Anim Saxena

Introduction

This document describes an issue where WebVPN users receive a Java-related error.

Problem

A user has a problem with Clientless SSL WebVPN on a Cisco ASA 5510. After Oracle updated its Java version, the Java web portal plugins no longer work completely. The clientless SSL web portal runs on a Cisco ASA 5510 with version 9.1.3. On this portal the user provides the Java RDP plugin and the Java Citrix plugin. All Java plugins work with Java 7 Update 25, but they do not work with the newest version, Java 7 Update 45.

The error is shown below:
"SecurityException"

com.sun.deploy.net.JARSigningException: Unsignierter Eintrag gefunden in Ressource:

https://XXXXXXX/ica/JICA-configN.jar

---------------------------------

XXXXXXX = our portal URL

Total number of users affected = 200

Solution

Scenario (Update to v7.45)

Symptom:
ASA WebVPN Java plugins fail to load after upgrading to Java 7 Update 45, with the following General Exception error: 'com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: https:///+CSCO+xxxxxxxxxxxxxxxxxxxxxxx++/vnc/VncViewer.jar'
Conditions:
  • Windows or Mac OSX machines using Java 7 Update 45.
  • JRE build 1.6.0.51 and 65
RCA:
ASA WebVPN Java plugins fail after the upgrade to Java 7 Update 45 because of the following bug: CSCuj88114
Workaround:
Workaround:
  • Disable the option "Keep temporary files on my computer" in the Java Control Panel -> General -> Settings. This works for both Mac OSX and Windows.
  • Downgrade Java to version 7 Update 40 or below.
  • New Java platform 7.5

Step 1: The solution is to modify the manifest (MANIFEST.MF) of the JAR file and set the attribute "Permissions: all-permissions".

Step 2: Install the Java JDK so that you have all the tools.
   Example: for the RDP plugin, unzip the rdp.12.21.2013.jar file (the latest plugin from Cisco) to c:\rdp

Step 3: Create your own manifest file. Copy the existing MANIFEST.MF and add "Permissions: all-permissions". Save the file to c:\mymanifest.mf

Step 4: In a terminal, go to c:\rdp and type
 
#C:\rdp>jar.exe cmf c:\mymanifest.mf c:\rdp\rdp.jar *
 

This replaces the manifest with your file and creates a new JAR.

You need to sign the JAR before uploading it to the Cisco ASA (use jarsigner.exe).

Here is an example: http://wiki.plexinfo.net/?title=How_to_sign_JAR_files (self-signed). I signed mine with my SSL certificate:

#jarsigner.exe -storetype pkcs12 -keystore c:\xxx\ASA\Plugin\keystore.p12 c:\rdp\rdp.jar rdpalias

Upload it to the ASA. The manifest error (Java7 u51) will disappear.
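
A pre-upload check for the rebuilt plugin, added here as an example (it is not Cisco's or the author's code): it reads the JAR, confirms the Permissions attribute from Step 1, and lists entries that have no digest in the manifest and therefore cannot be covered by a signature. The sample JAR and its file names are constructed, and the check does not validate the signature itself; `jarsigner -verify` does that.

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Return (main_attributes, {entry_name: attributes}) from MANIFEST.MF text."""
    # A line that starts with a single space continues the previous line.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    main, entries = {}, {}
    for i, block in enumerate(b for b in text.split("\n\n") if b.strip()):
        attrs = dict(l.split(": ", 1) for l in block.strip().split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs["Name"]] = attrs
        elif i == 0:
            main = attrs
    return main, entries

def check_jar(jar_bytes):
    """Report the Permissions attribute, signature files, and entries lacking a valid digest."""
    report = {"permissions": None, "signature_files": [], "unsigned": [], "mismatch": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        main, entries = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        report["permissions"] = main.get("Permissions")
        for name in jar.namelist():
            upper = name.upper()
            if name.endswith("/") or upper == "META-INF/MANIFEST.MF":
                continue
            if upper.startswith("META-INF/") and upper.endswith((".SF", ".RSA", ".DSA", ".EC")):
                report["signature_files"].append(name)
                continue
            digests = {k[:-7]: v for k, v in entries.get(name, {}).items() if k.endswith("-Digest")}
            if not digests:
                report["unsigned"].append(name)  # no digest, so no signature can cover it
            for alg, b64 in digests.items():
                actual = hashlib.new(alg.replace("-", "").lower(), jar.read(name)).digest()
                if base64.b64decode(b64) != actual:
                    report["mismatch"].append(name)  # content changed after digesting
    return report

def build_sample_jar():  # constructed sample: one digested entry, one entry added without a digest
    signed = b"viewer bytes"
    digest = base64.b64encode(hashlib.sha256(signed).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n\r\n"
                f"Name: Viewer.class\r\nSHA-256-Digest: {digest}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/RDPALIAS.SF", "Signature-Version: 1.0\r\n")
        z.writestr("Viewer.class", signed)
        z.writestr("config.properties", b"added after signing")
    return buf.getvalue()
```

To check a real file, pass its bytes: check_jar(open(path, "rb").read()). A clean result has "all-permissions" under permissions, at least one signature file, and empty unsigned and mismatch lists.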

IOS versions released with the bug fixed:

  • IOS v 9.1(3.107)
  • IOS v 100.8(40.41)
  • IOS v 100.8(46.28)
  • IOS v 8.4(7.4)
  • IOS v 100.8(38.63)
  • IOS v 9.0(3.9)
  • IOS v 9.1(3.3)
  • IOS v 100.9(10.15)
  • IOS v 100.7(6.125)
  • IOS v 100.8(51.5)
  • IOS v 100.10(0.38)
  • IOS v 100.8(45.8)
  • IOS v 100.8(52.6)
  • IOS v 9.0(3.100)
  • IOS v 100.10(1.21)
  • IOS v 100.10(2.3)
  • IOS v 100.10(3.1)
  • IOS v 9.0(4)
  • IOS v 100.10(9.1)
  • IOS v 9.1(4)
  • IOS v 9.2(0.99)
  • IOS v 9.2(1)
 
After fixing the bug:
Download the newest plugins from Cisco.

For example, the Citrix (do-it-yourself) client plugin for ASA:
ica-plugin.04.23.2012.zip     (the missing attribute is included)
Due to licensing restrictions, the administrator should manually import the Citrix JAR files from the Citrix website into the plugin.

The steps are explained in the ASA WebVPN config guide mentioned below:

Config Guide
For more information on the individual JAR files, please refer to the Citrix Java admin guide:
Citrix Java admin guide

When you have merged the ZIP files from Cisco and Citrix, you can upload the result to the ASA and it works.
Note: Add the seamless Java file to the ZIP too if you want to use Full Screen.

Source Discussion

 
Comments
it dude man

So.. does Cisco plan to ever release a real fix vs us having to hack their own jar files? Can we get an updated jar file w/ the above done already?

 

The above fix does work on Mac OS X 10.9.4 and Java 7 update 60. We are running ASA 5540 code v9.1.4.
