Introduction
This document describes an issue where WebVPN users were getting "Java" related error.
Problem
User facing a problem with his Cisco ASA 5510 Clientless SSL Webvpn. After Oracle updates its Java Version, the JAVA Webportal are not working completely . His clientless SSL Web Portal is running on a Cisco ASA 5510 with Version 9.1.3. On this portal user has provided the JAVA RDP Plugin and the JAVA Citrix Plugin. All Java Plugins are working with Java 7 Update 25. But with the newest Version Java 7 Update 45 it is not working.
Error is Shown below:
"SecurityException"
com.sun.deploy.net.JARSigningException: Unsignierter Eintrag gefunden in Ressource:
https://XXXXXXX/ica/JICA-configN.jar
---------------------------------
XX=our portal-url
Total number of users affected = 200
Solution
Scenario (Update to v7.45)
Symptom:
ASA WebVPN Java Plugins is failing to load after upgrading to Java 7 Update 45
with the following General Exception error - 'com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: https:///+CSCO+xxxxxxxxxxxxxxxxxxxxxxx++/vnc/VncViewer.jar'
Conditions:
- Windows or Mac OSX machines using Java 7 Update 45.
- JRE build 1.6.0.51 and 65
RCA:
ASA WebVPN Java Plugins fail after upgrade to Java 7 Update 45 because of below mentioned bug: CSCuj88114
Workaround:
- User need to disable the option "Keep temporary files on my computer" on the Java Control:
Panel -> General -> Settings
This works for both Mac OSX and Windows.
- Downgrade Java to version 7 Update 40 or below.
Step 1: The solution is to modify the manifest (MANIFEST.MF) of the Jar file and set the attribute "Permissions: all-permissions"
Step 2: You have to install java JDK for having all tools.
Example : For the RDP plugin:
Unzip the rdp.12.21.2013.jar (last plugin from Cisco) file to c:\rdp
Step 3: Create your own manifest file. Copy the existant MANIFEST.MF and add "Permissions: all-permissions". Save the file to c:\mymanifest.mf
Step 4: In terminal mode, go into to c:\rdp and type
#C:\rdp>jar.exe cmf c:\mymanifest.mf c:\rdp\rdp.jar *
It will update the Manifest file with your file and create a new Jar.
You need to sign the jar before upload it to the Cisco ASA. (use jarsigner.exe)
here is an example : http://wiki.plexinfo.net/?title=How_to_sign_JAR_files (self sign) I had sign mine with my SSL certificate:
#jarsigner.exe -storetype pkcs12 -keystore c:\xxx\ASA\Plugin\keystore.p12 c:\rdp\rdp.jar rdpalias
Upload it to the ASA. The manifest error (Java7 u51) will disappear.
IOS versions released with fixed bug:
- IOS v 9.1(3.107)
- IOS v 100.8(40.41)
- IOS v 100.8(46.28)
- IOS v 8.4(7.4)
- IOS v 100.8(38.63)
- IOS v 9.0(3.9)
- IOS v 9.1(3.3)
- IOS v 100.9(10.15)
- IOS v 100.7(6.125)
- IOS v 100.8(51.5)
- IOS v 100.10(0.38)
- IOS v 100.8(45.8)
- IOS v 100.8(52.6)
- IOS v 9.0(3.100)
- IOS v 100.10(1.21)
- IOS v 100.10(2.3)
- IOS v 100.10(3.1)
- IOS v 9.0(4)
- IOS v 100.10(9.1)
- IOS v 9.1(4)
- IOS v9.2(0.99)
- IOS v9.2(1)
After fixing the bug:
Download the newest Plugins from Cisco:
For Example Citrix (do-it-yourself) client plugin for ASA.
ica-plugin.04.23.2012.zip (Missing Attribute is inside)
Due to licensing restrictions, the administrator should manually import the Citrix jar files from citrix website into the plugin.
The steps are explained in the ASA webvpn config guide mentioned below:
Config Guide
and for more information on the individual jar files, please refer to the Citrix Java admin guide:
Citrix Java admin guide
When you have merged the Zip files from Cisco and Citrix you can upload it to the ASA and it is working.
Note: Add the seamless Java file to the Zip too, if you want to use Full Screen.
Source Discussion