javacro'15 - managing java at scale security and compatibility applications - duško...
Upload: hujak-hrvatska-udruga-java-korisnika-croatian-java-user-association
Post on 21-Jul-2015
![Page 1: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/1.jpg)
Java SE Advanced
Client Management Best Practices
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Duško Vukmanović
Principal Sales Consultant FMW
![Page 2: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/2.jpg)
Client Management Best Practices
1. Automate scheduled updates.
– Plan ahead based on known schedule.
2. Collect usage information.
– Collect real information: which applications need which old Java versions, which users need which applications.
3. Protect old versions through Deployment Rule Set.
– Statically install old versions only as needed, protect them through Deployment Rule Sets.
![Page 3: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/3.jpg)
Java SE Advanced
• Same Java.
• Management & Monitoring Tools.
– Help understand/manage client usage.
– Help investigate production software.
• Experienced Support.
– What information applies to this situation?
– What information from the last 19 years does not apply (anymore)?
![Page 4: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/4.jpg)
Automate scheduled updates.
1. Automate scheduled updates.
2. Collect usage information.
3. Protect old versions through DRS.
![Page 5: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/5.jpg)
Schedule updates
• Quarterly patch schedule for the next year: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
• MSI installer
– Customizable.
– Automated silent installs.
![Page 6: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/6.jpg)
Deploy updates in timely fashion
Customize and roll out ASAP after Critical Patch Update
If you do not:
• Clients periodically check security baseline.
• Built-in expiration a month after scheduled Critical Patch.
Clients will change behavior to decrease their attack surface.
Java or browser will prompt or block.
![Page 7: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/7.jpg)
Collect usage information.
1. Automate scheduled updates.
2. Collect usage information.
3. Protect old versions through DRS.
![Page 8: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/8.jpg)
Advanced Management Console
Administer Java clients at scale.
• Usage Tracking across installations
– Tracks applications and their location.
– Tracks which Java version was used.
• Deployment Rule Set tool
– Control prompts: run or block.
– Verify against usage tracking.
![Page 9: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/9.jpg)
Management Console, Collector, and Clients
Control Java in the enterprise through real data.
1. Clients report usage via UDP.
2. Usage tracker keeps records.
3. Management console helps configure the desired outcome. Deploy configuration.
![Page 10: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/10.jpg)
Desktop Administrators can control multiple Java versions.
Deployment Rule Sets
• Many managed clients.
• Security: limiting the exposure of old versions.
• Different users need several at once.
• Different applications need different Java versions.
Follow-up Questions:
• Which versions do I actually need?
• Which applications need which versions?
• How do I identify those applications?
• Which users need which applications?
• How do I validate answers to the above questions?
• Once validated, how do I integrate the answers into my tool chains?
![Page 11: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/11.jpg)
“This needs Java 8, that needs 6 update 38, those need 7, etc.”
Control Compatibility
Application A
Application B
Application C
Follow-up Questions:
• How do I identify these applications across many users?
• Once identified, how do I know which needs which Java version?
• After associating application to Java version, how do I manage the compatibility across many users?
![Page 12: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/12.jpg)
Track and use real data
• Run count:
– How important is this application?
– How many people need it?
• URL / Codebase:
– Where is this application?
• Java Version:
– Which version is the right one?
• Etc.
![Page 13: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/13.jpg)
Identify which Java versions are needed
Control Prompts and Compatibility
• Inspect applications to see environments.
• Guided rules to control dialog prompts and compatibility.
– “Run on Java 1.7 without prompting.”
![Page 14: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/14.jpg)
Validate rules against Tracking System
• Compare whitelist / blacklist to real data.
– “Did I do what I intended?”
Ensure correctness before user testing
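The check described on this slide, comparing rules to tracked usage before users see them, as an added example that is not from the slides or from Oracle's tooling. The rule set follows the Deployment Rule Set XML layout; the hosts, usage records and the simplified location matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed rule set in the DRS ruleset.xml layout; hosts are made up.
RULESET = """<ruleset version="1.0+">
  <rule><id location="https://payroll.example.internal/app/"/>
        <action permission="run" version="1.6.0_38"/></rule>
  <rule><id location="https://*.example.internal"/>
        <action permission="run" version="SECURE-1.7"/></rule>
  <rule><id/>
        <action permission="block"><message>Blocked by policy.</message></action></rule>
</ruleset>"""

# Constructed usage records: (application location, Java version used, run count).
USAGE = [
    ("https://payroll.example.internal/app/payroll.jnlp", "1.6.0_38", 412),
    ("https://crm.example.internal/crm.jnlp", "1.7.0_79", 95),
    ("https://wiki.example.internal/viewer.jnlp", "1.6.0_31", 7),
    ("http://vendor.example.com/tool.jnlp", "1.8.0_45", 3),
]

def location_matches(pattern, url):
    # Simplified matching (assumption): scheme, host with leading "*.", path prefix.
    if pattern is None:
        return True  # an <id/> with no location matches every application
    p, u = urlsplit(pattern), urlsplit(url)
    if p.hostname.startswith("*."):
        host_ok = u.hostname.endswith(p.hostname[1:])
    else:
        host_ok = u.hostname == p.hostname
    return p.scheme == u.scheme and host_ok and u.path.startswith(p.path)

def first_match(rules, url):
    # Rules are evaluated top to bottom; the first matching rule decides.
    for index, rule in enumerate(rules, 1):
        if location_matches(rule.find("id").get("location"), url):
            action = rule.find("action")
            return index, action.get("permission"), action.get("version")
    return None, "default", None

def validate(ruleset_xml, usage):
    rules = ET.fromstring(ruleset_xml).findall("rule")
    report = []
    for url, used, runs in usage:
        index, permission, version = first_match(rules, url)
        # Flag "run" rules that pin a Java family the app was never seen on.
        family = version.replace("SECURE-", "")[:3] if version else None
        mismatch = permission == "run" and bool(family) and not used.startswith(family)
        report.append((url, index, permission, mismatch, runs))
    return report
```

Each tuple from `validate(RULESET, USAGE)` gives the application, the rule that decided, the resulting permission, a version-mismatch flag and the run count. Here the wiki viewer is flagged: it was only seen on Java 6 but falls under the wildcard rule that pins 1.7.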
![Page 15: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/15.jpg)
Advanced Management Console
Desktop Administrator can manage Java at scale.
• Usage Tracking across installations.
– Tracks applications and their location.
– Tracks which Java version was used.
• Deployment Rule Set tool
– Control prompts: run or block.
– Verify against usage tracking.
![Page 16: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/16.jpg)
Protect old versions through DRS.
1. Automate scheduled updates.
2. Collect usage information.
3. Protect old versions through DRS.
![Page 17: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/17.jpg)
Isolating old Java versions
• Do not connect old Java versions to current internet.
– Public: stay with scheduled critical patches of supported versions.
– SE Advanced: provides critical patches for end-of-public-life JREs.
• Control compatibility through Deployment Rule Sets.
– Use old version only for identified applications/users.
| Major Release | GA Date | End of Public Updates Notification | End of Public Updates |
|---|---|---|---|
| 5.0 | May 2004 | Apr 2008 | Oct 2009 |
| 6 | Dec 2006 | Feb 2011 | Feb 2013 |
| 7 | July 2011 | March 2014 | April 2015* |
| 8 | March 2014 | TBD | March 2017* |

http://www.oracle.com/technetwork/java/eol-135779.html
![Page 18: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/18.jpg)
Statically install old versions
• Regular “patch-in-place” of public version.
• Old version must be on system to be used.
– Static Installation keeps it separate.
– Current public version protects older version through DRS.
Only as needed.
http://docs.oracle.com/javase/8/docs/technotes/guides/install/windows_installer_options.html#static_installation
![Page 19: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/19.jpg)
Client Management Best Practices
1. Automate scheduled updates.
2. Collect usage information.
3. Protect old versions through DRS.
![Page 20: JavaCro'15 - Managing Java at Scale Security and Compatibility Applications - Duško Vukmanović](https://reader030.vdocument.in/reader030/viewer/2022032715/55ae60661a28ab48798b457f/html5/thumbnails/20.jpg)
Java SE Advanced
• Same Java.
• Management & Monitoring Tools.
– Help understand/manage client usage.
– Help investigate production software.
• Experienced Support.
– What information applies to this situation?
– What information from the last 19 years does not apply (anymore)?