Java Deployment Rule Set via AD Enterprise CA

Solution 1:

Fix found.

We had the exact same problem. I tried everything mentioned above and nothing worked. Chrome does not seem to be pulling Windows Certificate manager properly or at least to verify the signature from our Enterprise CA. I tried adding our Root CA certificate and even our Subordinate CA certificate to all system keystores unsuccessfully.

The issue is Chrome is only looking at the user keystores, not at the system keystores for some odd reason. After I added the RootCA certificate to the USER SIGNER CA, it worked.

Doesn't work: %JAVA_HOME%\lib\security\cacerts

Works: %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.cacerts

Google or JAVA should fix this issue.

Now time to script the injection for our users.

Solution 2:

My problem was that the new Java update didn't remove the old DeploymentRuleSet.jar which was used only by some previous versions, and which in my case resides at:

C:\Windows\Sun\Java\Deployment\DeploymentRuleSet.jar

The file in this folder does not depend on where the Java installation folder is, and even after Oracle removed the Sun name from Java (and, thus, changed some file locations in newer versions of Java), the file given above remained in the system, and it seemed that new versions of Java continued to use it.

After Oracle removed the medium security setting for Java applets, everything related to Java stopped working, just reporting that "Can not verify rule set jar", and no solutions given on the internet helped.

I found this folder by scanning the registry for the Java string to clean everything related to Java from my system and make a clean install, and it turned out that it was the problem. Why did the latest versions of Java continue to use this file?

Since I removed this jar file from the system (on my 3 computers it was the same problem on Windows 7, both 32bit and 64bit), Java works without problems, but I didn't find this solution anywhere on the Internet.
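
A diagnostic for the situation Solution 2 describes, as an added example that is not part of the original answer: it reports whether the system-wide rule set jar exists, how old it is, and whether its signature verifies. It assumes `JAVA_HOME` points at a JDK (which ships `jarsigner`); the parameter name `RuleSetJar` is hypothetical.

```powershell
# Added example: inspect the system-wide DeploymentRuleSet.jar before deciding
# whether to replace or remove it. Read-only; nothing is modified.
param(
    # Default path is the one given in the answer above; override if yours differs.
    [string] $RuleSetJar = 'C:\Windows\Sun\Java\Deployment\DeploymentRuleSet.jar'
)

if (-not (Test-Path -LiteralPath $RuleSetJar)) {
    Write-Output "No rule set jar at $RuleSetJar"
    return
}

# A jar far older than the installed Java version points to a leftover file.
$jar = Get-Item -LiteralPath $RuleSetJar
Write-Output ("Found {0} ({1} bytes, last written {2:u})" -f `
    $jar.FullName, $jar.Length, $jar.LastWriteTimeUtc)

# Record the hash so the same file can be recognised on other machines.
$hash = (Get-FileHash -LiteralPath $RuleSetJar -Algorithm SHA256).Hash
Write-Output "SHA256 $hash"

# Assumption: JAVA_HOME is set and points at a JDK, since the JRE has no jarsigner.
if (-not $env:JAVA_HOME) { throw 'JAVA_HOME is not set' }
$jarsigner = Join-Path $env:JAVA_HOME 'bin\jarsigner.exe'
if (-not (Test-Path -LiteralPath $jarsigner)) {
    throw "jarsigner not found at $jarsigner"
}

# -verify checks the signature; -verbose -certs prints the signer certificates.
$output = & $jarsigner -verify -verbose -certs $RuleSetJar 2>&1 | Out-String
Write-Output $output

if ($output -match 'jar is unsigned') {
    Write-Warning 'Rule set jar is unsigned; Java will not accept it.'
}
elseif ($output -match 'jar verified') {
    # Read any warnings printed after the verdict (expired or untrusted signer).
    Write-Output 'Signature verifies; check the signer and warnings listed above.'
}
else {
    Write-Warning 'Signature did not verify; treat the jar as stale or altered.'
}
```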

Solution 3:

Turns out that this only happens in both Chrome and Firefox, but not IE. I haven't tested with Opera or Safari. Chrome's certificate manager pulls up Windows' certificate manager, which already of course includes our enterprise CA's certificate, and adding that certificate into Firefox's certificate manager does not seem to have any effect. The Deployment Rule Set works perfectly in IE, though.

I only use Chrome because I am more comfortable with its dev tools than IE's - our users use IE and if you are using a Windows enterprise CA and connecting to old legacy systems with a mix of Java and ActiveX most likely your users are as well. I am going to mark this as the answer since switching to IE works for me, but I hope that in the future some solution can be found for the other browsers.