Tuesday, March 8, 2016

Use SCCM to Centrally Manage Java Configuration

Managing Java settings, from site exception lists to trusted certs to which TLS versions to use, has been a major pain in the butt for techs and administrators for a long time.  Using SCCM's Compliance Settings (formerly Desired Configuration Management) we can make fairly quick work of this.

I am going to give you two scripts.  The first one checks the four files against your central store to be sure that what is on the client machine matches the central store (discovery script).  The second script copies the files from your central store to the client machine (remediation script).  The contents of the four Java settings/configuration files are up to you.

Steps to set up your configuration item:
  • Build a configuration item with a compliance rule of type "Script" and data type "String".
  • Copy the scripts into the Discovery Script and Remediation Script areas of your CI.  Both scripts are PowerShell.
  • Put your Java files in a central place that all of your machine accounts have access to read (users don't need access but the machines do).
  • Modify the Discovery Script and Remediation Script in your CI and change the CentralFileLocation variable to point to the location of your files.
  • Add a compliance rule that evaluates as compliant if the value returned by the script = "True All Java files pass all checks."
  • Check the check-box "Run the specified remediation script when this setting is noncompliant"
  • Add the CI to a baseline and deploy the baseline to a collection.  Be sure that in the deployment you have selected "Remediate noncompliant rules when supported".

Discovery Script:

<#
.Synopsis
   Check the files in %windir%\Sun\Java\Deployment against centrally managed files.
.DESCRIPTION
   This script is meant to be used in conjunction with the Copy_JavaSettings.ps1 script to
   manage Java JRE settings from a central location.  This script checks the files on the
   local workstation.  If the files do not match the central repository then Copy_JavaSettings.ps1
   can be used to write the correct files.
   It is suggested that the two files be used together in an SCCM configuration item for checking
   and automated remediation.
   You will need to set $CentralFileLocation to the location of your centrally managed files.
   That should be the only change that you need to make to the script.  It is suggested that
   you use a location in your sysvol as shown in the example.
   Success condition will return "True All Java files pass all checks."
   Failure conditions will return "False " followed by the reason for failure.
#>

function Check-LocalJavaFolder
{
    [OutputType([Boolean],[String])]
    param()
    $Compliant=$false
    $JavaFolderExist=Test-Path $JavaFolder
    #write-host ("Checking Java Folder Existence")
    if ($JavaFolderExist -eq $true)
    {
        $Compliant=$true
        $Problem="Java Folder Exists in $JavaFolder"
    }
    else
    {
        $Compliant=$false
        $Problem='Folder %windir%\Sun\Java\Deployment does not exist.'
    }
    Return $Compliant, $Problem
}

function Check-JavaSettingsFileExist
{
    [OutputType([Boolean],[String])]
    param()
    $Compliant=$false
    $DeploymentConfigFileExist=Test-Path $DeploymentConfigFile
    $DeploymentPropertiesFileExist=Test-Path $DeploymentPropertiesFile
    $ExceptionSitesFileExist=Test-Path $ExceptionSitesFile
    $TrustedCertsFileExist=Test-Path $TrustedCertsFile
    if ($DeploymentConfigFileExist -ne $true)
    {
        $Compliant=$false
        $Problem="$DeploymentConfigFile does not exist."
        Return $Compliant, $Problem
    }
    if ($DeploymentPropertiesFileExist -ne $true)
    {
        $Compliant=$false
        $Problem="$DeploymentPropertiesFile does not exist."
        Return $Compliant, $Problem
    }
    if ($ExceptionSitesFileExist -ne $true)
    {
        $Compliant=$false
        $Problem="$ExceptionSitesFile does not exist."
        Return $Compliant, $Problem
    }
    if ($TrustedCertsFileExist -ne $true)
    {
        $Compliant=$false
        $Problem="$TrustedCertsFile does not exist."
        Return $Compliant, $Problem
    }
    $Compliant=$true
    $Problem='All managed files exist.'
    Return $Compliant, $Problem
}

function Check-JavaSettingsFileSizes
{
    [OutputType([Boolean],[String])]
    param()
    $Compliant=$false
    $DeploymentConfigFileSize=(Get-Item $CentralDeploymentConfigFile).length
    $DeploymentConfigLocalFileSize=(Get-Item $DeploymentConfigFile).Length
    if ($DeploymentConfigLocalFileSize -ne $DeploymentConfigFileSize)
    {
        $Compliant=$false
        $Problem="$DeploymentConfigFile file size is not correct."
        Return $Compliant, $Problem
    }
    $DeploymentPropertiesFileSize=(Get-Item $CentralDeploymentPropertiesFile).length
    $DeploymentPropertiesLocalFileSize=(Get-Item $DeploymentPropertiesFile).Length
    if ($DeploymentPropertiesLocalFileSize -ne $DeploymentPropertiesFileSize)
    {
        $Compliant=$false
        $Problem="$DeploymentPropertiesFile file size is not correct."
        Return $Compliant, $Problem
    }
    $ExceptionSitesFileSize=(Get-Item $CentralExceptionSitesFile).length
    $ExceptionSitesLocalFileSize=(Get-Item $ExceptionSitesFile).Length
    if ($ExceptionSitesLocalFileSize -ne $ExceptionSitesFileSize)
    {
        $Compliant=$false
        $Problem="$ExceptionSitesFile file size is not correct."
        Return $Compliant, $Problem
    }
    $TrustedCertsFileSize=(Get-Item $CentralTrustedCertsFile).length
    $TrustedCertsLocalFileSize=(Get-Item $TrustedCertsFile).Length
    if ($TrustedCertsLocalFileSize -ne $TrustedCertsFileSize)
    {
        $Compliant=$false
        $Problem="$TrustedCertsFile file size is not correct."
        Return $Compliant, $Problem
    }
    $Compliant=$true
    $Problem='All managed files are correct size.'
    Return $Compliant, $Problem
}

function Check-JavaSettingsFileDates
{
    [OutputType([Boolean],[String])]
    param()
    $Compliant=$false
    # Compare last-write timestamps.  Copy-Item preserves LastWriteTime, so a
    # correctly remediated local file carries the same date as the central copy.
    $DeploymentConfigFileDate=(Get-Item $CentralDeploymentConfigFile).LastWriteTime
    $DeploymentConfigLocalFileDate=(Get-Item $DeploymentConfigFile).LastWriteTime
    if ($DeploymentConfigLocalFileDate -ne $DeploymentConfigFileDate)
    {
        $Compliant=$false
        $Problem="$DeploymentConfigFile file date is not correct."
        Return $Compliant, $Problem
    }
    $DeploymentPropertiesFileDate=(Get-Item $CentralDeploymentPropertiesFile).LastWriteTime
    $DeploymentPropertiesLocalFileDate=(Get-Item $DeploymentPropertiesFile).LastWriteTime
    if ($DeploymentPropertiesLocalFileDate -ne $DeploymentPropertiesFileDate)
    {
        $Compliant=$false
        $Problem="$DeploymentPropertiesFile file date is not correct."
        Return $Compliant, $Problem
    }
    $ExceptionSitesFileDate=(Get-Item $CentralExceptionSitesFile).LastWriteTime
    $ExceptionSitesLocalFileDate=(Get-Item $ExceptionSitesFile).LastWriteTime
    if ($ExceptionSitesLocalFileDate -ne $ExceptionSitesFileDate)
    {
        $Compliant=$false
        $Problem="$ExceptionSitesFile file date is not correct."
        Return $Compliant, $Problem
    }
    $TrustedCertsFileDate=(Get-Item $CentralTrustedCertsFile).LastWriteTime
    $TrustedCertsLocalFileDate=(Get-Item $TrustedCertsFile).LastWriteTime
    if ($TrustedCertsLocalFileDate -ne $TrustedCertsFileDate)
    {
        $Compliant=$false
        $Problem="$TrustedCertsFile file date is not correct."
        Return $Compliant, $Problem
    }
    $Compliant=$true
    $Problem='All managed files have correct dates.'
    Return $Compliant, $Problem
}


$CentralFileLocation="\\domain.com\sysvol\domain.com\Java"
$WindowsFolder=$env:windir
$JavaFolder="$WindowsFolder\Sun\Java\Deployment"
$DeploymentConfigFile=$JavaFolder+"\deployment.config"
$DeploymentPropertiesFile=$JavaFolder+"\deployment.properties"
$ExceptionSitesFile=$JavaFolder+"\exception.sites"
$TrustedCertsFile=$JavaFolder+"\trusted.certs"
$CentralDeploymentConfigFile=$CentralFileLocation+"\deployment.config"
$CentralDeploymentPropertiesFile=$CentralFileLocation+"\deployment.properties"
$CentralExceptionSitesFile=$CentralFileLocation+"\exception.sites"
$CentralTrustedCertsFile=$CentralFileLocation+"\trusted.certs"
$Compliant=$false
$Problem='Compliant'

clear-host
$Compliance=(Check-LocalJavaFolder)
# Each check returns ($Compliant, $Problem); element 0 is the Boolean result.
if ($Compliance[0] -eq $true)
{
    $Compliance=(Check-JavaSettingsFileExist)
}
if ($Compliance[0] -eq $true)
{
    $Compliance=(Check-JavaSettingsFileSizes)
}
if ($Compliance[0] -eq $true)
{
    $Compliance=(Check-JavaSettingsFileDates)
}
if ($Compliance[0] -eq $true)
{
    $Compliance=($true, "All Java files pass all checks.")
}
# Write-Host joins the array with a space, producing the single line the
# compliance rule compares against, e.g. "True All Java files pass all checks."
write-host $Compliance
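
The discovery script above compares existence, size and date, which a same-size edit to exception.sites or trusted.certs would pass. The following is an added example (not the post's script) of a discovery check that compares file content by SHA-256 against the central copy and reports with the same "True ..." / "False ..." convention, so it drops into the same CI rule. It assumes PowerShell 4.0 or later (for Get-FileHash) and the same central share layout; the share path is the post's placeholder.

```powershell
# Added example: content-hash discovery check for the four managed Java files.
# Assumes PowerShell 4.0+ (Get-FileHash) and the post's share layout.
$CentralFileLocation = "\\domain.com\sysvol\domain.com\Java"   # placeholder
$JavaFolder          = "$env:windir\Sun\Java\Deployment"
$ManagedFiles        = @('deployment.config', 'deployment.properties',
                         'exception.sites', 'trusted.certs')

function Test-ManagedJavaFiles
{
    # Returns ($Compliant, $Problem), matching the post's convention.
    if (-not (Test-Path -LiteralPath $JavaFolder -PathType Container))
    {
        return $false, "Folder $JavaFolder does not exist."
    }
    foreach ($Name in $ManagedFiles)
    {
        $Central = Join-Path $CentralFileLocation $Name
        $Local   = Join-Path $JavaFolder $Name
        if (-not (Test-Path -LiteralPath $Central -PathType Leaf))
        {
            # An unreadable central copy is reported, never silently passed.
            return $false, "Central file $Central is not readable."
        }
        if (-not (Test-Path -LiteralPath $Local -PathType Leaf))
        {
            return $false, "$Local does not exist."
        }
        $CentralHash = (Get-FileHash -LiteralPath $Central -Algorithm SHA256).Hash
        $LocalHash   = (Get-FileHash -LiteralPath $Local   -Algorithm SHA256).Hash
        if ($LocalHash -ne $CentralHash)
        {
            return $false, "$Local content does not match the central copy."
        }
    }
    return $true, "All Java files pass all checks."
}

$Compliance = Test-ManagedJavaFiles
# One line, e.g. "True All Java files pass all checks.", for the CI rule to compare.
Write-Host ($Compliance -join ' ')
```

Because the rule string is unchanged, this can replace the discovery script in the CI without touching the compliance rule or the remediation script.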



Remediation Script:


<#
.Synopsis
    Copies files used for centralized management of Java JRE from central location to local workstation.
.DESCRIPTION
   This script will copy the centrally managed Java config files from a
   central repository (defined by $CentralFileLocation) to %windir%\Sun\Java\Deployment.
   You will need to set $CentralFileLocation to the location of your centrally managed files.
   That should be the only change that you need to make to the script.  It is suggested that
   you use a location in your sysvol as shown in the example.
#>

$CentralFileLocation="\\domain.com\sysvol\domain.com\Java"
$WindowsFolder=$env:windir
$JavaFolder="$WindowsFolder\Sun\Java\Deployment"
$DeploymentConfigFile=$JavaFolder+"\deployment.config"
$DeploymentPropertiesFile=$JavaFolder+"\deployment.properties"
$ExceptionSitesFile=$JavaFolder+"\exception.sites"
$TrustedCertsFile=$JavaFolder+"\trusted.certs"
$CentralDeploymentConfigFile=$CentralFileLocation+"\deployment.config"
$CentralDeploymentPropertiesFile=$CentralFileLocation+"\deployment.properties"
$CentralExceptionSitesFile=$CentralFileLocation+"\exception.sites"
$CentralTrustedCertsFile=$CentralFileLocation+"\trusted.certs"

#Build the path one level at a time - if a level doesn't exist then create it
foreach ($PathPart in @("$WindowsFolder\Sun", "$WindowsFolder\Sun\Java", "$WindowsFolder\Sun\Java\Deployment"))
{
    $JavaFolderExist=Test-Path $PathPart
    if ($JavaFolderExist -eq $false) {New-Item $PathPart -type directory}
}
$JavaFolder="$WindowsFolder\Sun\Java\Deployment"

Clear-Host

#clear any contents that might already be there
Get-ChildItem -Path $JavaFolder -Include *.* -File -Recurse | foreach { $_.Delete()}

#Drop in our configuration files
Copy-Item -path $CentralDeploymentConfigFile -destination $DeploymentConfigFile
Copy-Item -path $CentralDeploymentPropertiesFile -destination $DeploymentPropertiesFile
Copy-Item -path $CentralExceptionSitesFile -destination $ExceptionSitesFile
Copy-Item -path $CentralTrustedCertsFile -destination $TrustedCertsFile
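
The remediation script deletes the local files before it copies, so a client that loses the share mid-run is left with no Java configuration at all. Below is an added example (not the post's script) of a remediation that checks every central file is readable first, stages the copies in a local temporary folder, and only then clears and repopulates the Deployment folder. It keeps the post's behaviour of clearing the folder and assumes the same share layout; the share path is the post's placeholder.

```powershell
# Added example: fail-safe remediation for the four managed Java files.
# Assumes the post's share layout; nothing local is changed unless the
# central copies were read successfully.
$CentralFileLocation = "\\domain.com\sysvol\domain.com\Java"   # placeholder
$JavaFolder          = "$env:windir\Sun\Java\Deployment"
$ManagedFiles        = @('deployment.config', 'deployment.properties',
                         'exception.sites', 'trusted.certs')

function Sync-ManagedJavaFiles
{
    # 1. Verify the source before touching the client.
    $Missing = $ManagedFiles | Where-Object {
        -not (Test-Path -LiteralPath (Join-Path $CentralFileLocation $_) -PathType Leaf)
    }
    if ($Missing)
    {
        # Keeping the old files is safer than leaving Java unconfigured.
        throw "Central share is missing: $($Missing -join ', '). Nothing changed."
    }

    # 2. Stage the copies locally so a network failure mid-copy cannot leave
    #    a half-replaced folder.
    $Staging = Join-Path $env:TEMP ("JavaCfg-" + [guid]::NewGuid().ToString())
    New-Item -Path $Staging -ItemType Directory -Force | Out-Null
    try
    {
        foreach ($Name in $ManagedFiles)
        {
            Copy-Item -LiteralPath (Join-Path $CentralFileLocation $Name) `
                      -Destination (Join-Path $Staging $Name) -ErrorAction Stop
        }

        # 3. -Force creates Sun\Java\Deployment in one call, parents included.
        New-Item -Path $JavaFolder -ItemType Directory -Force | Out-Null

        # 4. Only now clear the folder (as the post does) and move the staged
        #    files in; Move-Item keeps the central copy's LastWriteTime.
        Get-ChildItem -Path $JavaFolder -File -Recurse | Remove-Item -Force
        foreach ($Name in $ManagedFiles)
        {
            Move-Item -LiteralPath (Join-Path $Staging $Name) `
                      -Destination (Join-Path $JavaFolder $Name) -ErrorAction Stop
        }
    }
    finally
    {
        Remove-Item -LiteralPath $Staging -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Sync-ManagedJavaFiles
```

If the share is unreachable the function throws and the CI reports the remediation failure, while the existing local files stay in place for the next evaluation cycle.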
