Java securityexception error on Web VPN

Florian Ostkamp
Level 1

Hello,

I have a problem with my Cisco ASA 5510 Clientless SSL Webvpn.

After Oracle updated its Java version, our Java web portal is not completely working.

Our clientless SSL Web Portal is running on a Cisco ASA 5510 with Version 9.1.3.

On this portal we provide the JAVA RDP Plugin and the JAVA Citrix Plugin.

All Java Plugins are working with Java 7 Update 25.

But with the newest version, Java 7 Update 45, it is not working.

The following error comes up:

-----------------------------------

"SecurityException"

com.sun.deploy.net.JARSigningException: Unsignierter Eintrag gefunden in Ressource:

https://XXXXXXX/ica/JICA-configN.jar

---------------------------------

XXXXXXX = our portal URL

Does somebody have the same problem?

I need a solution, because we are using this setup for around 200 users.

Thank you very much.

Florian

43 Replies

Hi Wolfgang,

this helps, but it is very difficult to manage if you have permanently changing end-users who access the end systems. I have asked my TAC engineer for an approximate release date for the fixed RDP plugin.

I hope there will be a fixed version with permission attributes soon.

Best Regards

Ayhan

Hi All,

Go ahead and configure smart tunnel. All your issues will get resolved. This is what TAC did recently.

Rate if this was helpful.

regards

Rajesh

Florian Ostkamp
Level 1

Hi All,

Update from me too: the Java 7.45 problem was fixed... but Oracle brought out Java 7.51... so we have a new problem again!!

In the past I got a fixed firmware version from Cisco. But I was not able to install it, because I had no downtime window.

But at the beginning of this year I saw that my bug was fixed in version 9.1.4. So I chose this version for my update. After my update to 9.1.4, Java version 7.45 was working fine.

After a few days Oracle brought out Java 7.51 and I had a new problem. *now angry on cisco & oracle is*

Error Message:

missing required permissions manifest attribute in main jar

XXXXXXX/ica/JICAEngN.jar

So today I opened a Cisco TAC case again for this. I will post some information when I get it from Cisco.

I hope that we will not get a new problem with every new Java update. Otherwise the Cisco ASA will make a free flight out of the window....

Thanks a lot.

Regards,

Florian

The workaround of reducing the security settings in the Java Control Panel to "medium" is working.

You can also try adding your ASA as a Security Exception similar to the instructions in this thread (for Cisco TMS):

https://supportforums.cisco.com/message/4139247#4139247


Wayne
--
Please remember to rate responses and to mark your question as answered if appropriate.

Thanks for the update Wayne.

But all these workarounds are too difficult for some users. I made this workaround public on our web portal, but it is not acceptable for the future. I will wait for the answer from Cisco TAC.

I agree with Florian. I have over 500 home users who are not technical by any measure. Our helpdesk can barely keep up with walking people through making these changes to their personal computers.

An actual fix needs to be expedited for these Java security issues.

As it stands this is not a practical business solution. I am already being pressured by management staff to find a replacement solution that is "NOT Cisco". I have already opened a TAC case and performed all the recommended OS upgrades to the ASA. Still I have to implement these workarounds. It has now been over a month since the issue started presenting itself.

Good luck finding a non-Cisco solution; the same thing is happening on Juniper, the same thing is happening on SonicWall, the same thing is happening on Fortinet.

This is Oracle's problem. I'm sure all the dev teams are working to fix their software for the new Java security settings.

Ah!  Good to know.

Doesn't really excuse Cisco from not being prepared with a fix for the updates to the JRE.

Java developers would have advance notice of patches to the JRE... I would hope.

Absolutely correct, blumley,

it was not a big surprise, as with older Java versions you got the hint that this plugin will be blocked in future updates (enclosed file, German language).

I got in touch with TAC before this update was released by Oracle, but got only client-based workarounds, which are useless for me.

In the end my customer managed to rewrite the given RDP plugin and add the missing attributes to it, but as everybody knows this is not a Cisco-supported solution.

Hello All!

So now my problem is fixed with this solution:

Download the newest plugins from Cisco:

http://tools.cisco.com/squish/aedfa

For example the Citrix (do-it-yourself) client plugin for ASA:
ica-plugin.04.23.2012.zip (the missing attribute is inside)

Due to licensing restrictions, the administrator has to manually import the Citrix jar files from the Citrix website into the plugin.

The steps are explained in the ASA WebVPN configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp1293004

and for more information on the individual jar files, please refer to the Citrix Java admin guide:

http://support.citrix.com/servlet/KbServlet/download/6284-102-17151/ICAJava.pdf

Currently you can download a very new version of the Java files from the Citrix website. The version is from this year.

When you have merged the zip files from Cisco and Citrix you can upload it to the ASA and it is working.

Note: add the seamless Java file to the zip too if you want to use full screen!! Don't forget it!

All of you > Thanks.

Now all Java Versions are running fine on my Systems. So we can wait for new Java Updates ;-)

Hello,

My solution is to modify the manifest (MANIFEST.MF) of the jar file and set the attribute "Permissions: all-permissions".

You have to install the Java JDK to have all the tools.

Example: for the RDP plugin:

Unzip the rdp.12.21.2013.jar (latest plugin from Cisco) file to c:\rdp

Create your own manifest file. Copy the existing MANIFEST.MF and add "Permissions: all-permissions". Save the file to c:\mymanifest.mf

In terminal mode, go into c:\rdp and type

#C:\rdp>jar.exe cmf c:\mymanifest.mf c:\rdp\rdp.jar *

It will update the manifest file with your file and create a new jar.

You need to sign the jar before uploading it to the Cisco ASA (use jarsigner.exe).

Here is an example: http://wiki.plexinfo.net/?title=How_to_sign_JAR_files (self-signed)

I signed mine with my SSL certificate:

#jarsigner.exe -storetype pkcs12 -keystore c:\xxx\ASA\Plugin\keystore.p12 c:\rdp\rdp.jar rdpalias

Upload it to the ASA. The manifest error (Java 7u51) will disappear.
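The manifest edit above, written out as a small script so it can be checked before the jar is re-signed. This is example code added for this thread, not kevin's commands and not Cisco's or Oracle's tooling: it reads a plugin jar, reports whether the main section carries the Permissions attribute whose absence produces Florian's "missing required permissions manifest attribute in main jar" error, merges Permissions (and the recommended Codebase) into the main section without disturbing the per-entry Name:/SHA1-Digest: sections, and drops the old META-INF signature files, since the edited manifest no longer matches them and the jar has to go through jarsigner again anyway. The sample jar, its digest and signature bytes, and the host vpn.example.com are all constructed placeholders.

```python
"""Add the main-section attributes that Java 7u51+ requires to a plugin jar's
META-INF/MANIFEST.MF. Example code written for this thread, not Cisco's or
Oracle's tooling; the sample jar is constructed in build_sample_jar()."""
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")
# Absent under the default (High) security level, this gives
# "missing required permissions manifest attribute in main jar".
REQUIRED = {"Permissions": "all-permissions"}

def split_manifest(text):
    """Return (main_attrs, rest): ordered (name, value) pairs of the main
    section with continuation lines (leading space) joined back on, plus
    the per-entry sections after the first blank line, kept verbatim."""
    norm = text.replace("\r\n", "\n").replace("\r", "\n")
    main, sep, rest = norm.partition("\n\n")
    attrs = []
    for line in main.split("\n"):
        if not line:
            continue
        if line.startswith(" ") and attrs:          # continuation line
            name, value = attrs[-1]
            attrs[-1] = (name, value + line[1:])
            continue
        name, _, value = line.partition(":")
        attrs.append((name.strip(), value.strip()))
    return attrs, rest if sep else ""

def wrap_header(name, value):
    """One attribute as jar writes it: no line over 72 bytes including CRLF,
    continuation lines prefixed with a single space."""
    raw = f"{name}: {value}".encode("utf-8")
    chunks, raw = [raw[:70]], raw[70:]
    while raw:
        chunks.append(b" " + raw[:69])
        raw = raw[69:]
    return b"".join(chunk + b"\r\n" for chunk in chunks)

def read_manifest(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.read(MANIFEST).decode("utf-8")

def entry_names(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()

def main_attributes(jar_bytes):
    return dict(split_manifest(read_manifest(jar_bytes))[0])

def missing_required(jar_bytes):
    """Required main attributes this jar lacks (empty list means OK)."""
    have = main_attributes(jar_bytes)
    return [name for name in REQUIRED if name not in have]

def set_main_attributes(jar_bytes, new_attrs):
    """New jar with new_attrs merged into the main section. Attribute order
    is kept (Manifest-Version stays first), per-entry sections are copied,
    and META-INF signature files are dropped: their manifest digest no
    longer matches, so the result must be re-signed with jarsigner."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    attrs, rest = split_manifest(src.read(MANIFEST).decode("utf-8"))
    present = dict(attrs)
    merged = [(n, new_attrs.get(n, v)) for n, v in attrs]
    merged += [(n, v) for n, v in new_attrs.items() if n not in present]
    manifest = b"".join(wrap_header(n, v) for n, v in merged)
    if rest:
        manifest += b"\r\n" + rest.replace("\n", "\r\n").encode("utf-8")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        dst.writestr(MANIFEST, manifest)        # manifest first, as jar does
        for info in src.infolist():
            upper = info.filename.upper()
            if info.filename == MANIFEST:
                continue
            if upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES):
                continue                        # stale signature file
            dst.writestr(info, src.read(info.filename))
    src.close()
    return out.getvalue()

def build_sample_jar():
    """Constructed stand-in for a signed plugin jar from before the fix (no
    Permissions attribute); digest and signature bytes are placeholders."""
    manifest = ("Manifest-Version: 1.0\r\n"
                "Created-By: 1.6.0 (Sun Microsystems Inc.)\r\n"
                "Main-Class: com.example.Plugin\r\n\r\n"
                "Name: com/example/Plugin.class\r\n"
                "SHA1-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest)
        zf.writestr("META-INF/PLUGIN.SF", "Signature-Version: 1.0\r\n")
        zf.writestr("META-INF/PLUGIN.RSA", b"\x30\x00")
        zf.writestr("com/example/Plugin.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    jar = build_sample_jar()
    print("missing before:", missing_required(jar))
    # Codebase names the host the jar is served from; hypothetical value here.
    fixed = set_main_attributes(jar, {"Permissions": "all-permissions",
                                      "Codebase": "https://vpn.example.com"})
    print("missing after:", missing_required(fixed), entry_names(fixed))
```

Run it against a real plugin jar by replacing build_sample_jar() with the file's bytes; the output still has to be signed with jarsigner before the ASA will serve it, exactly as the post says, and missing_required() is a quick pre-upload check that the attribute really landed in the main section rather than in a per-entry section.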


Hi kevin,

Thank you for the input regarding this case. I've followed your steps and got it working up to the creation of the new jar file. The new RDP file is configured correctly with 'all permissions'.

What I don't get is the steps regarding the signing part. Are you using a regular certificate or a code signing certificate?

Before you can sign it with the jarsigner, you need to import the certificate into the JDK keystore, right? What were the particular steps that you committed? Because I'm stuck at that point. I've exported the SSL certificate from the ASA in PKCS12 format with the private key. I think it has to do with my certificate being in PKCS12 format and not in X.509.

If I use a code signing certificate on the ASA, I get the signing process done by the ASA. Everything works for the new plugin. So my jar is signed with the information from the code signing certificate. However, I would really like to know how it works to sign the applet with the JDK keystore.

regards,
Sander

Hi Sander,

The ASA PKCS file is in "BASE64".

Try this:

#openssl base64 -in trustpoint.pkcs -d -out trustpoint.pfx

It will convert your PKCS file into a "good format".

Then use

#openssl pkcs12 -in trustpoint.pfx -info

and you will see your private key and the certificate.

Copy the certificate into a .crt file and the key into a .key file, then create your keystore:

#openssl pkcs12 -export -in certif.crt -inkey private.key -out keystore.p12 -name MyAlias -CAfile certif.crt -caname root

Last step, sign your jar with your keystore:

#jarsigner.exe -storetype pkcs12 -keystore keystore.p12 c:\rdp.jar MyAlias

and verify it's OK:

#jarsigner.exe -verify -verbose -certs c:\rdp.jar

