6 Rule Sets
The Advanced Management Console enables administrators to create and distribute deployment rule sets, which provide control over the browser-based Java applications that are run on desktops in their enterprise. Usage information collected from Java Usage Tracker reports can be used to create rules and rule sets. Existing rule sets can be imported and managed by Advanced Management Console. You can also remove deployed rule sets.
About Deployment Rule Sets
A deployment rule set enables enterprises to continue using legacy business applications in an environment of ever-tightening application security policies. You can use a deployment rule set to manage which web-based Java applications, such as Java applets or Java Web Start applications, are allowed to run in an enterprise. You can also use a deployment rule set to control the version of the Java Runtime Environment (JRE) that is used for an application. The Advanced Management Console provides administrators with a tool for creating and managing deployment rule sets, which can then be distributed throughout the enterprise.
Deployment rule sets contain deployment rules. These rules are used in the deployment process to determine if a browser-based Java application is allowed to run, if the application is automatically blocked, or if default processing is used. Applications are compared to the rules based on criteria such as location, title, JAR file checksum, and certificate used to sign the application. Rules are compared in the order in which they appear in the rule set. The first rule that an application matches determines the action taken for that application.
Although multiple rule sets can be defined, only one rule set can be active on a user's system. That rule set must be a signed JAR file. The export feature in the Rule Sets tab generates the necessary JAR file. If JAR signing is enabled, then signing is done as part of the export process; otherwise, the JAR file must be signed manually. After the JAR file is signed, it must be imported into the Advanced Management Console to be available for distribution. See Exporting a Rule Set. In the Rule Sets tab, you can also set a rule set as the default deployment rule set. See Setting Default Deployment Rule Set.
See Deployment Rule Set in the Java Platform, Standard Edition Deployment Guide.
Rule Sets Tab
The Rule Sets tab of the Advanced Management Console shows a list of rule sets and corresponding lists of all rules. The tab also displays an artificial rule set called All Rules, which is not a rule set, but is a collection of all rules in the Advanced Management Console. For each rule set, the name and its title, action of the rule, rule version, and the location of the rule are displayed.
In the Display Rule As table, click the arrow that appears in the column heading to sort the data by the values in that column. Use the navigation bar below the table to view additional pages when the number of entries exceeds the page size. Click the Properties icon next to Display Rule As to view the properties of the selected Rule. The following figure displays the Display Rule As table and its properties:
Description of the illustration display-rule-table_with-arrows.png
- Create a rule set
- Delete the selected rule set
- Sign the selected rule set
- Import a rule set
- Export a rule set
- Assign a default rule set
- Move the selected rule up or down by clicking the Up and Down arrow icons
Under Display Rule Set As, select a Rule Set and click the Rule Set Details icon to view the Rule Set details, and then manage the rule sets (create, delete, sign, import, export, and assign a default rule set).
In the Rule Set Details pane, click the Edit icon to edit the selected rule set. Click the Rule Set Details (search) icon to view the details of the rule set in both the tabular view and the properties view.
Managing Rules and Rule Sets
Use the Rule Set tab in the Advanced Management Console to manage rule sets and view the relationship between rule sets and applications.
Property | Description |
---|---|
Rule Set Name | Name of the rule set. This name is not part of the exported rule set. Double-click the rule set name to show and hide the names of the rules that are in the rule set. |
# of Rules | Number of rules in the rule set |
Signed | Indicator that the rule set is signed. Rule sets that show a check mark in this column are signed. Only signed rule sets can be distributed to desktops in your enterprise. |
Managing Rule Sets
You can manage rule sets in the Rule Sets tab of the Advanced Management Console.
Adding a Rule Set
Only one deployment rule set can be active on a desktop. However, you can have more than one rule set in Advanced Management Console. You can also create rule sets for different purposes, such as providing a customized rule set for each department in your enterprise. Working with multiple rule sets also enables you to try out different combinations of rules.
Importing an Existing Rule Set
If you have an existing rule set, then you can import it into Advanced Management Console from the Rule Set tab.
To import a rule set:
Editing a Rule Set
After a deployment rule set is created, you can add more deployment rules and delete rules that are not needed in the Rule Sets tab in the Advanced Management Console. You can also reorder the rules. The order of the rules in the rule set is important, because the action taken for a web-based Java application is determined by the first rule that the application matches.
Adding a Rule to a Rule Set
In the Rule Sets tab, you can add deployment rules to the rule set to define the action that you want to be applied for a web-based Java application. The order of the rules matters.
To add rules to a rule set:
See Editing a Signed Rule Set for actions that are needed if you edit a signed rule set.
Reordering Rules in a Rule Set
The order of the deployment rules in a deployment rule set matters. The first rule to match an application is used to determine the action for that application. You can reorder rules using the Up and Down arrows in the Rule Sets tab. For best results, place rules with the most restrictive matching criteria ahead of rules with less restrictive matching criteria.
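The first-match behavior described above can be checked before a rule set is exported. The following is an added example, not code from Advanced Management Console: it assumes the `ruleset.xml` element layout documented in the Java SE Deployment Guide, simplifies location matching to a prefix test, and uses a constructed rule set with placeholder host, title, and certificate hash.

```python
import xml.etree.ElementTree as ET

# Constructed sample using the ruleset.xml element names from the Java SE
# Deployment Guide; host, title and certificate hash are placeholders.
MISORDERED = """<ruleset version="1.0+">
  <rule><id location="https://apps.example.com/"/>
        <action permission="block"/></rule>
  <rule><id location="https://apps.example.com/payroll/" title="Payroll">
          <certificate algorithm="SHA-256" hash="CERT_HASH_PLACEHOLDER"/></id>
        <action permission="run"/></rule>
  <rule><id/><action permission="default"/></rule>
</ruleset>"""
KEYS = ("location", "title", "cert")

def load_rules(xml_text):
    """Flatten each <rule> into its match criteria and action, in file order."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        ident = rule.find("id")
        cert = ident.find("certificate")
        rules.append({"location": ident.get("location"),
                      "title": ident.get("title"),
                      "cert": cert.get("hash") if cert is not None else None,
                      "action": rule.find("action").get("permission")})
    return rules

def criterion_ok(key, wanted, actual):
    # An absent criterion matches everything. Location is simplified to a
    # prefix test (assumption); title and certificate hash must be equal.
    if wanted is None or actual is None:
        return wanted is None
    return actual.startswith(wanted) if key == "location" else actual == wanted

def first_match(rules, app):
    """Return (index, action) of the first rule the application matches."""
    for i, rule in enumerate(rules):
        if all(criterion_ok(k, rule[k], app.get(k)) for k in KEYS):
            return i, rule["action"]
    return None, None

def shadowed(rules):
    """Indexes of rules that cannot fire: an earlier rule is at least as broad."""
    return [j for j, later in enumerate(rules)
            if any(all(criterion_ok(k, early[k], later[k]) for k in KEYS)
                   for early in rules[:j])]

PAYROLL = {"location": "https://apps.example.com/payroll/app.jnlp",
           "title": "Payroll", "cert": "CERT_HASH_PLACEHOLDER"}
rules = load_rules(MISORDERED)
fixed = [rules[1], rules[0], rules[2]]  # most restrictive rule first
```

With the misordered set, `shadowed(rules)` reports the signed Payroll run rule as unreachable and `first_match(rules, PAYROLL)` lands on the host-wide block rule; with `fixed`, the same application reaches the run rule while an unsigned copy still falls through to the block rule.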
To reorder rules in a rule set:
Removing Rules from a Rule Set
When you no longer need a deployment rule, remove it from the Rule Sets tab in the Advanced Management Console.
To remove rules from a rule set:
The selected rules are removed from the rule set, but remain in the Rules table for future use. See Deleting a Rule.
Editing Customer Data in a Rule Set
Add custom data to a rule set or modify that data in the Rule Sets tab of the Advanced Management Console. This data is added to the Java Usage Tracker record when no rules in the rule set match the application.
To edit customer data:
Editing a Signed Rule Set
A signed deployment rule set is locked and is ready to be distributed in Advanced Management Console. When you edit a signed rule set, a warning message is displayed indicating that the rule set is locked. If you proceed to edit the rule set, then the rule set gets unlocked and is no longer considered signed.
To use the rule set after it is edited, you must export and sign the rule set. To sign the rule set, you can do either of the following:
- Select the option to sign the rule set internally in the Advanced Management Console when you export: In this case, you need not import the signed rule set back into Advanced Management Console, because the import is automatically done. See Exporting a Rule Set.
- Sign the rule set externally after you have exported it. Typically, you can do this when you have your own corporate code signing group or service that signs artifacts for you: In this scenario, when you export the rule set and sign externally, you must import the signed rule set back to Advanced Management Console. See Importing an Existing Rule Set.
Note:
After an existing rule set is signed, it is redeployed to all the managed desktops to which the rule set was originally deployed. For example, if the rule set was the most recent rule set deployed to desktop A, then desktop A gets an automatic update with a new version of the rule set after it is signed again.
Deleting a Rule Set
When you no longer need one of the deployment rule sets that you created, you can delete the rule set in the Rule Sets tab of the Advanced Management Console.
To delete a rule set:
- In the Advanced Management Console, click Rule Set.
- Under Display Rule Set As, select a Rule Set that you want to delete.
- Click the Rule Set Actions icon and select Delete.
- In the Delete Rule Set confirmation dialog, click Delete to delete the selected rule set.
Exporting a Rule Set
When you have a deployment rule set ready for production, you can export that rule set and create the file that can be distributed to desktops. The file is signed if the tool is configured to support signing the rule set as part of the export process.
To export a rule set:
Signing a Rule Set
Note:
JARs signed with SHA-1 algorithms are disabled by default and are treated as unsigned in future releases of Java. This applies to the algorithms that are used to digest, sign, and timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the chain of the code signer and the Timestamp Authority. See Disable SHA-1 signed jars for more details.
To conform to the standard, ensure that the JARs and certificates are signed appropriately; otherwise, the rule set signing or the deployment of the rule set at the agent will fail.
Setting Default Deployment Rule Set
In the Rule Sets tab of the Advanced Management Console, you can set a rule set as the default deployment rule set. If a default deployment rule set exists, then Advanced Management Console automatically deploys that default rule set to target systems during the Advanced Management Console agent registration.
Note:
If you select a rule set that is already marked as the default, then use the Set as Default option to remove the default status from the deleted rule set.
Viewing Relationships between Rule Sets and Applications
Identify the deployment rule sets that match a specific application from the Rule Sets tab. Viewing rule set relationships enables you to verify that you have defined a deployment rule to provide the desired action for a web-based Java application.
To view the relationships for a specific application:
Managing Rules
In the Advanced Management Console, click the Rule Sets tab to create, edit, and delete deployment rules. The rules that you create can then be added to deployment rule sets to manage the web-based Java applications that are being run in your enterprise.
Creating a Rule
Create deployment rules from both the Java Usage tab and the Rule Set tab of the Advanced Management Console. A rule is used to define the action taken when a web-based Java application that matches the rule is started.
To create a rule from the Rule Sets tab:
- In the Advanced Management Console, click the Rule Sets tab.
- Click New on the Display Rule As panel to display the Create a New Rule dialog.
- Enter a name for the rule, and provide information for the remaining fields.
- Click Create to save the rule.
Editing a Rule
You can modify existing deployment rules by using the Edit button in the Rule Sets tab of the Advanced Management Console.
To edit a rule:
Deleting a Rule
You can delete existing deployment rules by using the Delete button in the Rule Sets tab of the Advanced Management Console.
To delete a rule:
Rule Properties
Each deployment rule contains information that is used to determine if a web-based Java application matches the rule. When an application is run, the application properties are compared with the rule properties to determine if the application is allowed to run.
The following table describes the rule properties:
Property | Description |
---|---|
Name | Name given to the rule. This name is required for identification purposes within Advanced Management Console. The name is not exported with the rule set. |
Title | Title of the application. If no title is provided, then all applications are considered a match to the title property. If a title is provided and Rule Action is set to either |
Location | URL for the source of the application. If no URL is provided, then all applications are considered a match to the URL field. For applications that use JNLP, this is the location of the JNLP file. For applications embedded in a web page, this is the location of the web page. |
Certificate | Hash value for the certificate that was used to sign the application and the algorithm used to create the hash value. Certificate hash values are typically used to identify signed applications. |
Checksum | Hash value for the checksum for the JAR file and the algorithm used to create the hash value. Checksum hash values are typically used to identify unsigned JAR files. |
Rule Action | Action taken for any application that matches the rule. Select one of the following options: |
Version | JRE version to use to run the application. This property is enabled only if the Rule Action is set to The version specified for the rule must match the version specified by the application; otherwise, the application is blocked. The versions don't need to be an exact match; for example, 1.7+ and 1.8* are considered a match. For Version, choose one of the following options and select a release or enter a version number: |
Message | Message shown to the user. If no message is provided, then a default message is shown when an application is blocked, and no message is shown when an application matches a run rule. To add a message, right-click in the message table and select Add Message. A new row is added to the table. In the Locale column, enter the locale for the message and press Enter. In the Message column, enter the message to show the user and press the Enter key. If the Locale field is set to If multiple messages are provided, then all messages are compared with the user's locale in the order shown. If more than one message matches the locale, then the last message matched is used. To reorder the messages in the table, delete and reenter the messages as needed. |
Customer Data | Custom information that is included in a rule. This information is added to the Java Usage Tracker record when an application that matches the rule is run. Add valid XML in the Customer Data field. Each block of data must begin with the |
Deploying Rule Sets
The Advanced Management Console provides administrators with a way to distribute a deployment rule set to desktops in their enterprise. The desktops must be registered with the Advanced Management Console.
Deployment Rule Set Distribution
A deployment rule set helps you manage the applications that are allowed to run in your enterprise. The Desktops tab in Advanced Management Console contains an option for pushing a deployment rule set to selected desktops.
The Advanced Management Console agent is used to install the rule set on a desktop. Pushing a rule set sends a command to the agent. The next time the agent contacts the Advanced Management Console server, the agent processes the command. View the status of the rule set by selecting the Rule Set Status display option or setting the Rule Set Status filter criteria.
Removing Deployment Rule Sets
Administrators can choose to remove the Deployment Rule Set from selected desktops, which in turn sends a command to the Advanced Management Console agent. The agent removes the Deployment Rule Set files present in the deployment directory on the desktop and then reports the status back to the server. Use the Commands tab on the Status page to check the status.