2021.03.18 - IE Enterprise and Java Security
Setting up IE Enterprise in MS Edge and altering Java Security settings so I can stop keeping a Windows XP VM running
Intro
As mentioned in another post (and probably more to come) we use a CopperCom softswitch. The company that made it (as far as I know) doesn't exist anymore and there is no official support for the system. That said, it's rock solid and there's nothing really wrong with it; from a user-interface standpoint, though, it's stuck in 2005ish.
Sadly in 2005 there was no HTML5, but on the plus side at least it doesn't use Flash. It does however use weird XHTML that only works right in IE and Java, lots of Java. Thankfully, other than having to fight with Java's security settings, old Java code still runs just fine, and Microsoft was kind enough to add an "Enterprise" mode to Edge so you can use a modern browser and have it fall back to IE only on certain pages.
IE Enterprise
So like anything enterprise there's a bunch of different ways to tell Edge what websites it should run in "enterprise" mode. Microsoft has extensive documentation on it, so here's how I, not being in a domain, did it. It might not be the best way or the right one, but it works :)
First download and install the Enterprise Mode Site List Manager (schema v.2). This is just a nice easy way of editing the site list. You could just edit the raw .xml file if you wanted, but that sounds like a pain. Run the Enterprise Mode Site List Manager as admin and add the URLs needed to the list. For the most part setting the site to open in IE11 with Compat Mode set to Default was good enough. For the CopperCom I set Compat Mode to IE7 Enterprise Mode. Then hit File, Save to XML and save it someplace convenient (I used c:\Users\sites.xml).
You probably don't have the Policy Files to configure Edge with gpedit.msc. You can download these files at https://www.microsoft.com/en-us/edge/business/download. Once they are downloaded, open the zip and (assuming you are in the US and speak English) go to windows\admx\en-US and extract all the files from that directory (in my case there were three .adml files). Copy those files to C:\Windows\PolicyDefinitions\en-US on your computer.
From that same zip file you'll also need to extract the .admx file from windows\admx (again there were 3 of them in my download) and copy those files to C:\Windows\PolicyDefinitions on your computer.
Now you need to tell Edge about the file. I used gpedit.msc. The settings to enable are under Local Computer Policy / Computer Configuration / Administrative Templates / Microsoft Edge. You'll need to change Configure Internet Explorer integration and set that to Enabled in 1 / Internet Explorer mode, and set Configure the Enterprise Mode Site List to the location of your XML file. If for some reason you don't have those settings, make sure you've installed the Policy Files above and maybe restart your computer?
Once all the Group Policy stuff is set up you can go to edge://compat/enterprise in Edge and you should see the XML file along with a list of currently configured sites and a Force Update button. Apparently Edge may take up to 65 seconds to notice changes to the XML file.
Configuring Java
The most current version of Java seems to work fine, but as Java has added a ton of security since 2005ish we need to disable a bunch of it to make this work. Thankfully Java lets you set security by address so we aren't opening ourselves up to attacks from the world. First we'll need to install the 32-bit version of the Java Runtime Environment (JRE) as IE runs in 32-bit, at least that's what it seems to do when we use IE Enterprise mode in Edge. If you don't already have it you can download it here: https://java.com/en/download/manual.jsp.
Once Java is installed and up-to-date we need to start changing security settings, first the easy ones. In your Control Panel open Java. Under the Security tab make sure Enable Java Content for browser is checked, and (you might not have to, but I did) set the Security Level for sites not on the Exception Site list to High. Go ahead and add the server serving the Java apps to the Exception Site list. In my case the Java apps are served from both the default port 80 and port 8000, so be sure to add all needed ports. Then, to make troubleshooting easier, go to the Advanced tab and under Java console check Show console, and at the bottom under Miscellaneous check Place Java icon in the system tray.
Now go ahead and give your app a try. In my case it doesn't work, but it's closer, and in the console I can see the remaining security issues. In particular I get errors about Java not being permitted to access URLs and not being able to open Sockets. So now to bypass those. Those settings are controlled by the java.policy file in (in my case, your version might be slightly different) C:\Program Files (x86)\Java\jre1.8.0_281\lib\security. In that file you'll see a grant block with a bunch of permissions in it.
Best practice would probably be to give only the exact Java app the exact permissions it requires, but I'm gonna cut a corner because there's a TON of Java app names and I don't want to mess with every single one. So I'll be adding (inside grant): EDIT: There's actually a better place to put this stuff, keep reading below
permission java.net.URLPermission "http://192.168.100.1/-", "*:*"; // The dash means anything below this path
permission java.net.URLPermission "http://192.168.100.2/-", "*:*";
permission java.net.SocketPermission "192.168.100.1:36376", "connect,resolve";
permission java.net.SocketPermission "192.168.100.2:36376", "connect,resolve";
permission java.net.SocketPermission "192.168.100.1:32849", "connect,resolve";
permission java.net.SocketPermission "192.168.100.2:32849", "connect,resolve";
permission java.net.SocketPermission "192.168.100.1:12500", "connect,resolve";
permission java.net.SocketPermission "192.168.100.2:12500", "connect,resolve";
permission java.net.SocketPermission "192.168.100.1:8000", "connect,resolve";
permission java.net.SocketPermission "192.168.100.2:8000", "connect,resolve";
permission java.net.SocketPermission "192.168.100.1:80", "connect,resolve";
permission java.net.SocketPermission "192.168.100.2:80", "connect,resolve";
EDIT: After some looking I realized that in the Java console I needed to press o for Trigger logging and 5 (not on the number pad, the one above the keyboard) for the max trace level to see ALL the connections that were being denied.
Also, if you use java.io.FilePermission on Windows you have to use double slashes so: permission java.io.FilePermission "E:\\*", "read";
I also found that disabling the java cache fixed a couple of lingering weird issues. To do that edit the %userprofile%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties and add the line
deployment.cache.enabled=false
Also for good measure I deleted everything in the %userprofile%\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\ folder.
That's it (for me at least); my legacy Java stuff now works as expected. Good luck with your attempts! Also, if you get really stuck and just can't figure out the permissions Java wants, you can always add permission java.security.AllPermission; to the java.policy, but be sure to take it out as soon as possible!
EDIT: I found out later that, as a compromise between letting any jar do anything and having to name every single jar file, you can specify a location in the grant statement, so you could grant all permissions only to jars coming from a particular server. I also found you can make a %userprofile%\.java.policy in the user's home directory so that these permissions don't have to be re-added every time you update Java.
First add the line deployment.security.use.user.home.java.policy=true to your %userprofile%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties file, and then open your favorite text editor and create the file %userprofile%\.java.policy with this stuff:
grant codeBase "http://192.168.100.1/-" {
permission java.security.AllPermission;
};
grant codeBase "http://192.168.100.2/-" {
permission java.security.AllPermission;
};
grant codeBase "http://192.168.100.1:8000/-" {
permission java.security.AllPermission;
};
grant codeBase "http://192.168.100.2:8000/-" {
permission java.security.AllPermission;
};
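Both policy approaches above (the permissions dropped into the global grant, and the later per-server codeBase grants) are easy to get wrong in a way the Java console won't tell you about, especially the "just add AllPermission to get unstuck" shortcut. This is an added example, not something from the post or from Java: a small Python linter that parses grant blocks from a java.policy file and counts any AllPermission that is not restricted by a codeBase (or signedBy/principal) scope. The sample policy text is constructed from the addresses used in this post.

```python
"""Lint a java.policy file: parse each grant block and count AllPermission
grants that are not restricted to a codeBase or signer (added example)."""
import re

# Constructed sample built from the post's two approaches: the global grant
# (with AllPermission added "to get unstuck") and one per-server codeBase grant.
SAMPLE_POLICY = """
grant {
    permission java.net.URLPermission "http://192.168.100.1/-", "*:*"; // anything below this path
    permission java.net.SocketPermission "192.168.100.1:8000", "connect,resolve";
    permission java.security.AllPermission;
};
grant codeBase "http://192.168.100.1:8000/-" {
    permission java.security.AllPermission;
};
"""

# Quoted strings are matched first so the "//" inside "http://..." is kept,
# and only real // and /* */ comments are dropped.
TOKEN_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*', re.DOTALL)
GRANT_RE = re.compile(r'\bgrant\b([^{]*)\{(.*?)\}\s*;', re.DOTALL)
PERM_RE = re.compile(
    r'permission\s+([\w.$]+)\s*(?:"([^"]*)")?\s*(?:,\s*"([^"]*)")?\s*;')


def strip_comments(text):
    """Remove // and /* */ comments while leaving quoted strings intact."""
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else '', text)


def parse_policy(text):
    """Return [(scope, [(class, target, actions), ...])] per grant block.
    scope is the text after 'grant' (e.g. 'codeBase "http://..."'), '' if global."""
    blocks = []
    for scope, body in GRANT_RE.findall(strip_comments(text)):
        perms = [(cls, target or '', actions or '')
                 for cls, target, actions in PERM_RE.findall(body)]
        blocks.append((' '.join(scope.split()), perms))
    return blocks


def unscoped_all_permission(text):
    """Count global grants (no codeBase/signedBy/principal) that hand out
    java.security.AllPermission; those apply to every applet the JRE loads."""
    return sum(1 for scope, perms in parse_policy(text)
               if not scope and any(c == 'java.security.AllPermission' for c, _, _ in perms))


if __name__ == '__main__':
    for scope, perms in parse_policy(SAMPLE_POLICY):
        print(f'grant {scope or "<global>"}: {len(perms)} permission(s)')
    if unscoped_all_permission(SAMPLE_POLICY):
        print('WARNING: AllPermission granted to all code; scope it with codeBase')
```

Point it at the real file (lib\security\java.policy or %userprofile%\.java.policy) by reading the file contents into parse_policy instead of SAMPLE_POLICY.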
Also if you have the Java JDK installed (below) you can use the policytool.exe to give you a visual editor for the policy file. By default it will open the %userprofile%\.java.policy file.
Update: Killing the Java Security Warnings!
I'm really happy to come by and say I've FINALLY found a way to stop Java from popping up the "are you sure you want to run this?" box every single time. You can create Java Deployment Rules to stop that. In my case I'll be making very simple rules that say, if the file is from this URL just run it, but you can make them much more powerful. Read more about them here: https://blogs.oracle.com/java-platform-group/introducing-deployment-rule-sets.
First you'll need to install the Java JDK as we will need to build a jar file and sign it. The JDK at this time can be downloaded here: https://www.oracle.com/java/technologies/javase/javase-jdk8-downloads.html. You'll need a free Oracle account to download the file. At the time I wrote this 1.8.0_301 was the current version and I installed the 32-bit version, so you may need to alter your command slightly from mine.
Once that is installed go ahead and make a folder that we can work in and open a Command Prompt window in that folder. Inside that folder, with your favorite text editor, create a new file ruleset.xml. You can read about all the possible options and syntax in the blog post above, but for my use I entered these basic lines:
<ruleset version="1.0+">
    <rule>
        <id location="http://192.168.100.1/">
        </id>
        <action permission="run"/>
    </rule>
    <rule>
        <id location="http://192.168.100.2/">
        </id>
        <action permission="run"/>
    </rule>
    <rule>
        <id location="http://192.168.100.1:8000/">
        </id>
        <action permission="run"/>
    </rule>
    <rule>
        <id location="http://192.168.100.2:8000/">
        </id>
        <action permission="run"/>
    </rule>
    <rule>
        <id />
        <action permission="default"/>
    </rule>
</ruleset>
Then we need to generate the jar. This command will do that:
"C:\Program Files (x86)\Java\jdk1.8.0_301\bin\jar.exe" -cvf DeploymentRuleSet.jar ruleset.xml
Next we need a certificate to sign the code with. To generate that we'll use this command:
"C:\Program Files (x86)\Java\jdk1.8.0_301\bin\keytool.exe" -genkey -keyalg RSA -alias selfsigned -keystore sign.jks -storepass 123456 -validity 3650 -keysize 2048
We'll be using the very secure password of 123456 to protect this key file and make it valid for about 10 years. It will ask you for a bunch of information to generate the cert. It doesn't much matter what you put in there.
We will then need to extract the certificate from the master file so we can install it on the computer, otherwise the computer won't trust the file we are going to sign.
"C:\Program Files (x86)\Java\jdk1.8.0_301\bin\keytool.exe" -export -file sign.cer -alias selfsigned -keystore sign.jks -storepass 123456
Then go ahead and install the sign.cer in the Windows Trusted Root Certification Authorities store. Now that the cert is installed and trusted we can go ahead and sign our jar file with this command:
"C:\Program Files (x86)\Java\jdk1.8.0_301\bin\jarsigner.exe" -keystore sign.jks -storepass 123456 DeploymentRuleSet.jar selfsigned
The DeploymentRuleSet.jar file that we just created and signed will now need to go in the C:\Windows\Sun\Java\Deployment directory. In my case I didn't have that directory and had to create it. If all goes well, after copying the jar file into that directory you should be able to open up the Java Control Panel, go to the Security tab and see some new blue text at the bottom that says View the active Deployment Rule Set. When you click on that blue text it should show you the XML file you made earlier and say DeploymentRuleSet.jar is valid at the bottom. Assuming it does then congratulations! No more annoying Java pop-up warnings for you (at least on the sites you put in the allow list).
-Nick