Import certificates into Java RTE using ConfigMgr Compliance Settings


We recently had a requirement from a customer to import two certificates into the Windows client’s Java Runtime certificate store.

The problem they were experiencing was that when they tried to connect to a particular custom web app they received a security prompt. Prompts such as this usually generate service desk calls, and conditioning users to accept security warnings may have repercussions in the future.

Microsoft have advice on how to import certificates into the Java runtime certificate store here using the keytool.exe file that comes bundled with the Java Runtime and SDK. After validating the commands required, it was decided that we could use ConfigMgr Compliance Settings to import the certificates into the currently installed Java runtime, as well as ensuring that they are imported into future versions as they are installed.

Assumptions and requirements

The script assumes that the Java certificate store password has not been changed from the default of ‘changeit’. I may come back to the script later and swap this out for a variable; however, in most cases this will be the case, as that is how it is distributed by Oracle.

Scripted actions

Both scripts utilise the Get-JavaHomeLocation function which was provided by my colleague Steve Renard from powershell-guru.com.

The Get-JavaHomeLocation function uses the registry to find the relevant Java home folder for the latest installed version of Java and returns either the path or an error message.

If an error message is returned by the Get-JavaHomeLocation function we can catch and return it easily using Test-Path; in cases where the Java home is not found or not valid, the reason will be available in the compliance report.

Discovery Script

The customisable component of the discovery script is a simple array of the relevant certificate aliases. These are set upon import into the certificate store. If this is a new certificate then you can create appropriate aliases yourself.

Finally we iterate through the array of certificate aliases and check if they are present in the certificate store. If one is missing the script will exit and return ‘Non-Compliant’.

I’m going to assume that you know how to create configuration items and baselines as there are loads of resources out there detailing how to do this (example). The key aspect of this script to be aware of is that it will return ‘Compliant’ when the relevant certificates are present. The condition on the configuration item compliance rule should be set to ‘Equals’ and ‘Compliant’.
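To show how the discovery logic above fits together, here is an added illustration written for this post; it is not the script from the GitHub repository. It assumes the Oracle installer’s ‘Java Runtime Environment’ registry keys, the default ‘changeit’ store password, and that keytool.exe returns a non-zero exit code when an alias is absent.

```powershell
# Added example (not the GitHub discovery script): checks that each alias exists
# in the Java RTE cacerts store and returns 'Compliant' or 'Non-Compliant'.

$Aliases       = @('my-alias-1', 'my-alias-2')   # customise: aliases used at import time
$StorePassword = 'changeit'                      # assumption: Oracle's default store password

function Get-JavaHomeLocation {
    # Simplified stand-in for the powershell-guru function: reads the Oracle
    # 'Java Runtime Environment' keys (assumed layout) and returns the JavaHome
    # of the CurrentVersion, or an error string if nothing usable is found.
    $keys = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
            'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment'
    foreach ($key in $keys) {
        if (Test-Path $key) {
            $current = (Get-ItemProperty -Path $key).CurrentVersion
            $home    = (Get-ItemProperty -Path "$key\$current" -ErrorAction SilentlyContinue).JavaHome
            if ($home) { return $home }
        }
    }
    return 'Java Runtime Environment registry key not found'
}

$JavaHome = Get-JavaHomeLocation

# An error string will fail Test-Path, so the reason surfaces in the compliance report.
if (-not (Test-Path -Path $JavaHome)) { return "Non-Compliant: $JavaHome" }

$KeyTool = Join-Path -Path $JavaHome -ChildPath 'bin\keytool.exe'
$Store   = Join-Path -Path $JavaHome -ChildPath 'lib\security\cacerts'
if (-not (Test-Path -Path $KeyTool) -or -not (Test-Path -Path $Store)) {
    return 'Non-Compliant: keytool.exe or cacerts not found'
}

foreach ($alias in $Aliases) {
    # keytool -list -alias exits non-zero when the alias is not in the store.
    & $KeyTool -list -keystore $Store -storepass $StorePassword -alias $alias 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { return 'Non-Compliant' }
}

return 'Compliant'
```

Only the exact string ‘Compliant’ satisfies the ‘Equals’ rule, so the annotated Non-Compliant variants still evaluate as non-compliant while keeping the reason visible.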


Remediation Script

The remediation script requires a little more editing than the discovery script because it also needs to access the actual certificate files. ConfigMgr configuration items do not natively distribute files, so they need to be made available on a network share. In our case we created a subfolder on an existing share and made it available read-only to ‘Everyone’.

The hash table requires that the key of each entry is the alias and the value is the name of the certificate file. For example, ‘my-alias-1’ = ‘MyCertificate-1.cer’.

Because the error handling of the remediation action of configuration items is quite limited, the remediation script creates a log file named import-certificates.log in the <JavaHome>\lib\security folder. In addition to the path checks from the discovery script, we also test the path to the external share that holds the certificate files.

Next we iterate through the hash table of certificate aliases and certificate files, importing each into the Java certificate store.

Finally we iterate through the certificates in the hash table to check that they have been added correctly.

Download the scripts

I have added the scripts to GitHub and they are heavily commented; if you are not a confident scripter it is clearly marked where you can customise these scripts for your organisation.

The discovery script

The discovery script will check the Java RTE certificate store and return ‘Compliant’ or ‘Non-Compliant’.

https://github.com/markhallen/configmgr/blob/master/ConfigurationItems/JavaCertificate-DiscoveryScript.ps1

The remediation script

The certificates are imported into the certificate store; any errors will be recorded in import-certificates.log.

https://github.com/markhallen/configmgr/blob/master/ConfigurationItems/JavaCertificate-RemediationScript.ps1
