6 Rule Sets

The Advanced Management Console enables administrators to create and distribute deployment rule sets, which provide control over the browser-based Java applications that are run on desktops in their enterprise. Usage information collected from Java Usage Tracker reports can be used to create rules and rule sets. Existing rule sets can be imported and managed by Advanced Management Console. You can also remove deployed rule sets.

This topic includes the following sections:

About Deployment Rule Sets

A deployment rule set enables enterprises to continue using legacy business applications in an environment of ever-tightening application security policies. You can use a deployment rule set to manage which web-based Java applications, such as Java applets or Java Web Start applications, are allowed to run in an enterprise. You can also use a deployment rule set to control the version of the Java Runtime Environment (JRE) that is used for an application. The Advanced Management Console provides administrators with a tool for creating and managing deployment rule sets, which can then be distributed throughout the enterprise.

Deployment rule sets contain deployment rules. These rules are used in the deployment process to determine if a browser-based Java application is allowed to run, if the application is automatically blocked, or if default processing is used. Applications are compared to the rules based on criteria such as location, title, JAR file checksum, and certificate used to sign the application. Rules are compared in the order in which they appear in the rule set. The first rule that an application matches determines the action taken for that application.

Although multiple rule sets can be defined, only one rule set can be active on a user's system. That rule set must be a signed JAR file. The export feature in the Rule Sets tab generates the necessary JAR file. If JAR signing is enabled, then signing is done as part of the export process; otherwise, the JAR file must be signed manually. After the JAR file is signed, it must be imported into the Advanced Management Console to be available for distribution. See Exporting a Rule Set. In the Rule Sets tab, you can also set a rule set as the default deployment rule set. See Setting Default Deployment Rule Set.

See Deployment Rule Set in the Java Platform, Standard Edition Deployment Guide.

Rule Sets Tab

The Rule Sets tab of the Advanced Management Console shows a list of rule sets and corresponding lists of all rules. The tab also displays an artificial rule set called All Rules, which is not a rule set, but is a collection of all rules in the Advanced Management Console. For each rule set, the name and its title, action of the rule, rule version, and the location of the rule are displayed.

In the Display Rule As table, click the arrow that appears in the column heading to sort the data by the values in that column. Use the navigation bar below the table to view additional pages when the number of entries exceeds the page size. Click the Properties icon next to Display Rule As to view the properties of the selected Rule. The following figure displays the Display Rule As table and its properties:

[Figure: display-rule-table_with-arrows.png (Display Rule As table and its properties)]

In Display Rule Set As, click the Table icon, and then click the Rule Set Action icon to do the following to manage the rule sets:
  • Create a rule set

  • Delete the selected rule set

  • Sign the selected rule set

  • Import a rule set

  • Export a rule set

  • Assign a default rule set

  • Move the selected rule up or down by clicking the Up and Down arrow icons

Under Display Rule Set As, select a Rule Set and click the Rule Set Details icon to view the Rule Set details, and then manage the rule sets (create, delete, sign, import, export, and assign a default rule set).

In the Rule Set Details pane, click the Edit icon to edit the selected rule set. Click the Rule Set Details (search) icon to view the details of the rule set in both the tabular and the properties view.

Managing Rules and Rule Sets

Use the Rule Set tab in the Advanced Management Console to manage rule sets and view the relationship between rule sets and applications.

The following table under Rule Set Details describes the information that is shown for each rule set. To view the details, click the Rule Set Details icon.

| Property | Description |
|---|---|
| Rule Set Name | Name of the rule set. This name is not part of the exported rule set. Double-click the rule set name to show and hide the names of the rules that are in the rule set. |
| # of Rules | Number of rules in the rule set |
| Signed | Indicator that the rule set is signed. Rule sets that show a check mark in this column are signed. Only signed rule sets can be distributed to desktops in your enterprise. |

This topic contains the following sections:

Managing Rule Sets

You can manage rule sets in the Rule Sets tab of the Advanced Management Console.

Adding a Rule Set

Only one deployment rule set can be active on a desktop. However, you can have more than one rule set in Advanced Management Console. You can also create rule sets for different purposes, such as providing a customized rule set for each department in your enterprise. Working with multiple rule sets also enables you to try out different combinations of rules.

Adding a Rule Set includes the following:

Importing an Existing Rule Set

If you have an existing rule set, then you can import it into Advanced Management Console from the Rule Set tab.

To import a rule set:

  1. In the Advanced Management Console, click Rule Set.
  2. In Display Rule Set As, click the Rule Set Actions drop-down arrow icon and select Import to display the Import New Rule Set dialog.
  3. Enter or browse to the location of the file that you want to import.

    You can import a signed or unsigned rule set JAR file named DeploymentRuleSet.jar, or a rule set definition file named ruleset.xml.

  4. Enter a name in Rule Set Name.

    Advanced Management Console uses this name to manage the rule set. The name is not included when a rule set is exported.

  5. Click Import to import the rule set.

    The rule set is added to the Rule Sets table, and the rules included in the rule set are added to the Rules table. Expand the rule set to see the rules that were imported. The names for the rules in the imported rule set default to the name of the rule set followed by a rule number. See Editing a Rule.

Creating a Rule Set

To create new Rule Sets for managing web-based Java applications in your enterprise, go to the Rule Set tab in the Advanced Management Console.

To create a rule set:

  1. In the Advanced Management Console, click Rule Set.
  2. In Display Rule Set As, click the Rule Set Actions icon to display the New Rule Set dialog.
  3. Enter a Name for the rule set.
  4. (Optional) Enter the Customer Data for the rule set.

    The Customer Data information is added to the Java Usage Tracker record when no rules in the rule set match the application.

    Add valid XML in the Customer Data field. A block of data must begin with the <customer> element and end with the </customer> element. Multiple <customer> blocks are valid and all XML elements must be within a <customer> block. If the data is invalid, then the rule cannot be saved.

  5. Click Create to create the rule set.

    The rule set is added to the Rule Sets table. If you added rules when you created the rule set, then you can expand the rule set to see the rules. See Adding a Rule to a Rule Set.

Editing a Rule Set

After a deployment rule set is created, you can add more deployment rules and delete rules that are not needed in the Rule Sets tab in the Advanced Management Console. You can also reorder the rules. The order of the rules in the rule set is important, because the action taken for a web-based Java application is determined by the first rule that the application matches.

The Editing a Rule Set topic includes the following sections:

Adding a Rule to a Rule Set

In the Rule Sets tab, you can add deployment rules to the rule set to define the action that you want to be applied for a web-based Java application. The order of the rules matters.

To add rules to a rule set:

  1. Click the Rule Sets tab in the Advanced Management Console.
  2. Under Display Rule As, select a rule in the Rules table.
  3. Use one of the following methods to add the selected rule to a rule set:
    • Use the mouse to drag the selected rule from the Rules table to the target rule set in the Rule Sets table.

    • Click Add to Rule Set. In the Add a Rule to a Rule Set dialog, select a target rule set, and click Add.

    • In the Rule Sets table, select a rule in a rule set. Use the mouse to drag the rule to a different rule set. The rule is added to the target rule set and also remains in the source rule set.

See Editing a Signed Rule Set for actions that are needed if you edit a signed rule set.

Reordering Rules in a Rule Set

The order of the deployment rules in a deployment rule set matters. The first rule to match an application is used to determine the action for that application. You can reorder rules using the Up and Down arrows in the Rule Sets tab. For best results, place rules with the most restrictive matching criteria ahead of rules with less restrictive matching criteria.
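
The ordering advice above can be checked mechanically on an exported ruleset.xml. The following is an added example, not part of the Advanced Management Console or its documentation: it flags rules that can never be the first match. The element and attribute names follow the ruleset.xml format described in the Java SE Deployment Guide, the sample rule set and its placeholder hash are constructed, and criteria are assumed to be compared by exact value (wildcard or prefix overlaps between locations are not detected).

```python
import xml.etree.ElementTree as ET

# Constructed sample rule set. Rule 2 is meant to block one signer at a
# location that rule 1 already allows; rule 4 follows a catch-all block.
SAMPLE_RULESET = """\
<ruleset version="1.0+">
  <rule>
    <id location="https://apps.example.com" />
    <action permission="run" version="SECURE-1.8" />
  </rule>
  <rule>
    <id location="https://apps.example.com">
      <certificate algorithm="SHA-256" hash="PLACEHOLDER_CERT_HASH" />
    </id>
    <action permission="block" />
  </rule>
  <rule>
    <id />
    <action permission="block" />
  </rule>
  <rule>
    <id title="Payroll" location="https://hr.example.com" />
    <action permission="run" version="SECURE" />
  </rule>
</ruleset>
"""


def criteria(rule):
    """Collect the match criteria a <rule> specifies; an omitted criterion matches anything."""
    crit = {}
    ident = rule.find("id")
    if ident is None:
        return crit
    for attr in ("title", "location"):
        if ident.get(attr):
            crit[attr] = ident.get(attr)
    for child in ("certificate", "checksum"):
        node = ident.find(child)
        if node is not None:
            crit[child] = ((node.get("algorithm") or "").upper(),
                           (node.get("hash") or "").lower())
    return crit


def shadowed_rules(xml_text):
    """Return (rule, shadowing_rule, action) for rules that can never be the first match.

    Assumption: a rule matches only if every criterion it specifies matches, and
    values are compared exactly. Under that assumption, a later rule is unreachable
    when an earlier rule's criteria are a subset of its own with identical values.
    """
    rules = ET.fromstring(xml_text).findall("rule")
    crits = [criteria(r) for r in rules]
    findings = []
    for later, later_crit in enumerate(crits):
        for earlier in range(later):
            if all(later_crit.get(k) == v for k, v in crits[earlier].items()):
                action = rules[later].find("action")
                permission = action.get("permission") if action is not None else None
                findings.append((later + 1, earlier + 1, permission))
                break
    return findings


if __name__ == "__main__":
    for rule_no, by_no, permission in shadowed_rules(SAMPLE_RULESET):
        print(f"rule {rule_no} ({permission}) is never reached: rule {by_no} matches first")
```

In the sample, the block rule for one signer sits behind a broader run rule for the same location, so it never takes effect until it is moved up.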

To reorder rules in a rule set:

  1. Click the Rule Sets tab in the Advanced Management Console.
  2. Under Display Rule Set As, select a Rule Set from the Rule Set table.
    The associated rules are displayed in the Rules table under Display Rule As.
  3. Select a rule that you want to reorder and use Up or Down buttons accordingly to move the selected rule.
    If the rule set is a signed rule set, then when you reorder the rules, a warning message is displayed indicating that you are about to modify a signed rule set. Typically, if rules are reordered in a signed rule set, then the rule set becomes unsigned and you need to sign the rule set to make your changes effective. See Editing a Signed Rule Set.

Removing Rules from a Rule Set

When you no longer need a deployment rule, remove it from the Rule Sets tab in the Advanced Management Console.

To remove rules from a rule set:

  1. Click the Rule Sets tab in the Advanced Management Console.
  2. Under Display Rule As, select a rule in the Rules table.
  3. Select the rule that you want to remove.
  4. Click Remove from Rule Set.
    The rule gets deleted from the rule set. If the rule set is a signed rule set, then when you try to remove a rule, a warning message is displayed in the Remove Rule From Rule Set dialog indicating that you are about to modify a signed rule set. Typically, if rules are removed from a signed rule set, then the rule set becomes unsigned and you need to sign the rule set to make your changes effective. See Editing a Signed Rule Set.

The selected rules are removed from the rule set, but remain in the Rules table for future use. See Deleting a Rule.

Editing Customer Data in a Rule Set

Add custom data to a rule set or modify that data in the Rule Sets tab of the Advanced Management Console. This data is added to the Java Usage Tracker record when no rules in the rule set match the application.

To edit customer data:

  1. Click the Rule Sets tab in the Advanced Management Console.
  2. Under Display Rule As, select a rule in the Rules table and click Edit to display the Edit Rule dialog.
  3. In the Customer Data section, make the changes that you want.

    Add valid XML in the Customer Data field. A block of data must begin with the <customer> element and end with the </customer> element. Multiple <customer> blocks are valid and all XML elements must be within a <customer> block. If the data is invalid, then the rule cannot be saved.

  4. Click Apply to save the changes.

Editing a Signed Rule Set

A signed deployment rule set is locked and is ready to be distributed in Advanced Management Console. When you edit a signed rule set, a warning message is displayed indicating that the rule set is locked. If you proceed to edit the rule set, then the rule set gets unlocked and is no longer considered signed.

The following tasks provide information about editing a signed deployment rule set:

To use the rule set after it is edited, you must export and sign the rule set. To sign the rule set, you can do either of the following:

  • Select the option to sign the rule set internally in the Advanced Management Console when you export: In this case, you need not import the signed rule set back into Advanced Management Console, because the import is automatically done. See Exporting a Rule Set.

  • Sign the rule set externally after you have exported it. Typically, you can do this when you have your own corporate code signing group or service that signs artifacts for you: In this scenario, when you export the rule set and sign externally, you must import the signed rule set back to Advanced Management Console. See Importing an Existing Rule Set.

Note:

After an existing rule set is signed, it is redeployed to all the managed desktops to which the rule set was originally deployed. For example, if the rule set was the most recent rule set deployed to desktop A, then desktop A gets an automatic update with a new version of the rule set after it is signed again.

Deleting a Rule Set

When you no longer need one of the deployment rule sets that you created, you can delete the rule set in the Rule Sets tab of the Advanced Management Console.

To delete a rule set:

  1. In the Advanced Management Console, click Rule Set.
  2. Under Display Rule Set As, select a Rule Set that you want to delete.
  3. Click the Rule Set Actions icon and select Delete.
  4. In the Delete Rule Set confirmation dialog, click Delete to delete the selected rule set.

Exporting a Rule Set

When you have a deployment rule set ready for production, you can export that rule set and create the file that can be distributed to desktops. The file is signed if the tool is configured to support signing the rule set as part of the export process.

To export a rule set:

  1. In the Advanced Management Console, click the Rule Sets tab.
  2. Under Display Rule Set As, select a Rule Set that you want to export.
  3. Click the Rule Set Actions icon and select Export to display the Export Rule Set dialog.
  4. Provide the following information:
    • DRS Version: Select the deployment rule set version for the rule set. Rules might contain information that is not supported in earlier versions. Select Auto to have the version set automatically based on the rules in the rule set.

    • Sign Rule Set: Select this option to sign the rule set as part of the export process.

  5. Click Export to export the rule set.

    If you have selected the JAR option, then the Opening Deployment RuleSet.Jar dialog is displayed indicating that the DeploymentRuleSet.jar file is created in the output directory specified. Click Save to save the JAR file to your system.

    If you have selected the XML option, then the Opening ruleset.xml dialog is displayed indicating that the ruleset.xml file is created in the output directory specified. See Package and Install the Rule Set in the Java Platform, Standard Edition Deployment Guide.

    A signed rule set is ready to be distributed to your users. To use Advanced Management Console for distribution, you must import the signed rule set from the Rule Sets tab. See Importing an Existing Rule Set.

Signing a Rule Set

To sign a rule set:

  1. In the Advanced Management Console, click the Rule Sets tab.
  2. In the Rule Set table, select the Rule set you want to sign.
  3. Click the Rule Sets Action icon and then click Sign... to display the Sign Rule Set JAR File dialog.
    If the selected Rule has already been signed, then a warning message is displayed in the dialog indicating that the rule set has already been signed.
  4. Select one of the following options in the Sign Rule Set JAR File dialog:
    • Sign with self-signed certificate
    • Sign with local keystore and private key provided by user
    • Import a signed JAR
  5. Click Next. The Signing Details are displayed.
  6. Select Default Deployment Rule Set to set the Deployment Rule Set as the default.
    There can be only one Default Deployment Rule Set. If you select a signed rule set as the default one, then this selection overrides any previous default settings.
  7. Click Sign.

If the Rule Set has been signed, then it is indicated with a success message in the Summary page of the Sign Rule Set Jar File dialog box.

Note:

JARs signed with SHA-1 algorithms are disabled by default and are treated as unsigned in future releases of Java. This applies to the algorithms that are used to digest, sign, and timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the chain of the code signer and the Timestamp Authority.

See Disable SHA-1 signed jars for more details.

To conform to the standard, ensure that the JARs and certificates are signed appropriately; otherwise, the rule set signing or the deployment of the rule set at the agent will fail.
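
Before importing an externally signed DeploymentRuleSet.jar, the SHA-1 condition in the note can be pre-checked by reading the JAR's own metadata. The following is an added example, not Oracle code: it reports whether signature files are present and which digest algorithms the manifest and signature files declare, using constructed sample archives with dummy signature bytes. It does not verify the signature or inspect the algorithms inside the signature block, certificate chain or timestamp, which the note also covers; `jarsigner -verify` remains the authoritative check.

```python
import io
import re
import zipfile

SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.IGNORECASE)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.IGNORECASE)
# Matches "<alg>-Digest:", "<alg>-Digest-Manifest:" and
# "<alg>-Digest-Manifest-Main-Attributes:" at the start of a line.
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.MULTILINE)


def audit_rule_set_jar(data):
    """Inspect a rule set JAR (as bytes) without trusting or executing anything in it."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        sig_files = [n for n in names if SIG_FILE.match(n)]
        sig_blocks = [n for n in names if SIG_BLOCK.match(n)]
        algorithms = set()
        for name in ["META-INF/MANIFEST.MF", *sig_files]:
            if name in names:
                text = jar.read(name).decode("utf-8", "replace")
                for alg in DIGEST_ATTR.findall(text):
                    algorithms.add(alg.upper().replace("-", ""))  # SHA-1 and SHA1 -> SHA1
    return {
        "has_ruleset_xml": "ruleset.xml" in names,
        "signed": bool(sig_files and sig_blocks),
        "digest_algorithms": sorted(algorithms),
        "uses_sha1": "SHA1" in algorithms,
    }


def problems(report):
    """Translate the audit report into reasons the JAR should not be distributed."""
    found = []
    if not report["has_ruleset_xml"]:
        found.append("no ruleset.xml at the root of the JAR")
    if not report["signed"]:
        found.append("no signature files in META-INF (unsigned)")
    if report["uses_sha1"]:
        found.append("SHA-1 digests present; the JAR may be treated as unsigned")
    return found


def build_sample_jar(digest_name, signed=True):
    """Build a constructed JAR-shaped archive; the signature block is a dummy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\n\r\n"
                     f"Name: ruleset.xml\r\n{digest_name}-Digest: AAAA\r\n\r\n")
        if signed:
            jar.writestr("META-INF/SIGNER.SF",
                         "Signature-Version: 1.0\r\n"
                         f"{digest_name}-Digest-Manifest: BBBB\r\n\r\n")
            jar.writestr("META-INF/SIGNER.RSA", b"\x30\x00")
        jar.writestr("ruleset.xml", '<ruleset version="1.0+"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, jar_bytes in [("SHA-256 signed", build_sample_jar("SHA-256")),
                             ("SHA-1 signed", build_sample_jar("SHA1")),
                             ("unsigned", build_sample_jar("SHA-256", signed=False))]:
        print(label, "->", problems(audit_rule_set_jar(jar_bytes)) or "no problems found")
```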

Setting Default Deployment Rule Set

In the Rule Sets tab of the Advanced Management Console, you can set a rule set as the default deployment rule set. If a default deployment rule set exists, then Advanced Management Console automatically deploys that default rule set to target systems during the Advanced Management Console agent registration.

To set a default deployment rule set:

  1. In the Advanced Management Console, click the Rule Sets tab.
  2. In the Rule Set table, select the rule set that you want to set as the default rule set.
  3. Click the Rule Sets Action icon and then click Set as Default to display the Default Deployment Rule Set dialog.
  4. Click Apply to set the selected Rule set as the default deployment rule set.
    The default deployment rule set is indicated by D.

If you want to mark any other rule set as a default one, then you can just select a different, signed rule set as the default option. This new selection overrides the old selection. The Set as Default option is available only for signed rule sets.

Note:

If you select a rule set that is already marked as the default, then use the Set as Default option to remove the default status from the deleted rule set.

Viewing Relationships between Rule Sets and Applications

Identify the deployment rule sets that match a specific application from the Rule Sets tab. Viewing rule set relationships enables you to verify that you have defined a deployment rule to provide the desired action for a web-based Java application.

To view the relationships for a specific application:

  1. In the Advanced Management Console, click the Rule Sets tab.
  2. Under Display Rule Set As, select a rule set from the rule set table.
  3. Click the Rule Set — App Relationship icon to display a tree view of all rule sets and their related applications.
  4. Expand the All Rule Sets tree and select a rule set to display the relationship in the Related Applications panel.

    The Related Applications panel shows the web-based Java applications that you selected and the JAR file and extensions for that application.

  5. Click the Table icon to go back to the rule sets table view.

Managing Rules

In the Advanced Management Console, click the Rule Sets tab to create, edit, and delete deployment rules. The rules that you create can then be added to deployment rule sets to manage the web-based Java applications that are being run in your enterprise.

The following actions are available for managing rules:

Creating a Rule

Create deployment rules from both the Java Usage tab and the Rule Set tab of the Advanced Management Console. A rule is used to define the action taken when a web-based Java application that matches the rule is started.

To create a rule from the Rule Sets tab:

  1. In the Advanced Management Console, click the Rule Sets tab.
  2. Click New on the Display Rule As panel to display the Create a New Rule dialog.
  3. Enter a name for the rule, and provide information for the remaining fields.
  4. Click Create to save the rule.

Editing a Rule

You can modify existing deployment rules by using the Edit button in the Rule Sets tab of the Advanced Management Console.

To edit a rule:

  1. In the Advanced Management Console, click the Rule Sets tab.
  2. Under Display Rules As, select a Rule from the Rules table.
  3. Click Edit to display the Edit Rule dialog.
  4. Edit the rule details.

    If you edit a rule that is associated with a signed rule set, then the respective rule set becomes unsigned and out of date. You need to sign the rule sets again to make them effective.

  5. Click Apply to apply your changes to the rule.

Deleting a Rule

You can delete existing deployment rules by using the Delete button in the Rule Sets tab of the Advanced Management Console.

To delete a rule:

  1. In the Advanced Management Console, click the Rule Sets tab.
  2. Under Display Rules As, select a Rule from the Rules table.
  3. Click Delete to display the Delete Rule confirmation dialog.
  4. Click Delete to delete the rule.
    The rule gets deleted from the Rules table.

Rule Properties

Each deployment rule contains information that is used to determine if a web-based Java application matches the rule. When an application is run, the application properties are compared with the rule properties to determine if the application is allowed to run.

The following table describes the rule properties:

Property Description

Name

Name given to the rule. This name is required for identification purposes within Advanced Management Console. The name is not exported with the rule set.

Title

Title of the application. If no title is provided, then all applications are considered a match to the title property. If a title is provided and Rule Action is set to either default or run, then information must be provided for Location, Certificate, or both.

Location

URL for the source of the application. If no URL is provided, then all applications are considered a match to the URL field. For applications that use JNLP, this is the location of the JNLP file. For applications embedded in a web page, this is the location of the web page.

Certificate

Hash value for the certificate that was used to sign the application and the algorithm used to create the hash value. Certificate hash values are typically used to identify signed applications.

Checksum

Hash value for the checksum for the JAR file and the algorithm used to create the hash value. Checksum hash values are typically used to identify unsigned JAR files.

Rule Action

Action taken for any application that matches the rule. Select one of the following options:

  • default: Use default processing to determine if the application is allowed to run.

  • block: Always block the application.

  • run: Allow the application to run. If this option is selected, then you must also specify a JRE version and at least one of the following properties: Title, Location, Hash value.

  • force-run: Override the JRE requested by the application, if any, and run the application with the JRE specified in the rule. If this option is selected, then you must also specify a JRE version.

Version

JRE version to use to run the application. This property is enabled only if the Rule Action is set to run or force-run.

The version specified for the rule must match the version specified by the application; otherwise, the application is blocked. The versions don't need to be an exact match; for example, 1.7+ and 1.8* are considered a match. For Version, choose one of the following options and select a release or enter a version number:

  • SECURE: Any secure version. This option matches the secure version from any API level.

  • SECURE + API level: A secure version from the API level selected from the list. Select Or Later to allow secure versions newer than the selected API level to be used. For example, SECURE-1.7 matches any secure version from the 1.7 release only, and SECURE-1.7+ matches any secure version from the 1.7 release and later releases.

  • API level: Any version from the API level selected from the list. Select Or Later to allow versions newer than the selected API level to be used. For example, 1.7* matches any version of the 1.7 release only, and 1.7+ matches any version of the 1.7 release and later releases. An asterisk is added to the API level when the rule is saved if Or Later is not selected.

  • Product: The specific version entered in the field for versions. Enter the version that you want, or select a release from the list. Select Or Later to allow versions newer than the specified version to be used. For example, 1.8.0_05 matches only the 1.8.0_05 version of the 1.8 release, and 1.8.0_05+ matches the 1.8.0_05 version and later versions in the 1.8 release as well as versions in later releases.

  • Latest available JRE: The latest version that is available on the user's system.

Message

Message shown to the user. If no message is provided, then a default message is shown when an application is blocked, and no message is shown when an application matches a run rule.

To add a message, right click in the message table and select Add Message. A new row is added to the table.

In the Locale column, enter the locale for the message and press the Enter key. In the Message column, enter the message to show the user and press the Enter key. If the Locale field is set to <default>, then the message is used when no message is provided for the user's locale.

If multiple messages are provided, then all messages are compared with the user's locale in the order shown. If more than one message matches the locale, then the last message matched is used. To reorder the messages in the table, delete and reenter the messages as needed.

Customer Data

Custom information that is included in a rule. This information is added to the Java Usage Tracker record when an application that matches the rule is run.

Add valid XML in the Customer Data field. Each block of data must begin with the <customer> element and end with the </customer> element. Multiple <customer> blocks can be entered. All XML elements must be within a <customer> block. If the data is invalid, the rule cannot be saved.

Deploying Rule Sets

The Advanced Management Console provides administrators with a way to distribute a deployment rule set to desktops in their enterprise. The desktops must be registered with the Advanced Management Console.

Deployment Rule Set Distribution

A deployment rule set helps you manage the applications that are allowed to run in your enterprise. The Desktops tab in Advanced Management Console contains an option for pushing a deployment rule set to selected desktops.

The Advanced Management Console agent is used to install the rule set on a desktop. Pushing a rule set sends a command to the agent. The next time the agent contacts the Advanced Management Console server, the agent processes the command. View the status of the rule set by selecting the Rule Set Status display option or setting the Rule Set Status filter criteria.

Removing Deployment Rule Sets

Administrators can choose to remove the Deployment Rule Set from selected desktops, which in turn sends a command to the Advanced Management Console agent. The agent removes the Deployment Rule Set files present in the deployment directory on the desktop and then reports the status back to the server. Use the Commands tab on the Status page to check the status.