With the introduction of the Exception Site List in Java 7, many users have experienced havoc trying to manage all the exceptions needed for end-users in their environments. Through exhaustive research, I have found a way to manage Java’s Control Panel and Exception Site List at the system level and have all the settings managed from a network share. I will show you how to combine your Java settings and Exception Site List into a couple of packages to deploy throughout your environment using PDQ Deploy. These same steps work with Java 8.
First, let’s understand how the Java Control Panel settings are managed with a default installation of Java. The deployment.properties file is installed in a non-configurable location here:
%APPDATA%\..\LocalLow\Sun\Java\Deployment\deployment.properties
The Java Control Panel and the Exception Site List can both be managed from the deployment.properties file, but the changes apply only on a per-user basis. However, the user-level deployment.properties file can be bypassed if a deployment.config file is created that points to a system-level deployment.properties file. By default, the system-level deployment.config and deployment.properties files are not created. (Only the user-level deployment.properties file is created.)
So, how do we set up the system-level settings for Java? First, we will need to create the three files needed to manage the Java Control Panel settings. The three files, once created, will go in the %WINDIR%\SUN\JAVA\Deployment directory, which will need to be created if it doesn’t exist.
deployment.config file
The deployment.config file is used to specify the location of the deployment.properties file in your environment. Whether the deployment.properties file is located on the local machine or on a network share, the deployment.config file will only contain two properties: deployment.system.config and deployment.system.config.mandatory
The deployment.system.config property is the file path to the system-level (enterprise-wide) deployment.properties file. (Use the file protocol for the file path.)
The deployment.system.config.mandatory property is a Boolean value. The default value for this property is false. If left as the default value, there will be an attempt to load the deployment.properties file specified in the deployment.system.config path. If the property is set to true, the attempt to access the deployment.properties file will still be made; however, if the file cannot be found or loaded, nothing will be allowed to run.
Here are two examples of the contents in the deployment.config file. The first points to the deployment.properties file on the local (target) machines.
deployment.system.config=file\:C\:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true
This example points to a deployment.properties file on the HQ-Svr1 server in the deploy share.
deployment.system.config=file\://HQ-Svr1/deploy/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true
deployment.properties file
The deployment.properties file is used to manage the settings in Java Control Panel. A complete list of available settings and values that can be used is found here:
http://docs.oracle.com/javase/8/docs/technotes/guides/deploy/properties.html
In addition, the exception.sites file path is set here as well.
Here are two example deployment.properties files. The first example shows the contents of a deployment.properties file which points to a local (on each target machine) exception.sites file.
#deployment.properties
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
deployment.security.level.locked
deployment.user.security.exception.sites=c\:/Windows/Sun/Java/Deployment/exception.sites
The second example points to a network share on a computer named HQ-Svr1 with a Windows shared directory called Deploy.
#deployment.properties
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
deployment.security.level.locked
deployment.user.security.exception.sites=//HQ-Svr1/deploy/sun/java/deployment/exception.sites
exception.sites file
The exception.sites file is a list, one URL per line, of the sites that you want in the Exception Site List field found in the Java Control Panel. Nothing else goes in this file.
Now that we have the three files we need, it is time to put them to good use. The setup you want (files on the local machine or on a network share) determines where you place your files. For our first example, we will be deploying our files out to the local machine. In this case, copy the three files you created into your repository or any other location on your machine you desire.
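A pre-deployment check for the three files described above, as an added example (not from the original post, Oracle or PDQ). It parses only the key=value subset of .properties syntax shown on this page; the function names and the exception.sites sample entries are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def parse_properties(text):
    """Parse the key=value subset of Java .properties syntax used on this page."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            # Undo backslash escapes such as file\:C\:/... from the page's examples.
            props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def lint(config_text, properties_text, sites_text):
    """Return review findings for the three system-level files (empty list = clean)."""
    findings = []
    cfg, props = parse_properties(config_text), parse_properties(properties_text)
    if not cfg.get("deployment.system.config", "").startswith("file:"):
        findings.append("deployment.config: deployment.system.config is not a file: URL")
    if cfg.get("deployment.system.config.mandatory", "false").lower() != "true":
        findings.append("deployment.config: mandatory is not true, so Java still runs "
                        "when the system-level file cannot be loaded")
    if "deployment.security.level.locked" not in props:
        findings.append("deployment.properties: deployment.security.level is not locked")
    if "deployment.user.security.exception.sites" not in props:
        findings.append("deployment.properties: no exception.sites path is set")
    for n, line in enumerate(sites_text.splitlines(), 1):
        entry = line.strip()
        url = urlsplit(entry)
        one_url = " " not in entry and (url.scheme == "file" or
                                        (url.scheme in ("http", "https") and url.netloc))
        if not one_url:
            findings.append(f"exception.sites line {n}: not a single URL: {entry!r}")
        elif url.scheme != "https":
            findings.append(f"exception.sites line {n}: {url.scheme} entry, not https")
    return findings

# Constructed sample input, modelled on the page's local-machine examples.
CONFIG = r"""deployment.system.config=file\:C\:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true"""
PROPS = r"""#deployment.properties
deployment.security.level=MEDIUM
deployment.security.level.locked
deployment.user.security.exception.sites=c\:/Windows/Sun/Java/Deployment/exception.sites"""
SITES = """https://apps.example.com
http://legacy.example.com:8080
# intranet tools
https://a.example.com https://b.example.com"""

if __name__ == "__main__":
    for finding in lint(CONFIG, PROPS, SITES):
        print(finding)
```

Run it against the files in your repository before pushing the package; every exception.sites entry it reports is a site that will bypass Java's security checks, so each one deserves a second look.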
Create a new PDQ Deploy package
Now that your three files are in your repository or another location on your machine, open PDQ Deploy and create a new package. Create a command step and delete the default install step. In the command field, we need to enter a command that will copy the three files needed into the %WINDIR%\Sun\Java\Deployment directory and also create the directory if it does not exist (only the deployment.config file needs to be copied over if you are storing the deployment.properties and the exception.sites files on a network share). We will use an xcopy command with a /I and a /Y to accomplish the copy task for us. (Type xcopy /? in a command prompt for a usage statement.)
xcopy /I /Y "\\DEPLOY-SVR\Repository\SUN\JAVA\Deployment" %WINDIR%\SUN\JAVA\Deployment
That is all there is to it. Push out the packages to the respective machines and be amazed as the Java Control Panel properties and exception list conform to your desires. If you open the Java Control Panel and click on the Security tab, you should see that the changes you specified in the deployment.properties and exception.sites files are set. Remember the user’s deployment.properties file will be bypassed by the system-level properties. If the system-level properties are removed, Java will revert to the user’s deployment.properties settings.
NOTES:
If you store your Java configuration files on a network share, make sure your users have Read access to the shared files.
If your exception.sites file is set to READ ONLY, then the exception.sites list in the Control Panel cannot be modified.
The command step created to change the Java Control Panel settings and Exception Site List can be added to our Java 7 Update 51 (and later) Packages in the Package Library, to install Java and have the settings applied all in one package. Trials to PDQ Deploy do not include full access to our package library. The trial does include access to some packages for testing purposes. To see the different levels available, see our Package Library page.