Java Security Warning on Citrix

With the newer versions of JRE (specifically as it relates to this writing, 1.7_60), the security prompts included have become quite a bit more intrusive. Normally, you can click on the check box to always remember the decision to Run or Allow a Java applet. However, on Citrix this can be difficult if the user’s profile is built out on logon then removed upon logoff. After having searched through Java’s documentation for hours, I was unable to find a way to turn off these prompts globally, either completely, or just for certain signers or codebases. If you know of a way to do this, please let me know. Since I couldn’t find anything, I decided to do it for the user upon logon.

The first warning is the “Run” box. This window asks if you want to run the code by the above signer. After some searching, I discovered that the checkbox imports the signer’s key into the user’s profile. This file is located at C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\6.0\security\trusted.certs. It seems this checkbox is doing more than just importing the certificate. If you import the certificate manually, it still asks you. If you check this box, it won’t ask you again. It is adding the certificate to the trusted.certs file with a specific name. So if you copy this file from a working profile into the folder above of a new user profile, you will not receive the first warning prompt. However, to make this global, you can instead put this file in the C:\Program Files (x86)\Java\jre7\lib\security folder and all users will check that file first. This is also a standard JKS (Java Keystore) file. I used KeyStore Explorer 5.0 to edit the file and add several certificates. When you add them, make sure you use the exact same name that Java creates when you check the box. Just so you know, the default password for this JKS file is blank.
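To review which signers a trusted.certs file pre-trusts before it is copied into a profile or the system-wide security folder, the following Java program (an added example, not from the original post) lists each alias with its subject, issuer, expiry and SHA-256 fingerprint. It assumes the blank store password mentioned above; the class name and the path argument are illustrative.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

/** Added example: lists every signer pre-trusted in a trusted.certs JKS file. */
public class TrustedCertsAudit {

    // Hex-encoded SHA-256 of the DER certificate, for comparison with a known-good value.
    static String sha256Hex(byte[] der) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TrustedCertsAudit <path-to-trusted.certs>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            // Assumption from the post: the store password is blank.
            // load() throws IOException if the integrity check fails with it.
            ks.load(in, new char[0]);
        }
        Date now = new Date();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                System.out.println(alias + " | non-X.509 entry, review manually");
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            String state = now.after(x.getNotAfter()) ? "EXPIRED"
                    : now.before(x.getNotBefore()) ? "NOT-YET-VALID" : "valid";
            System.out.println(alias
                    + " | subject=" + x.getSubjectX500Principal().getName()
                    + " | issuer=" + x.getIssuerX500Principal().getName()
                    + " | notAfter=" + x.getNotAfter()
                    + " | " + state
                    + " | sha256=" + sha256Hex(x.getEncoded()));
        }
    }
}
```

Any alias or fingerprint in the output that does not belong to a signer you deliberately approved is a reason not to deploy the file, since every entry suppresses the “Run” prompt for that signer for all users who read the store.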

The second prompt is the “codebase” and relates to JavaScript and Java working together. This file was a bit more difficult to find, and is in an odd location, but it appears to work. I haven’t tested this with any other applications yet, so your results may vary. When I checked the box for this web application, it created a file under C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\6.0\cache\??\. The file had a GUID for its name and the extension was .lap. The cache directory number appears to never change for the particular application. When I copied this file to the location above on a new profile, the second warning prompt did not come up for that new profile.

I understand there may be a better way to do this, but I was doing this quickly to remove the prompts. For this particular application in Citrix, we just created a batch file that created the directory structure and copied the files then opened up the website. I’ll continue to look for a permanent solution, but I feel that the Sun Java documentation hasn’t caught up with the newer versions just yet. I hope this helps you in a jiffy, and when I find a better way to do it, I’ll post about it.

Note: I need to confirm those paths. I am off this week and doing this from memory. Once I’ve confirmed them, I’ll remove this note.

Update #1 (7/3/14): I corrected the path for the LAP file. Apparently, it changes for each new app, but is always put in the same sub-directory. I also discovered that you can move the trusted.certs file to the system location, not the user, and it works just fine. Edits above. Also, I have concluded that the current version of Java just does NOT allow a way to bypass this yet. In fact, someone found a way, and Oracle fixed the “bug”.

3 thoughts on “Java Security Warning on Citrix”

  1. Great work! I was banging my head on that second prompt. Finally found it in the cache location by trial and error and googled .lap to find your site which confirmed what I found. Why in the world is Oracle putting prompt settings in a cache (appdata\locallow) location! Oracle just doesn’t get it.
