The Java Control Panel is a multipurpose control panel. It allows you to view and set a wide range of parameters controlling how, or if, Java technology runs on your computer. It lets you view and delete temporary files used by the Java Plug-in, which allows Java technology to be used by your Web browser to run applets; and Java Web Start, which allows you to run Java applications over the network. It allows you to control certificates, making it safe to run applets and applications over the network. It allows you to set runtime parameters for applets that run with Java Plug-in and applications that run with Java Web Start. It provides a mechanism for updating your version of the Java platform so that you always have the latest Java Runtime Environment (JRE). And it allows you to set options for debugging, applet handling, etc. The Java Control Panel includes the following separately viewable panels:
Contents
The General panel looks like this:
It includes three subpanels: About, Network Settings, and Temporary Internet Files. As of the JDK 7u10 release, this panel also informs you whether Java is enabled in the browser. This setting is controlled in the Security panel.
The About... button displays version information for the latest JRE installed on the computer.
These settings are for network connections. Press the Network Settings... button to get the Network Settings dialog. There are four choices:
Check this to use the browser default proxy settings. This is the default setting (checked).
You have two choices here:
You can specify the location (URL) for the JavaScript file (.js
or .pac extension) that contains the FindProxyForURL
function. FindProxyForURL
has the logic to determine
the proxy server to use for a connection request.
Select this for situations where you do not want to use a proxy.
You can do the following:
On Microsoft Windows platforms, the Update panel looks like this:
The Update panel, in conjunction with the Java
Update Scheduler (jusched.exe
), is used to provide the
latest Java updates to the end user.
Note: This panel is only available on Microsoft Windows and Mac OS X and only for users with Administrative privileges. On Microsoft Windows, if both the 32-bit and 64-bit versions of Java are installed, this panel is not available. In this event, you have to launch the Java Control Panel directly from the 32-bit directory command line (C:\Program Files (x86)\Java\jre7\bin\javacpl.exe).
There are two basic options on the Update tab:
Automatic update is performed on a scheduled basis and it is selected by checking the Check for Updates Automatically check box.
Manual update is performed by pressing the Update Now button.
If you select automatic update, you can then set the notification via the Notify Me: drop-down menu, and you can set the update schedule via the Advanced... button.
With notification, you can chose to be notified before an update is downloaded and before it is installed; or you can chose to be notified only before an update is installed (i.e., the download is automatic).
The Advanced... allows you to select the desired frequency for updates: daily, weekly, or monthly (default). For daily updates, you can select the time of the day for the update. For weekly updates, you can select the day of the week and the time of the day. For monthly updates, you can select the day of the week and the time of the day. Monthly updates check weekly and notify you within 30 days that an update is available, however, if an update is considered critical you are notified within a week of its release.
You can do manual updates at any time by pressing the Update Now button. This allows you to do immediate, unscheduled updates.
On Microsoft Windows platforms, the Java Update Scheduler (jusched.exe
) is used for
launching automatic updates when Update Automatically is
selected in the Update tab. jusched.exe
runs as a
background process that launches the Update Manager at predefined
intervals set by the user through the Advanced... button of
the Update tab. The Update Manager coordinates the update
process.
jusched.exe
is launched when the user reboots the
computer after installing the SDK/JRE. It is normally transparent
to the user but can be viewed in the Processes tab of the Windows
Task Manager. Should a user for some reason not want the scheduler
to run, it can be killed via End Process button of the
Processes tab.
The Java panel looks like this:
Click the View... button to access the Java Runtime Environment Settings dialog.
These settings will be used when a Java application is launched. The Java Runtime Environment Settings dialog looks like the following on Microsoft Windows:
Each row in the Java Runtime Versions panel represents a Java Runtime Environment that is installed in your computer. You may modify the value in each cell by double-clicking it:
Click the Find button to launch the JRE Finder. This utility searches for unregistered private Java Runtime Environments installed in your computer and adds them to the Java Runtime Versions panel.
Click the Add button to manually add a Java Runtime Environment to the Java Runtime Versions panel. When you click the Add button, a new row appears in the Java Runtime Versions panel; however, there are no values for Platform, Product, Path, Runtime Parameters, and Enabled; you must specify them yourself.
Click the Remove button to remove the selected Java Runtime Environment from the Java Runtime Versions panel.
Notes
There will always be at least one entry. It will be the most recently installed JRE; i.e., the JRE associated with the Java Control Panel.
Microsoft Windows will show all JREs installed on a computer. The Java Control Panel finds the JREs by looking in the registry. On Unix, the situation is different. There is no registry so there is no easy way to find the JREs that a user may have installed. The JRE that Java Web Start or Java Plug-in is using to deploy applications is the JRE that is considered registered. Consequently, use the Find, Add, and Remove buttons to change which JREs are listed in the Java Runtime Environments panel. On Mac OS X, only the currently installed JRE is displayed, JDKs are not included.
For Unix, only version 5.0 or higher should be added. For Microsoft Windows, where all JREs are found in the registry, version 1.3.1 or higher will be displayed.
Assume you are running on Microsoft Windows with Microsoft Internet Explorer, have first installed version 1.4.2, then version 5.0, and you want to run 1.4.2.
j2re1.4.2\bin
directory where JRE 1.4.2
was installed. On a Windows default installation, this would be
here: C:\Program Files\Java\j2re1.4.2\bin
jpicpl32.exe
file located there.
It will launch the control panel for 1.4.2.APPLET
tags.You can add a JRE by pressing Add and specifying its location (see notes above).
For Window and Unix you can optionally set Java Runtime Settings for the JRE.
You can override the Java Plug-in default startup parameters by
specifying custom options in the Java Runtime Parameters field.
With the exception of setting classpath
and cp
,
the syntax is the same as used with parameters to the java
command line invocation. See the java launcher for a full list of
command line options:
java launcher: Windows, Solaris and Linux.
Below are some examples of Java runtime parameters.
The following format should be used for setting
classpath
and cp
in Java Plug-in. It
differs slightly from the java
command line format,
which uses a space instead of the equal (=
) sign.
-classpath=<path> -cp=<path>
Enabling and disabling assertion support
To enable assertion support, the following system property must be specified in the Java Runtime Parameters:
-[ enableassertions | ea ][:<package name>"..." | : <class name> ]
To disable assertion in the Java Plug-in, specify the following in the Java Runtime Parameters:
-[ disableassertions | da ][:<package name>"..." | : <class name> ]
Assertion is disabled in Java Plug-in code by default. Since the effect of assertion is determined during Java Plug-in startup, changing assertion settings in the Java Plug-in Control Panel will require a browser restart in order for the new settings to take effect.
Because Java code in Java Plug-in also has built-in assertion, it is possible to enable the assertion in Java Plug-in code through the following:
-[ enableassertions | ea ]:sun.plugin
Tracing and logging support
Tracing is a facility to redirect any output in the Java Console
to a trace file (.plugin<version>.trace
).
-Djavaplugin.trace=true -Djavaplugin.trace.option=basic|net|security|ext|liveconnect
If you do not want to use the default trace file name:
-Djavaplugin.trace.filename=<tracefilename>
Similar to tracing, logging is a facility to redirect any output
in the Java Console to a log file
(.plugin<version>.log
) using the Java Logging
API. Logging can be turned on by enabling the property
javaplugin.logging
.
-Djavaplugin.logging=true
If you do not want to use the default log file name, enter:
-Djavaplugin.log.filename=<logfilename>
Furthermore, if you do not want to overwrite the trace and log files each session, you can set the property:
-Djavaplugin.outputfiles.overwrite=false
If the property is set to false
, then trace and log
files will be uniquely named for each session. If the default trace
and log file names are used, then the files would be named as
follows
.plugin<username><date hash code>.trace .plugin<username><date hash code>.log
Tracing and logging set through the Control Panel will take effect when the Plug-in is launched, but changes made through the Control Panel while a Plug-in is running will have no effect until a restart.
Debugging applets in Java Plug-in
The following options are used when debugging applets in the Java Plug-in.
-Djava.compiler=NONE -Xnoagent -Xdebug -Xrunjdwp:transport=dt_shmem,address=<connect-address>,server=y,suspend=n
The <connect-address>
can be any string
(example: 2502
) which is used by the Java Debugger
(jdb
) later to connect to the JVM
Default connection timeout
When a connection is made by an applet to a server and the server doesn't respond properly, the applet may appear to hang and may also cause the browser to hang, since by default there is no network connection timeout.
To avoid this problem, Java Plug-in 1.4 has added a default network timeout value (2 minutes) for all HTTP connections. You can override this setting in the Java Runtime Parameters:
-Dsun.net.client.defaultConnectTimeout=<value in milliseconds>
Another networking property that you can set is
sun.net.client.defaultReadTimeout
.
-Dsun.net.client.defaultReadTimeout=<value in milliseconds>
Note
Java Plug-in does not set
sun.net.client.defaultReadTimeout
by default. If you
want to set it, do so through the Java Runtime Parameters as shown
above.
Networking properties description:
sun.net.client.defaultConnectTimeout sun.net.client.defaultReadTimeout
These properties specify, respectively, the default connect and
read timeout values for the protocol handlers used by
java.net.URLConnection
. The default value set by the
protocol handlers is -1
, which means there is no
timeout set.
sun.net.client.defaultConnectTimeout
specifies the
timeout (in milliseconds) to establish the connection to the host.
For example, for http connections it is the timeout when
establishing the connection to the http server. For ftp connections
it is the timeout when establishing the connection to ftp
servers.
sun.net.client.defaultReadTimeout
specifies the
timeout (in milliseconds) when reading from an input stream when a
connection is established to a resource.
For the official description of these properties, see Networking Properties.
As of the JDK 7u45 release, the Security panel looks like this:
De-selecting the Enable Java content in the browser option, which is selected by default, will prevent any Java application from running in the browser.
When the Enable Java content in the browser option is selected, the Security Level slider becomes available. Depending on the security level and the type of application, one of the following actions is taken:
Applications are either privileged, which request permissions to access resources on your system, or sandbox, which run in the security sandbox. Applications can be signed with a certificate from a trusted certificate authority, self-signed, or unsigned.
The default security level setting is High. The available settings are:
Very High - The following table shows how the different types of applications are handled when the security level is set to Very High
.
Type of Application | Signed | Self-Signed | Unsigned |
---|---|---|---|
Privileged | Prompt | Block | Invalid |
Sandbox | Prompt | Block | Block |
If your JRE is out of date, you are given an option to update. To download the latest version of Java, go to java.com.
If the certificate used to sign the application is revoked, expired, or the revocation status of the certificate cannot be checked, the application is blocked.
High - The following table shows how the different types of applications are handled when the security level is set to High
.
Multi-click indicates that you must respond to more than one prompt or option to run the application.
Type of Application | Signed | Self-Signed | Unsigned |
---|---|---|---|
Privileged | Prompt | Block | Invalid |
Sandbox (JRE at or above baseline) | Prompt | Prompt (multi-click) | Prompt (multi-click) |
Sandbox (JRE below baseline) | Prompt | Block | Block |
If your JRE is out of date, you are given an option to update.
If the certificate used to sign the app is expired, or the revocation status of the certificate cannot be checked, you are prompted to accept the risk of running the application. If the certificate has been revoked, the app is blocked.
Medium - The following table shows how the different types of applications are handled when the security level is set to Medium
.
Multi-click indicates that you must respond to more than one prompt or option to run the application.
Type of Application | Signed | Self-Signed | Unsigned |
---|---|---|---|
Privileged | Prompt | Block | Invalid |
Sandbox (JRE at or above baseline) | Prompt | Prompt (multi-click) | Prompt (multi-click) |
If your JRE is out of date, you are given an option to update.
If the certificate used to sign the app is expired, or the revocation status of the certificate cannot be checked, the user is prompted to accept the risk of running the application. If the certificate has been revoked, the app is blocked.
The Security Level setting affects plug-in applets, Java Web Start applications, embedded JavaFX applications, and access to the native deployment toolkit plug-ins. This setting does not affect stand alone Java applications.
For more information, see Setting the Security Level of the Java Client.
If an active deployment rule set is installed on the system, the link View the active Deployment Rule Set is shown before the Manage Certificates button. Click the link to view the rule set. When a rule set is available, the rules determine if a RIA is run without security prompts, run with security prompts, or blocked. For more information on deployment rules, see Deployment Rule Set. For more information on security prompts, see Security Dialogs.
An option to hide a prompt in the future is included in some security prompts that are shown when an application starts. To insure the continued security of your system, it is recommended that you periodically restore the prompts that were hidden. Seeing the prompts again provides an opportunity to review the applications and ensure that you still want them to run.
To restore the prompts that were previously hidden, click Restore Security Prompts. When asked to confirm the selection, click Restore All. The next time an application is started, the security prompt for that application is shown.
Click Manage Certificates to get the Certificates dialog, which looks like this:
It handles both User- and System-Level (enterprise-wide) certificates of the following types:
These are certificates for signed applets and applications that are trusted.
These are certificates for secure sites.
These are certificates of Certificate Authorities (CAs) for Trusted Certificates; Certificate Authorities are the ones who issue the certificates to the signers of Trusted Certificates.
These are certificates of Certificate Authorities (CAs) for secure sites; Certificate Authorities are the ones who issue the certificates for secure sites.
These are certificates for a client to authenticate itself to a server.
For Trusted, Secure site, and Client Authentication certificates, there are four options: Import, Export, Remove, and Details. The user can import, export, remove, and view the details of a certificate.
For Signer CA and Secure site CA, there is only one option: Details. The user can only view the details of a certificate.
The default locations of the of the keystore
files
for Unix and Windows are as follows:
Operating System | Location |
---|---|
Unix | ${user.home}/.java/deployment/security |
Microsoft Windows |
|
For instance, on Microsoft Windows 7, the default location of the
keystore
files for user jsmith
would be
as follows:
C:\Users\jsmith\AppData\LocalLow\Sun\Java\Deployment\security
For non-default locations of the certificate
keystore
files, specify them in the
User-Level deployment.properties file
with the following
property names:
Certificate Type | Property Name |
---|---|
Trusted Certificates | deployment.user.security.trusted.certs |
Secure site | deployment.user.security.trusted.jssecerts |
Signer CA | deployment.user.security.trusted.cacerts |
Secure site CA | deployment.user.security.trusted.jssecacerts |
Client Authentication | deployment.user.security.trusted.clientcerts |
For System-Level certificates, the only options a user has are Export and Details.
Trusted, Secure Site, and Client Authentication certificate
keystore
files do not exist by default. Thus there are
no default locations for them.
The default location for the Signer CA keystore is:
Operating System | Location |
---|---|
Unix | $JAVA_HOME/lib/security/cacerts |
Microsoft Windows |
|
The default location for the Secure Site CA keystore is:
Operating System | Location |
---|---|
Unix | $JAVA_HOME/lib/security/jssecacerts |
Microsoft Windows |
|
The location of the keystore
files for the various
types of certificates can also be set in a System-Level
deployment.properties
file, if it exists. (The
System-Level deployment.properties
file does not exist
by default. It is specified in a deployment.config
file. See System-Level
deployment.properties file
.)
The following properties may be specified:
Certificate Type | Property Name |
---|---|
Trusted Certificates | deployment.system.security.trusted.certs |
Secure site | deployment.system.security.trusted.jssecerts |
Signer CA | deployment.system.security.trusted.cacerts |
Secure site CA | deployment.system.security.trusted.jssecacerts |
Client Authentication |
deployment.system.security.trusted.clientcerts |
The Advanced panel looks like this (three screen shots are required to show the entire list of options):
It includes options for Debugging, Java console, Default Java for browsers, Java Plug-in, Shortcut Creation, JNLP File/MIME Association, Application Installation, Secure Execution Environment, Mixed code security verification, Certificate revocation checks, Advanced Security Settings, and Miscellaneous.
You can enable tracing and logging.
There are three options:
There are two options; both are selected by default:
This option enables settings in your browser that enable you to use the JRE installed in your computer.
For example, if you enable this option for Microsoft Internet Explorer, then the option Use JRE <version number> for <applet> (requires restart) is available, where <version number> is the version of the JRE installed in your computer. (Find this option by going to Tools, then Internet Options, then click the tab Advanced.)
In addition, if you enable this option for Mozilla Family, and your browser is Firefox, then the extension Java Console <version number> appears in the Add-ons list, where <version number> is the version of the JRE installed in your computer. (Access the Add-ons list from the Tools menu in the menu bar.)
There is only one option, which is selected by default: Enable the next-generation Java Plug-in (requires browser restart).
If this option is selected, then the implementation of the Java Plug-In introduced in Java SE 6 update 10 is used. If this option is not selected, the Java Plug-In implementation prior to the one introduced in Java SE 6u10 is used.
This provides options for Java Web Start for creating shortcuts on the desktop. The options are:
This allows you to associate files with the JNLP MIME type. The options are (radio button, select only one):
There are four options:
A Java application or applet that is launched with Java Web Start can either be installed or cached on the client computer. If the Java application is cached, then Java Web Start stores the entire application in its cache; the application is removed from the client computer when Java Web Start empties its cache. If the Java application is installed, then the application will have an entry in the Add or Remove Programs applet in Windows Control Panel.
A Java application or applet can specify if it prefers to be cached or installed; if the Java application specifies that it prefers to be installed, then it is hinted. By default, Java applications that are hinted are installed on the client computer. You can also specify that a Java application is installed if it creates a shortcut on the client computer's desktop.
These options are check boxes. You can select any number of available options. All options are checked by default except for those specified. The following are the various Java security options:
The Mixed code options are radio buttons. You can select only one option. For more information, see Mixing Privileged Code and Sandbox Code.
Before a signed applet or Java Web Start application is run, the certificates used to sign the JAR file can be checked to ensure that none have been revoked. You can have all certificates checked, or only the certificate from the publisher of the app. If a certificate has been revoked, any app that is signed with the certificate is not allowed to run. This check can be disabled, but that is not recommended. You can select only one of the following options:
The following options indicate what to use to determine if a certificate has been revoked:
If Do Not Check is selected for Perform certificate revocation checks on, this setting is ignored.
These options are check boxes. You can select any number of available options. All options are checked by default except for those specified. The following are the various Java security options:
There are two options; both are checked by default:
Allows you to specify the location of the default browser to be launched.