WebVPN RDP Plugin and Java version compatibility

shiblyibrahim
Level 3

Hey,

I hope you can advise me.

I can see on Cisco downloads that a new version of the RDP plugin exists, released in January, 2014. But the ASA's version is from last year, and the firmware on the ASA is 8.6(1)2.

I was hoping updating the RDP plugin would fix the Java compatibility issue, as the workaround at the moment is to downgrade the Java version to 40 or below, as advised in Cisco's bug.

https://tools.cisco.com/quickview/bug/CSCuj88114

I hope you can shed some light on this.

Thanks in advance.

Shibly

Please rate the post Shibly Ibrahim

Dinesh Moudgil
Cisco Employee

Hi,

With the latest Java update, there has been a change in the security settings, and now they are cross-checking the Java code-signing cert expiration, etc.
With the default Java applet code-signer cert being expired, it throws up the error message.
Please lower the Java security setting to medium and add the FQDN under the "Java control panel > security > exception site list."

Related to Java Code Signing certificate:

As per the changes that have been incorporated under the latest Java update about the security feature related to the code signing cert, Java is now checking the certificate validity for the Java Applet code signing cert, and if it finds the cert to be expired then it throws the error we are seeing.

Now with ASA codes, the Java code signing cert is embedded during the development for the Webvpn, which is currently expired, and that's the reason the Java error message pops up.
In order for the Java to trust it, we need to add the ASA public IP or FQDN to "Java control panel > security > exception site list."

And in order to trust it automatically, you might need to get a code signing cert from any known vendor like VeriSign, GoDaddy, Entrust, GeoTrust, Thawte, etc.
You can have that Code signing cert installed on the ASA, and call it within the Webvpn config.

Hope this helps.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
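
The expiry check described in the reply above can be reproduced offline with OpenSSL. This is an added example, not part of the original thread and not Cisco's or Oracle's code; it assumes the signature block (`META-INF/*.RSA`) has already been extracted from the signed plugin JAR, and it inspects only the first certificate in that block.

```shell
#!/bin/sh
# Added example. Extract the signature block first, e.g.
#   unzip -p plugin.jar 'META-INF/*.RSA' > signer.rsa
# (plugin.jar and signer.rsa are placeholder names).
#
# check_codesign_cert FILE [WINDOW_SECONDS]
#   FILE is a DER-encoded PKCS#7 signature block from a signed JAR.
#   Prints subject and expiry date of the first certificate in the block.
#   Return codes:
#     0  certificate is in date and carries the Code Signing EKU
#     1  certificate is expired, or expires within WINDOW_SECONDS
#     2  certificate has no Code Signing extended key usage
#     3  FILE could not be parsed as PKCS#7 / X.509
check_codesign_cert() {
    sigblock=$1
    window=${2:-0}

    # -print_certs emits PEM; the second openssl keeps only the first cert.
    pem=$(openssl pkcs7 -inform DER -in "$sigblock" -print_certs 2>/dev/null |
          openssl x509 2>/dev/null) || return 3
    [ -n "$pem" ] || return 3

    printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate

    # -checkend N exits non-zero if the cert expires within N seconds.
    if ! printf '%s\n' "$pem" |
         openssl x509 -noout -checkend "$window" >/dev/null; then
        echo "RESULT: expired or expiring within ${window}s"
        return 1
    fi

    # Java expects a signer certificate issued for code signing.
    if ! printf '%s\n' "$pem" |
         openssl x509 -noout -text | grep -q 'Code Signing'; then
        echo "RESULT: not marked for code signing"
        return 2
    fi

    echo "RESULT: ok"
    return 0
}
```

Running it with a window such as 2592000 (30 days) flags a signer certificate before it lapses, which is the point at which the exception-site-list workaround would otherwise become necessary.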

Also, will uploading the latest plugin fix the issue?

Please rate the post Shibly Ibrahim

The Java code signing certificate is used only when trying to use SSL plugins to access resources, so it is expected that we won't get the error while opening the WebVPN homepage via browser.
Also, irrespective of the plugin used, you would need to either add the IP/FQDN as a trusted site or use a Java code signing certificate.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Dinesh

Will it be OK if I generate a certificate using the ASA?

If I do, how do I apply this certificate to work with the web plugin?

Please rate the post Shibly Ibrahim

Here is the link that describes how you can apply code signer certificate on ASA.
https://supportforums.cisco.com/document/29171/replacing-java-code-signing-certificate-asa-55xx-vpnfirewall-appliance

For more information regarding the code signing certificate, you can check the following link:
http://www.cisco.com/c/en/us/td/docs/security/asdm/6_2/user/guide/asdmconfig/certs.html#wp1286400

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

shiblyibrahim
Level 3

Hey Dinesh, thank you for the quick response. But it's quite strange that when we go to the VPN site we don't get an SSL certificate error, or is this different? Apologies, my knowledge on this is not very good.
Please rate the post Shibly Ibrahim