Java securityexception error on Web VPN

Answered Question
Oct 21st, 2013

Hello,


I have a problem with my Cisco ASA 5510 Clientless SSL Webvpn.

After Oracle updated its Java version, our JAVA web portal is not completely working.


Our clientless SSL Web Portal is running on a Cisco ASA 5510 with Version 9.1.3.

On this portal we provide the JAVA RDP Plugin and the JAVA Citrix Plugin.


All Java Plugins are working with Java 7 Update 25.

But with the newest Version Java 7 Update 45 it is not working.


The following error appears.


-----------------------------------


"SecurityException"


com.sun.deploy.net.JARSigningException: Unsignierter Eintrag gefunden in Ressource:

https://XXXXXXX/ica/JICA-configN.jar


---------------------------------

XX=our portal-url


Does anybody have the same problem?

I need a solution, because we are using this solution for around 200 users.


Thank you very much.


Florian


Overall Rating: 5 (8 ratings)
Jouni Forss Mon, 10/21/2013 - 06:50
User Badges:
  • Super Bronze, 10000 points or more

Hi,


We don't have much use for Clientless VPN environments and I have not been the person responsible for managing them (until now, when one of our employees changed employer).

Though we only had reports from a single user and had to resort to changing to Java SE 6 Update 45. Though even then it seemed that Internet Explorer wouldn't work and we "had" to use Firefox.

I have personally not run into many problems with Java as I have not managed Clientless VPN environments (until now) and I have never really used the ASA's ASDM, so usually the quickest choice would be to downgrade.

Though I would really love to have a proper solution to this myself also, without resorting to downgrading each time a problem occurs.

In our situation the problematic situation doesn't show the error message that you are seeing each time. We have a bookmark for the user to use to initiate an RDP session, which before changing the Java SE to 6 Update 45 resulted in the WebVPN portal just reloading the portal page without any error message or other output whatsoever.


- Jouni

jsalmonson Tue, 10/22/2013 - 08:24

We are experiencing the same issue with Chrome/FF.  IE seems to be OK.  Java v7 r45 that updated today.  Did anyone find a fix?


Here's the error's details.


Java Plug-in 10.45.2.18

Using JRE version 1.7.0_45-b18 Java HotSpot(TM) Client VM

User home directory = C:\Documents and Settings\name

----------------------------------------------------

----------------------------------------------------

CacheEntry[https://dn/CACHE/sdesktop/install/binaries/instjava.jar]: updateAvailable=false,lastModified=Wed Dec 31 19:00:00 EST 1969,length=117093

Missing Application-Name: manifest attribute for: https://dn/CACHE/sdesktop/install/binaries/instjava.jar

Missing Permissions manifest attribute for: https://dn/CACHE/sdesktop/install/binaries/instjava.jar

Missing Codebase manifest attribute for: https://dn/CACHE/sdesktop/install/binaries/instjava.jar

Missing Application-Name: manifest attribute for: https://dn/CACHE/sdesktop/install/binaries/instjava.jar

Missing Permissions manifest attribute for: https://dn/CACHE/sdesktop/install/binaries/instjava.jar

Missing Codebase manifest attribute for: https://dn/CACHE/sdesktop/install/binaries/instjava.jar

Missing Application-Name: manifest attribute for: https://dn/CACHE/sdesktop/install/binaries/instjava.jar

Missing Permissions manifest attribute for: https://dn/CACHE/sdesktop/install/binaries/instjava.jar

Missing Codebase manifest attribute for: https://dn/CACHE/sdesktop/install/binaries/instjava.jar

Tue Oct 22 11:26:52 EDT 2013 Retrieved CSD stub path: C:\Documents and Settings\name\Application Data\Cisco\Cisco Secure Desktop\Cache\Temp8-P00h\cstub.exe

Tue Oct 22 11:26:52 EDT 2013 CSD stub will be downloaded

Tue Oct 22 11:26:52 EDT 2013 Download url : https://dn/CACHE/sdesktop/hostscan/windows_i386/cstub.exe

Tue Oct 22 11:26:52 EDT 2013 Download path : C:\Documents and Settings\name\Application Data\Cisco\Cisco Secure Desktop\Cache\Temp8-P00h\cstub.exe

Tue Oct 22 11:26:54 EDT 2013 Downloaded https://dn/CACHE/sdesktop/hostscan/windows_i386/cstub.exe to C:\Documents and Settings\name\Application Data\Cisco\Cisco Secure Desktop\Cache\Temp8-P00h\cstub.exe

Tue Oct 22 11:26:54 EDT 2013 file signature verification PASS: C:\Documents and Settings\name\Application Data\Cisco\Cisco Secure Desktop\Cache\Temp8-P00h\cstub.exe

Tue Oct 22 11:26:54 EDT 2013 file signature verification PASS: C:\Documents and Settings\name\Application Data\Cisco\Cisco Secure Desktop\Cache\Temp8-P00h\cstub.exe

Tue Oct 22 11:26:54 EDT 2013 Spawned CSD stub.

jsalmonson Wed, 10/23/2013 - 10:28

Here's my fix:


Install RE v7.025

Remove RE v7.045

Reduce the security level in Java to MED


I hope Cisco gets off of the Java engine soon.

Correct Answer
Mohammad Alhyari Tue, 10/22/2013 - 08:56
User Badges:
  • Bronze, 100 points or more

ASA WebVPN Java Plugins fail after upgrade to Java 7 Update 45
CSCuj88114


Sent from Cisco Technical Support Android App

Correct Answer
Gordon Ross Tue, 12/10/2013 - 01:03
User Badges:
  • Blue, 1500 points or more

9.1.4 was released on the 9th December which claims to fix this bug.


GTG


Please rate all helpful posts.

Gordon Ross Fri, 01/31/2014 - 07:58
User Badges:
  • Blue, 1500 points or more

This bug is now showing as fixed - But not for the latest 9.1(4) software.


GTG


Please rate all helpful posts.

markorchard Wed, 10/23/2013 - 06:57

Hi,


I've been having the same issue with users after they upgraded to Java 7 Update 45.


Error states: com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: https://FQDN/+CSCO+guid++/rdp/properJavaRDP14-1.1.jar


I have downloaded the latest Terminal Service Client Plugin for ASA from the download site but that has made no difference.

I have unzipped the jar, removed references to any signing and re-archived the jar file, but it is still not working.

I have set Java security settings to medium but it still does not work.


Has anyone managed to get this working at all?

djlombardi Sun, 10/27/2013 - 14:15

David Charlebois wrote:


The workaround posted in the Cisco Bug is to uncheck the setting "Keep temporary files on my computer", which is found in the Java Control Panel under the General tab / Temporary Internet Files / Settings ...


This workaround has worked for me with Java 7 Update 45 on both PC and Mac.


Hi David,


Thanks very much that fixed the issue for me as well. I've tested on PC with IE, Firefox and Chrome and can confirm they work as expected.


Regards


David

CSCuj88114


ASA WebVPN Java Plugins fail after upgrade to Java 7 Update 45

Symptom:
ASA WebVPN Java Plugins fail to load after upgrade to Java 7 Update 45 with the following General Exception error - 'com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: https:///+CSCO+xxxxxxxxxxxxxxxxxxxxxxx++/vnc/VncViewer.jar'

Conditions:
Windows or Mac OSX machines using Java 7 Update 45.

Workaround:
1) Disable the option 'Keep temporary files on my computer' on the Java Control Panel -> General -> Settings. This works for both Mac OSX and Windows.

2) Downgrade Java to version 7 Update 40 or below.

Further Problem Description:

Bart van Dam Wed, 11/06/2013 - 06:29

Hi,


I see that the status of this bug is fixed. How come the bug ID is not mentioned in the release notes of the latest 9.1.3 interim update? Does the 9.1.3 interim software update fix this issue? Or did I overlook something?

S M85 Thu, 11/07/2013 - 00:17

@bart the specific update that is mentioned here is not publicly released. Maybe you can obtain the bug-fixed versions if you open a TAC case.

Roy Ros Thu, 11/28/2013 - 06:49

Version 8.4(4)1 seems to be affected too.

S M85 Thu, 11/28/2013 - 14:16

I would like to inform you that an interim release has been released which contains the fix for the CSCuj88114 bug.

8.4.7.5 -> asa847-5-k8.bin

9.1.3.4 -> asa913-4-smp-k8.bin

9.1.3.4 -> asa913-4-k8.bin


Rate if helpful!

Sec IT Thu, 11/28/2013 - 22:13

Thank you Sander for the update..

Would you please share 8.4.7-5 interim image to us on priority as we are not finding this image in Cisco.

S M85 Fri, 11/29/2013 - 00:19

I think that the files are given to us when opening a TAC case. So I have to advise to do the same.

Jan Fri, 12/20/2013 - 02:59

Noticed that 8.2 is affected as well.. have an 5590 which is running latest 8.2.5 (46) which shows the same error..


I am unable to upgrade the box to 8.4 as it is missing RAM slots.. (yes, there are none soldered on the mainboard - must be one of the first batches.. 1 RAM slot, 3 empty solder joints)

Ayhan Guec Mon, 01/13/2014 - 06:56

Hi Florian,


I face this issue too.

When I start the RDP plugin I get the following "warning":


This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more information.


I am using ASA version 9.1.4, but I think the RDP plugin has to be rewritten by Cisco to get this solved.

The version on the Cisco website is very old: 27-APR-2012.

Please keep us informed if you find a way to suppress this warning (at the ASA, not the client).


Best Regards

Ayhan

S M85 Mon, 01/13/2014 - 07:07

Please follow the steps below:

1) Delete the following files from rdp_09.11.2012.jar:


      properJavaRDP13-1.1.jar

      properJavaRDP12-1.1.jar

      properJavaRDP11-1.1.jar


2) Delete the following statements from "properrdp.html" :


     properJavaRDP13-1.1.jar,properJavaRDP12-1.1.jar,properJavaRDP11-1.1.jar


3) Pack all other files from rdp_09.11.2012 in new .jar


4) Upload new plugin to ASA .


If that did not work, you can always re-download the plugin from the cisco website and upload it.

Ayhan Guec Mon, 01/13/2014 - 07:50

Hi Sander,


I will give it a try and inform you about the results.


Best Regards

Ayhan

Ayhan Guec Tue, 01/14/2014 - 04:13

Hi Sander,


I am still getting the message that the permission attribute in manifest.xml is missing.

Do you know what to set there?


Best Regards

Ayhan

Ayhan Guec Tue, 01/14/2014 - 05:28

Hi Sander,


thank you very much, but I think this will not work either, because the manifest.xml does not contain the required tags for permission handling.


That's the manifest.xml from your jar file:



<?xml version="1.0" encoding="UTF-8"?>
  properrdp.html
  rdp
  3389
  csco_rdp
  1.0.2
  Terminal Servers
  Terminal Servers Bookmarks
  icon.gif
      translation-tables/rdp.pot
      Translation domain for RDP plugin
      en
      help/en/index.inc
      host
      Host Name
      string



I would expect to find any of these tags in the manifest.xml to avoid the warning that this application will be blocked in future updates:


<permission> (http://developer.android.com/guide/topics/manifest/permission-element.html)
<permission-group> (http://developer.android.com/guide/topics/manifest/permission-group-element.html)
<permission-tree> (http://developer.android.com/guide/topics/manifest/permission-tree-element.html)



I've attached a Screenshot from the Warning to be sure that we both work on the same topic

S M85 Tue, 01/14/2014 - 05:42

Yes, these warnings are the same. However, these steps were e-mailed by Cisco TAC, so I didn't make them myself. From our point the customer still gets errors with the new software version. We need to wait until Cisco makes a new RDP plugin.

Ayhan Guec Tue, 01/14/2014 - 05:49

Many thanks for your investigations.

I have an open TAC case and hope the TAC engineer can get in touch with the dev team.


Best Regards

Ayhan

edvznadm Fri, 01/17/2014 - 06:56

Hi Ayhan,


we have the same problem as you describe and have found the following workaround for me:


in the java control panel either reduce the security level to 'medium',

or insert your asa-url to the exception list, e.g. https://asa.domain/.

(sorry, we use german language versions here, so I don't know the correct labels for the english version)


We still get the warnings about the obsolete certificate, but can at least start our rdp sessions again.


Hope this helps,

Wolfgang

Ayhan Guec Fri, 01/17/2014 - 07:02

Hi Wolfgang,


this helps but is very difficult to manage if you have permanently changing end users who access the end systems. I have asked my TAC engineer for an approximate release date for the fixed rdp plugin.


I hope there will be a fixed version with permission attributes soon.


Best Regards

Ayhan

Sec IT Sat, 02/01/2014 - 08:59

Hi All,


Go ahead and configure smarttunnel. All your issues will get resolved. This is what TAC had done recently.

Rate if this was helpful.


regards

Rajesh

Florian Ostkamp Wed, 02/05/2014 - 06:21

HI All,


Update from me too: The JAVA 7.45 problem was fixed... but Oracle brought out JAVA 7.51... so we again have a new problem!!


In the past I got a fixed firmware version from Cisco. But I was not able to install it, because I had no downtime window.

But at the beginning of this year I saw that my bug was fixed in version 9.1.4. So I chose this version for my update. After my update to 9.1.4, JAVA version 7.45 was working fine.

After a few days Oracle brought out JAVA 7.51 and I had a new problem. *now angry on cisco & oracle is*


Error Message:


missing required permissions manifest attribute in main jar

XXXXXXX/ica/JICAEngN.jar


So today I opened a Cisco TAC case again for this. I will post some information when I get it from Cisco.


I hope that we will not get a new problem with every new JAVA update. Then the Cisco ASA will take a free flight out of the window....


Thanks a lot.


Regards,


Florian

Florian Ostkamp Wed, 02/05/2014 - 06:47

The Workaround to reduce the Security Settings in the JAVA Control Panel to "medium" is working.

Florian Ostkamp Thu, 02/06/2014 - 21:54

Thanks for the update Wayne.


But all these workarounds are too difficult for some users. I have published this workaround on our web portal, but it is not acceptable for the future. I will wait for the answer from Cisco TAC.

blumley Fri, 02/07/2014 - 07:53

I agree with Florian.   I have over 500 home users that are not technical by any measure.  Our helpdesk can barely keep up with walking people through making these changes to their personal computers.


  An actual fix needs to be expedited for these JAVA security issues.


  As it stands this is not a practical business solution.  I am already being pressured by management staff to find a replacement solution that is "NOT Cisco".   I have already opened a TAC case and performed all the recommended OS upgrades to the ASA.   Still I have to implement these workarounds.  It has now been over a month since the issue started presenting itself.

blumley Mon, 02/10/2014 - 12:43

Ah!  Good to know.

Doesn't really excuse Cisco from not being prepared with a fix for the updates to the JRE.

JAVA developers would have advance notice of patches to the JRE... I would hope.

Ayhan Guec Tue, 02/11/2014 - 07:29

Absolutely correct blumley,


it was not a big surprise, as with older Java versions you got the hint that this plugin will be blocked in future updates (enclosed file, German language).

I got in touch with TAC before this update was released by Oracle, but got only client-based workarounds, which are useless for me.


In the end my customer managed to rewrite the given rdp plugin and add the missing attributes to it, but as everybody knows this is not a Cisco-supported solution.

Florian Ostkamp Fri, 02/14/2014 - 08:32

Hello All!


So now my Problem is fixed with this solution:


Download the newest Plugins from Cisco:


http://tools.cisco.com/squish/aedfa


For Example Citrix (do-it-yourself) client plugin for ASA. 
ica-plugin.04.23.2012.zip     (Missing Attribute is inside)


Due to licensing restrictions, the administrator should manually import the Citrix jar files from citrix website into the plugin


The steps are explained in the ASA webvpn config guide

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp1293004


and for more information on the individual jar files, please refer to the Citrix Java admin guide:

http://support.citrix.com/servlet/KbServlet/download/6284-102-17151/ICAJava.pdf


Currently you can download a very new version of the Java files from the Citrix website. The version is from this year.


When you have merged the Zip files from Cisco and Citrix you can upload the result to the ASA and it works.


Note: Add the seamless Java file to the Zip too, if you want to use Full Screen!! Don't forget it!


All of you > Thanks.


Now all Java Versions are running fine on my Systems. So we can wait for new Java Updates ;-)

Kevin Martin Tue, 03/04/2014 - 08:50

Hello,


My solution is to modify the manifest (MANIFEST.MF) of the Jar file and set the attribute "Permissions: all-permissions".


You have to install the Java JDK to have all the tools.


Example: for the RDP plugin:

Unzip the rdp.12.21.2013.jar (latest plugin from Cisco) file to c:\rdp

Create your own manifest file. Copy the existing MANIFEST.MF and add "Permissions: all-permissions". Save the file to c:\mymanifest.mf


In terminal mode, go into c:\rdp and type

#C:\rdp>jar.exe cmf c:\mymanifest.mf c:\rdp\rdp.jar *

It will update the Manifest file with your file and create a new Jar.


You need to sign the jar before uploading it to the Cisco ASA. (use jarsigner.exe)

Here is an example: http://wiki.plexinfo.net/?title=How_to_sign_JAR_files (self sign)


I signed mine with my SSL certificate:

#jarsigner.exe -storetype pkcs12 -keystore c:\xxx\ASA\Plugin\keystore.p12 c:\rdp\rdp.jar rdpalias


Upload it to the ASA. The manifest error (Java7 u51) will disappear.
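
An added example, not part of the post above and not Cisco or Oracle tooling: a read-only Python check that reports which of the manifest attributes named in the Java console log earlier in this thread are absent from a plug-in JAR, and which entries have no digest or signature files, before the JAR is uploaded. The sample JARs, host name and digest value are constructed; the check is structural only and does not validate signatures cryptographically, which is what `jarsigner -verify` is for.

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
# Attributes the Java console log on this page reports as missing.
REQUIRED = ("Permissions", "Codebase", "Application-Name")

def parse_manifest(text):
    """Return (main_attrs, {entry_name: attrs}) from MANIFEST.MF text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # continuation of a wrapped line
        else:
            lines.append(raw)
    sections, current = [], {}
    for line in lines + [""]:
        if not line.strip():          # a blank line closes a section
            if current:
                sections.append(current)
            current = {}
        elif ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    main = sections[0] if sections else {}
    return main, {s["Name"]: s for s in sections[1:] if "Name" in s}

def audit_jar(jar):
    """Structural check of a JAR (path or file object); nothing is executed."""
    with zipfile.ZipFile(jar) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        text = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
    main, per_entry = parse_manifest(text)
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
    payload = [n for n in names if not n.upper().startswith("META-INF/")]
    return {
        "missing_attributes": [a for a in REQUIRED if a not in main],
        "permissions": main.get("Permissions"),
        # A signed JAR carries a .SF file plus a signature block file.
        "has_signature_files": any(n.endswith(".SF") for n in meta)
        and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta),
        # Payload entries with no *-Digest line are not covered by a signature.
        "undigested_entries": [
            n for n in payload
            if not any(k.endswith("-Digest") for k in per_entry.get(n, {}))],
    }

def build_sample(manifest, extra=()):
    """Constructed in-memory JAR for the demo, not a real Cisco plug-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest)
        zf.writestr("applet/Main.class", b"\xca\xfe\xba\xbe")
        for name in extra:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

# Constructed manifests: host name and digest value are placeholders.
OLD = "Manifest-Version: 1.0\r\n\r\n"
FIXED = ("Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n"
         "Codebase: asa.example.com\r\nApplication-Name: RDP plug-in\r\n\r\n"
         "Name: applet/Main.class\r\nSHA-256-Digest: Y29uc3RydWN0ZWQ=\r\n\r\n")

if __name__ == "__main__":
    print(audit_jar(build_sample(OLD)))
    print(audit_jar(build_sample(FIXED, ("META-INF/X.SF", "META-INF/X.RSA"))))
```
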








S M85 Fri, 03/07/2014 - 05:19

Hi kevin,


Thank you for the input regarding this case. I've followed your steps and got it working up to the creation of the new jar file. The new RDP file is configured correctly with 'all permissions.'


What I don't get is the steps regarding the signing part. Are you using a regular certificate or a code signing certificate?

Before you can sign it with the jarsigner, you need to import the certificate into the JDK keystore, right? What were the particular steps that you performed? Because I'm stuck at that point. I've exported the SSL certificate from the ASA in PKCS12 format with the private key. I think it has to do with my certificate being in PKCS12 format and not in x509.


If I use a code signing certificate on the ASA, I get the signing process done by the ASA. Everything works for the new plugin. So my jar is signed with the information from the code signing certificate. However, I would really like to know how it works to sign the applet with the JDK keystore.


regards,
Sander

Kevin Martin Fri, 03/07/2014 - 05:44

Hi Sander,


The ASA PKCS file is in "BASE64".


Try this:

#openssl base64 -in trustpoint.pkcs -d -out trustpoint.pfx


It will convert your pkcs into a "good format".


Then use

#openssl pkcs12 -in trustpoint.pfx -info


and you will see your private key and the certificate.


Copy the certificate into a .crt file and a .key file, then create your keystore:


#openssl pkcs12 -export -in certif.crt -inkey private.key -out keystore.p12 -name MyAlias -CAfile certif.crt -caname root



Last step, sign your jar with your keystore:


#jarsigner.exe -storetype pkcs12 -keystore keystore.p12 c:\rdp.jar MyAlias


and verify it's ok

#jarsigner.exe -verify -verbose -certs  c:\rdp.jar


