07-02-2014 09:21 PM
Hey,
I hope you can advise me.
I can see on Cisco downloads that a new version of the RDP plugin exists, released in January 2014. But the ASA's version is from last year, and the firmware on the ASA is 8.6(1)2.
I was hoping updating the RDP plugin would fix the Java compatibility issue, as the workaround at the moment is to downgrade the Java version to 40 or below, as advised on Cisco's bug.
https://tools.cisco.com/quickview/bug/CSCuj88114
I hope you can shed some light on this.
Thanks in advance.
Shibly
07-02-2014 09:50 PM
Hi,
With the latest Java update, there has been a change in the security settings, and Java now cross-checks the code-signing cert expiration, etc.
With the default Java applet code-signer cert being expired, it throws up the error message.
Please lower the Java security setting to medium and add the FQDN under "Java control panel > security > exception site list."
Related to Java Code Signing certificate:
As per the changes that have been incorporated in the latest Java update for the security feature related to the code signing cert, Java now checks the certificate validity of the Java applet code signing cert, and if it finds the cert to be expired, it throws the error we are seeing.
With ASA code, the Java code signing cert is embedded during development for WebVPN. That cert is currently expired, and that's the reason the Java error message pops up.
In order for Java to trust it, we need to add the ASA public IP or FQDN to "Java control panel > security > exception site list."
And in order to trust it automatically, you might need to get a code signing cert from a known vendor like VeriSign, GoDaddy, Entrust, GeoTrust, Thawte, etc.
You can have that code signing cert installed on the ASA and call it within the WebVPN config.
Hope this helps.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-02-2014 09:57 PM
Also, will uploading the latest plugin fix the issue?
07-02-2014 10:04 PM
The Java code signing certificate is used only when trying to use SSL plugins to access resources, so it is expected that we won't get the error while opening the WebVPN homepage via a browser.
Also, irrespective of the plugin used, you would need to either add the IP/FQDN to the trusted sites or use a Java code signing certificate.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-03-2014 12:48 AM
Dinesh
Will it be OK if I generate a certificate using the ASA?
If I do, how do I apply this certificate to work with the web plugin?
07-03-2014 01:00 AM
Here is the link that describes how you can apply a code signer certificate on the ASA.
https://supportforums.cisco.com/document/29171/replacing-java-code-signing-certificate-asa-55xx-vpnfirewall-appliance
For more information regarding the code signing certificate, you can check the following link:
http://www.cisco.com/c/en/us/td/docs/security/asdm/6_2/user/guide/asdmconfig/certs.html#wp1286400
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
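
Added example (not part of the posts above and not taken from the linked Cisco documents): the ASA CLI steps for the fix described in this thread, importing a CA-issued code-signing certificate and referencing it from the WebVPN configuration. The trustpoint name CODESIGN-TP and the passphrase are placeholders.

```cisco
! Placeholders (assumptions): trustpoint name CODESIGN-TP, <passphrase>.
! The certificate must be a code-signing certificate (Extended Key Usage:
! Code Signing) exported with its private key as a PKCS#12 bundle.

configure terminal

! Import the PKCS#12 bundle into a new trustpoint.
! Paste the base64-encoded bundle when prompted, then enter "quit"
! on a line by itself.
crypto ca import CODESIGN-TP pkcs12 <passphrase>

! Have WebVPN sign the Java objects it serves (the plugins) with that
! trustpoint instead of the embedded, expired signer certificate.
webvpn
 java-trustpoint CODESIGN-TP
 exit

end

! Check the imported certificate's validity dates and confirm that the
! WebVPN configuration references the trustpoint.
show crypto ca certificates CODESIGN-TP
show running-config webvpn
```

Clients that already loaded the plugin may need to clear the Java cache before the newly signed applet is fetched.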