Name

Name given to the rule. This name is required for identification purposes within Advanced Management Console. The name is not exported with the rule set.

Title

Title of the application. If no title is provided, all applications are considered a match to the title field. If a title is provided and Rule Action is set to either default or run, information must be provided for Location, Certificate, or both.

Location

URL for the source of the application. If no URL is provided, all applications are considered a match to the URL field. For applications that use JNLP, this is the location of the JNLP file. For applications embedded in a web page, this is the location of the web page.

Certificate

Hash value for the certificate and algorithm used to create the hash value.

Rule Action

Action taken for any application that matches the rule. Select one of the following options:

    • default - Use default processing to determine if the application is allowed to run.

    • block - Always block the application.

    • run - Allow the application to run. If this option is selected, Title, Location, or Hash Value must be specified. They cannot all be blank. If this option is selected, you must also specify a JRE version.

    • force-run - Override the JRE requested by the application, if any, and run the application with the JRE specified in the rule. If this option is selected, you must also specify a JRE version.

Version

JRE version to use to run the application. This field is enabled only if the Rule Action is set to run or force-run.

The version specified for the rule must match the version specified by the application; otherwise, the application is blocked. The versions do not need to be an exact match; for example, 1.7+ and 1.8* are considered a match. Choose one of the following options and provide the version to use:

  • SECURE - Any secure version. This option matches the secure version from any API level.

  • SECURE + API level - A secure version from the API level selected from the list. Select Or Later to allow versions newer than the selected version to be used. For example, SECURE-1.7 matches any secure version from the 1.7 release, SECURE-1.7+ matches any secure version from the 1.7 release and later releases.

  • API level - Any version from the API level selected from the list. Select Or Later to allow versions newer than the selected version to be used. For example, 1.7* matches any version of the 1.7 release, 1.7+ matches any version of the 1.7 release and later releases.

  • Product - The specific version entered. Select Or Later to allow versions newer than the selected version to be used. For example, 1.8.0_05 matches only the 1.8.0_05 release, 1.8.0_05+ matches the 1.8.0_05 release and later releases.

  • Latest available JRE - The latest version that is available on the user's system.

Message

Message shown to the user when an application is blocked. This field is enabled only if Rule Action is set to block. To add a message, right-click in the message table and select Add Message. A new row is added to the table.

In the Locale column, type the locale for the message and press the Enter key. In the Message column, enter the message to show the user and press the Enter key. If the Locale field is set to <default>, then the message is used when no message is provided for the user's locale.

If multiple messages are provided, all messages are compared with the user's locale in the order shown. If more than one message matches the locale, the last message matched is used. To reorder the messages in the table, delete and re-enter the messages as needed.
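The field requirements above and the first-match ordering described in the overview can be checked offline before a rule set is exported, in particular to find a block rule that an earlier, broader run rule makes unreachable. The following Python code is an added example, not part of Advanced Management Console; the Rule class, the exact-string comparison of title, location, and hash, and the sample rules are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str            # AMC-only label; not exported with the rule set
    action: str          # default | block | run | force-run
    title: str = ""      # blank matches every application
    location: str = ""   # blank matches every application
    cert_hash: str = ""  # blank matches every application
    version: str = ""    # required for run and force-run

FIELDS = ("title", "location", "cert_hash")

def lint(rule):
    """Return violations of the field requirements listed above."""
    problems = []
    if rule.action not in ("default", "block", "run", "force-run"):
        problems.append("unknown action")
    if rule.action in ("run", "force-run") and not rule.version:
        problems.append("JRE version required")
    if rule.action == "run" and not any(getattr(rule, f) for f in FIELDS):
        problems.append("run rule matches every application")
    if (rule.title and rule.action in ("default", "run")
            and not (rule.location or rule.cert_hash)):
        problems.append("title needs a location or certificate")
    return problems

def matches(rule, app):
    # Assumed simplification: exact comparison; a blank rule field matches anything.
    return all(not getattr(rule, f) or getattr(rule, f) == app[f] for f in FIELDS)

def first_match(rules, app):
    """The first matching rule decides; None means no rule matched."""
    return next((r for r in rules if matches(r, app)), None)

def shadowed(rules):
    """Pairs (earlier, later) where the later rule can never be reached."""
    def covers(a, b):
        return all(not getattr(a, f) or getattr(a, f) == getattr(b, f) for f in FIELDS)
    return [(a.name, b.name) for i, b in enumerate(rules)
            for a in rules[:i] if covers(a, b)]

# Constructed sample rule set and application (not from the page).
RULES = [
    Rule("intranet-any", "run", location="https://apps.example.test/", version="SECURE"),
    Rule("block-legacy-hr", "block", title="Legacy HR", location="https://apps.example.test/"),
    Rule("catch-all", "block"),
]
APP = {"title": "Legacy HR", "location": "https://apps.example.test/", "cert_hash": "AB12"}
```

With the sample data, `first_match(RULES, APP)` returns the run rule and `shadowed(RULES)` reports that `block-legacy-hr` is unreachable, so the intended block never takes effect until the rules are reordered.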

Create a Rule from Application Information

To create a rule from application information, follow these steps: 

  1. In the AMC UI, click Apps to go to the Apps view.

  2. Select an application.

  3. Click New Rule.

    The Create Rule window is shown. Information about the application is used to fill in many of the fields.

  4. Provide a name for the rule, and provide information for the remaining fields.

    See Create a Rule for a description of the fields and their requirements.

  5. To edit any of the fields that were automatically filled in, click Manual Rule to enable these fields.

  6. Click Create to save the rule.

    Notification that the rule was created is shown briefly. The notification contains a link to the new rule in the Rules table in the Rules view.

Create a Rule from Scratch

To create a rule that is not based on application information from the AMC Collector, follow these steps: 

  1. In the AMC UI, open the Create Rule window.

    Use one of the following methods:

    • From the Apps view, click Empty Rule.

    • From the Rules view, click the New Rule icon that is above the Rules table.

  2. Fill in the information for the rule that you want to create.

    See Create a Rule for a description of the fields and their requirements.

  3. Click Create to save the rule.

Note:

If an application has multiple JAR files or extensions, you might need to create additional rules to ensure that the application is handled as expected.

Edit a Rule

To edit a rule, follow these steps: 

  1. In the AMC UI, click Rules to go to the Rules view.

  2. In the Rules table, select the rule that you want to edit.

    Tip:

    If a rule has rules for extensions, editing the rule also changes the rules for the extensions.

  3. Click the Edit Rule icon.

    The Edit Rule window is shown.

  4. Make the changes that you want to make.

    See Create a Rule for a description of the fields and their requirements.

  5. Click Edit to save the changes.

Analyze Application-to-Rule Relationships

From the Apps view, you can identify the rules that match a specific application. Viewing rule relationships enables you to verify that you have a rule defined to provide the desired action for an application.

To determine which rules match an application, follow these steps: 

  1. In the AMC UI, click Apps to go to the Apps view.

  2. In the Apps table, select an application.

  3. Click Relationships.

    The Application Relationships window is shown. The left panel shows the application that you selected, and the JAR file and extensions for that application. The right panel shows the rule sets that contain rules that match the application, if any.

  4. Click Rules.

    Rules that match the application are shown in the right panel. Rules that allow the application to run are highlighted in green and preceded by a check mark. Rules that block the application from running are highlighted in red and preceded by a circle with a line through the middle. Rules that use default processing to determine if the application is allowed to run are highlighted in yellow and preceded by a down arrow.

  5. Click Close when you are done.

Delete a Rule

To delete a rule, follow these steps: 

  1. In the AMC UI, click Rules to go to the Rules view.

  2. In the Rules table, select one or more rules that you want to delete.

  3. Click the Delete Rule icon.

    The Delete Rule window is shown.

  4. Verify that only rules that you want to delete are shown.

  5. Click Delete to delete the rules.

    Note:

    When a rule is deleted, it is removed from all of the rule sets that contained that rule.