this helps but is very to difficult to manage if you have permanent changing end-users which access the end systems. I have asked my TAC engineer for a aprroximate release date for the fixed rdp plugin.
I hope there will be a fixed version with permission attributes soon
Go ahead and configure smarttunnel. All your issues will get resolved. This is what TAC had done recently.
Rate if this was helpful.
Update from me too: The JAVA 7.45 Problem was fixed... but Oracle brings out JAVA 7.51...so we have again a new problem!!
In the Past I get an fixed Firmware-Version from Cisco. But I was not able to install this, because I had no downtime window.
But in the beginning from this year I saw that my bug was fixed in Version 9.1.4. So I choose this Version for my update. After my Update to 9.1.4 the JAVA with Version 7.45 was working fine.
After a few days Oracle brings out JAVA 7.51 and I has a new Problem. *now angry on cisco & oracle is*
missing required permissions manifest attribute in main jar
So today I opened again a Cisco TAC for this. I will bring out some informations when I get them from Cisco.
I hope that we will not get with every new JAVA Update a new Problem. Then the Cisco ASA will make a Free fly out of the window....
Thanks a lot.
You can also try adding your ASA as a Security Exception similar to the instructions in this thread (for Cisco TMS):
Please remember to rate responses and to mark your question as answered if appropriate.
Thanks for the update Wayne.
But all theese workarounds are too dificult for some users. I make public this workaround on our Webportal, but it is not acceptable for the future. I will wait for the answer from cisco-TAC.
I agree with Florian. I have over 500 home users that are not technical by any measure. Our helpdesk can barely keep up with walking people through making these changes to their personal computers.
An actual fix needs to be expedited for these JAVA security issues.
As it stands this is not a practical business solution. I am already being pressured by management staff to find a replacement solution that is "NOT Cisco". I have already opened a TAC case and performed all the recommended OS upgrades to the ASA. Still I have to implement these workarounds. It has now been over a month since the issue started presenting itself.
good luck finding a non Cisco solution, same thing is happening on juniper, same thing is happening on sonicwall, same thing is happening on fortinet.
this is oracles problem, I'm sure all the Dev teams are working to fix software for the new security settings for Java.
Ah! Good to know.
Doesn't really excuse Cisco from not being prepared with a fix for the updates to the JRE.
JAVA developers would have advance notice of patches to the JRE... I would hope.
Absolutely correct blumley,
it was not a big surprise, as with older Java Version you got the hint that this Plugin will be blocked in future Updates (enclosed file, german language).
I got in touch with TAC before this Update was released by Oracle, but got only client based workarounds which are useless for me.
At the end my customer managed to rewrite the given rdp plugin and add the missing attributes to it, but as everybody knows this is not Cisco supported solution
So now my Problem is fixed with this solution:
Download the newest Plugins from Cisco:
For Example Citrix (do-it-yourself) client plugin for ASA.
ica-plugin.04.23.2012.zip (Missing Attribute is inside)
Due to licensing restrictions, the administrator should manually import the Citrix jar files from citrix website into the plugin
The steps are explained in the ASA webvpn config guide
and for more information on the individual jar files, please refer to the Citrix Java admin guide:
Actual you can download a very new Version of the Java Files from CITRIX Website. The Version is from this year.
When you have merged the Zip files from Cisco and Citrix you can upload it to the ASA and it is working.
Note: Add the seamless Java file to the Zip too, if you want to use Full Screen!! Don´t forget it!
All of you > Thanks.
Now all Java Versions are running fine on my Systems. So we can wait for new Java Updates ;-)
My solution is to modify the manifest (MANIFEST.MF) of the Jar file and set the attribute "Permissions: all-permissions"
You have to install java JDK for having all tools.
Example : For the RDP plugin:
Unzip the rdp.12.21.2013.jar (last plugin from Cisco) file to c:\rdp
Create your own manifest file. Copy the existant MANIFEST.MF and add "Permissions: all-permissions". Save the file to c:\mymanifest.mf
In terminal mode, go into to c:\rdp and type
#C:\rdp>jar.exe cmf c:\mymanifest.mf c:\rdp\rdp.jar *
It will update the Manifest file with your file and create a new Jar.
You need to sign the jar before upload it to the Cisco ASA. (use jarsigner.exe)
here is an example : http://wiki.plexinfo.net/?title=How_to_sign_JAR_files (self sign)
I had sign mine with my SSL certificate:
#jarsigner.exe -storetype pkcs12 -keystore c:\xxx\ASA\Plugin\keystore.p12 c:\rdp\rdp.jar rdpalias
Upload it to the ASA. The manifest error (Java7 u51) will disappear.
Thank you for the input regarding this case. I've followed your steps and got it working till the creation of the new jar file. The new RDP files is configured correctly with 'all permissions.'
What I don't get, is the steps regarding the signing part. Are you using a regular certificate or a code signing certificate?
Before you can sign it with the jarsigner, you need to import the certificate into the JDK keystore, right? What were the particular steps that you commited?Cause I'm stuck at that point. I've exported the SSL certificate from the ASA in PKSC12 format with the private key. I think it has to do that my certificate is in PKSC12 format and not in x509.
If I use a code signing certificate on the ASA, I got the signing proces done by the ASA. Everything works for the new plugin. So my jar is signed with the information from the code signing certificate. However I really like to know, how it works to sign the applet with the the JDK keystore.
The Asa PKCS file is in "BASE64".
#openssl base64 -in trustpoint.pkcs -d out trustpoint.pfx
It will convert your pkcs in a "good format" .
#openssl pkcs12 -in trustpoint.pfx -info
and you will see your private key et the certificate.
copy the the certificate into .crt file and .key file. then create tour keystore
#openssl pkcs12 -export -in certif.crt -inkey private.key -out keystore.p12 -name MyAlias -CAfile certif.crt -caname root
last step, sign your jar with your keystore :
#jarsigner.exe -storetype pkcs12 -keystore keystore.p12 c:\rdp.jar
and verify it's ok
#jarsigner.exe -verify -verbose -certs c:\rdp.jar