Virtualizing Java with Symantec Workspace Virtualization

A fairly common virtualization scenario in Enterprise environments is to virtualize Java applications. Typically this need arises because there are older Java applications that require very specific versions of Java, and often these versions of Java do not work very well with newer versions. There are ways that applications can be designed to resolve these issues, but many times the software is from a third-party, and the problems cannot be solved using these traditional methods.

In this example scenario, we have two Java applets, creatively named Application_1 and Application_2. These applets require Java v1.4.2_08 and v1.4.2_13 respectively. To complicate the situation, we cannot guarantee which version of Java may be installed traditionally. To simulate this, we will install Java 1.5.0_07 traditionally.

Installing Java

The first step in setting up this scenario is installing Java. It is important to install the Java Runtime Environment virtually prior to installing it traditionally in order to avoid conflicts. (The installer may notice that JRE 1.5 is installed and behave differently.) As with most "packaging" activities, this should ideally be done on a completely clean machine.

The command-line instructions that I use to do this are listed below. Each installer launches in interactive mode, and I choose the typical install option. In a real-world packaging scenario I would likely install these in a silent mode to guarantee the repeatability of the operation.

1. Install Java Runtime Environment 1.4.2_08 virtually.
   svscmd.exe "JRE 1.4.2_08" capture -p j2re-1_4_2_08-windows-i586-p.exe
   svscmd.exe "JRE 1.4.2_08" deactivate -f
2. Install Java Runtime Environment 1.4.2_13 virtually.
   svscmd.exe "JRE 1.4.2_13" capture -p j2re-1_4_2_13-windows-i586-p.exe
   svscmd.exe "JRE 1.4.2_08" deactivate -f
3. Install Java Runtime Environment 1.5.0_07 traditionally.
   jre-1_5_0_07-windows-i586-p.exe

Installing Java Applications

For this part of the example scenario, I don't actually have two Java applications to work with, so I created a couple of applets from scratch. In a real-world scenario, the installation of these applications would be in the same manner as used in the previous section. For my purposes here, I will set up my sample applications manually.

As mentioned above, I have two sample Java applets to use in these layers. The source files for Application_1 are found in Figures 1 and 2. Application_2 is identical, but renamed as appropriate. Each of the .java files are compiled into .class files as referenced by the .html file for each applet.

<HTML>
<Head><Title>Application 1</Title></Head>
<Body>
<Applet Code="Application_1.class" width="150" height="50"></Applet>
</Body>
</HTML>

public class Application_1 extends java.applet.Applet
{
    public void paint( java.awt.Graphics g )
    {
        g.drawString( System.getProperty( "java.version" ), 50, 25 );
        System.out.println( System.getProperty( "java.version" ) );
    }
}

For our purposes, we create two layers, named "Application_1" and "Application_2", and copy the .html and .class files for each application into their respective layers in the [COMMONDESKTOP] directory.

Configuring Virtual Layers

Each Java application will depend on its preferred version of Java, and therefore should find that version of Java before it finds others. There are two classes of problems that arise in this kind of situation: 1) two applications are involve that use the same files / registry keys and simply need to be ordered correctly so that they find their preferred settings before other settings, and 2) two applications use different files / registry keys and the application is aware of both sets. Depending on the versions of Java involved, either or both of these situations could be occurring. In our example case, we have both: the two versions of JRE 1.4.2 use identical registry keys, while the JRE 1.5.0 uses a slightly different set of keys.

To solve the first kind of application conflict we will use a feature of SWV called dependent layers. Each Java application will depend on its preferred Java layer. This has two primary effects. First, starting the Application_1 layer will also start the JRE 1.4.2_08 layer because of the dependency. Second, when layers and the base are overlaid on top of each other, Application_1 will find settings existing in the JRE 1.4.2_08 layer before it finds settings in other layers (that are named the same).

svscmd.exe Application_1 depends -add "JRE 1.4.2_08"

svscmd.exe Application_2 depends -add "JRE 1.4.2_13"

The second kind of application conflict is a little more complicated to solve. We need to prevent each of our Java applications from seeing the Java in the base. To implement this we need to add an "isolation rule" to each of the application layers. This must be done by editing the registry. Each layer stores its settings in a registry key similar to the ones below. The exact number on the end of the key name will depend on your exact system.

If you run the command "svscmd.exe enum -v" you will notice that each layer has an entry called "Redirect Locations" which specifies the location of the redirect areas for the read-only and read-write sublayers. We are going to add the rules to the read-only sublayer. Create a Multi-String registry value named "IsolationRules" in each of the layers. Each isolation rule occupies a single line in the multi-string, and has a general form of "Processes named x running from layer x are blocked from accessing objects named (x,x,x) found in layer x." The individual fields within the rule are separated with a tab character. (You won't be able to create them directly in regedit, but can create them in notepad and then paste them into regedit.) The rules that we create for our two layers look like the following.

HKEY_LOCAL_MACHINE\SYSTEM\Altiris\FSL\5

IsolationRules (REG_MULTI_SZ) = "*\iexplore.exe<tab>a1d043ef-cc6a-4d4a-bbd6-689fcf81727c<tab>0x0002<tab>\REGISTRY\USER\S-1-5*\Software\Classes\CLSID\{CAFEEFAC*<tab>*<tab>BASE"

HKEY_LOCAL_MACHINE\SYSTEM\Altiris\FSL\7

IsolationRules (REG_MULTI_SZ) = "*\iexplore.exe<tab>1ea7e72d-e414-4eb9-aa53-57b5123751b7<tab>0x0002<tab>\REGISTRY\USER\S-1-5*\Software\Classes\CLSID\{CAFEEFAC*<tab>*<tab>BASE"

So examining the first one and explaining it in English, the rule is that "processes named iexplore.exe (running from any path) running from layer ID a1d043ef-cc6a-4d4a-bbd6-689fcf81727c cannot see registry keys (that's what the 0x0002 flag indicates) named HKU\S-1-5*\Software\Classes\CLSID\{CAFEEFAC* and values named * found in the BASE." This is all pretty complicated, but fortunately it's exactly what we need to prevent our application from seeing the Java 1.5 registry keys in the base.

Now there's just one last thing remaining to figure out. We have to get the Internet Explorer process that is going to display our applet to run from the appropriate layer. For the purposes of this example, a simple batch file that executes IE from the layers is sufficient.

 
@"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Documents and Settings\All Users\Desktop\Application_1.html"

@"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Documents and Settings\All Users\Desktop\Application_2.html"

@Echo off
setlocal
svscmd.exe Application_1 a
svscmd.exe Application_2 a
svscmd.exe Application_1 exec -p launchApplication1.cmd -nowait
svscmd.exe Application_2 exec -p launchApplication2.cmd -nowait
endlocal

Obviously for a real-world scenario, something a bit more complicated is required. There is a more advanced feature in Software Virtualization that we can use to accomplish this: Auto-Run-From-Layer. This feature allows us to specify a certain set of patterns that define a kind of process that should automatically be made to run from a specified layer. In this case, I want to create a rule that says "when a process named iexplore.exe is launched by any parent process with the string Application_1 on the command-line then add that process to the layer."

HKEY_LOCAL_MACHINE\SYSTEM\Altiris\FSL\5

AutoRunFromLayer (REG_MULTI_SZ) = "*\iexplore.exe<tab>*<tab>*Application_1*"

HKEY_LOCAL_MACHINE\SYSTEM\Altiris\FSL\7

AutoRunFromLayer (REG_MULTI_SZ) = "*\iexplore.exe<tab>*<tab>*Application_2*"

In some real-world scenarios we have seen Java applications that launch an applet in Internet Explorer using WMI. In these cases, we could replace the second field "*" in these values with a process name pattern, such as "*wmiprvse.exe".

Note that the user interface in SVSAdmin currently only allows the first field to be set, giving you a rule where the extra fields default to "*", such as "[_B_]WINDIR[_E_]\notepad.exe<tab>*<tab>*". A more advanced rule that specifies all the fields can be specified on the command-line via SVSCmd.

Additional Notes

In creating and resolving this scenario, I ran into a few interesting problems that are worth mentioning here. First, a note about the keys to making the technique work. The two major points that must be right in order for this technique to work are (1) that you are blocking the correct keys from being accessed by the application, and (2) that the process is running from the correct context (i.e., the layer). To ensure the former, I found myself several times creating an isolation rule identical to the one I was trying to use for iexplore.exe, but for reg.exe. Then I would activate the layer, run a "reg query" command to see if the key was being blocked correctly, and adjust my isolation rule accordingly. To ensure the latter, one method is to try to deactivate the layer while the application you are concerned with is still running. If it's running from the layer, you will be prompted to end the process when you try to deactivate the layer. If the layer just deactivates without prompting, then the process is not running from the layer correctly.

Another interesting problem that I encountered during this process was that if your settings are configured incorrectly, when the Java plug-in starts in Internet Explorer it will re-write all its registry settings. This means that if the iexplore process is running from the layer, but the registry isolation is not correct, Java will write all its 1.5 settings into your Java 1.4 application layer. You can resolve this condition by resetting the layer. (I had to do this a number of times while developing my layers and getting just the right settings.)

Another good question is how to determine which registry keys to block for a specific scenario. This can be a little painful, but what I do is use a tool like Process Monitor from Microsoft (formerly from Sysinternals) to see what keys the application is accessing. I search within a log for something that indicates Java version; e.g., in this case I search for "1.5" and see where iexplore is reading some 1.5 settings from. Then I can block those keys. A second way to narrow this down is to create a broad block, say for "\REGISTRY\USER\*" and see what happens. Then modify the rule to block the next layer down, and so on, narrowing down what makes the application behave the way you want it to.

One final problem that I encountered in one test was that the Java applets I had built were compiled with the JDK 1.5. This created applications that were targeted for 1.5, and would not run with the 1.4 I had configured with my isolation rules. There are some pages on the web about figuring out what version a .class file is configured to use that can help you out if you suspect this may be the case.

Attached is below is a .docx version of this article