ASA ASDM not start on Linux

M.Fly · ‎08-30-2022

Hi,

we have a cluster of ASA 5525X that running ASDM asdm-7181-152.bin.
With this version, we have an error on lounch ASDM on Linux that indicate:
jar resources in jnlp are not signed by same certificate

With previous version, 7.1.7 maybe, the problem is not present and ASDM start correctly on Linux.

We only change the .bin of ASDM, any change on ASA configuration.

The java version is 1.8 latest, that works fine with old ASDM version.
The Linux version is Oracle Linux 9

Some ideas?

Bluechip · ‎09-02-2022

I have the same problem: jar resources in jnlp are not signed by same certificate
All advice I've been able to find online lean towards suggesting clear Java cache/temp files, etc. This doesn't work.

The resources included in the JNLP are:

dm-launcher.jar
lzma.jar
jploader.jar
retroweaver-rt-2.0.jar

Removing lzma.jar from the JNLP resource list works around the error, but prevents the ASDM launcher from loading. Is there some reason the jars have different signers?

M.Fly · ‎09-02-2022

I have resolved with command line, and launch of single jar file via java command like this, after download the file via Windows OS :

/path/to/java -cp dm-launcher.jar:jploader.jar:lzma.jar:retroweaver-rt-2.0.jar com.cisco.launcher.Launcher cert.PEM

With ASDM latest version, and Java Oracle 1.8 latest version, it's all OK and ASDM start correctly.

asa_quandary · ‎09-06-2022

I've found a solution to this issue. In ASDM 7.18, Cisco transitioned away from using Java Web Launcher because of end of support. Cisco now requires you to use ASDM-IDM Launcher to access ASDM.

You can find the msi installer for ASDM-IDM Launcher by going to https://<asa-ip-address>/admin/dm-launcher.msi

More info can be found in the Release Notes for 7.18: https://www.cisco.com/c/en/us/td/docs/security/asdm/7_18/release/notes/rn718.html

MHM Cisco World · ‎09-06-2022

thanks a lot for sharing this info.

Bluechip · ‎09-06-2022

This is helpful if:
1. You have admin rights to the device from which you're accessing the ASDM, and;
2. You're accessing from a Cisco-supported windows platform in which you can install the MSI package (which appears to be a packaged version of JVM and a set of static JARs.

If your environment doesn't fit these pre-reqs, the MSI doesn't really help. The cleaner solution would be for Cisco to fix the problem and sign lzma.jar (the offending JAR) with the same signing cert as the other resources. Additionally, if the installed launcher doesn't throw the error, then you'd have to query whether the packaged version of JVM is as secure and vulnerability-free as a supported Oracle alternative.

You could also query why ASDM is still both Java-based and platform dependent in 2022 ... but that's probably a query for a different thread.

krumboeck · ‎10-04-2022

According to the release notes for ASDM 7.18, Cisco de facto dropped the linux support.

Just the next coffin nail.

But does not matter anymore:

Support is becoming worse since years
Price of Firepower compared to ASA is impudence (at least if you use about 200 VPN tunnels)
License/contract registration always leaves me speechless
Cisco support thinks: End-Of-Sale is End-Of-Support (IKE2 problems did'nt become fixed on supported ASAs)

Coutinho10 · ‎08-02-2023

A bit late to the party, but I found this website quite helpful: https://williamlieurance.com/cisco-asdm-718-719-linux/

Solved it for me!