Control your Java on Citrix



In a current project we face the dreadful Java update pop-up and run question on a regular basis. We’ve applied several settings to disable this, but none really worked to the extent that no calls came in anymore.
I’ve been reading a massive number of articles and messages from people on fora, never really seeing anything that worked. A few lines from those docs stuck in my mind, something about Java not applying settings the first time and so on.

Because the customer was still having the issue of getting an update message I tried some of the suggestions found online.

The suggestions were:
  • Create a variable to overcome the first-time-not-applying issue
  • Create properties file with all settings (had that one already but changed it).
  • Create config file to point to properties file
  • Add application certificate to trusted publishers
  • Add website to trusted sites
The last two are not for the update message but for the “run and trust this application” message you get.

Overview

Before we start, a picture, for a picture says more than a thousand words, they say.
RES in this picture is RES Workspace Manager.

Disable that update

So first step is to create a variable in the system that tells it to stop asking for an update.
The system environment variable is:

  • Deployment.expiration.check.enabled
  • Value = False
I created a properties file before with this setting, but after you start a Java app the value in the file was changed and I never got any good control over that. With this variable you disable the expiration check altogether.

As I was working with Citrix Machine Creation Services (MCS) I couldn’t update the machine just like that; they would lose the config after the reboot. So I resorted to Group Policy Preferences (GPP) to add the variable.

Next step in the process is the creation of the properties file; this is the file that Java reads for all its settings when starting. I had this file created, but I noticed that Java didn’t like my file: it would edit the file each time it started, disabling all my settings to stop the update check.
I changed the file a bit more and left out all the links to dates and so on; this time I only added never, for never is never, right? I also added that the settings can’t be changed, with a locked statement.
So the variable is set and the properties file is created; now I need to change the config file to point to the properties file. I’m not sure that this step is needed; I read somewhere that this was included in the config. I didn’t have it in my original one but added it just to make sure. It can’t hurt, for it’s pointing to a ready properties file.
With all this in place I just needed to get the files on the server in the C:\Windows\Sun\Java\Deployment folder and the customer would be happy…
Again, working with Citrix MCS that’s easier said than done; you can’t just copy them there, they’d be gone before dawn breaks.
So again GPP to the rescue. Perhaps I’ll add them to the golden image later on, but I might not, for now I have control over the files without opening the golden image.
That concluded the updating of Java, it’s over and done with.
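One way to check that the two files described above still carry the intended settings after a non-persistent MCS machine reboots. This is an added example, not the author's files or script: the sample contents are constructed, the function names are hypothetical, and the keys are Oracle's documented deployment properties, assumed here to correspond to the "never" and "locked" settings the post mentions.

```powershell
# Constructed sample contents, not the author's files. Forward slashes avoid
# the backslash escaping that the .properties format would otherwise require.
$sampleConfig = @'
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
'@
$sampleProperties = @'
deployment.expiration.check.enabled=false
deployment.expiration.check.enabled.locked
deployment.javaws.autodownload=NEVER
deployment.javaws.autodownload.locked
'@

function ConvertFrom-JavaProperties([string]$Text) {
    # Minimal parser: "key=value" or a bare key (as used for ".locked").
    $map = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '' -or $line -match '^[#!]') { continue }   # blank or comment
        $key, $value = $line -split '=', 2
        $map[$key.Trim()] = if ($null -ne $value) { $value.Trim() } else { '' }
    }
    return $map
}

function Test-JavaDeployment([string]$ConfigText, [string]$PropertiesText) {
    $findings = @()
    $config = ConvertFrom-JavaProperties $ConfigText
    if (-not $config['deployment.system.config']) {
        $findings += 'deployment.config does not point to a properties file'
    }
    $props = ConvertFrom-JavaProperties $PropertiesText
    $expected = @{
        'deployment.expiration.check.enabled' = 'false'
        'deployment.javaws.autodownload'      = 'NEVER'
    }
    foreach ($key in $expected.Keys) {
        if ($props[$key] -ne $expected[$key]) {
            $findings += "$key is '$($props[$key])', expected '$($expected[$key])'"
        }
        if (-not $props.ContainsKey("$key.locked")) { $findings += "$key is not locked" }
    }
    return $findings
}

# On a server, pass the real files instead, e.g. (Get-Content -Raw <path>).
$findings = @(Test-JavaDeployment $sampleConfig $sampleProperties)
if ($findings.Count -eq 0) { 'OK: update settings present and locked' } else { $findings }
```

Run at logon or as a scheduled check, any finding indicates that the GPP file copy did not land or that the file was rewritten after deployment.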
Next issue was the run and trust issue with the Java application: the customer got the question whether the application was trusted and whether it should be run. This issue is there because the certificate used for the application is not installed on the Citrix server, and when it starts the application it feels like going to a non-trusted site.
The certificate is added to the Java control panel applet after you start the application, but that’s too late for Windows and not the way Windows works. There are several ways to handle this, for you can set “remember this” if you want, but I like to be more thorough in solving things: I add the certificate to the certificate store to fix it at the root.
So I started the application and waited for the certificate to appear; next I exported it to a cer file and imported that one into the trusted publisher store on the Citrix server. I took a while to import it.
One last step is to add the site to the trusted sites and you’re good to go.
The adding of the certificate is still on my list, for I haven’t found a trustworthy way of deploying this certificate to all Citrix servers in an MCS controlled environment. I’ve tried several tools and looked at the CA but none really did the trick.
Any suggestions are welcome 🙂
So if you have all this set up you are ready to rock and roll…
Hope this helps you guys, took me a while to figure this out, there are many articles and IT-guys on fora that I should give credits for sharing parts of knowledge that helped me write this, Thanks guys couldn’t have done this without you 🙂
p.s. I’m still waiting on a 100% solved from the customers, all tests so far look good but I want their Okay before I move on… 

Update 15-06

Seth Daemen contacted me @sdaemen on twitter and he suggested that I edit the deployment.properties file to add the trusted.certs file in there as well. 
So a little clarification: the trusted.certs file is created once you click on accept and trust to run the application, and the certificate and all is accepted.
The trusted.certs file is located in the %appdata%\locallow\Sun\Java\Deployment\security folder. In the Deployment.properties file you add a line to point to this file:

deployment.system.security.trusted.certs=C:/Windows/Sun/Java/Deployment/Security/trusted.certs

and you make sure the file is located there.

I again used GPP to make sure the file was there… 

One thing I now wonder about is whether this is the best one or the %appdata% of the user.
Testing will reveal that.

Thanks to Seth for sharing his knowledge…. 

