Java securityexception error on Web VPN

Florian Ostkamp
Level 1

Hello,

I have a problem with my Cisco ASA 5510 Clientless SSL Webvpn.

After Oracle updated its Java version, our Java web portal is not completely working.

Our clientless SSL Web Portal is running on a Cisco ASA 5510 with Version 9.1.3.

On this portal we provide the JAVA RDP Plugin and the JAVA Citrix Plugin.

All Java Plugins are working with Java 7 Update 25.

But with the newest Version Java 7 Update 45 it is not working.

The following error appears.

-----------------------------------

"SecurityException"

com.sun.deploy.net.JARSigningException: Unsignierter Eintrag gefunden in Ressource:

https://XXXXXXX/ica/JICA-configN.jar

---------------------------------

XX=our portal-url

Does anybody have the same problem?

I need a solution, because we are using this solution for roughly 200 users.

Thank you very much.

Florian


@bart the specific update that is mentioned here is not publicly released. Maybe you can obtain the bug-fixed versions if you open a TAC case.

Roy Ros
Level 1

Version 8.4(4)1 seems to be affected too.

I would like to inform you that an interim release has been released which contains the fix for the CSCuj88114 bug.

8.4.7.5 → asa847-5-k8.bin

9.1.3.4 → asa913-4-smp-k8.bin

9.1.3.4 → asa913-4-k8.bin

Rate if helpful!

Thank you Sander for the update..

Would you please share the 8.4.7-5 interim image with us on priority, as we are not finding this image at Cisco.

I think that the files are given to us when opening a TAC case. So I have to advise you to do the same.

Jan
Level 1

Noticed that 8.2 is affected as well.. have an 5590 which is running latest 8.2.5 (46) which shows the same error..

I am unable to upgrade the box to 8.4 as it is missing RAM slots.. (yes there are none soldered on the mainboard - must be one of the first batches.. 1 RAM slot, 3 empty soldering joints)

Ayhan Guec
Level 1

Hi Florian,

I face this issue too.

When I start the RDP plugin I get the following "warning":

This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more information.

I am using ASA Version 9.1.4, but I think the RDP plugin has to be rewritten by Cisco to get this solved.

The version on the Cisco website is very old: 27-APR-2012.

Please keep us informed if you find a way to suppress this warning (at the ASA, not the client).

Best Regards

Ayhan

Please follow the steps below:

1) Delete the following files from rdp_09.11.2012.jar:

      properJavaRDP13-1.1.jar

      properJavaRDP12-1.1.jar

      properJavaRDP11-1.1.jar

2) Delete the following statements from "properrdp.html" :

     properJavaRDP13-1.1.jar,properJavaRDP12-1.1.jar,properJavaRDP11-1.1.jar

3) Pack all other files from rdp_09.11.2012 in new .jar

4) Upload new plugin to ASA .

If that did not work, you can always re-download the plugin from the cisco website and upload it.

Hi Sander,

I will give it a try and inform you about the results.

Best Regards

Ayhan

Hi Sander,

I am still getting the message that the permission attribute in manifest.xml is missing.

Do you know what to set there?

Best Regards

Ayhan

From what I have understood, Cisco needs to write a new plugin to replace the old Cisco certificate....

Try the one that we have created. It should be the same as the steps that I have posted.

https://www.dropbox.com/s/gtb0ew5v9uiwshm/rdp_plugin_changed.jar

Hi Sander,

thank you very much, but I think this will not work either, because the manifest.xml does not contain the required tags for permission handling.

That's the manifest.xml from your jar file:

  properrdp.html
  rdp
  3389
  csco_rdp
  1.0.2
  Terminal Servers
  Terminal Servers Bookmarks
  icon.gif
  Translation domain for RDP plugin
  en
  help/en/index.inc
  host
  Host Name
  string


I would expect to find any of these tags in the manifest.xml to avoid the warning that this application will be blocked in future updates:



I've attached a Screenshot from the Warning to be sure that we both work on the same topic
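As an added example (not part of any post in this thread, and not Cisco's code): a Python check for the two conditions reported above, entries without a digest inside a signed JAR and a missing Permissions attribute. Java reads the Permissions attribute from META-INF/MANIFEST.MF inside the JAR; the sample JAR and all names in it are constructed, and the check is a manifest heuristic rather than signature verification, which `jarsigner -verify` performs.

```python
import io
import zipfile

def parse_manifest(text):
    """Return (main_attrs, {entry_name: attrs}) for a JAR manifest."""
    # Normalise line endings, then join continuation lines (leading space).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    sections = []
    for block in text.split("\n\n"):
        attrs = {}
        for line in block.split("\n"):
            if ": " in line:
                key, value = line.split(": ", 1)
                attrs[key.lower()] = value
        if attrs:
            sections.append(attrs)
    main = sections[0] if sections else {}
    return main, {s["name"]: s for s in sections[1:] if "name" in s}

def audit_jar(data):
    """Report signing state, Permissions value and entries with no digest."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        raw = jar.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
    main, entries = parse_manifest(raw.decode("utf-8"))
    meta = [n for n in names if n.upper().startswith("META-INF/")]
    unsigned = [n for n in names
                if n not in meta and not n.endswith("/")
                and not any(k.endswith("-digest") for k in entries.get(n, {}))]
    return {"signed": any(n.upper().endswith(".SF") for n in meta),
            "permissions": main.get("permissions"),
            "unsigned_entries": sorted(unsigned)}

def build_sample_jar():
    """Constructed sample: one digested entry, one entry added afterwards."""
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                "Name: com/example/Applet.class\r\n"
                "SHA-256-Digest: Y29uc3RydWN0ZWQ=\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n")
        jar.writestr("com/example/Applet.class", b"constructed")
        jar.writestr("config/settings.txt", b"added after signing")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_jar(build_sample_jar()))
```
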

Yes, these warnings are the same. However, these steps were e-mailed by Cisco TAC. So I didn't make them myself. From our point the customer still gets errors. With the new software version. We need to wait until Cisco makes a new RDP plugin.

Many thanks for your investigations.

I have an open TAC-Case and hope the TAC-engineer can get in touch with the dev team

Best Regards

Ayhan

Hi Ayhan,

we have the same problem as you describe and have found the following workaround for me:

in the java control panel either reduce the security level to 'medium',

or insert your asa-url to the exception list, e.g. https://asa.domain/.

(sorry, we use German language versions here, so I don't know the correct labels for the English version)

We still get the warnings about the obsolete certificate, but can at least start our RDP sessions again.

Hope this helps,

Wolfgang