Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Error on WebVPN falling under Java

 

Introduction

This document describes an issue where WebVPN users were getting "Java" related error.

Problem

User facing a problem with his Cisco ASA 5510 Clientless SSL Webvpn. After Oracle updates its Java Version, the JAVA Webportal are not working completely . His clientless SSL Web Portal is running on a Cisco ASA 5510 with Version 9.1.3. On this portal user has provided the JAVA RDP Plugin and the JAVA Citrix Plugin. All Java Plugins are working with Java 7 Update 25. But with the newest Version Java 7 Update 45 it is not working.

Error is Shown below:
"SecurityException"

com.sun.deploy.net.JARSigningException: Unsignierter Eintrag gefunden in Ressource:

https://XXXXXXX/ica/JICA-configN.jar

---------------------------------

XX=our portal-url

Total number of users affected = 200

Solution

Scenario (Update to v7.45)

Symptom:
ASA WebVPN Java Plugins is  failing to load after upgrading to Java 7 Update 45
with the following General Exception error - 'com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: https:///+CSCO+xxxxxxxxxxxxxxxxxxxxxxx++/vnc/VncViewer.jar'
Conditions:
  • Windows or Mac OSX machines using Java 7 Update 45.
  • JRE build 1.6.0.51 and 65
RCA:
ASA WebVPN Java Plugins fail after upgrade to Java 7 Update 45 because of below mentioned bug: CSCuj88114
Workaround:
  • User need to disable the option "Keep temporary files on my computer" on the Java Control:

Panel -> General -> Settings 

This works for both Mac OSX and Windows.

 
  • Downgrade Java to version 7 Update 40 or below.
 
  • New Java platform 7.5

Step 1: The solution is to modify the manifest (MANIFEST.MF) of the Jar file and set the attribute "Permissions: all-permissions"

Step 2: You have to install java JDK for having all tools.
   Example : For the RDP plugin:
Unzip the rdp.12.21.2013.jar (last plugin from Cisco) file to c:\rdp

Step 3: Create your own manifest file. Copy the existant MANIFEST.MF and add "Permissions: all-permissions". Save the file to c:\mymanifest.mf
 
Step 4: In  terminal mode, go into to c:\rdp and type
 
#C:\rdp>jar.exe cmf c:\mymanifest.mf c:\rdp\rdp.jar *
 

It will update the Manifest file with your file and create a new Jar.

You need to sign the jar before upload it to the Cisco ASA. (use jarsigner.exe)

here is an example : http://wiki.plexinfo.net/?title=How_to_sign_JAR_files (self sign) I had sign mine with my SSL certificate:

#jarsigner.exe -storetype pkcs12 -keystore c:\xxx\ASA\Plugin\keystore.p12 c:\rdp\rdp.jar rdpalias

Upload it to the ASA. The manifest error (Java7 u51) will disappear.

IOS versions released with fixed bug:

  • IOS v 9.1(3.107)
  • IOS v 100.8(40.41)
  • IOS v 100.8(46.28)
  • IOS v 8.4(7.4)
  • IOS v 100.8(38.63)
  • IOS v 9.0(3.9)
  • IOS v 9.1(3.3)
  • IOS v 100.9(10.15)
  • IOS v 100.7(6.125)
  • IOS v 100.8(51.5)
  • IOS v 100.10(0.38)
  • IOS v 100.8(45.8)
  • IOS v 100.8(52.6)
  • IOS v 9.0(3.100)
  • IOS v 100.10(1.21)
  • IOS v 100.10(2.3)
  • IOS v 100.10(3.1)
  • IOS v 9.0(4)
  • IOS v 100.10(9.1)
  • IOS v 9.1(4)
  • IOS v9.2(0.99)
  • IOS v9.2(1)
 
After fixing the bug:
Download the newest Plugins from Cisco:

For Example  Citrix (do-it-yourself) client plugin for ASA.  
ica-plugin.04.23.2012.zip     (Missing Attribute is inside)
Due to licensing restrictions, the administrator should manually import the Citrix jar files from citrix website into the plugin
.

The steps are explained in the ASA webvpn config guide mentioned below:

Config Guide
and for more information on the individual jar files, please refer to the Citrix Java admin guide:
Citrix Java admin guide

When you have merged the Zip files from Cisco and Citrix you can upload it to the ASA and it is working.
Note: Add the seamless Java file to the Zip too, if you want to use Full Screen.

Source Discussion

 
Comments
New Member

So.. does Cisco plan to ever release a real fix vs us having to hack their own jar files? can we get an updated jar file w/the above done already?

 

The above fix does work on Mac OS X 10.9.4 and Java 7 update 60. We are running ASA 5540 code v9.1.4.

2854
Views
5
Helpful
1
Comments